Difference between revisions of "System Log Analysis"

From Stadm
Latest revision as of 15:31, 29 September 2010

SYSTEM LOG ANALYSIS PROCEDURES:

(Here are the steps to perform the log analysis for ‘slate’ and ‘quake’ and 'ics')

NOTE: some of the log files that need analyzing are cleared and renewed each month, while others keep growing (see the Manual New Month Procedure below for which is which)
NOTE2: log analysis procedures for quake and ics are the same as for slate
NOTE3: a star (*) means fill in the blank with the machine's prefix: s for slate, q for quake, i for ics (so *autolog stands for sautolog, qautolog or iautolog, and *conf/ for sconf/, qconf/ or iconf/)

  1. Open a new terminal session. The Terminal application can be found in the Dock (the quick link bar) at the bottom of the Mac OS X screen.
  2. Open a connection to “fablio”, and log in using your password.
    ssh fablio
  3. Change directories using the following command:
    cd /space/stadm/loganalysis
    • this directory should contain 6 log scripts (cleanall, copyall, sautolog, qautolog, iautolog, suniq) and 12 directories "conf.orig/", "iconf/", "qconf/", "sconf/", "ilogs/", "qlogs/", "slogs/", "iresults/", "qresults/", "sresults/", "logclean/" and "logcopy/" (use the ‘ls’ command to list directory contents)

    Overview: slogs/ and qlogs/ and ilogs/ contain the log files to be analyzed for the slate and quake and ics machines respectively; sresults/ and qresults/ and iresults/ contain the analysis results after running the ‘sautolog’ and ‘qautolog’ and 'iautolog' scripts; sconf/ and qconf/ and iconf/ contain the .ls and .ln files used by the logsurfer script. conf.orig/ contains the default .ls and .ln files used by the logsurfer script. logclean/ contains the scripts used to remove empty log files prior to analysis. logcopy/ contains the scripts for copying all log files from their respective machines.
    • if any of the above directories do not exist, create them using “mkdir [dir_name]”
  4. Verify the paths used in each *logcopy script (for copying over all logs for analysis) with Aaron.
    • DEFAULT location of .log files to be analyzed:
      see each *logcopy file within logcopy/
    • DEFAULT destination directory for .log files:
      /space/stadm/loganalysis/*logs/
  5. Run copyall
    • it will take a few seconds, so be patient (you should see progress output)
    • “*logs/” should now contain the log files
  6. Run cleanall
  7. Verify location of logsurfer script (should be included in your PATH environment variable; if not, then ask Aaron to include it).
  8. Verify that “default.ls” is in each *conf/ directory for use by logsurfer
    • if not, then use the ‘find’ command to locate it searching at the root directory or ask Aaron
  9. Run the ‘*autolog’ command for the quake, ics, and slate machines.
    qautolog - log analysis for the quake machine
    sautolog - log analysis for the slate machine
    iautolog - log analysis for the ics machine

    with optional flags: *autolog [-h]
    • -h prints the list of options and usage. (Historical note, 2006-02: at that time the copied log files were NOT being replaced each month, so the -nm flag was not to be used. Before resetting any counters, verify the current behaviour by opening the log files and checking the dates.)
    • NOTE: use the -nm flag to reset the line counters used by logsurfer when analyzing logs of a new month for the first time; follow the Manual New Month Procedure below, which restores the counters that must survive the reset. Alternatively, delete all files (EXCEPT default.ls) from the *conf/ directory.
    • NOTE2: useful flags are -d and -wr (see documentation or use '*autolog -h'). If you use these flags, you can skip step 11.
  10. choose log # to analyze.
    • the script will prompt you
    • log analysis may take a while (depending on the size of the log file), so BE PATIENT!
    • you can ignore "ipf.log" and "http*.log"
  11. when asked “Do you want to commit changes to name.log.ln? (y/n)”, select YES (only if you didn't use the -wr flag).
    • this saves and updates the last line number that was analyzed (.ln file used by logsurfer) in case log analysis was not complete, that way the next time you analyze the log file, you resume on the line you left off on rather than analyzing the entire file again.
  12. repeat steps 9-11 for each log file.
    • to make this process faster, open another terminal, log into fablio, go to the loganalysis/ directory, and follow steps 9-11 there in parallel
  13. cd into *results/ and run 'suniqall' (see documentation for more info)
    NOTE: before using 'suniqall', the suniq script must be in
    /space/stadm/loganalysis (see step #3).
    • make sure that *results/ contains another directory old_results/ and that this directory has permissions of "drwxr-xr-x" ('ls -l' to check)
  14. analyze the log.out.uniq files in *results/ using more
    • the *.uniq files are the files that need to be analyzed and reported
  15. send Aaron an email detailing any entries of interest with the appropriate subject header (like "slate log analysis results")

Do this for each machine's log entries of interest. I (RD) will write one email that includes all entries of interest.
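The steps above, as an added example that is not one of the stadm scripts and not from the original page: a bash preflight check for steps 3, 7, 8 and 13 (the scripts and directories under /space/stadm/loganalysis, default.ls in each *conf/, logsurfer on PATH, old_results/ with mode drwxr-xr-x), plus a small function showing the resume-from-counter behaviour behind step 11. Assumptions not stated on the page: a name.log.ln file holds a single integer, the last line number analyzed; LOGANALYSIS is a hypothetical variable defaulting to /space/stadm/loganalysis; sautolog/qautolog/iautolog, suniq and logsurfer themselves are not reimplemented.

```shell
#!/bin/bash
# Added example; not one of the stadm scripts and not from the original page.
# Assumptions: a NAME.log.ln file holds one integer, the last line number that
# logsurfer analyzed (the page only says the .ln file "saves the last line
# number"); sautolog/qautolog/iautolog, suniq and logsurfer are not reimplemented.

LOGANALYSIS=${LOGANALYSIS:-/space/stadm/loganalysis}   # hypothetical override

# check_layout DIR: preflight for steps 3, 7, 8 and 13. Lists everything that
# is missing or wrongly set up and returns 0 only when all of it is in place.
check_layout() {
    local dir=$1 rc=0 s d p od mode
    for s in cleanall copyall sautolog qautolog iautolog suniq; do
        [ -x "$dir/$s" ] || { echo "missing script: $dir/$s"; rc=1; }
    done
    for d in conf.orig iconf qconf sconf ilogs qlogs slogs \
             iresults qresults sresults logclean logcopy; do
        [ -d "$dir/$d" ] || { echo "missing directory: $dir/$d/ (mkdir it)"; rc=1; }
    done
    for p in s q i; do
        # step 8: logsurfer needs default.ls in each *conf/
        [ -f "$dir/${p}conf/default.ls" ] || { echo "missing $dir/${p}conf/default.ls"; rc=1; }
        # step 13: suniqall wants *results/old_results/ with mode drwxr-xr-x
        od=$dir/${p}results/old_results
        if [ -d "$od" ]; then
            mode=$(ls -ld "$od" | cut -c1-10)
            [ "$mode" = drwxr-xr-x ] || { echo "mode $mode on $od/, expected drwxr-xr-x"; rc=1; }
        else
            echo "missing $od/"; rc=1
        fi
    done
    # step 7: logsurfer must be on PATH
    command -v logsurfer >/dev/null 2>&1 || { echo "logsurfer not found in PATH"; rc=1; }
    return "$rc"
}

# new_lines LOG LNFILE [y]: the resume logic behind step 11. Prints the lines
# of LOG after the line number stored in LNFILE (0 if LNFILE is absent).
# With "y" as third argument it then records the new last line number, which
# is what answering YES to "commit changes to name.log.ln?" does.
new_lines() {
    local log=$1 lnfile=$2 commit=${3:-n} last=0 total
    [ -s "$lnfile" ] && last=$(tr -dc '0-9' < "$lnfile")
    last=${last:-0}
    total=$(( $(wc -l < "$log") ))
    # A log with fewer lines than the counter has been rotated; resuming
    # there would silently skip the start of the new file.
    if [ "$total" -lt "$last" ]; then
        echo "$log: $total lines but counter is $last; log rotated? reset the counter first" >&2
        return 2
    fi
    tail -n +"$((last + 1))" "$log"
    [ "$commit" = y ] && echo "$total" > "$lnfile"
    return 0
}
```

Source the file on fablio (`. ./preflight.sh`) and run `check_layout "$LOGANALYSIS"` before step 9; a non-zero exit lists exactly what steps 3, 7, 8 or 13 would trip over. `new_lines qlogs/horde.log qconf/horde.log.ln` shows which lines a run resuming from the saved counter would cover, and the rotation check is the reason the Manual New Month Procedure below exists: a counter that is larger than the file is silently wrong.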


Manual New Month Procedure

This must be done before you do the first log analysis of each month.

Some of the log files are updated monthly, while some run continuously. Because of this, the -nm flag alone is not enough to update the logs each month. Here is a list of the log files that update monthly (all others are continuous). The rule of thumb is that any log file that ends in .log is updated monthly, but this is not necessarily the case.

qlogs:
horde.log
rsync.log
xfer.log

slogs:
All files are continuous, so simply do not run -nm. The rest of the procedure only refers to the qlogs and ilogs.

ilogs:
maillist-autolistupdate.log
rsyncd.log
spamtraining.log
watchdog.log

  1. In order to ensure that all the files work properly, go to *conf/ and use the more command to find the current line number in the .ln file of each of the above logs (e.g. horde.log.ln). Make a note of these line numbers.
  2. Run *autolog -nm.
  3. Go back to *conf/ and edit the .ln files for the above logs. These will have been reset to zero; simply change the line number back to the one you wrote down.

Once you have done this, you can proceed with the normal log analysis procedure.

If, after doing this procedure, one of the monthly log files has dates before the first of the month, that log file has become continuous. Note the change in this documentation.

Conversely, if you find that one of the above files is 0 bytes, it may have become monthly. Go to *logs/ and check the file manually: if all of its entries are from the new month, the file is now monthly; remove it from this list.
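The three steps above and the two checks that follow them, as an added example that is not one of the stadm scripts and not from the original page: bash functions that note the .ln counters of the listed logs, run the *autolog -nm reset, and put the noted counters back, plus a log_state check that reports whether a log in *logs/ is empty, contains only entries from the current month, or still has entries from before the first of the month. Assumptions not stated on the page: each *conf/NAME.ln holds one integer; *autolog -nm resets every .ln in that conf directory to 0 (or removes it); log lines start with a syslog-style "Mon DD HH:MM:SS" stamp; QLOGS_MONTHLY, ILOGS_MONTHLY and AUTOLOG are hypothetical variable names.

```shell
#!/bin/bash
# Added example; not one of the stadm scripts and not from the original page.
# Assumptions: each *conf/NAME.ln holds one integer (last line analyzed);
# *autolog -nm resets every .ln in that conf directory to 0 or removes it;
# log lines start with a syslog-style "Mon DD HH:MM:SS" timestamp.

# The monthly logs per the list above; everything else in qlogs/ and ilogs/
# is continuous. Hypothetical variable names.
QLOGS_MONTHLY="horde.log rsync.log xfer.log"
ILOGS_MONTHLY="maillist-autolistupdate.log rsyncd.log spamtraining.log watchdog.log"
AUTOLOG=${AUTOLOG:-qautolog}    # the *autolog command to run with -nm

# save_counters CONF SAVEFILE NAME...: step 1, note the current line numbers.
save_counters() {
    local conf=$1 save=$2 name
    shift 2
    : > "$save"
    for name in "$@"; do
        [ -f "$conf/$name.ln" ] || continue
        printf '%s %s\n' "$name" "$(tr -dc '0-9' < "$conf/$name.ln")" >> "$save"
    done
}

# restore_counters CONF SAVEFILE: step 3, write the noted numbers back after
# *autolog -nm zeroed (or removed) the .ln files.
restore_counters() {
    local conf=$1 save=$2 name n
    while read -r name n; do
        echo "${n:-0}" > "$conf/$name.ln"
    done < "$save"
}

# new_month CONF NAME...: steps 1-3 for one machine's conf dir. $AUTOLOG -nm is
# run interactively in between; if it fails the saved counters are left on disk.
new_month() {
    local conf=$1 save
    shift
    save=$(mktemp)
    save_counters "$conf" "$save" "$@"
    "$AUTOLOG" -nm || { echo "$AUTOLOG -nm failed; counters saved in $save" >&2; return 1; }
    restore_counters "$conf" "$save"
    rm -f "$save"
}

# log_state LOG MON: the two checks after the procedure. MON is the current
# month as syslog abbreviates it (Jan .. Dec). Prints one of:
#   empty               - 0 bytes (the "may have become monthly" case)
#   current-month-only  - every entry is from MON
#   has-older-entries   - some entry predates the first of the month
log_state() {
    local log=$1 mon=$2
    if [ ! -s "$log" ]; then
        echo empty
        return 0
    fi
    if awk -v m="$mon" '$1 != m { bad = 1; exit } END { exit bad }' "$log"; then
        echo current-month-only
    else
        echo has-older-entries
    fi
}
```

On fablio, in /space/stadm/loganalysis, `new_month qconf $QLOGS_MONTHLY` and `AUTOLOG=iautolog new_month iconf $ILOGS_MONTHLY` do the three steps for quake and ics; slate is skipped because all of its logs are continuous. Afterwards, `for f in qlogs/*; do echo "$f $(log_state "$f" "$(date +%b)")"; done` gives the evidence the last two paragraphs ask for before you change the list.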


Mark Gorecki
modified by Joe Mount 2006-02-21
modified by Robert Dame 2006-06-02
modified by Kurt Olsson 2006-10-19