One method of chewing logs on those *nix (and likely Windows) systems for consumption by ZenOSS. (Thanks Risto for SEC and Chet for getting me started with Net::Syslog)
I'll try my hand at writing a recipe ...
Using Simple Event Correlator (http://kodu.neti.ee/~risto/sec/), one is able to chew event streams searching for events of interest using event timeframes, multiple event streams, event contexts, etc. SEC is quite powerful and a great tool for your toolbox. However, the problem for me has been how to inject the results into the ZenOSS world. After consulting various SEC docs and the Net::Syslog docs, I was able to merge the capabilities.
Here's how.
1) I had the admin install the SEC perl script using the SEC RPM on the server of choice, and
2) give me rights to the SEC config files.
3) Then I had the admin install the Net::Syslog perl module using CPAN. I'll leave the details of the above to you.
And now the secret sauce.
4) Once done, I added the following as my new rule file (sanitized with xxx throughout):
# on SEC startup/restart: tail the application log into SEC and compile the
# %syslog routine that the other rules call (needs -intevents, see below)
type=Single
ptype=regExp
pattern=(SEC_STARTUP|SEC_RESTART)
context=SEC_INTERNAL_EVENT
desc=Compile logging routine
action=spawn /usr/bin/tail -f /opt/xxx/logs/xxx.log ; \
       eval %syslog ( sub { require Net::Syslog; my $syslog = Net::Syslog->new(SyslogHost => '10.xxx.xxx.xxx', Facility => 'syslog', Priority => 'warning'); $syslog->send("@_"); } )
# catch this event
#WARN 2008-04-30 13:02:15,652 xxx - xxx xxx xxx disabled after unsuccesful login attempts from IP address x.x.x.x
# fire once when 3 matching lines are seen within 3600 s (one hour)
type=SingleWithThreshold
ptype=regexp
pattern=WARN .*,.* xxx - xxx xxx .* disabled after unsuccesful login attempts from IP address .*
desc=Multiple user accounts disabled
action=call %o %syslog Multiple user accounts disabled
thresh=3
window=3600
# add new rules here
Brian Nafziger
~~~~~
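To see what the rule file above does before pointing it at a live ZenOSS collector, here is an added Python model (not code from the original post, from SEC or from Net::Syslog) of the SingleWithThreshold semantics (thresh=3 within window=3600, one report per window) and of the BSD-syslog datagram that Facility 'syslog' / Priority 'warning' produces (PRI 5*8+4 = 44). The host name xxx-host, the tag sec and the sample WARN lines are constructed; the pattern is the one from the rule, and the model sends nothing unless you call send_udp yourself.

```python
import re
import socket
from datetime import datetime

# RFC 3164 numeric codes for the facility/priority names handed to Net::Syslog above.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_stamp(when):
    """RFC 3164 timestamp, e.g. 'Apr  5 01:02:03' (day of month is space-padded)."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_syslog_packet(message, stamp, facility="syslog", severity="warning",
                        hostname="xxx-host", tag="sec"):
    """Return one BSD-syslog datagram: <PRI>TIMESTAMP HOST TAG: MSG.
    PRI = facility * 8 + severity, so Facility 'syslog' + Priority 'warning' is <44>.
    hostname and tag are constructed placeholders."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>{stamp} {hostname} {tag}: {message}"


def send_udp(packet, collector_host, port=514):
    """Ship one packet to the syslog collector over UDP/514 (what Net::Syslog's
    send does). Not called by the offline demo below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet.encode(), (collector_host, port))


class SingleWithThreshold:
    """Simplified model of SEC's SingleWithThreshold rule: run the action once
    when `thresh` matching events fall inside a sliding `window` of seconds,
    then ignore further matches until the window has elapsed."""

    def __init__(self, pattern, thresh, window, message):
        self.pattern = re.compile(pattern)
        self.thresh, self.window, self.message = thresh, window, message
        self.seen = []        # timestamps of matching events still inside the window
        self.fired_at = None  # time the action last ran

    def feed(self, ts, line):
        """Return the action message if this line trips the threshold, else None."""
        if not self.pattern.search(line):
            return None
        if self.fired_at is not None and ts - self.fired_at < self.window:
            return None  # already reported in this window
        self.seen = [t for t in self.seen if ts - t < self.window] + [ts]
        if len(self.seen) >= self.thresh:
            self.fired_at, self.seen = ts, []
            return self.message
        return None


LOG_TS = re.compile(r"^\w+ (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")


def log_time(line):
    """datetime taken from the 'WARN 2008-04-30 13:02:15,652 ...' prefix."""
    return datetime.strptime(LOG_TS.match(line).group(1), "%Y-%m-%d %H:%M:%S")


def run_rules(lines):
    """Push log lines through the threshold rule from the recipe and return the
    syslog packets that would be forwarded (instead of sending them)."""
    rule = SingleWithThreshold(
        r"WARN .*,.* xxx - xxx xxx .* disabled after unsuccesful login attempts from IP address .*",
        thresh=3, window=3600, message="Multiple user accounts disabled")
    packets = []
    for line in lines:
        when = log_time(line)
        msg = rule.feed(when.timestamp(), line)
        if msg:
            packets.append(build_syslog_packet(msg, syslog_stamp(when)))
    return packets


# Constructed sample input in the shape of the WARN line quoted in the recipe.
SAMPLE = [
    "WARN 2008-04-30 13:02:15,652 xxx - xxx xxx alice disabled after unsuccesful login attempts from IP address 10.0.0.1",
    "WARN 2008-04-30 13:05:00,000 xxx - xxx xxx bob disabled after unsuccesful login attempts from IP address 10.0.0.1",
    "WARN 2008-04-30 13:06:00,000 xxx - something unrelated happened",
    "WARN 2008-04-30 13:09:30,100 xxx - xxx xxx carol disabled after unsuccesful login attempts from IP address 10.0.0.2",
    "WARN 2008-04-30 13:10:00,000 xxx - xxx xxx dave disabled after unsuccesful login attempts from IP address 10.0.0.2",
]

if __name__ == "__main__":
    for packet in run_rules(SAMPLE):
        print(packet)  # <44>Apr 30 13:09:30 xxx-host sec: Multiple user accounts disabled
```

Four account lockouts within eight minutes yield exactly one forwarded event: the third match trips the threshold, and the fourth is swallowed because the window has not run out yet. That is the behaviour to expect on the ZenOSS side, so do not count forwarded events as a count of lockouts.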
Make sure that SEC runs with internal events (-intevents) enabled in its startup options; without it SEC never generates the SEC_STARTUP/SEC_RESTART event, so the tail is never spawned and %syslog is never compiled.
It was enabled by default on my RPM install.
# normal startup
# -detach -conf=/etc/sec/*.sec -input=/var/log/messages
# -log=/var/log/sec -intevents -pid=/var/run/sec.pid
~~~~~
A nice, albeit overwhelming, catch-all rule to forward every remaining WARN event to Zen (left commented out here; $0 is the whole matched line):
# catch all
#
#type=Single
#ptype=regExp
#pattern=(WARN)
#desc=Forward to syslog
#action=call %o %syslog $0