
Syslog Search Key Words

 
Fuad_1
Regular Advisor

Syslog Search Key Words

Hi,

I have a monitoring tool to check the syslog file for errors that may show a problem that exists.
Currently I use the following keywords:
critical, error, fail, unable, warn, panic

I need to know what other keywords may exist in syslog.
Set goals, and work to achieve them
7 REPLIES
thijs lankhorst_1
Frequent Advisor

Re: Syslog Search Key Words

Hi Fuad

What we normally look for are 'lbolt' errors in conjunction with possible disk errors.
Fuad_1
Regular Advisor

Re: Syslog Search Key Words

Thanks, what are the possible disk errors? And what bolt errors show up?
Set goals, and work to achieve them
thijs lankhorst_1
Frequent Advisor

Re: Syslog Search Key Words

The following is an extract of a doc that we use at work and explains a bit more:

Investigating Lbolt errors.

Lbolt errors within the syslog are usually a good indication that there is a hardware issue with a disk drive.

As soon as an alert is received the first thing to do is to determine which device has a problem.

To do this, have a look at /var/adm/syslog/syslog.log and grep out the 'lbolt' entries.
Look for the entry which refers to a device. An example of this entry is shown below:


Aug 29 10:11:44 vmunix: LVM: vg[0]: pvnum=0 (dev_t=0x1f016000) is POWERFAILED
Aug 29 10:11:44 vmunix:
Aug 29 10:11:44 vmunix: SCSI: Late REQ for command phase -- lbolt: 19877
295, dev: 1f016000
Aug 29 10:11:44 vmunix: lbp->state: 4000
Aug 29 10:11:44 vmunix: lbp->offset: ffffffff
Aug 29 10:11:44 vmunix: lbp->uPhysScript: 50c9000
Aug 29 10:11:44 yy523_1 vmunix: From most recent interrupt:
Aug 29 10:11:44 yy523_1 vmunix: ISTAT: 0a, SIST0: c0, SIST1: 00,
DSTAT: 80, DSPS: 050c9401

There will be lots of data associated with the lbolt error/SCSI reset, most of which will only really mean anything to HP.

The data you need to look for is that which is highlighted in red. This tells us which device has the problem.

Make a note of the device as above, then do a listing of /dev/dsk and match the two together.

# ll /dev/dsk | more
total 0
brw-r----- 1 bin sys 31 0x011000 Jul 24 1999 c1t1d0
brw-r----- 1 bin sys 31 0x016000 Jul 12 1999 c1t6d0

As you can see, the number in the listing above (the minor number of the device) matches the number from the syslog which in turn identifies the problem device as /dev/dsk/c1
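
The device lookup described in the reply above, as an added shell example that is not part of the original post or of the poster's document: it pulls the device number out of the lbolt/LVM lines and matches it against an `ll /dev/dsk` listing. It assumes, as the sample lines suggest, that the first two hex digits of the number are the major and the last six the minor; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the device number in lbolt/LVM
# syslog lines to a /dev/dsk name.
# Assumption: 8 hex digits = major (first 2) + minor (last 6),
# e.g. 1f016000 -> major 31, minor 0x016000, as in the sample below.

# Sample data copied from the excerpts in the reply above.
SAMPLE_SYSLOG='Aug 29 10:11:44 vmunix: LVM: vg[0]: pvnum=0 (dev_t=0x1f016000) is POWERFAILED
Aug 29 10:11:44 vmunix: SCSI: Late REQ for command phase -- lbolt: 19877
295, dev: 1f016000
Aug 29 10:11:44 vmunix: lbp->state: 4000'
SAMPLE_LISTING='total 0
brw-r----- 1 bin sys 31 0x011000 Jul 24 1999 c1t1d0
brw-r----- 1 bin sys 31 0x016000 Jul 12 1999 c1t6d0'

# Print each distinct device number found after "dev_t=0x" or "dev: ".
extract_devs() {
    printf '%s\n' "$1" |
        sed -n -e 's/.*dev_t=0x\([0-9a-fA-F]\{8\}\).*/\1/p' \
               -e 's/.*dev: \([0-9a-fA-F]\{8\}\).*/\1/p' |
        tr 'A-F' 'a-f' | sort -u
}

# Map one device number to its block device using an `ll /dev/dsk` listing.
resolve_dev() {
    dev=$1 listing=$2
    major=$(printf '%d' "0x$(printf '%s' "$dev" | cut -c1-2)")
    minor=$(printf '%s' "$dev" | cut -c3-8)
    printf '%s\n' "$listing" |
        awk -v maj="$major" -v min="0x$minor" \
            '$1 ~ /^b/ && $5 == maj && tolower($6) == min { print "/dev/dsk/" $NF }'
}

# Report every device named in the syslog text with its /dev/dsk entry.
report_failing_disks() {
    for d in $(extract_devs "$1"); do
        name=$(resolve_dev "$d" "$2")
        printf '%s %s\n' "$d" "${name:-unresolved}"
    done
}

report_failing_disks "$SAMPLE_SYSLOG" "$SAMPLE_LISTING"   # prints: 1f016000 /dev/dsk/c1t6d0
```

On a live system the two arguments would be the contents of /var/adm/syslog/syslog.log and the output of `ll /dev/dsk`; a device reported as "unresolved" has no matching block device in the listing.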
Victor Fridyev
Honored Contributor

Re: Syslog Search Key Words

Hi,

I'd recommend you to use the standard diagnostic tool, which you can configure from SAM.
Entities are not to be multiplied beyond necessity - RTFM
isaac_loven
Frequent Advisor

Re: Syslog Search Key Words

You can grep OUT what you do not want to see.
i.e. grep -Eiv "ftp|sudo".
If anything unusual occurs, you will not miss it.
Isaac
malay boy
Trusted Contributor

Re: Syslog Search Key Words

Hi Victor,
You are talking about the standard diagnostic tool in SAM. May I know where exactly this is in SAM?
There are three person in my team-Me ,myself and I.
Bill Hassell
Honored Contributor

Re: Syslog Search Key Words

This is a good start:

grep -e crit -e err -e fail -e unable -e warn -e panic -e lbolt /var/adm/syslog/syslog.log

The reason to abbreviate critical and error is that sometimes the messages will say err rather than error. The lbolt errors are multi-line so if you see one, there are many other lines in syslog that are related. There are other messages that may be multi-line. Use the keywords to catch the majority of them. There is no comprehensive list of error messages since any program can log error messages.

And SAM is really the program /usr/sbin/sam. It is the primary system administration tool for HP-UX. We usually write SAM so it stands out a bit but you really run it with the command: sam (from a root login).


Bill Hassell, sysadmin