Monday, November 4, 2013

Grep 'Server Error' from Logfile of Last Ten Minutes On Each 10 Minutes Run

www.unixbabuforum.inNeed to search a log file for a spedific error 'Server Error' 
I only want to check the log for the last 10 minutes (the log is continually logging) 
If 'Server Error ' is detected in the last 10 min, send an email with the line that has the error. 
If no ''Server Error ' then do nothing. this has to be done on every 10minutes.

www.unixbabuforum.inWrite a very small shell script (see below algorithm) 

1) keep number of lines /var/log/messages by "wc" command 
2) sleep 600 seconds 
3) compute new line numbers of /var/log/messages by "wc" command 
4) subtract new lines minus old one computed from step 1 
5) search your requested "STRING"by "tail -X" X is result of step 4 
go to step 1
www.unixbabuforum.inThe cost of finding all those dates is going to get worse and worse as the file gets bigger. It is much better to keep track of the lines you have already looked at already, either in a script variable or in a separate small file. 

If that is in a variable called OLD_LC, then you collect the new lines by: 

AWK=''' 
/Server Error/ { maybe some complex stuff goes here... } 
''' 

NEW_TEXT="$( tail -n "+$(( OLD_LC + 1 ))" "${LOG_FILE}" )" 

ADD_LC="$( echo "${NEW_TEXT}" | wc -l )" 

[[ ADD_LC -gt 0 ]] && { 
echo "${NEW_TEXT}" | awk "${AWK}" | mail .. whatever 



and finally: 

OLD_LC="$(( OLD_LC + ADD_LC ))" 

sleep 600 


You probably want to set up OLD_WC initially to the existing log size, otherwise your first read is going to read everything that is already there. 

If you want to be able to restart this, or run it every 10 minutes from crontab, then you need permanent store for OLD_WC (i.e. write and read a named file with the value). 

You might also want to keep track of the bytes in the file (from an ls command) to figure out what to do if log roll-over can happen. If the file got smaller suddenly, you probably need to start over. 

Personally, I don't like "every 10 minutes". Why not just put a: tail -f | awk "${AWK}"; on the logfile anyway.


0 comments:

Post a Comment

 
Design by BABU | Dedicated to grandfather | welcome to BABU-UNIX-FORUM