Sidai team: Analysing log files

Why

Why fret over analysing log files? I suppose the typical answer would mumble something about 'security', and 'intrusion detection', and the like.

The answer I've liked best was one by Hal Snyder (formatting mine):

To: loganalysis@securityfocus.com
Date: 11 Sep 2001 04:04:28 -0500
Message-ID: <87r8tep083.fsf@gamera.vail>

Look at logs as part of monitoring.

If your network has 25 computers or more, and you can't find at least one misconfiguration per week by looking through the logs, then you should change jobs now to something less challenging. :)

Networks drift out of true more often than they halt completely. The longer you leave any network resource unattended, the more glitches it will accumulate. The most "interesting" (costly) system failures have four or five things wrong, no one of which would have been a show-stopper.

Monitoring software will watch for problems you know to expect. For everything else, you need to scan the logs.

Show the biz types the time-vs-probability-of-failure curve if you don't keep an eye on things.
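As an added illustration (not part of this page and not Snyder's code), the distinction drawn in the message above can be turned into a small triage pass: lines matching the problems you already monitor for become alerts, routine lines are discarded, and everything left over is collapsed and counted so a person can actually read it. The syslog lines, the expected-problem patterns and the known-OK patterns are all constructed for this example and would need to be replaced with your own.

```python
import re
from collections import Counter

# Constructed sample syslog lines for the demonstration (not taken from the page).
SAMPLE_LOG = """\
Sep 11 04:01:02 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52100 ssh2
Sep 11 04:02:10 host1 cron[1300]: (root) CMD (/usr/lib/sa/sa1 1 1)
Sep 11 04:03:15 host1 sshd[1350]: Failed password for invalid user admin from 192.0.2.7 port 4411 ssh2
Sep 11 04:04:28 host1 ntpd[200]: no servers reachable
Sep 11 04:05:00 host1 sendmail[1400]: NOQUEUE: SYSERR(root): can not write to queue directory /var/spool/mqueue
Sep 11 04:06:00 host1 cron[1301]: (root) CMD (/usr/lib/sa/sa1 1 1)
Sep 11 04:07:30 host1 ntpd[200]: no servers reachable
"""

# Problems monitoring already watches for (hypothetical pattern set).
EXPECTED_PROBLEMS = [
    ("ssh authentication failure", re.compile(r"sshd\[\d+\]: Failed password")),
]

# Routine lines that carry no information for this purpose (hypothetical pattern set).
KNOWN_OK = [
    re.compile(r"sshd\[\d+\]: Accepted publickey"),
    re.compile(r"cron\[\d+\]: \(\w+\) CMD "),
]

# "Mon DD HH:MM:SS hostname " at the start of a classic syslog line.
SYSLOG_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ")


def normalise(line):
    """Collapse the parts that vary between otherwise identical lines."""
    body = SYSLOG_PREFIX.sub("", line)         # drop timestamp and hostname
    body = re.sub(r"\[\d+\]", "[PID]", body)   # process ids
    body = re.sub(r"\d+", "N", body)           # remaining numbers (ports, counts)
    return body


def triage(log_text):
    """Return (alerts, noise_count, unknown) for the given log text.

    alerts  - list of (label, original line) for expected problems
    noise   - number of routine lines discarded
    unknown - Counter of normalised lines nothing recognised: the part a human reads
    """
    alerts = []
    noise = 0
    unknown = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = next((lbl for lbl, pat in EXPECTED_PROBLEMS if pat.search(line)), None)
        if label is not None:
            alerts.append((label, line))
        elif any(pat.search(line) for pat in KNOWN_OK):
            noise += 1
        else:
            unknown[normalise(line)] += 1
    return alerts, noise, unknown


if __name__ == "__main__":
    alerts, noise, unknown = triage(SAMPLE_LOG)
    print(f"{len(alerts)} alert(s), {noise} routine line(s) dropped")
    for label, line in alerts:
        print("ALERT", label, "::", line)
    print("\nUnrecognised (read these):")
    for body, n in unknown.most_common():
        print(f"{n:4d}  {body}")
```

On the sample above the one failed login is raised as an alert, the three routine lines vanish, and the human is left with two distinct unrecognised messages (the ntpd line, seen twice, and the sendmail queue error), which is exactly the kind of slow drift the message describes. Unrecognised lines that turn out to be harmless get moved into KNOWN_OK; ones that turn out to matter get a pattern in EXPECTED_PROBLEMS, so the unread pile shrinks over time instead of the log.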

With what

Tina Bird's list of tools on LogAnalysis.Org is very good.

Also: Linux.org has a whole section on log analyzers.

The rest

ToDo!


© The Arusha Project, 2000-2003; team: sidai; c/o partain@users.sourceforge.net; revision 1.7, 2004-05-26.