LISA 2000 Abstract
Extending UNIX System Logging with SHARP
Matthew Bing and Carl Erickson, Grand Valley State University
Abstract
System messages in a UNIX system are handled by syslog. The
responsibilities of syslog are to filter and disperse program-generated
messages based on a priority code contained in each message.
Filtering with priority codes is not sufficient to generate enough
usable information for the system administrator. Utilities which do
regular-expression parsing of syslog messages typically do not run
continuously and thus, lacking state, are limited in detecting
potentially important patterns in syslog messages.
SHARP (Syslog Heuristic Analysis and Response Program) improves
the monitoring of systems by extending the existing syslog
infrastructure with programmable modules. These modules use a library
with a simple API to perform near-real-time analysis of the
messages they register to receive. System administrators can use SHARP
to improve the services provided by their systems without the need for
constant manual evaluation of message logs. The SHARP system and
several modules were tested in a higher-education production
environment during the spring of 2000. Experience with SHARP indicates
that it is stable, reliable, and improves the overall operation of a
laboratory while not significantly increasing the workload on the
system administrator.
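As an added illustration of the design the abstract describes (a module that registers for a message class and keeps state across messages, where a stateless per-line regex tool sees only one message at a time), the following Python sketch is not SHARP's code or its API; the dispatcher, the burst-detector module and the sample log lines are hypothetical.

```python
import re
from collections import defaultdict, deque
# Constructed sample messages (hypothetical hosts and addresses, not from the paper)
# in BSD syslog form: "<PRI>" = facility*8 + severity, then a Unix timestamp in
# place of the date field, host, program and message text.
SAMPLE_LOG = [
    "<38>1000 lab1 sshd[410]: Failed password for root from 10.0.0.5",
    "<38>1010 lab1 sshd[411]: Failed password for root from 10.0.0.5",
    "<38>1030 lab1 sshd[412]: Failed password for admin from 10.0.0.5",
    "<38>1100 lab2 sshd[500]: Failed password for root from 10.0.0.5",  # window expired
]
LINE_RE = re.compile(r"<(\d+)>(\d+) (\S+) (\S+?)(?:\[\d+\])?: (.*)")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
def parse(line):  # -> (facility, severity, time, host, program, text)
    pri, ts, host, prog, text = LINE_RE.match(line).groups()
    return int(pri) // 8, int(pri) % 8, int(ts), host, prog, text

class Dispatcher:  # hands each message to the modules registered for its facility
    def __init__(self):
        self.modules = defaultdict(list)
    def register(self, facility, module):
        self.modules[facility].append(module)
    def feed(self, line):
        fac, sev, ts, host, prog, text = parse(line)
        for module in self.modules[fac]:
            module.handle(sev, ts, host, prog, text)

class BurstDetector:
    """Stateful module: a one-line regex sees one failure at a time; this keeps
    recent failures per source and alerts at `threshold` within `window` seconds."""
    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)  # source address -> failure timestamps
        self.alerts = []
    def handle(self, sev, ts, host, prog, text):
        m = FAIL_RE.search(text)
        if not m:
            return
        src, q = m.group(2), self.history[m.group(2)]
        q.append(ts)
        while ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((src, host, ts, len(q)))

def run(lines=SAMPLE_LOG):
    dispatcher, detector = Dispatcher(), BurstDetector()
    dispatcher.register(4, detector)  # facility 4 = auth (PRI 38 -> facility 4, severity 6)
    for line in lines:
        dispatcher.feed(line)
    return detector.alerts
```

With the sample lines, the third failure from the same source within 60 seconds raises one alert, while the fourth, arriving after the window has expired, does not; a per-line regex would report all four identically.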