Since syslog.log is plain ASCII, there's a lot you can do to manage it, except use syslogd. It has no options to manage it's logfiles (remember that this is *old* Unix code). Also note that syslogd is not a simple logging tool - syslog.conf can tell systlog to log all warnings and higher to 3 different files, 4 users, two serial ports and the console plust send the messages to another server to be included in another syslog file.
So the answer is: ceate a syslog scanner. Use this scanner to locate error messages of interest. Here's a start:
/usr/bin/grep -Fi -e error -e warn -e fatal -e fail /var/adm/syslog/syslog.log
Note the use of -F for much faster searching (I know grep -E can do the -e options but the performance penalty is enormous). Run this as often as you think necessary to notify sysadmins about issues. However, to avoid duplicate messages, you'll need to use a marker to start the search forward. See the man page for logger.
Then you can trim the syslog file. For history purposes, I keep the last 5 syslogs and roll them whenever syslog.log gets bigger than 2 megs. By running the error scanner independently of the log roller (pun intended), both tasks keep the logs under control. An example of a syslog scanner (and other log monitoring) is found in nightowl, written by David Totsch and located at:
ftp://contrib:9unsupp8@hprc.external.hp.com/sysadmin/coolscripts/
You'll also find a bunch of other nifty tools in that directory. Feel free to browse.
Bill Hassell, sysadmin
