Simple but effective journald monitoring

JOURNALOGS analyzes the last hour's JOURNALD entries for
* alerts = to-be-notified-about entries
* unknown issues

and sends an email whenever there are any. It pretty much works similar to logcheck - but on journald instead of regular logfiles.
https://www.wyae.de/software/journalogs/

Volker Tanger 5d4a1a7017 retracted a bit too much regex optimisation 2 weeks ago
.gitignore a26f52907c initial to new repository 1 year ago
LICENSE_EUPL-1.2_EN.txt c659ac7966 re-licensed unter EUPL v1.2 7 months ago
README.md c659ac7966 re-licensed unter EUPL v1.2 7 months ago
alert_pattern a26f52907c initial to new repository 1 year ago
ignore_pattern 5d4a1a7017 retracted a bit too much regex optimisation 2 weeks ago
journalogs c659ac7966 re-licensed unter EUPL v1.2 7 months ago

README.md

journalogs

simple but effective journald monitoring

2015- by Volker Tanger volker.tanger@wyae.de

Homepage https://www.wyae.de/software/journalogs/ GIT-Repo https://git.wyae.de/WYAE/journalogs/

Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 (or later). This is free software - see attached file LICENSE_EUPL-1.2_EN.txt and available in other languages under https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12

Purpose

JOURNALOGS analyzes the last hour's JOURNALD entries for

  • alerts = events you want to be notified about
  • unknown issues

and sends an email whenever there are any. It pretty much works similar to logcheck - but on journald instead of regular logfiles.

Installation

  • place the *_pattern files in /usr/local/etc/journalogs/ or in a directory defined in the $JLDIR config variable with in the journalogs script.
  • place journalogs script in /etc/cron.hourly/

Configuration

All messages are parsed through 2 files containing regular expressions placed in $JLDIR

  • alerts_pattern
  • ignore_pattern

Please feel free to add new lines. MAKE SURE THAT THERE ARE NO EMPTY LINES (which match everything)!

If you want a more frequent log evaluation (e.g. every 5 minutes), change the line in the journalogs script

--since "1 hour ago" 

into the appropriate value, e.g.

--since "5 minutes ago" 

and change the cron job to every 5 minutes (using CRON or a systemd timer job).

Journald Rant

With the advent of SYSTEMD the long-established Syslog logging facility has been replaced by JOURNALD - which locks-up the system whenever there are write-errors, is incapable of forwarding to central logging repositories, has an unreliable syslog connector, etc.

Additionally long-established log evaluation programs won't work anymore.

So even if it is massively unsuited for servers, journald (coming along with systemd) it has become the de-facto standard for logging.

So at least we now have an automated log evaluation to ease the proper maintenance of the systems.