[aklug] On the subject of logfiles and logging...

From: adam bultman <adamb@glaven.org>
Date: Sun Jul 25 2010 - 21:55:46 AKDT

I don't know about you guys, but reading logfiles gets old, fast. With
one job I had, I had to read through ALL the logs I could, as often as I
could, and it is a serious chore.

The more systems you have, the more services you have, the more logging
you get. Logwatch, chkrootkit, rkhunter, backup logs, error logs,
cron job logs, SAN logs, NAS logs, dhcp logs, ftpd logs, http logs,
everything - you can log the whole world, but if you never read them,
you might as well keep your inbox clean and not bother running them at all.

At my last job, we set up a central email address that ran the email
through a perl script that filtered out stuff we didn't care about. I
replicated that at my current job.

The email server is a postfix box, so I have an email address
specifically set up for it.

In /etc/postfix/transport_regexp, I have:

/cronparser@domain.com/ local:

I have a .procmailrc file that looks like this:

:0
*
|/usr/local/bin/parser.pl

In parser.pl, I use regular expressions to grab certain parts of the
mail (for example, the sender and the To:, From: and Subject: headers).

Each line of the email is gone over, and then filtered using regexes.
Example:

     # SMART entries.
     next if (m!smartctl!);
     next if (m!Unable to register SCSI!);

In this case, lines with the above things in them would get skipped. If
a line of the email gets all the way to the bottom (or if it gets
caught by something I specifically watch for), the line gets added to an
array.

After the entire email is parsed, if the array has anything in it,
Mail::Sender creates a new email with the identical subject, From: and a
new To:, and sends it to where I please.

Using that, I can take 50 emails and boil it down to, say, 10. The 10
emails I *do* get contain important stuff that I care to know about, and
are brief - small enough to see the entire contents in the viewer pane
of Thunderbird, unless someone has gone crazy attacking the system.

Like anything, it takes a bit to get it up and running and properly
tweaked. And, there's likely to be a lot of preexisting programs out
there that do the same thing. But I didn't know about them (still
don't!) and this is quick, and easy.

If you know about 'em, feel free to let me know - otherwise, take this
idea and help cut down on the amount of email in your inbox. If you're
interested in seeing more of what *I* have, talk to me off-list and I'll
send you some snippets (not that it is all that interesting. If you're
looking to do the same thing, it'll save you time.)

-- 
Adam
Received on Sun Jul 25 21:55:57 2010

This archive was generated by hypermail 2.1.8 : Sun Jul 25 2010 - 21:55:57 AKDT
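As an added example (not Adam's parser.pl, and written in Python rather than Perl), here is the filter the post describes, end to end: parse the incoming mail, drop body lines that match "skip" regexes, keep any line that survives to the bottom or that matches a "watch" regex, and, if anything is left, build a new message with the original Subject and From and a replacement To. The skip and watch patterns, the sample cron mail, the assumption that a watched line wins over a skip pattern, and the addresses used are all constructed for illustration.

```python
"""Digest filter for cron/log e-mail, modelled on the parser.pl idea above.

Added example, not the original poster's script: Python rather than Perl,
and every pattern, address and sample line below is constructed.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional

# Lines matching any of these are known noise and are dropped (constructed).
SKIP_PATTERNS = [
    re.compile(r"smartctl"),
    re.compile(r"self-assessment test result: PASSED"),
    re.compile(r"Unable to register SCSI"),
    re.compile(r"^\s*$"),                  # blank lines
]

# Lines matching any of these are always kept, even if a skip pattern
# would also match them (assumption: "watch" beats "skip"; constructed).
WATCH_PATTERNS = [
    re.compile(r"\bFAILED\b"),
    re.compile(r"Accepted password for root", re.I),
    re.compile(r"segfault"),
]


def interesting_lines(body: str) -> List[str]:
    """Return the body lines that survive the filter, in original order."""
    kept = []
    for line in body.splitlines():
        if any(p.search(line) for p in WATCH_PATTERNS):
            kept.append(line)          # explicitly watched: keep regardless
            continue
        if any(p.search(line) for p in SKIP_PATTERNS):
            continue                   # known noise: drop
        kept.append(line)              # reached the bottom: keep
    return kept


def digest(raw_message: str, new_to: str) -> Optional[EmailMessage]:
    """Build the forwarded digest, or None if nothing interesting remains.

    Subject and From are copied from the original, To is replaced, and the
    body holds only the lines that survived interesting_lines().
    """
    msg = email.message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    kept = interesting_lines(text)
    if not kept:
        return None
    out = EmailMessage()
    out["Subject"] = str(msg["Subject"])
    out["From"] = str(msg["From"])
    out["To"] = new_to
    out.set_content("\n".join(kept) + "\n")
    return out


# A constructed cron mail of the kind the filter is meant to boil down.
SAMPLE_MAIL = """\
From: root@host.example (Cron Daemon)
To: cronparser@domain.com
Subject: Cron <root@host> /usr/local/sbin/nightly-checks
Content-Type: text/plain; charset=us-ascii

smartctl 5.38 2008-03-10 r3545 [x86_64-unknown-linux-gnu]
SMART overall-health self-assessment test result: PASSED
Unable to register SCSI HBA
Mar 25 02:10:01 host sshd[4321]: Accepted password for root from 198.51.100.7
Mar 25 02:12:44 host kernel: backupd[5555]: segfault at 0 ip 00007f1d
backup: FAILED to mount /dev/sdb1
rsync: some files vanished before they could be transferred
"""

if __name__ == "__main__":
    d = digest(SAMPLE_MAIL, "admin@domain.com")
    print("nothing to report" if d is None else d.as_string())
```

Wired into the procmail recipe from the post, the script would read the raw message on stdin and hand the returned message to sendmail; the filter logic is the same. Keep the watch list checked first: a line such as "backup: FAILED" should never be silenced just because a broader skip pattern also happens to match it.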