Re: new location for LVS-HOWTOs

To:	"LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject:	Re: new location for LVS-HOWTOs
From:	Roberto Nibali <ratz@xxxxxxxxxxxx>
Date:	Mon, 01 Dec 2003 22:45:49 +0100

Hello,

Sorry to interfere with your business, guys, but ...

I belive you need to sort the entries by date .. most log analyzers expect
this..


Easy enough:

cat error_log* | sort -r > error_log.all

I'm not convinced. This will not sort entries by date. Imagine followingtwo (fictive, but syntactically and semantically correct) error_logs:


# cat error_log.1

[Thu Dec 4 03:47:24 2002] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations[Thu Mar 27 03:47:24 2003] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations


# cat error_log.2

[Sun Jan 19 06:57:41 2003] [error] [client 4.65.71.160] File does notexist:/var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe[Thu Apr 20 03:47:24 2003] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations

Your pipeline does not sort them in a correct way (entries by date) atall. IMHO it's not so easy to script ;).


# cat error_log.* | sort -r

[Thu Mar 27 03:47:24 2003] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations[Thu Dec 4 03:47:24 2002] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations[Thu Apr 20 03:47:24 2003] [notice] Apache/1.3.27 (Unix) mod_jk/1.2.2mod_perl/1.27 PHP/4.3.1 mod_ssl/2.8.14 OpenSSL/0.9.7a configured --resuming normal operations[Sun Jan 19 06:57:41 2003] [error] [client 4.65.71.160] File does notexist:/var/www/htdocs/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe

To me the best solution is still to either write all error_logs into thesame file or to configure httpd.conf in a way that the logs are sent viathe syslog() interface.

Then you use syslog-ng to do all the needed logics, data handling,merging, correlation and event triggering.

Of course, the possibility of me not understanding the real problemcould be an issue here too, as noone else has complained about thissolution yet and I already had a pretty long day today.


Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

<Prev in Thread]	Current Thread	[Next in Thread>
new location for LVS-HOWTOs, Joseph Mack Re: new location for LVS-HOWTOs, Jacob Coby Re: new location for LVS-HOWTOs, Justin Albstmeijer Re: new location for LVS-HOWTOs, Jacob Coby Re: new location for LVS-HOWTOs, Joseph Mack Re: new location for LVS-HOWTOs, Horms Re: new location for LVS-HOWTOs, Roberto Nibali <= Re: new location for LVS-HOWTOs, Jacob Coby Re: new location for LVS-HOWTOs, Roberto Nibali Re: new location for LVS-HOWTOs, Guy Waugh Re: new location for LVS-HOWTOs, Roberto Nibali Re: new location for LVS-HOWTOs, Guy Waugh RE: new location for LVS-HOWTOs, Easytrans Systems (Laurie Baker) Re: new location for LVS-HOWTOs, Joseph Mack

Previous by Date:	anti-DOS techniques?, Matt Sturtz
Next by Date:	Re: anti-DOS techniques?, Roberto Nibali
Previous by Thread:	Re: new location for LVS-HOWTOs, Horms
Next by Thread:	Re: new location for LVS-HOWTOs, Jacob Coby
Indexes:	[Date] [Thread] [Top] [All Lists]