Tips for Log File Analysis

What to monitor

• Activity Logging - what/who
  
• Software Monitoring - are software jobs running properly - on time, without failure, completing?
  
• Troubleshooting System Failures -  specific error conditions
  
• Track usage of resources

Distributed Logging vs Centralized Loghost

• Configure local logging AND centralized logging for redundancy
  

• Store remote logs on a easy to access server for faster response
• Access to logs even when the target system is down
• Can help identify the cause of problems that cause server reboot during startup - avoid extra reboots
• Hackers can't easily remove their tracks from the log files if they are  not stored locally - compare centralized logs with local logs
  
• Easier correlation of  unusual entries across servers
• Easier to restore a particular log from tape if all logs are from a centralized location, rather than distributed

Types of log monitoring

• Search for patterns - search the log files for a specific pattern
  
• Correlation - set up rules about what should be happening - ie whether a schedule job is running at the proper time, whether it completed with in the expected time limits, etc.
  

Syslog

• /dev/log --> device socket that receives log messages on local machine
• /dev/klog  --> device socket that receives kernel messages
• UDP Port 514  --> port used to receive log messages from other machines

• Must use tabs, not spaces

Simple Watcher (Swatch)