G. Pape
socklog

socklog - log events notification


The socklog-notify service provides instant notification of log events. An interval, in seconds, between the creation of notifications prevents a flood.

Set up the socklog-notify service as described in Configuration to ensure that the named pipe /var/log/socklog/.notify exists. Do not delete this file after creation.

Read "Disable log event notifications" before stopping the socklog-notify service once it has been started.

socklog-notify is handled by the uncat program.


how to configure log events

Choose a log controlled by multilog to be watched for log events, say /service/dnscache/log/main/.

Make sure the account running this log service is a member of the socklog group adm. If it isn't, change it now. Make sure that the socklog-notify service is running.

Redirect the standard error output stderr of multilog to the named pipe socklog-notify is reading from. To do so, insert exec 2> /var/log/socklog/.notify as the second line of /service/dnscache/log/run:

  #!/bin/sh
  exec 2> /var/log/socklog/.notify
  exec setuidgid dnslog multilog t s1000000 ./main

multilog's error messages are always log events.

To configure additional log events in /service/dnscache/log/main/, use the alert action e from multilog. If you want to be notified about all log entries showing stats, add a corresponding script to the multilog configuration in /service/dnscache/log/run like this:

  #!/bin/sh
  exec 2> /var/log/socklog/.notify
  exec setuidgid dnslog multilog t s1000000 ./main \
    -* '+* stats *' e

Then restart the log service:
  # svc -t /service/dnscache/log

how to configure the notification

By default, socklog-notify sends a mail containing the log events to a specified address, but the behavior is configurable, so you can change it to use an instant or short messaging service, for example.

To configure the kind of notification, edit /etc/socklog/notify/run and change the prog argument of uncat to your needs. This example uses sms_client to notify:

  #!/bin/sh -e
  PIPE=/var/log/socklog/.notify
  if [ ! -p "$PIPE" ]; then mkfifo -m0620 "$PIPE"; chown log:adm "$PIPE"; fi
  exec <> "$PIPE"
  exec setuidgid log uncat -s49999 -t90 \
    sh -c 'head -c140 | sms_client pager'

Then restart the service:
  # svc -t /service/socklog-notify

Another example using wall:

  exec setuidgid log uncat -vs49999 -t180 \
    sh -c 'head | wall'

Disable log event notifications

You need to disable all log event notifications before stopping the socklog-notify service. To check which services are configured for sending log events, run:
  # grep -F /var/log/socklog/.notify /service/*/log/run
For each of these services, edit the corresponding log/run script to remove the exec 2>/var/log/socklog/.notify line and the configured log event(s) and restart its log service:
  # svc -t /service/<service>/log
Now it is safe to stop the socklog-notify service.
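
The checks from this section and from the setup above can be scripted. The following is an added example, not part of the socklog distribution; the function names check_pipe, notify_writers and safe_to_stop are hypothetical, and the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: audit the socklog-notify wiring before stopping the service.
# Defaults are the paths used on this page; both can be overridden by arguments.
PIPE_DEFAULT=/var/log/socklog/.notify
SVC_DEFAULT=/service

# check_pipe PIPE: succeed only if PIPE is a FIFO with mode 0620 (prw--w----),
# the mode passed to mkfifo in /etc/socklog/notify/run. Ownership is not checked.
check_pipe() {
  pipe=${1:-$PIPE_DEFAULT}
  [ -p "$pipe" ] || { echo "FAIL: $pipe is not a named pipe" >&2; return 1; }
  perms=$(ls -ld "$pipe" | cut -c1-10)
  [ "$perms" = "prw--w----" ] || { echo "FAIL: $pipe has mode $perms" >&2; return 1; }
}

# notify_writers SVCDIR PIPE: print "run-script account" for every log/run
# script that still references PIPE outside of comment lines. The account is
# the first argument of setuidgid, i.e. the user that must be in group adm.
notify_writers() {
  svcdir=${1:-$SVC_DEFAULT}; pipe=${2:-$PIPE_DEFAULT}
  for run in "$svcdir"/*/log/run; do
    [ -f "$run" ] || continue
    grep -v '^[[:space:]]*#' "$run" | grep -F -q -- "$pipe" || continue
    acct=$(sed -n 's/.*setuidgid[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$run" | head -n 1)
    echo "$run ${acct:-unknown}"
  done
}

# safe_to_stop SVCDIR PIPE: succeed only when no log service references PIPE.
safe_to_stop() {
  writers=$(notify_writers "$1" "$2")
  [ -z "$writers" ] && return 0
  echo "still sending log events:" >&2
  echo "$writers" >&2
  return 1
}
```

Called without arguments, the functions use /service and /var/log/socklog/.notify; notify_writers also ignores a redirect that has only been commented out, which the plain grep -F above would still list.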
Gerrit Pape <pape@smarden.org>
$Id: notify.html,v 1.10 2002/01/14 12:04:23 pape Exp $