Cool or wrong? Searching logs

by Anton Chuvakin

Related link: http://www.computerworld.com/printthis/2005/0,4814,105905,00.html



This paper talks about using system logs in order to discover the "root cause" of the problem. The process discussed is "detection, identification, determination, resolution and reflection." Great! But the article claims that you have to search logs in order to discover the real issue.

This is where I disagree.



If you are using some supposedly sophisticated application to search logs, why not use that same software (or appliance, or whatever it is) to highlight the root causes for you? I would rather have the intelligence of this software used to show me what I need to know than to let me search and then puzzle over the results until my brain turns blue...



And, in case you are wondering, it's not easy to do, but it sure is possible.
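As an added illustration of the post's point (this is not code from the original post): rather than making the operator search, the tool can collapse log lines into message "shapes" and surface the rare ones, so a one-off event stands out without anyone knowing what to grep for. The syslog lines below are constructed samples, and the rarity threshold is my own assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOGS = """\
Nov  8 13:02:01 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.12 port 51022 ssh2
Nov  8 13:02:05 web1 sshd[2214]: Accepted publickey for deploy from 10.0.0.13 port 51030 ssh2
Nov  8 13:02:09 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Nov  8 13:02:31 web1 sshd[2219]: Accepted publickey for deploy from 10.0.0.12 port 51044 ssh2
Nov  8 13:03:02 web1 kernel: nf_conntrack: table full, dropping packet
Nov  8 13:03:07 web1 sshd[2230]: Accepted publickey for deploy from 10.0.0.14 port 51051 ssh2
Nov  8 13:03:09 web1 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
Nov  8 13:03:44 web1 sshd[2235]: Accepted publickey for deploy from 10.0.0.12 port 51060 ssh2
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def template(msg):
    """Mask the variable parts (IPs, numbers) so lines of the same shape collapse."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return msg


def rare_templates(text, max_count=1):
    """Return (program, template, count) for message shapes seen at most max_count times.

    These are the lines a tool should put in front of the operator unasked;
    the threshold is an assumption, a real system would baseline it per source.
    """
    counts = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these too
        counts[(m["prog"], template(m["msg"]))] += 1
    return sorted((prog, tpl, c) for (prog, tpl), c in counts.items() if c <= max_count)


if __name__ == "__main__":
    for prog, tpl, c in rare_templates(SAMPLE_LOGS):
        print(f"{c:>3}  {prog}: {tpl}")
```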


4 Comments

gary.rogers
2005-11-08 13:02:45
SQL
Sounds like what they want to do is pump logs into a SQL database and then perform queries on them. Not out of the question by any means, but is it really necessary? I mean, if you're an administrator that hasn't got a rudimentary understanding of regular expressions, Perl, or even grep -v, should you maybe think about a different profession?


Now, centralized logging to a database with an ad hoc reporting tool front end... that could be nice.

anton_chuvakin
2005-11-09 13:49:46
SQL
Well, it is kinda necessary if you are handling about 5000 log records per second on an ongoing basis and more... Think 'grep' and, say, an estimated 900GB of logs per week... It's not even funny :-)
anton_chuvakin
2005-11-09 13:51:04
More comments posted
More comments posted by Jian Zhen (http://www.crypt0.net/blog/index.php?rating_submitted=10&p=142) at his blog.
gary.rogers
2005-11-16 06:54:40
SQL
Well, I've looked into pumping logs into Oracle, then using Discoverer to report on them. But then, we've got these nice edu site licenses for Oracle :)


It's certainly doable for Windows machines, and probably syslog-ng.