Frank_Kenisky at psc.uscourts.gov
2010-May-19 15:30 UTC
[Logcheck-users] Problems noted in logcheck
We use logcheck in our systems. From time to time, during what appears to be large volumes of information, I get emails with current and sometimes dated traffic. Recently, we had a change to the system which created quite a lot of 404 traffic.

I don't have a specific log analysis tool but use my own homegrown tool.

I have all the emailed log files go to a log folder in my email client. They are separated by server; this way I can gather all the entries for a specific server and save them to a text file. I run a script to eliminate the email headers and other noise not associated with the logs. I then import this into Excel, in which I have a macro set up to change it from text to data.

Therefore the logs are from the current 24-hour period. Once in a while after a huge amount of traffic, usually caused by something we did or didn't do seems to cause this. My question is, has anyone experienced this with logcheck in the past, of it retrieving old traffic from somewhere in syslog? If so, where might it be coming from?

Frank Kenisky IV, CISSP, CISA, CISM
On Wed, 2010-05-19 at 10:30 -0500, Frank_Kenisky at psc.uscourts.gov wrote:
> We use logcheck in our systems. From time to time, during what appears
> to be large volumes of information, I get emails with current and
> sometimes dated traffic. Recently, we had a change to the system
> which created quite a lot of 404 traffic.
>
> I don't have a specific log analysis tool but use my own homegrown
> tool.
>
> I have all the emailed log files go to a log folder in my email
> client. They are separated by server; this way I can gather all the
> entries for a specific server and save them to a text file. I run a
> script to eliminate the email headers and other noise not associated
> with the logs. I then import this into Excel, in which I have a macro
> set up to change it from text to data.
>
> Therefore the logs are from the current 24-hour period. Once in a
> while after a huge amount of traffic, usually caused by something we
> did or didn't do seems to cause this. My question is, has anyone
> experienced this with logcheck in the past, of it retrieving old
> traffic from somewhere in syslog? If so, where might it be coming
> from?

I think I've noticed that if logcheck doesn't run, or fails, the later runs will play catch-up. Perhaps the high load could be causing runs to fail. This doesn't sound as if it's your problem, but I thought I'd throw it out.

Ross Boylan
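
An added example, not part of either message and not logcheck's own code: a short Python filter for the workflow described in the first message, which splits the lines of a saved logcheck mail into entries from the last 24 hours and dated ones. It assumes classic syslog timestamps (`May 19 14:58:11`, no year field); the function names, host name and sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Classic syslog prefix, e.g. "May 19 14:58:11 host ..." (assumed format, no year).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s")
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def entry_time(line, report_time):
    """Return the entry's datetime, or None if the line carries no syslog timestamp."""
    m = SYSLOG_TS.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    day, hh, mm, ss = (int(g) for g in m.groups()[1:])
    try:
        ts = datetime(report_time.year, MONTHS[m.group(1)], day, hh, mm, ss)
        # The year is not logged: a stamp well after the report is from last year.
        if ts > report_time + timedelta(days=1):
            ts = ts.replace(year=ts.year - 1)
    except ValueError:  # impossible date or time, e.g. "Feb 30"
        return None
    return ts

def split_dated(lines, report_time, window=timedelta(hours=24)):
    """Split report lines into (current, dated); unstamped lines stay in current."""
    current, dated = [], []
    for line in lines:
        ts = entry_time(line, report_time)
        if ts is not None and report_time - ts > window:
            dated.append(line)
        else:
            current.append(line)
    return current, dated

# Constructed sample: body of one logcheck mail after the headers were stripped.
REPORT_TIME = datetime(2010, 5, 19, 15, 2)
SAMPLE = [
    "System Events",
    "=-=-=-=-=-=-=",
    "May 19 14:58:11 web1 httpd: GET /old/page.html 404",
    "May 18 15:30:00 web1 httpd: GET /missing.css 404",
    "May 17 03:12:40 web1 httpd: GET /old/index.html 404",
    "Dec 30 23:59:01 web1 cron[812]: session opened for user root",
]

if __name__ == "__main__":
    current, dated = split_dated(SAMPLE, REPORT_TIME)
    print(f"{len(current)} current lines, {len(dated)} dated lines")
    for line in dated:
        print("DATED:", line)
```

Pass the mail's own Date header as `report_time`, so a report that is read late is still judged against the time it was generated.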