Managing your Logs with Chklogs

An introduction to a program written by Mr. Grimaldo to manage system logs.
Setting Up the Environment

Once you have created your first configuration file, you need to have Chklogs initialize its internal database (not to be confused with configuration) specified by either the configuration variable ResrcFile (for historic reasons) or the Personal Resource File's ChklogsDb variable. Remember, initialization overwrites any previous history so should be done only after the first installation (rather than when you make changes to add/remove logs/groups). Use the following administrative command:

chklogsadm init

Then, issue the administrative command:

chklogsadm initrepos
to initialize all the alternate repositories. Unlike init, you must execute this command each time you create a new group or change the location of your alternate repository (the global parameter). All of these steps are explained in detail in the documentation provided with the package.

Finally, the sync option of chklogsadm is needed whenever you make a modification to the configuration file (chklogs.conf). This is not done automatically because it is not very effective if several modifications are made to the file consecutively. This operation is as simple as typing:

chklogsadm sync
The Plug-out Interface

Chklogs comes with several plug-outs. I use them to generate statistics on my UUCP logs, listserver log, etc. You can build your own plug-outs, and in fact I would like to hear about any log scanners or filters you have. Available plug-outs are stored in the /plug-out and /contrib directories.

A plug-out is any external program executed by Chklogs in the Pre/Post group directives or the execute actions. This program must not generate any output on stdout/stderr as it will clutter the report, and if you, like most users, run Chklogs with a cron job, then this sort of behavior is undesirable. So, do you have a nice scanner that does write to stdout/stderr and don't want to hack it up? Or don't know a thing about programming? Simply use the cdkwrap wrapper provided in the distribution, and it will capture all the output and mail it to you.

Also, the plugged-out child inherits certain environment variables that provide useful information:

  • CDKLOG: The fully-qualified log name

  • CDKROOT: The archive repository

  • CDKMAILTO: The e-mail address for mailing the report

Running Chklogs from the Command-Line

Now, we have finished our setup; we have a configuration file, a resource file and initialized repositories. The administrative tasks are done for now (you can make changes later, if needed), and we are ready to get down to the action. Chklogs has several command-line options, some of which can be combined to achieve a particular effect. I won't cover all of them, or even all of the possibilities, but I will discuss enough of them to enable you to begin, and to acquaint you with a few of its capabilities. Note that we will now be using the chklogs program, not the administrative program, chklogsadm.

Basically, there are four major actions you can perform:

  1. Check the configuration file.

  2. Get an overview of all the logs that are archived.

  3. Obtain a report of actions to be taken when you execute the program.

  4. Perform the actions as directed on the configuration file.

To check the correctness of the configuration file (although the check is not very thorough) use the following command:

chklogs -w

For a quick overview of which logs are archived into the repositories, there is the -l command line option:

chklogs -l
This gives you an indication of how many logs you need to scan or filter and needed information in case something suspicious happens on your system.

To get the usual log report indicating whether a log is still within its threshold, and if not, what action would be performed, use the -w option:

chklogs -w [-m]

Alternatively, you can also specify the -m (mail) option to mail the report. You cannot put them on the same switch (-wm).

Finally, when you want Chklogs to actually process your logs as specified in the configuration file, simply use it without any of the above options:

chklogs [-m]

A report is produced on standard output unless you use the mail (-m) option. Mail is the most frequently used option.

Most users make an entry into the /etc/crontab file so that Chklogs runs every day at a particular time and mails the report. A typical crontab entry looks like this:

# System Cron Tab
45 23 * * * root /usr/local/sbin/chklogs -m
______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState