I would like to monitor syslog logs on a few dozen Linux servers. In an ideal world I'd prefer a pull method where a central monitoring server collects logs once per day from all machines via ssh, applies common and per-server rules and reports any unexpected log entries.
Do you have any suggestions?
I would prefer not to use a centralized syslog server.
I've looked at OSSEC; again, I would prefer to use ssh for all the communication and would prefer to avoid installing any additional tools on the monitored servers.
Best Answer
I'm not sure of any turn-key application/solution for this, but you could easily use rsyslog on your central monitoring server with the imfile module, which can monitor (and alert on, via the ommail module and conditionals) arbitrary log files that could be pulled in from your Linux servers via rsync and cron.

I'm using rsyslog as a central syslog server and using ommail to send me alerts on various events from my edge firewall, Squid proxy, core switch, etc. Works well.
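The pull side of what the answer describes (rsync over ssh, driven by cron on the monitoring host) together with the "common and per-server rules" the question asks for, as an added example that is not part of the original post or of rsyslog: a POSIX shell script that copies each server's syslog into a local archive, then prints every line not matched by an allow-list of expected patterns. The rule matching is done here with `grep`, logcheck-style, instead of with rsyslog's imfile/ommail, so the pulled files could equally be pointed at imfile; `LOG_ROOT`, `RULE_ROOT`, the rule-file layout, the hostnames and every sample log line are assumptions constructed for the example.

```shell
#!/bin/sh
# Pull-model log review (added example). Each monitored host needs only sshd and
# rsync; nothing else is installed there. Run daily from cron on the monitor, e.g.
#   5 0 * * *  /usr/local/sbin/logreview.sh web01 db01 >> /var/log/logreview.log
# LOG_ROOT, RULE_ROOT and the rule-file layout below are assumptions.

LOG_ROOT="${LOG_ROOT:-/var/log/pulled}"   # assumed: pulled logs land in $LOG_ROOT/<server>/
RULE_ROOT="${RULE_ROOT:-/etc/logreview}"  # assumed: common.rules and <server>.rules live here

# pull_logs SERVER: copy SERVER's syslog into $LOG_ROOT/SERVER over ssh (key-based,
# non-interactive). Not run by the demo below because it needs a reachable host.
pull_logs() {
    mkdir -p "$LOG_ROOT/$1"
    rsync -az -e 'ssh -o BatchMode=yes' "root@$1:/var/log/syslog" "$LOG_ROOT/$1/"
}

# active_rules SERVER: print the extended regexes from the common rule file and
# SERVER's own rule file, skipping blank lines and '#' comments. A missing
# per-server file simply means only the common rules apply.
active_rules() {
    for f in "$RULE_ROOT/common.rules" "$RULE_ROOT/$1.rules"; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || :
    done
}

# unexpected_lines SERVER LOGFILE: print lines of LOGFILE that match none of the
# active rules. grep -v exits 1 when everything was filtered out, which is the
# good case here, so that status is swallowed.
unexpected_lines() {
    rules=$(mktemp) || return 1
    active_rules "$1" > "$rules"
    if [ -s "$rules" ]; then
        grep -v -E -f "$rules" "$2" || :
    else
        cat "$2"                       # no rules at all: everything is unexpected
    fi
    rm -f "$rules"
}

# count_unexpected SERVER LOGFILE: number of unexpected lines (wc, not grep -c,
# so an empty result yields "0" with exit status 0).
count_unexpected() {
    unexpected_lines "$1" "$2" | wc -l | tr -d ' '
}

# report SERVER...: print a header plus the unexpected lines for every log file
# under $LOG_ROOT/SERVER. Exit status 1 if anything was found, so cron's mail or
# a wrapper can treat "nothing to report" and "look at this" differently.
report() {
    found=0
    for s in "$@"; do
        for log in "$LOG_ROOT/$s"/*; do
            [ -f "$log" ] || continue
            out=$(unexpected_lines "$s" "$log")
            [ -n "$out" ] || continue
            found=1
            printf '== %s: %s ==\n%s\n' "$s" "$log" "$out"
        done
    done
    return $found
}

# make_demo_data DIR: build a constructed two-server archive and rule files under
# DIR and point LOG_ROOT/RULE_ROOT at it. Sample lines are invented for the demo.
make_demo_data() {
    LOG_ROOT="$1/logs"; RULE_ROOT="$1/rules"
    mkdir -p "$LOG_ROOT/web01" "$LOG_ROOT/db01" "$RULE_ROOT"
    cat > "$RULE_ROOT/common.rules" <<'EOF'
# expected on every host
 CRON\[[0-9]+\]: \(root\) CMD 
 systemd\[1\]: Started 
EOF
    cat > "$RULE_ROOT/db01.rules" <<'EOF'
# only the database host is expected to log checkpoints
 postgres\[[0-9]+\]: .*checkpoint complete
EOF
    cat > "$LOG_ROOT/web01/syslog" <<'EOF'
Mar  1 00:05:01 web01 CRON[1234]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
Mar  1 00:07:12 web01 systemd[1]: Started Daily apt upgrade.
Mar  1 00:30:00 web01 postgres[77]: LOG:  checkpoint complete: wrote 3 buffers
Mar  1 03:14:15 web01 sshd[2222]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Mar  1 03:14:20 web01 useradd[2230]: new user: name=deploy, UID=0, GID=0
EOF
    cat > "$LOG_ROOT/db01/syslog" <<'EOF'
Mar  1 00:05:01 db01 CRON[4321]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
Mar  1 00:30:00 db01 postgres[900]: LOG:  checkpoint complete: wrote 12 buffers
Mar  1 02:00:00 db01 kernel: [12345.678] Out of memory: Kill process 901 (postgres)
EOF
}

# Stand-alone demo on the constructed data. In real use replace this with
# "for s in "$@"; do pull_logs "$s"; done; report "$@"".
demo_dir=$(mktemp -d)
make_demo_data "$demo_dir"
report web01 db01 || echo '== unexpected entries found =='
rm -rf "$demo_dir"
```

With the constructed data the report flags three lines on web01 (a postgres checkpoint, which is expected only on db01, a failed ssh login and a UID 0 account creation) and one on db01 (the kernel OOM kill). The allow-list approach means anything nobody has explicitly declared normal shows up in the daily report, which is the right default for a review that runs once a day rather than in real time.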