Topic: Parsing logs

My FreeBSD 6.3 system runs quasi-troublefree.
Logs, which have been very useful in the early days, are now accumulating uselessly in /var/log.
I know I should pay some attention to them from time to time, especially the pf logs but, as the system is troublefree, I don't know what I should be looking for.
And the more the logs grow in size, the less I am ready to spend time parsing manually kilobytes of ascii, looking for I don't know what.
So, I am looking for some kind of parser that would do the job for me.
The parsing software is not the problem by itself as, at least, I know how to program one.
The major problem is the parsing rules as, as written above, I do not know a-priori what I should look for.
Would someone direct me to a parsing system with already built-in parsing rules or to some kind of tuto descripting extensively what should be alerting in the typical FreeBSD's + pf logs.


Last edited by UltimaPratica (2008-03-20 10:20:09)

Re: Parsing logs

If you don't know what you are looking for, how can you possibly analyze your logs in a meaningful way?

Why not let newsyslog rotate and eventually discard logs you aren't interested in; those you want to keep but don't know why, copy them periodically to a dir in your ~. You can always run grep and awk on them later.

If you are interested in what's in your postfix maillogs, you can trying running pflogsumm on a regular basis (it is in the ports).