views: 621
answers: 8

My company is searching for an Open Source product that could do log management and analysis (edit: we'd use the product to handle custom log files - the ones generated by our applications, not standard logs)

We've had demos for some proprietary products (for example, Sensage or HP's Transaction Vision), but we'd like to find an Open Source alternative.

Requirements are:

  • The product should be able to collect logs from various machines (Solaris, Windows, etc.)
  • It should handle substantially big logfiles (even 500Mb per logfile)
  • It should handle different logfiles per day (for example, 24 logfiles a day with different names)
  • It should be able to store only the relevant information from each logfile (for example, some fields, in a configurable way)
  • It should be able to handle multi-line records in logfiles (for example, xml)
  • Preferred method of storage for log records is an Oracle or MySQL database (not exotic indexing systems) (edit: after seeing Splunk in action, other forms of data storage are acceptable too)
  • It should handle quasi-realtime parsing and analysis of log files (10 or 20 minutes of delay is acceptable)

I know it seems too much and too specific for an Open Source system, but maybe Open Source could surprise us again.

A: 

I don't think there is anything from open source. What you're asking for is an integrated solution; open source projects aren't usually interested in this, they're mostly creating general purpose frameworks and then it's up to you to put up a solution on top of this. Your description fits perfectly to what we already have built as a commercial, not expensive product - logFaces. There are other solutions as well, depending on how much you're willing to spend for integrating it with your system. I'm biased of course, but most of them are complex, non-trivial to set up and will require additional costs for getting it to go in real life.

Dima
Seems a good product, but, if I read well, all our applications would have to be modified in order to feed logs to logFaces. That's not what we are searching for; it would be too much of an overhaul.
friol
I see.. Then perhaps you will need something which can crunch your log data and partition it for you offline. There are plenty of products doing just that. Splunk comes to mind as one of them...
Dima
..but no open source to my knowledge. In fact I'd be interested too.
Dima
Splunk comes 99% closer to what we're searching. Only downside: it's not opensource.
friol
+1  A: 

Look into www.ossec.net. I don't know if it has all of your requirements; nonetheless, it's pretty powerful.

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here.

Mike Jr
I've given a quick glance, but: does it support only some specific formats of logfiles? We're searching for a tool that could handle our applications' log files (that are custom).
friol
I don't know if you are going to be able to find something free that processes multiple 'custom' log files. It would be much easier to have custom applications write in syslog format so that any log reader analysis program can pick it up and display it.
Mike Jr
A: 

To me, this sounds like a combination of tools. For managing system logs, I would recommend syslog-ng from Balabit, combined with the Simple Event Correlator to do log analysis.

Syslog-ng uses the syslog protocol, but enhances the capabilities of the daemon dramatically, handling multiple hosts with ease, splitting the incoming syslog messages into almost any set of categories imaginable. It is also possible to process the incoming logs in a variety of ways, including passing them along to another server.

Simple Event Correlator (SEC) is an extremely powerful log analysis tool which includes time oriented analysis. For example, it can raise the alarm when a particular log message is seen right after another specific entry. SEC can raise the alarm when a particular log entry is not seen, or a particular log entry is seen too much. It can do a wide variety of things, including shell commands, alarms, and more.

David
We already have a tool to handle alarms (HP Openview). Am I wrong, or would syslog-ng handle only syslog events?
friol
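The three kinds of time-oriented rules the answer above attributes to SEC (an entry seen right after another, an entry not seen in time, an entry seen too often) are easy to misjudge without seeing them run, so here is an added example that is not SEC itself and not code from the thread: a small Python correlator applying those three rule types to a constructed, time-ordered event stream (the log lines, field names and thresholds are all made up for the example).

```python
import re
from collections import defaultdict, deque
# Constructed sample events (not from the thread): (seconds, log line)
SAMPLE_LOG = [
    (0, "sshd: Failed password for root from 10.0.0.5"),
    (5, "sshd: Failed password for root from 10.0.0.5"),
    (9, "sshd: Failed password for root from 10.0.0.5"),
    (12, "sshd: Accepted password for root from 10.0.0.5"),
    (40, "app: job 17 started"),
    (70, "app: job 18 started"),
    (75, "app: job 18 finished"),
]

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")
STARTED = re.compile(r"job (\d+) started")
FINISHED = re.compile(r"job (\d+) finished")

def correlate(events, threshold=3, window=30, timeout=20):
    """Three SEC-style rules over a time-ordered event stream:
    - threshold: N failures for the same user@host within `window` seconds
    - pair: a success right after failures for the same user@host
    - missing event: 'started' with no 'finished' within `timeout` seconds
    Returns alarms in order; jobs still pending at the end of the stream are
    only flagged once a later event advances the clock."""
    alarms = []
    failures = defaultdict(deque)  # (user, host) -> recent failure timestamps
    pending = {}                   # job id -> start timestamp
    for ts, line in events:
        for job, t0 in list(pending.items()):
            if ts - t0 > timeout:
                alarms.append(f"job {job} did not finish within {timeout}s")
                del pending[job]
        if m := FAILED.search(line):
            q = failures[m.groups()]
            q.append(ts)
            while ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) == threshold:
                alarms.append(f"{threshold} failed logins for {m[1]}@{m[2]} within {window}s")
        elif m := ACCEPTED.search(line):
            q = failures[m.groups()]
            if q and ts - q[-1] <= window:
                alarms.append(f"login success after failures for {m[1]}@{m[2]}")
                q.clear()
        elif m := STARTED.search(line):
            pending[m[1]] = ts
        elif m := FINISHED.search(line):
            pending.pop(m[1], None)
    return alarms
```

The same three rules, fed by syslog-ng output, are what the answer proposes; SEC's own rule files express them declaratively (type=SingleWithThreshold, Pair, PairWithWindow) rather than in code.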
A: 

Will this help? http://code.google.com/p/dataparksearch/

Sai Ganesh
+2  A: 

Try looking at Splunk. That's what they did initially before they became the IT Search thingy.

http://www.splunk.com/

DougN
As I said before, great product, but it's not open source.
friol
I did not know about this product. I do now, thanks.
Troggy
At the end, we'll try to test Splunk for a while and see if it's worth buying its license.
friol
A: 

If it were me, I'd recommend a scripting language of some sort. If you're comfortable with Perl, I'm sure you could write your own script to do it. It runs on Windows, Linux, Mac, *BSD. Totally open source, and many projects use it to do the same thing you're doing. Really well documented, HUGE repository of reusable code. The only downside is the company would have to write it or have it written, which would take time and/or additional money to do, but it would do exactly what you want it to do. Just my 2 cents.

EDIT: So I'm looking around on sourceforge for a solution to your problem and I found this. http://sourceforge.net/projects/lofimo/

What piqued my interest was the fact that it could execute shell commands on certain events. Is this more what you were looking for?

mikeyickey
A fast and flexible log parser, a GUI and a backup mechanism with a Perl script? I don't want to be the one to do that :)
friol
:D fair enough. I hope you find something that works for you though.
mikeyickey
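The "write your own script" answer above covers the two requirements from the question that most off-the-shelf parsers stumble on: multi-line (XML) records and keeping only configurable fields. As an added example, not from the thread and written in Python rather than Perl, here is the core of such a script: it groups lines into records by a header pattern, then reduces each record to a row of configured fields ready for a database table. The log format, field names and sample lines are constructed for the example.

```python
import re
# Constructed sample of an application log with multi-line XML records
# (not from the thread); a record starts with "date time LEVEL source".
SAMPLE = """\
2010-03-01 10:00:01 INFO order-service <order id="42" total="19.90"><item sku="A1"/></order>
2010-03-01 10:00:02 INFO order-service <order id="43" total="5.00">
  <item sku="B2"/>
  <item sku="C3"/>
</order>
2010-03-01 10:00:03 ERROR payment-service timeout after 30s
"""

RECORD_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\S+) (.*)$")

# Configurable field extraction: name -> (regex, keep all matches?)
FIELDS = {
    "order_id": (re.compile(r'<order id="(\d+)"'), False),
    "total": (re.compile(r'total="([\d.]+)"'), False),
    "items": (re.compile(r'<item sku="([^"]+)"'), True),
}

def records(lines):
    """Group lines into records: a line matching RECORD_START opens a new
    record, any other line is a continuation of the current one."""
    current = None
    for line in lines:
        m = RECORD_START.match(line)
        if m:
            if current:
                yield current
            ts, level, source, body = m.groups()
            current = {"ts": ts, "level": level, "source": source, "body": body}
        elif current:
            current["body"] += "\n" + line
    if current:
        yield current

def extract(rec, fields=FIELDS):
    """Keep the header plus only the configured fields found in the body."""
    row = {"ts": rec["ts"], "level": rec["level"], "source": rec["source"]}
    for name, (rx, multi) in fields.items():
        hits = rx.findall(rec["body"])
        if hits:
            row[name] = hits if multi else hits[0]
    return row

def parse(text):
    """Rows ready for insertion into a database table."""
    return [extract(r) for r in records(text.splitlines())]
```

For the quasi-realtime requirement, the same `records()` generator can be fed from a loop that re-reads a file from its last offset every few minutes; the grouping logic does not change.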
A: 

Apache Chainsaw V2 can do much of what you need:

    * The product should be able to collect logs from various machines (Solaris, Windows, etc.)
      Yes, by configuring a VFSLogFilePatternReceiver, which uses Jakarta Commons-VFS supported file systems
    * It should handle substantially big logfiles (even 500Mb per logfile)
      Yes, limited by how much memory you allocate to the VM, but Chainsaw also supports cyclic buffering if needed as well as the ability to filter events to reduce memory footprint (mentioned below)
    * It should handle different logfiles per day (for example, 24 logfiles a day with different names)
      You can define any number of receivers (one receiver/one log file) in a Chainsaw configuration, but it won't watch for log files in a folder and pull them in dynamically (but you could write a custom receiver to do that)
    * It should be able to store only the relevant information from each logfile (for example, some fields, in a configurable way)
      You can define a filter expression on the VFSLogFilePatternReceiver, which will result in only matching events being processed
    * It should be able to handle multi-line records in logfiles (for example, xml)
      Yes, VFSLogFilePatternReceiver supports multiple line records, but it doesn't support XML - there is a LogFileXMLReceiver, but that receiver doesn't support Jakarta commons VFS file systems, and you'd have to write your own 'xml decoder' which understands how to parse your xml
    * Preferred method of storage for log records is an Oracle or MySQL database (not exotic indexing systems) (edit: after seeing Splunk in action, other forms of data storage are acceptable too)
      You can have any received events processed by an appender (DBAppender, for example, to have received events saved to a db automatically), or you can export events as xml
    * It should handle quasi-realtime parsing and analysis of log files (10 or 20 minutes of delay is acceptable)
      Yes, it will parse and tail log files in realtime

Chainsaw also supports a number of other useful features: filter, colorize and search based on event contents using an expression syntax, annotate events and save the annotations with the events, save & load the information later with the annotations (exported as xml)

Feel free to email or ask questions on the mailing list.

Scott
A: 

Hi, check out XpoLog Center and XpoLog TxExpo (www.xpolog.com). The product can do the analysis and transaction analysis on logs.

bobyg