Application log aggregation, management and notifications...

Question

I'm wondering what everyone is using for logging, log management and log aggregation on their systems.

I am working in a company which uses .NET for all it's applications and all systems are Windows based. Currently each application looks after its own logging and notifications of failures (e.g. if app A fails it will send out its own 'call for help' to an admin).

While this current practice works its a bit hacky and hard to manage. I've been trying to find some options for making this work better and I've come up with the following:

• log4net & Chainsaw (ah, if it works).
• Logging via log4net or another framework into a central database & rolling our own management tool.
• Logging to the Windows event log and using MOM or System Center Operations Manager to aggregate and manage each of these servers & their apps.
• A hand-rolled solution to suck all the log files into one point and work some magic across them.

Essentially what we are after is something which can pull log entries all together and allow for some analytics to be run across them, plus use a kind of event based system to, for example, send out a warning email when there have been 30+ warning level logs for an application in the last x minutes.

So is there anything I've missed, or something someone else can suggest?

Answer 1

L4ndash: log4net log viewer with free developer version.

Answer 2

Check the Microsoft Log Parser and examples. The log parser can handle xml, csv as well as Microsoft event log, registry and can send information to 'syslog' servers.

From the example screenshot this seems to be really useful tool.

Answer 3

It depends on your needs. If, for example, you're running a data center and are mostly concerned with real-time alarming, then you might want to look at Avicode. It's very capable, but can be pricey.

If, on the other hand, you're supporting desktop applications or logs from remote systems, or are more concerned with offline log analysis then you might take a look at Gibraltar. It provides a nice combination of logging, log management and log aggregation/analysis capabilities. But, to be honest, I'm a bit partial -- I'm one of the Gibraltar developers.

Answer 4

If you can, I'd recommend writing to the EventLog and creating rules in SCOM to monitor. We use this extensively and it works well, even to a point of putting together pieces of code which monitor certain elements of our apps and writing values to the event log, where SCOM parses for the errors, and graphs those, plus informational errors, into reports showing stats over a given time.

I am however quite keen on rewriting some that into WMI, and having SCOM poll the WMI service for those same counters, as writing queue lengths to event log every 15 minutes seems a little wasteful ;)

Answer 5

log4net is definitely the place to go for simple logging that outputs to the most common targets. log4net can log to windows eventlog as well as put messages out to db, email or file. It's fairly trivial to setup and the documentation is pretty good.

Answer 6

I'm using log4net and log4view (www.log4view.org). They have a TCP adapter that you can distribute as part of your application. You then use their client app to connect to your various applications and the log messages are displayed in real time.

It can monitor multiple logs at the same time - up to 255 if you but the commercial version (a measly $50).

It can also work with the RollingFileAppender.

They have a pretty powerful filtering UI so you can home in on what you want to look at.

Answer 7

We've used MOM with pretty good success since it handles the purging, viewing, and other concerns outside of data entry. The caveat to MOM is that it doesn't do *NIX out of the box(at least the version we have). There are connectors and such. Another option is look into LogLogic. This takes log info from network devices, but has an open web service API that you could tie into. MOM has APIs as well, so you could funnel down to something like LogLogic.

Answer 8

Hello Matthew, I think we've got something very close to what you're looking for. logFaces is a log server, aggregator and viewer. It's built particularly for larger distributed applications and multi-user environments. We put together all the good stuff from Apache logging services and made out-of-the-box solution for those who use log4j, log4net, log4cxx or event log4python. logFaces can work with major database brands and will let you quickly dig out the issues from the flood of log data which is very common in large applications. It will also let you see the slices of your system (log-wise) in real-time. There are many more features, feel free to give it a try. If you like I can help you with setup directly, although it's very simple to get started just after watching the demos we have.

Answer 9

Hi In my case, I'm try to adopt scribe, facebook's log aggregator. Facebook and Twitter are using scribe now.