HPE Community
Operating System - Linux
1822437 Members
2697 Online
109642 Solutions
New Discussion юеВ

shell script for checking if the system logs are updating

 
SOLVED
Go to solution
Sunny Jaisinghani
Trusted Contributor

тАО12-25-2007 10:48 PM

тАО12-25-2007 10:48 PM

shell script for checking if the system logs are updating

Hello All,

I need to write a shell script for checking if the system logs are updating.

Sometimes it so happens that someone changes the configuration in syslog.conf due to which the logging stops.

I want to run a monthly script which will check if the log files are updating..

How can i achieve this.

Regards
Sunny
0 Kudos
Reply
10 REPLIES 10
Dennis Handly
Acclaimed Contributor

тАО12-26-2007 02:07 AM

тАО12-26-2007 02:07 AM

Solution

Re: shell script for checking if the system logs are updating

What would it take to determine if the logfiles are updating? A modification date within the last day or week? If so, you could use something like:
$ find /var/adm/syslog/syslog.log -mtime -7
If you don't get any output, then the file hasn't changed in 7 days.

If you only care about since the last time your ran your script, you can touch a reference file and then compare that with the current logfile with this syntax:
if [ logfile -nt ref_file ]; then
echo "logfile is newer"
else
echo "logfile hasn't been updated"
fi
Reply
Sunny Jaisinghani
Trusted Contributor

тАО12-26-2007 02:17 AM

тАО12-26-2007 02:17 AM

Re: shell script for checking if the system logs are updating

Hi Denis,

Thanks for your response.
The find command just skipped out of my mind.

This will solve my purpose.

Thanks
0 Kudos
Reply
Hasan Atasoy
Honored Contributor

тАО12-26-2007 02:23 AM

тАО12-26-2007 02:23 AM

Re: shell script for checking if the system logs are updating

hi sunny ;

save file line count to another file and check every 15 ( for example ) minutes for line count .


for example

linecnt=`cat /test/syslog.filecnt`

file=/usr/adm/syslog/syslog.dated

newcnt=`cat $file | wc -l`

if [ $newcnt -gt $linecnt ] ; then
let diff=$newcnt-$filecnt
cat $file | tail -${diff} > difffile
fi

echo $newcnt > /test/syslog.filecnt


check for write mistakes.

Hasan

0 Kudos
Reply
blah2blah
Frequent Advisor

тАО12-26-2007 11:26 AM

тАО12-26-2007 11:26 AM

Re: shell script for checking if the system logs are updating

not sure what version of hp-ux your using, but doesn't syslogd provide a file mark/timestamp every 20 minutes by default and can modified with the -m option.

why don't you check that the file has been updated with it's timestamp mark
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО12-26-2007 08:51 PM

тАО12-26-2007 08:51 PM

Re: shell script for checking if the system logs are updating

An even simpler method is to use the logger command. You use this command to generate all the different priorities and service requests, then simply look that all of them now appear in your syslog file. In fact, *NO* change should be allowed to syslog.conf unless followed immediately by the logger tests. Waiting for a month is far too long to way for a notice that a bad change by a root user was made.


Bill Hassell, sysadmin
0 Kudos
Reply
Sunny Jaisinghani
Trusted Contributor

тАО12-26-2007 10:10 PM

тАО12-26-2007 10:10 PM

Re: shell script for checking if the system logs are updating

Hi,

The fact mentioned by "blah2blah" about syslogd won't work for me. I have a bunch of log files which i have to check.

Yes. Even i thought 1 month is too long to check if anything is wrong with syslog.conf

May be i can run the script weekly.

Anyways thanks for your valuable suggestions.

REgards
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО12-27-2007 05:32 AM

тАО12-27-2007 05:32 AM

Re: shell script for checking if the system logs are updating

If the system is in production, I would check all the log files daily (unless there are some that never update unless there is an error). The absolute simplest method is to look at ll, the last date that the file was modified. This requires virtually no CPU time, but you have to also put into the logs something that says that the application is working OK. Log files are often just for errors and therefore, no news is good news. But that does not verify that the applications are running correctly.


Bill Hassell, sysadmin
0 Kudos
Reply
Sunny Jaisinghani
Trusted Contributor

тАО12-27-2007 05:54 AM

тАО12-27-2007 05:54 AM

Re: shell script for checking if the system logs are updating

Hello Bill,

The purpose of the script is to check if all the log files (selected ones) are present and if they are getting updated.
This script is going to be deployed on all kind of servers, production, development, archieve, backup etc...
So there will some files which may not get updated for some period of time.
Hence planning for a weekly check.

This is what the person who is going to audit the server has asked for.

The contents which are logging to syslog and other log files depend upon the correct configuration of syslog.conf. And this is a different point to look at..

However i have noted the points you mentioned. :)

Thanks
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО12-27-2007 06:07 AM

тАО12-27-2007 06:07 AM

Re: shell script for checking if the system logs are updating

As long as you are only checking files created by syslog, then logger is the correct tool. The syslog.conf file has the ability sort various messages among different log files and the logger command (available on virtually any system that has the syslog facility) can be used weekly (or daily) to verify that syslogd is working correctly.

For completeness, look at /var/adm for all the other logfiles that are kept on your system.


Bill Hassell, sysadmin
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО12-27-2007 07:39 AM

тАО12-27-2007 07:39 AM

Re: shell script for checking if the system logs are updating

Hi Sunny:

Here's another way to verify that a file is being updated. This one-liner will return one (1) to denote failure and zero (0) to denote an updated file, exactly like any standard Unix command would be expected to do. You can than construct any logic around that that you need.

# perl -le 'exit 1 if -M "/var/adm/syslog/syslog.log" > 3600/86400'

This tests then named file's modification timestamp. In this example, the script exits with one (1) if the "syslog.log" has *not* been updated in more than *one_hour* (60 seconds times 60 minutes) of a day (60 seconds times 60 minutes times 24 hours).

Nothing more is needed --- no temporary files nor complex logic.

Regards!

...JRF...

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.