Re: Is runit not being maintained?

From: Alex Efros <powerman_at_powerman.name>
Date: Thu, 24 Jul 2014 01:29:13 +0300

Hi!

On Wed, Jul 23, 2014 at 04:05:41PM -0500, Joe M wrote:
> On a slightly different note, how do you process the svlog logs? Do
> you have any related scripts that you do not mind sharing?

I don't do any advanced log rotation/backup/timestamp format change -
the default features of svlogd are good enough for me for these tasks.

What I do is log filtering to make it easy to review logs on a daily basis
and detect anomalies:

- in the /var/log/<SERVICE>/config file I have an "e*" command to send a
  copy of all log lines to STDERR, followed by several "Esomething"
  commands to avoid sending non-interesting log lines to STDERR (to make
  it possible to really review logs on a daily basis they shouldn't
  contain too many lines)

- at the beginning of each service's /service/<SERVICE>/log/run I have this:

  exec &>/var/log/all/.log

  where /var/log/all/.log is a FIFO file:

  # ls -l /var/log/all/.log
  prw------- 1 root root 0 Jul 24 01:00 /var/log/all/.log

- next, I have a special service "log-all":

  # cat /service/log-all/run
  #!/bin/bash
  exec 1<>/var/log/.notify 2>&1
  exec chpst -u log svlogd /var/log/all/ <>/var/log/all/.log

  This lets me run `sudo tail -F /var/log/all/current` in one of the
  virtual consoles 24x7 and have there very few log lines from the overall
  system which weren't excluded by "Esomething" and thus might be
  interesting.

As for /var/log/.notify mentioned in the ./run script above - it's the
second level of the same system, which is optional (just remove that line).
It works by adding the same "e*" to /var/log/all/config, creating the FIFO
/var/log/.notify and adding one more service, "notify". This service is
just a perl script which reads from /var/log/.notify and does some
automated actions based on the log lines it reads - like showing a popup
notification when someone logs into my workstation, or automatically
blocking (using iptables) an attempt to bruteforce my ssh, etc.

-- 
			WBR, Alex.
Received on Wed Jul 23 2014 - 22:29:13 UTC
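
The second-level "notify" service described in the message above, as an
added example in shell (it is not the author's perl script, which the post
does not include). The sshd line format, THRESHOLD, the --fifo argument and
the function names are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: hypothetical "notify" logic; names and log format are assumed.
THRESHOLD=${THRESHOLD:-3}   # assumed: failed logins per source before acting

# Read log lines on stdin; print each IPv4 source once, at the moment it
# reaches THRESHOLD failed sshd password attempts.
ssh_offenders() {
  awk -v max="$THRESHOLD" '
    /Failed password for / && NF >= 6 {
      # The user name is chosen by the remote side and may itself contain
      # " from 198.51.100.7 port 1 ssh2", so read the address by position
      # from the END of the line:  ... from <addr> port <n> ssh2
      if ($(NF-4) != "from" || $(NF-2) != "port") next
      ip = $(NF-3)
      # Only a plain dotted quad is ever handed on to iptables.
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
      if (++seen[ip] == max) { print ip; fflush() }
    }'
}

# Constructed sample input (documentation address ranges), for offline runs.
sample_log() {
  cat <<'EOF'
sshd[811]: Failed password for root from 203.0.113.5 port 40001 ssh2
sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
sshd[812]: Failed password for root from 198.51.100.7 port 51000 ssh2
sshd[813]: Accepted password for alex from 192.0.2.10 port 50000 ssh2
sshd[814]: Failed password for invalid user a from 198.51.100.7 port 1 ssh2 from 203.0.113.5 port 40003 ssh2
sshd[814]: Failed password for root from 203.0.113.5 port 40004 ssh2
EOF
}

# Live mode, e.g. from /service/notify/run:  exec ./notify.sh --fifo /var/log/.notify
# The FIFO is opened read-write (<>), as in the log-all run script, so the
# reader does not see EOF when a writer exits.
if [ "${1:-}" = "--fifo" ]; then
  ssh_offenders <>"$2" | while read -r ip; do
    iptables -I INPUT -s "$ip" -j DROP
  done
fi
```

Running `sample_log | ssh_offenders` prints only 203.0.113.5: the fifth
line's embedded "from 198.51.100.7" is part of the user name and is not
counted against that address.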
