Aug 29 2008
Central Logging with Cacti
I looked for a long time for a piece of software that allows managing messages sent to a central syslog server. Logwatch sends email reports that either contain tons of messages or are focused on some applications. Logs are usually not looked at, and are forgotten. I then found out a Cacti module could do the job, quickly and easily.
Installation
Installation steps are clearly described on the Cacti forum.
I should mention this module only supports syslog-ng, not syslog.
Configuration
I only filtered the messages to be displayed, restricting them to errors and criticals. This was achieved by modifying the syslog-ng configuration:
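# Keep only error..emerg, and drop the mail, authpriv and cron facilities
filter f_cacti {
    level(error..emerg) and
    not (facility(mail)
         or facility(authpriv)
         or facility(cron));
};

# Receive syslog messages from the network over UDP
source net {
    udp();
};

# Write one SQL INSERT per message to a named pipe
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$MSG' );\n")
        # Escape quotes in macro values so a message cannot end the SQL string early
        template-escape(yes)
    );
};

log { source(net); filter(f_cacti); destination(d_mysql); };
# s_sys (local messages) is assumed to be defined elsewhere in the configuration
log { source(s_sys); filter(f_cacti); destination(d_mysql); };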
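The filter and the INSERT template above, modelled in Python as an added example (not part of the original post, of syslog-ng or of the Cacti module): it shows which sample messages would reach syslog_incoming and why template-escape(yes) matters once a message contains a quote. The escaping is a simplified, assumed model (a backslash before ', " and \), and the sample records and function names are made up for the illustration.

```python
# Added example: simplified model of f_cacti and the d_mysql template ("err" is the config's "error").
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
EXCLUDED = {"mail", "authpriv", "cron"}
TEMPLATE = ("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) "
            "VALUES ( '{host}', '{facility}', '{priority}', '{date}', '{time}', '{msg}' );")

def passes_f_cacti(facility, priority):
    """level(error..emerg) and not (facility mail, authpriv or cron)."""
    return SEVERITIES.index(priority) <= SEVERITIES.index("err") and facility not in EXCLUDED

def escape(value):
    """Assumed model of template-escape(yes): backslash before ', " and backslash."""
    return "".join("\\" + ch if ch in "\\'\"" else ch for ch in value)

def render(record, template_escape=True):
    """Fill the INSERT template, escaping every macro value unless disabled."""
    fields = {k: escape(v) if template_escape else v for k, v in record.items()}
    return TEMPLATE.format(**fields)

def unescaped_quotes(sql):
    """Count single quotes not preceded by a backslash (12 in a well-formed INSERT)."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 1          # skip the escaped character
        elif sql[i] == "'":
            count += 1
        i += 1
    return count

def rec(host, facility, priority, msg):
    return {"host": host, "facility": facility, "priority": priority,
            "date": "2008-08-29", "time": "10:15:02", "msg": msg}

# Constructed sample messages, not taken from a real log.
SAMPLES = [
    rec("web01", "daemon", "err", "httpd: can't open '/etc/app.conf'"),
    rec("web01", "cron", "err", "job failed"),          # dropped: facility cron
    rec("db01", "kern", "info", "eth0 link up"),        # dropped: below err
    rec("db01", "kern", "crit", "I/O error on sda"),
]

def stored(samples):
    """Statements that would be written to the pipe."""
    return [render(r) for r in samples if passes_f_cacti(r["facility"], r["priority"])]

if __name__ == "__main__":
    for sql in stored(SAMPLES):
        print(sql)
```

Rendering the first sample with template_escape=False leaves 15 unescaped single quotes instead of 12, so the statement no longer parses as a single six-value INSERT.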
It is then possible to filter logs using patterns, sort by server, severity or date, or receive alerts, as shown in the screenshot:

Only regret: there is no option to mark a log as “being processed” or “closed” for instance.