[Nagiosplug-devel] Re: Rewrite of check_log

Stanley Hopcroft Stanley.Hopcroft at IPAustralia.Gov.AU
Thu Feb 26 03:41:00 CET 2004


Dear Sir,

I am writing to thank you for your letter and say,

On Thu, Feb 26, 2004 at 09:36:03AM +0100, Flo Gleixner wrote:

> > If you are 'serious about logging' or events then
> >
> > 1 Log centrally
> >
> 
> How do you do that? With syslog? Not that bad, but not reliable and not
> secure.

Agreed. However some sites think the convenience of _one_ log
destination for log processing worth the costs you mention.

For MS hosts there are a number of products that do Event Log --> SysLog
forwarding.

That most often mentioned is Snare (aka BackLog).

> With nsca I can do some basic encryption if I want. And my syslog
> does not have to log spoofed messages :-) I know, nagios is not a central
> logger ...

Yes, if your syslog hosts are not subject to syslog attacks and folks
dropping messages in your syslog server, syslog works fine.

Most if not all packet filtering software (ipfilter, ipfw) can limit the
log messages to coming from those hosts you choose.

> 
> 
> > 2 Monitor with an event correlator like Sec or RuleCore (Logsurfer or
> > Swatch maybe)
> >
> 
> Yeah, sure the better solution. Can you provide me with the homepage of
> Sec?

http://kodu.neti.ee/~risto/sec/

> 
> So, does it read from the inode or from the file with that name? If it
> reads from the inode, you have to kick it after logrotate, if it reads
> from the filename (like my check_log does), it has to make sure that it did
> read all lines of the old file that have been added between the last check
> and the logrotate. My script is NOT aware of that. And it sometimes simply
> does not work. Some Linuxes do a "logrotate and then compress". And some
> move the old file somewhere. How do I know?
>

I am too ignorant to be sure but Sec is written in Perl so you can
relatively easily tell. FWIW, I think it is the latter (see
input_shuffled() and read_line_from_file())


(I think it regularly stats the file and compares the current offset with
the stat results. Under some circs it re-reads the file).

> 
> Florian Gleixner
> 

Yours sincerely.

-- 
------------------------------------------------------------------------
Stanley Hopcroft
------------------------------------------------------------------------

'...No man is an island, entire of itself; every man is a piece of the
continent, a part of the main. If a clod be washed away by the sea,
Europe is the less, as well as if a promontory were, as well as if a
manor of thy friend's or of thine own were. Any man's death diminishes
me, because I am involved in mankind; and therefore never send to know
for whom the bell tolls; it tolls for thee...'

from Meditation 17, J Donne.
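
The rotation problem discussed in this message (stat the file, compare the saved offset and inode, and recover lines written between the last check and the logrotate), as an added example that is not part of the original message and is not code from Sec or check_log. The function names, the saved-state dictionary and the rotated-file suffixes are assumptions made for illustration.

```python
import os

def _read_from(path, offset):
    """Return (complete lines found after offset, new offset)."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    # Keep only complete lines; a partial last line is picked up next run.
    end = data.rfind(b"\n") + 1
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end

def read_new_lines(path, state, rotated_suffixes=(".1", ".0")):
    """state is {"inode": int, "offset": int} from the previous run, or None.

    Returns (lines, new_state, gap). gap is True when the log was rotated or
    truncated and the unread tail of the old file could not be recovered,
    so the caller can raise UNKNOWN instead of silently reporting OK.
    """
    st = os.stat(path)
    old_tail, gap, offset = [], False, 0
    if state is None:
        pass                                  # first run: read from the start
    elif st.st_ino != state["inode"]:
        # Rotated by rename: the name now points at a new file. Look for the
        # old file by inode (assumed suffixes) and read what we missed.
        gap = True
        for suffix in rotated_suffixes:
            try:
                if os.stat(path + suffix).st_ino == state["inode"]:
                    old_tail, _ = _read_from(path + suffix, state["offset"])
                    gap = False
                    break
            except FileNotFoundError:
                continue
        # Not found: compressed or moved elsewhere, the tail is unrecoverable.
    elif st.st_size < state["offset"]:
        gap = True                            # truncated in place: re-read
    else:
        offset = state["offset"]              # same file, only appended to
    new, offset = _read_from(path, offset)
    return old_tail + new, {"inode": st.st_ino, "offset": offset}, gap
```

A file truncated and then refilled past the saved offset between two checks looks like a plain append to this check and is not detected.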



