topic Re: shell script for checking if the system logs are updating in Operating System - Linux

shell script for checking if the system logs are updating

Sunny Jaisinghani — Wed, 26 Dec 2007 06:48:04 GMT

Hello All,

I need to write a shell script for checking if the system logs are updating.

Sometimes it so happens that someone changes the configuration in syslog.conf due to which the logging stops.

I want to run a monthly script which will check if the log files are updating..

How can i achieve this.

Regards
Sunny

Re: shell script for checking if the system logs are updating

Dennis Handly — Wed, 26 Dec 2007 10:07:00 GMT

What would it take to determine if the logfiles are updating? A modification date within the last day or week? If so, you could use something like:
$ find /var/adm/syslog/syslog.log -mtime -7
If you don't get any output, then the file hasn't changed in 7 days.

If you only care about since the last time your ran your script, you can touch a reference file and then compare that with the current logfile with this syntax:
if [ logfile -nt ref_file ]; then
echo "logfile is newer"
else
echo "logfile hasn't been updated"
fi

Re: shell script for checking if the system logs are updating

Sunny Jaisinghani — Wed, 26 Dec 2007 10:17:10 GMT

Hi Denis,

Thanks for your response.
The find command just skipped out of my mind.

This will solve my purpose.

Thanks

Re: shell script for checking if the system logs are updating

Hasan Atasoy — Wed, 26 Dec 2007 10:23:11 GMT

hi sunny ;

save file line count to another file and check every 15 ( for example ) minutes for line count .

for example

linecnt=`cat /test/syslog.filecnt`

file=/usr/adm/syslog/syslog.dated

newcnt=`cat $file | wc -l`

if [ $newcnt -gt $linecnt ] ; then
let diff=$newcnt-$filecnt
cat $file | tail -${diff} > difffile
fi

echo $newcnt > /test/syslog.filecnt

check for write mistakes.

Hasan

Re: shell script for checking if the system logs are updating

blah2blah — Wed, 26 Dec 2007 19:26:25 GMT

not sure what version of hp-ux your using, but doesn't syslogd provide a file mark/timestamp every 20 minutes by default and can modified with the -m option.

why don't you check that the file has been updated with it's timestamp mark

Re: shell script for checking if the system logs are updating

Bill Hassell — Thu, 27 Dec 2007 04:51:30 GMT

An even simpler method is to use the logger command. You use this command to generate all the different priorities and service requests, then simply look that all of them now appear in your syslog file. In fact, *NO* change should be allowed to syslog.conf unless followed immediately by the logger tests. Waiting for a month is far too long to way for a notice that a bad change by a root user was made.

Re: shell script for checking if the system logs are updating

Sunny Jaisinghani — Thu, 27 Dec 2007 06:10:09 GMT

Hi,

The fact mentioned by "blah2blah" about syslogd won't work for me. I have a bunch of log files which i have to check.

Yes. Even i thought 1 month is too long to check if anything is wrong with syslog.conf

May be i can run the script weekly.

Anyways thanks for your valuable suggestions.

REgards

Re: shell script for checking if the system logs are updating

Bill Hassell — Thu, 27 Dec 2007 13:32:57 GMT

If the system is in production, I would check all the log files daily (unless there are some that never update unless there is an error). The absolute simplest method is to look at ll, the last date that the file was modified. This requires virtually no CPU time, but you have to also put into the logs something that says that the application is working OK. Log files are often just for errors and therefore, no news is good news. But that does not verify that the applications are running correctly.

Re: shell script for checking if the system logs are updating

Sunny Jaisinghani — Thu, 27 Dec 2007 13:54:51 GMT

Hello Bill,

The purpose of the script is to check if all the log files (selected ones) are present and if they are getting updated.
This script is going to be deployed on all kind of servers, production, development, archieve, backup etc...
So there will some files which may not get updated for some period of time.
Hence planning for a weekly check.

This is what the person who is going to audit the server has asked for.

The contents which are logging to syslog and other log files depend upon the correct configuration of syslog.conf. And this is a different point to look at..

However i have noted the points you mentioned. :)

Thanks

Re: shell script for checking if the system logs are updating

Bill Hassell — Thu, 27 Dec 2007 14:07:56 GMT

As long as you are only checking files created by syslog, then logger is the correct tool. The syslog.conf file has the ability sort various messages among different log files and the logger command (available on virtually any system that has the syslog facility) can be used weekly (or daily) to verify that syslogd is working correctly.

For completeness, look at /var/adm for all the other logfiles that are kept on your system.

Re: shell script for checking if the system logs are updating

James R. Ferguson — Thu, 27 Dec 2007 15:39:42 GMT

Hi Sunny:

Here's another way to verify that a file is being updated. This one-liner will return one (1) to denote failure and zero (0) to denote an updated file, exactly like any standard Unix command would be expected to do. You can than construct any logic around that that you need.

# perl -le 'exit 1 if -M "/var/adm/syslog/syslog.log" > 3600/86400'

This tests then named file's modification timestamp. In this example, the script exits with one (1) if the "syslog.log" has *not* been updated in more than *one_hour* (60 seconds times 60 minutes) of a day (60 seconds times 60 minutes times 24 hours).

Nothing more is needed --- no temporary files nor complex logic.

Regards!

...JRF...