epylog - Syslog new log notifier and parser.
epylog [-c epylog.conf] [-d LOGLEVEL] [--last PERIOD] [--store-offsets] [--quiet] [--cron]
Epylog is a new log notifier and parser which runs periodically
out of cron, looks at your logs, processes the entries in order to present
them in a more comprehensive format, and then provides you with the output.
It is written specifically with large network clusters in mind where a lot
of machines (around 50 and upwards) log to the same loghost using syslog or
syslog-ng.
Alternatively, Epylog can be invoked from the command line to produce a log
report for a given time period. In this case it relies on syslog timestamps to
find the offsets, as opposed to the end-of-log offsets stored during the last
run; this behavior is less reliable and is easily thrown off by skewed clocks.
- -c config.file
  Provide an alternative config file to Epylog. By default, it will look in
  /etc/epylog/epylog.conf.
- -d LOGLEVEL
  Logging level. The default is 1. 0 will produce no output except for
  critical errors (useful for cron runs). 2 and above are debugging levels;
  5 is the most verbose.
- --last PERIOD
  Produce a report on events that occurred in the last PERIOD. PERIOD can be
  either "hour", "day", "week", "month", or more granular: "1h", "2h", "3d",
  "2w", etc. When --last is specified, epylog will ignore the saved offsets and
  locate the entries by timestamps. CAUTION: this process is not to be trusted,
  since the timestamps are not checked for validity when they arrive at the
  loghost. One reporting machine with a skewed clock may confuse Epylog enough
  to miss a lot of valid entries.
- --store-offsets
  When specified, will store the offset of the last log entry processed in
  offsets.xml. During cron runs epylog relies on the offset information to find
  out which new entries to process. This is more trustworthy than relying on
  timestamps. The default behavior is not to store the offsets, as this allows
  running epylog both from cron and manually without the two interfering with
  each other. The location of offsets.xml is specified in epylog.conf. See
  epylog.conf(5) for more details.
- --quiet
  In every way identical to -d 0.
- --cron
  This is essentially --quiet --store-offsets, plus a lockfile will be created
  and consulted, preventing more than one instance of epylog from running. You
  can still run epylog manually; the lockfile is only checked when running in
  --cron mode.
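As an added illustration (not epylog's own code), the following parses the PERIOD spellings accepted by --last and then does what --last does, a timestamp-only search for the first entry inside the window, over a constructed syslog sample in which one host's clock is behind; it also reports the out-of-order lines that such a skewed clock produces. Treating "month" as 30 days and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta
# PERIOD spellings accepted by --last; "month" as 30 days is an assumption.
_NAMED = {"hour": timedelta(hours=1), "day": timedelta(days=1),
          "week": timedelta(weeks=1), "month": timedelta(days=30)}
_UNITS = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}

def parse_period(period):
    """Turn 'day', '2w' or '3h' into a timedelta; reject anything else."""
    if period in _NAMED:
        return _NAMED[period]
    m = re.fullmatch(r"(\d+)([hdw])", period)
    if not m:
        raise ValueError("unrecognised PERIOD: %r" % period)
    return int(m.group(1)) * _UNITS[m.group(2)]

# Classic syslog header "Mar  3 01:00:00 host prog: msg"; it carries no year.
_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
def parse_timestamp(line, year):
    m = _TS.match(line)
    if not m:
        return None
    stamp = "%d %s %s %s" % (year, m.group(1), m.group(2), m.group(3))
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")

def find_start(lines, now, period):
    """Return (index of the first line inside the last PERIOD, indexes whose
    timestamp runs backwards, the symptom of a skewed reporting clock)."""
    cutoff = now - parse_period(period)
    start, skewed, newest = None, [], None
    for i, line in enumerate(lines):
        ts = parse_timestamp(line, now.year)
        if ts is None:
            continue          # not a syslog line (e.g. a continuation)
        if newest is not None and ts < newest:
            skewed.append(i)  # out of order: this host's clock is behind
        if start is None and ts >= cutoff:
            start = i         # first entry inside the window
        if newest is None or ts > newest:
            newest = ts
    return start, skewed

# Constructed sample log: hostC's clock is behind, so its line is out of order.
SAMPLE = [
    "Mar  3 01:00:00 hostA sshd[12]: Accepted publickey for alice",
    "Mar  3 03:30:00 hostB cron[7]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  2 23:59:00 hostC kernel: clock stepped",
    "Mar  3 04:10:00 hostA sshd[13]: Accepted publickey for bob",
]
NOW = datetime(2024, 3, 3, 5, 0, 0)   # constructed "now" for the sample
```

With the sample above, find_start(SAMPLE, NOW, "2h") returns (1, [2]): the window starts at the cron line, and the hostC line is flagged as running backwards.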
The core of epylog is written in Python. It handles things like timestamp
lookups, unwrapping of "last message repeated" lines, handling of rotated
files, preparing and publishing the reports, etc. The modules are pluggable
and can be either "internal", written in Python, or external. External modules
can be written in any language, but at the price of some convenience. For more
info see epylog-modules(5).
Depending on the size of your logs, you might want to
initialize your offsets before letting epylog run from cron. When the
offsets.xml file is missing, epylog will by default process the entire log,
and depending on your configuration, that can be a lot of entries. A good way
to init epylog is to run:
epylog --last day --store-offsets
/etc/epylog/epylog.conf
/usr/sbin/epylog
/etc/cron.daily/epylog.cron
/etc/epylog/*
/var/lib/epylog/*
/usr/share/epylog/modules/*
The most useful way to run epylog from the command line is with --last. E.g.:
epylog --last day
epylog --last 2w
When running from cron, you want to store the offsets and not rely
on timestamps. There is a mode that allows you to do this:
epylog --cron
Konstantin Ryabitsev <icon@linux.duke.edu>