Comments on: Really Simple Consolation

By: Mark

Mark — Tue, 21 Feb 2006 08:12:37 +0000

This really sounds like the sort of thing that Bayesian filtering would excel at. Of course, the filters would have to be trained to recognize the log's output correctly, but I don't see why it wouldn't be consistent enough across different systems to make a generic training file work. Take a look at this Wikipedia article for some good background on the process.

By: Andre Stechert

Andre Stechert — Thu, 05 Jan 2006 07:31:34 +0000

Shameless plug: Splunk does the thing you were asking for (we call it "event aggregation") and a lot more. It includes RSS feeds. For personal use, it's free. Of course, we've got to pay the bills, so there is also a commercial version that gets priority support, etc. I work there and love it. Cheers, Andre

By: Adam Bell

Adam Bell — Thu, 05 Jan 2006 01:31:47 +0000

Did you see this today? Great minds…..

http://dekstop.de/weblog/2006/01/revisiting_aggregators_pt_one/

Adam

By: Ozguru

Ozguru — Wed, 04 Jan 2006 22:29:19 +0000

As Ed pointed out, all sorts of crap gets mixed into the genuine messages. Another approach would be to use syslog.conf to send valid messages to some other location that your parser reads. Under Solaris, I was able to send select syslog messages to a pipe but I am not sure if this can be done in MacOSX. Also, in Tiger, Apple introduced the ASL routines which add extra configuration options.

By: eric gundrum

eric gundrum — Wed, 04 Jan 2006 21:54:24 +0000

Have you looked at asl.log? According to man syslogd, asl.log is the agregate output of what is sent to syslog using the syslog or asl APIs. It may not contain all that you want to watch, but it seems like a good starting point.

By: alexr

alexr — Wed, 04 Jan 2006 20:24:17 +0000

Combine this with Never Been Seen: http://www.ranum.com/security/computer_security/code/

By: Ed

Ed — Wed, 04 Jan 2006 19:24:16 +0000

I’m not sure you will be able to get anything close to perfect. I’d go with what you already planned: use the ‘good’ format for chunks (looks like the NSLog format) and glom all the rest together. The problem is that any old app can print to stderr and end up in the console.log file.

By: Beau Hartshorne

Beau Hartshorne — Wed, 04 Jan 2006 18:13:18 +0000

Err: http://www.macgeekery.com/node/86

By: Beau Hartshorne

Beau Hartshorne — Wed, 04 Jan 2006 18:12:52 +0000

Annard, is this what you were thinking of: ?

By: Annard Brouwer

Annard Brouwer — Wed, 04 Jan 2006 15:49:44 +0000

This has been done before but then using perl for monitoring remote sites. I can’t for the life of me find the reference though…