My dream solution

[graycat]

Hi all! long time reader, first time poster and a windows admin to boot so please be nice lol

Situation: I've got an entirely Windows enterprise to support my part of and it's mostly win2k at that. It's not overly large at about 250 - 300 users, of which i directly support 40 - 50 and am second line for everyone else. We're talking about approximately 25 servers / NAS boxes plus the usual firewalls etc, no of which is reporting back to a central place.

Dream Solution: I'd love to have all the server event logs pulled into one place and displayed (via a web page) in such a manner that major events are easily visable, searches through previous logs can be done for trends, an overall "health" can be displayed but you can drill down to view individual offices and even servers. Also, it'd be moving into wet dream zone if performance trackers, health, history and status can be displayed with both e-mail and sms alerts sent for key events / situations.

So Far: well, so far I've been reading, surfing and googleing like a demon, trying to cover as much ground as possible so I can start the ball rolling in the right direction. To this end I've "gained" a spare PC (2.4GHz AMD with a 80Gb hdd & 256 Mb RAM) and have CentOS 4 installed with MySQL, Apache and rsyslog just going on. As I said I've been reading these forums for a while and asking questions in other places but i could do with some pointers.

I'm intending to finish getting rsyslog installed, a windows client on the servers and the whole thing writing to MySQL. Then following Rainer's guide to using php to display it all as a webpage....... after that, I'm pretty stuck on where to go. Can some kind soul give me some hints? is my dream solution possible on a freeware basis or am i going to have to pry the corporate fingers loose? lol

[mutex]

I think your dream solution is possible, but it's going to take some work.  The problem is that phplogcon and the syslog data in the mysal database is just dumb syslog data.  I think creating a view that will let you zoom in on a certain server would be pretty easy to create, because I think the host is a specific field in the mysql database.  But, from there it gets a bit tricky.  To be able to get the "office" view, you have to create an association of devices with offices.  The easiest way, in my opinion, to do that is to create a small mysql table that has an office name and a host name.  Then, you can either use phpmyadmin or create a small php web app to load in what devices are in what offices.  At that point, you can join together the office/device table and that syslog message table, which would give you the ability to select specific offices.  None of that is really more than a few hours work, if you have some php experience.

The "health" and whatnot starts to get tricky.  The problem is that the data is buried in often obscure messages and each message is quite specifically formatted based on the application.  So, you would have to know what you're looking for and create some kind of a script to parse out that data.  It's not terribly hard, but if you have a lot of devices it can be time consuming.

The big value that a lot of the commercial packages bring is that they've done a lot of the work to bring a higher level of intelligence to parsing the logs, so that you're seeing the meaing of the logs instead of just the logs.  In most cases, they've taken the time to create parsers for many different kinds of common logs.

If you're motivated and proficient in php, I think you can come up with an app that would really work well for your situation, but if you don't want to stray too far of the beaten path, then I'd recommend looking at some commercial tools.

[deviousz]

You may need a combination of tools. Im still researching this as well but check out splunk for your 1st need.  Maybe Nagios might be one tool as well?