How to monitor keywords like reboot, warning etc for Linux

[pratikmehta003]

Hi All,
We have a requirement of monitoring certain keywords for Linux servers in /var/log/messages path. Can you share some details as to how this can be achieved via Nagios XI?

[vtrac]

Hi pratikmehta003,
Nagios do have the "check_log" plugin that perform log file checks.

Checking log files can be a system intensive process, especially if you have a large log file that is being checked every five minutes. A better solution is to send the log file data to a central server and analyze the log data there. Nagios Log Server is the perfect solution for this and is strongly recommended over trying to check log files via a plugin or agent.

Below is an example of "check_log":

Code: Select all

Nagios Plugins includes the check_log plugin. The plugin scans a log file and reports and matches to the query provided. Successive calls to the plugin will only report new pattern matches in the log file, since an copy of the log file from the previous run is saved to old_log_file.

Commands:
Usage: check_log --help
Usage: check_log -F logfile -O oldlog -q query

./check_log -F /var/log/messages -O /var/log/messages_old -q 'Error'

Output:
(2) < Nov 27 16:09:45 xitest ndo2db: Error: Connection to MySQL database has been lost!

Hope this helps.

Regards,
Vinh

[pratikmehta003]

Thanks for the info..
I understand the point about intensive checks.. actually this is going to be for 30 odd servers.. so do u think it can have impact? We do have good config on the server...

and in the usage u mentioned old_log so does that need to be included everytime?

[vtrac]

Hi pratikmehta003,
Since most people are not going to "reboot" the server very often, you can schedule for it to check for "reboot" every hour, not every 5 minutes.
You can pick one server out of those 30 and try it out. I think it will be fine if you only run this every hour.

As to the "-o" option, it is required.

Assuming that you run check_log every hour.
What this does is the first time you ran this command, it will do the initialization by making a copy of your "message" and call that "messages_old". This "messages_old" file is then used as the last-ran-time of check_log ..... and only the new changes in the "messages" file since the last-ran-time will be checked. This can speed up the checking process since anything in the "message_old" was already checked in the last hour.

Hope this helps!!

Regards,
Vinh

[pratikmehta003]

Thanks Vinh,

Let me see... coz 1 hour is not something that would help...

Let me check with the team.. i will revert back...

[benjaminsmith]

Hi,

Let me check with the team.. i will revert back...

Sounds good. I think you can go less but just depends on the overall check load (host + services checks) of your server. You could also set these checks up passively using NCPA, which would require less resources from the Nagios XI server.

[pratikmehta003]

Thanks for the note Benjamin. I will revet back

[benjaminsmith]

Thanks for the note Benjamin. I will revet back

Sounds good.

[pratikmehta003]

This can be closed...

[scottwilkerson]

This can be closed...

Locking thread