improving signal to noise ratio from centralized network syslogs

An alternative, and more universal, way to do it is to use multiple IPs for
the syslog server. Then configure the correct syslog server IP on the device.

syslog-ng and others can all do filtering to different destinations
based on the IP where the message was received.

Use 'tail -f' or similar.
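The multiple-listener layout described above, written out as a syslog-ng configuration. This is an added example, not a configuration posted in the thread: the two listener addresses (192.0.2.10 and 192.0.2.11), the file paths and the severity threshold are placeholders chosen for illustration.

```conf
@version: 3.38
# Added example: one syslog-ng instance bound to two IPs. Devices whose logs
# matter are pointed at the first address, chatty devices at the second, so
# the source a message arrived on decides which file it lands in.
# 192.0.2.x are documentation placeholders; substitute the log host's real IPs.

source s_core {
    network(ip("192.0.2.10") port(514) transport("udp"));
};
source s_noisy {
    network(ip("192.0.2.11") port(514) transport("udp"));
};

# Severity filter applied on top of the per-IP split.
filter f_important { level(warning..emerg); };

destination d_core  { file("/var/log/net/core.log"); };
destination d_noisy { file("/var/log/net/noisy.log"); };
destination d_watch { file("/var/log/net/watch.log"); };   # the file worth a 'tail -f'

log { source(s_core);  destination(d_core); };
log { source(s_noisy); destination(d_noisy); };
# warning and above from either listener also go to the watch file
log { source(s_core); source(s_noisy); filter(f_important); destination(d_watch); };
```

With this split the "signal" file stays small regardless of how much the noisy devices send, and a simple `tail -f /var/log/net/watch.log` is usable again.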

The only problem with BASH-based solutions is that they are
slow. They don't scale well.

Some years ago I wrote a script that would periodically (every 5
minutes by default) grep for interesting events / filter uninteresting
events from the syslog file and email you the results. It's here if
anyone is interested: https://null.53bits.co.uk/index.php?page=sysgrep

It's OK for a small network or small number of devices but it doesn't
scale well. Having said that, it's better than nothing and costs $0
(which is exactly why I used it in the first place).

Cheers,
James.
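The "grep for interesting events / filter uninteresting events" pass described in the post above, as an added Python example. It is not the sysgrep script from the link, and the log lines, ignore patterns and interesting patterns are constructed for illustration. Beyond a plain grep it also collapses repeated messages (PIDs and source ports normalised away) into one counted line, which is what keeps a burst of identical events from drowning the report.

```python
import re
from collections import Counter

# Constructed sample of a centralized syslog file (not real device output).
SAMPLE_LOG = """\
Mar  3 10:00:01 sw-core01 sshd[1201]: Accepted publickey for netops from 10.0.0.5 port 51234 ssh2
Mar  3 10:00:02 rtr-edge01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar  3 10:00:03 rtr-edge01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Mar  3 10:00:04 sw-core01 sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:05 sw-core01 sshd[1211]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Mar  3 10:00:06 fw-dmz01 kernel: ntpd[440]: synchronized to 10.0.0.1, stratum 2
Mar  3 10:00:07 sw-core01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:08 fw-dmz01 kernel: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""

# Illustrative pattern lists; a real deployment keeps these in a config file.
IGNORE = [re.compile(p) for p in (r"CRON\[\d+\]", r"ntpd\[\d+\]: synchronized")]
INTERESTING = [re.compile(p) for p in (
    r"Failed password",   # auth failures
    r"-[0-3]-",           # vendor-style severity 0..3 (e.g. %LINK-3-UPDOWN)
    r"CONFIG_I",          # configuration changes
    r"Accepted publickey" # successful logins are worth a line in the report too
)]

# BSD syslog line: "Mon DD HH:MM:SS host message..."
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def normalise(msg):
    """Strip the parts that differ between repeats of the same event."""
    msg = re.sub(r"\[\d+\]", "[pid]", msg)
    msg = re.sub(r"port \d+", "port N", msg)
    return msg


def filter_log(text, ignore=IGNORE, interesting=INTERESTING):
    """Return (hits, dropped). hits counts (host, normalised msg) pairs that
    matched an interesting pattern; dropped counts everything else."""
    hits = Counter()
    dropped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            dropped += 1          # unparseable line: not reported
            continue
        host, msg = m.group("host"), m.group("msg")
        # Ignore list wins first, so known noise never reaches the report.
        if any(p.search(msg) for p in ignore):
            dropped += 1
            continue
        if any(p.search(msg) for p in interesting):
            hits[(host, normalise(msg))] += 1
        else:
            dropped += 1
    return hits, dropped


def format_report(hits, dropped):
    """Plain-text report in the shape one would email: busiest events first."""
    rows = [f"{n:5d}  {host:<12} {msg}" for (host, msg), n in hits.most_common()]
    rows.append(f"({dropped} lines filtered out)")
    return "\n".join(rows)


if __name__ == "__main__":
    h, d = filter_log(SAMPLE_LOG)
    print(format_report(h, d))
```

Run every five minutes from cron over the lines added since the previous run (rather than the whole file) and piped to mail, this is the same idea as the script in the post; the normalisation step is what turns fifty identical brute-force lines into a single "50  sw-core01  Failed password ..." row.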

The basic point was that you need to supply your own solution for monitoring
syslog-ng logs, be it tail or logwatch or whatever - it doesn't come with its own.

Last year I found the time to code something similar in perl using
File::Tail; here is the outcome in case anyone is interested:
https://github.com/jkougoulos/9to5tail

Regards,
John
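The follow-the-file part that both scripts in this thread rely on (File::Tail in the Perl one, re-reading the log in the other), as an added Python example; it is neither 9to5tail nor sysgrep. The point it makes is the scaling one raised earlier: a poller that remembers its byte offset reads only what was appended since the last run, instead of grepping the whole file each time. The file contents and the rotation scenario in `demo()` are constructed for the example.

```python
import os
import tempfile


class OffsetTail:
    """Return the lines appended to a file since the previous poll.

    Meant to be driven by a scheduler (cron, a sleep loop) rather than a
    blocking read, so cost per poll is proportional to new data, not file size.
    """

    def __init__(self, path):
        self.path = path
        self.offset = 0
        self.pending = b""   # trailing partial line carried to the next poll

    def poll(self):
        lines = []
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return lines     # rotated away and not recreated yet; try again later
        if size < self.offset:
            # File truncated or replaced by a smaller one (copytruncate-style
            # rotation): start from the beginning. Caveat: if the new file has
            # already grown past the old offset, those first bytes are skipped.
            self.offset = 0
            self.pending = b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
            self.offset = fh.tell()
        data = self.pending + chunk
        parts = data.split(b"\n")
        # Last element is b"" after a clean newline, otherwise a partial line
        # that the writer has not finished yet; hold it rather than emit it.
        self.pending = parts.pop()
        lines.extend(p.decode("utf-8", "replace") for p in parts)
        return lines


def demo():
    """Constructed scenario: two lines, nothing new, a partial write completed
    later, then a truncate-and-rewrite as log rotation would do."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "net.log")
        with open(path, "wb") as fh:
            fh.write(b"Mar  3 10:00:01 rtr-edge01 first\nMar  3 10:00:02 rtr-edge01 second\n")
        t = OffsetTail(path)
        results.append(t.poll())            # both lines
        results.append(t.poll())            # nothing appended
        with open(path, "ab") as fh:
            fh.write(b"Mar  3 10:00:03 rtr-edge01 thi")   # writer mid-line
        results.append(t.poll())            # held back as pending
        with open(path, "ab") as fh:
            fh.write(b"rd\n")
        results.append(t.poll())            # the completed third line
        with open(path, "wb") as fh:        # truncate + rewrite (rotation)
            fh.write(b"Mar  3 10:05:00 rtr-edge01 after-rotate\n")
        results.append(t.poll())            # restarted from offset 0
    return results


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

The lines `poll()` returns are what the filtering step from earlier in the thread would run over. Persisting `offset` to disk between cron runs is the one addition needed to make this survive the process exiting; the partial-line handling matters because a syslog daemon can be mid-write exactly when the poll happens.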