views:

1467

answers:

7

I need a simple way to monitor multiple text log files distributed over a number of HP-UX servers. They are a mix of text and XML log files from several distributed legacy systems. Currently we just ssh to the servers and use tail -f and grep, but that doesn't scale when you have many logs to keep track of.

Since the logs are in different formats and just files in folders (automatically rotated when they reach a certain size) I need to both collect them remotely and parse each one differently.

My initial thought was to make a simple daemon process that I can run on each server using a custom file reader for each file type to parse it into a common format that can be exported over the network via a socket. Another viewer program running locally will connect to these sockets and show the parsed logs in some simple tabbed GUI or aggregated to a console.

What log format should I try to convert to if I am to implement it this way?

Is there some other easier way? Should I attempt to translate the log files to the log4j format to use with Chainsaw or are there better log viewers that can connect to remote sockets? Could I use BareTail as suggested in another log question? This is not a massively distributed system and changing the current logging implementations for all applications to use UDP broadcast or put messages on a JMS queue is not an option.
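As an added example (not code from the question or any of the answers), this is one way to implement the "common format" step the question describes: two small parsers turn constructed sample events, a plain-text line and a one-line XML event, into the same record tagged with the originating host, emitted as one JSON object per line for the socket. The text layout, the XML element and attribute names, and the one-event-per-line assumption for the XML logs are all assumptions made for this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample events standing in for two of the legacy formats described in the
# question (the exact layouts and field names are assumptions for this example).
TEXT_LINE = "2009-03-04 12:01:22 ERROR billing: payment gateway timeout"
XML_EVENT = ('<event ts="2009-03-04T12:01:25" severity="warn" source="ldap">'
             '<msg>bind failed\nfor uid=app1</msg></event>')

TEXT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<level>[A-Za-z]+) (?P<src>[\w.-]+): (?P<msg>.*)$")

def record(host, ts, level, src, msg):
    """The common format: which box logged it, when (ISO 8601), how severe, and the text."""
    return {"host": host, "ts": ts.strftime("%Y-%m-%dT%H:%M:%S"),
            "level": level.upper(), "source": src, "msg": msg.strip()}

def parse_text(host, line):
    """Plain-text line -> record, or None when the line does not match the layout."""
    m = TEXT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return record(host, ts, m["level"], m["src"], m["msg"])

def parse_xml(host, text):
    """One-line XML <event> -> record; malformed XML is dropped instead of killing the reader."""
    try:
        el = ET.fromstring(text)  # ElementTree does not fetch external entities
        ts = datetime.strptime(el.get("ts"), "%Y-%m-%dT%H:%M:%S")
    except (ET.ParseError, TypeError, ValueError):
        return None
    return record(host, ts, el.get("severity", "UNKNOWN"), el.get("source", "?"),
                  el.findtext("msg", ""))

def normalize(host, line):
    """Pick the parser by shape: XML events start with '<', everything else is text."""
    line = line.rstrip("\r\n")
    return parse_xml(host, line) if line.startswith("<") else parse_text(host, line)

def to_wire(rec):
    """Newline-delimited JSON for the socket: json.dumps escapes any newline inside a
    field, so a line break embedded in a message cannot be read as a second record."""
    return json.dumps(rec, sort_keys=True) + "\n"

if __name__ == "__main__":
    for host, raw in (("box1.foo.com", TEXT_LINE), ("box2.foo.com", XML_EVENT)):
        print(to_wire(normalize(host, raw)), end="")
```

With every source reduced to these records, the viewer side only needs one reader, and grep or a GUI filter can work on the level, source and host fields regardless of the original file format.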

+1  A: 

Splunk

Joe Skora
Looks like a nice application, but it doesn't seem to be available for HP-UX. It can read UDP text logs or TCP if you buy the Enterprise version, so maybe I can use it as a viewer.
Claes Mogren
A: 

Awstats provides a perl script that can merge several apache log files together. This script scales well since the memory footprint is very low; log files are never loaded into memory. I know that is not exactly what you need, but perhaps you can start from this script and adapt it for your needs.

Alexandre Victoor
+1  A: 

Options:
  1. Use a SocketAppender to send all logs to 1 server directly. (This could severely hamper performance and add a single point of failure.)
  2. Use scripts to aggregate the data. I use scp, ssh, and authentication keys to allow my scripts to get data from all servers without any login prompts.

James A. N. Stauffer
+2  A: 

We use a simple shell script like the one below. You'd, obviously, have to tweak it somewhat to tell it about the different file names and decide which box to look for which on but you get the basic idea. In our case we are tailing a file at the same location on multiple boxes. This requires ssh authentication via stored keys instead of typing in passwords.

#!/bin/bash
# Path of the log file to tail; the same path is used on every box.
# (No spaces around '=' in a shell assignment, and quote the value.)
FILE="$1"
for box in box1.foo.com box2.foo.com box3.foo.com box4.foo.com; do
    # Tail the file on each box in the background; ssh uses stored keys, so no prompt.
    ssh "$box" tail -f "$FILE" &
done

# Keep the script alive until all the background ssh sessions exit.
wait
masukomi
+1  A: 

You can use the various receivers available with Chainsaw (VFSLogFilePatternReceiver to tail files over ssh, SocketReceiver, UDPReceiver, CustomSQLDBReceiver, etc) and then aggregate the logs into a single tab by changing the default tab identifier or creating a 'custom expression logpanel' by providing an expression which matches the events in the various source tabs.

Scott
A: 

gltail - real-time visualization of server traffic, events and statistics with Ruby, SSH and OpenGL from multiple servers

Albert T. Wong
glTail is cool, but I was more after an easy and efficient way to aggregate log-files to search and filter them.
Claes Mogren
+2  A: 

Probably the lightest-weight solution for real-time log watching is to use Dancer's shell in concurrent mode with tail -f:

dsh -Mac -- tail -f /var/log/apache/*.log
  • The -a is for all machine names that you've defined in ~/.dsh/machines.list
  • The -c is for concurrent running of tail
  • The -M prepends the hostname to every line of output.
mrm
Thanks, that was a good tip!
Claes Mogren