swatch with syslog-ng

Posted on 2008-11-12
Last Modified: 2013-11-17
I have a syslog-ng server (Linux) and swatch (AIX) on another server. How can I view both of them together? I have Cacti installed on the syslog-ng server, by which I can view syslog-ng messages. So any ideas...

If I can implement this, how can it be done?
Question by: jdenver247
    LVL 12

    Expert Comment

    I'm confused about what you're looking for. "syslog-ng" is a syslog server, swatch is a tool for realtime monitoring of event logs, and cacti is an SNMP poller. These are 3 different tools for different purposes. They can certainly be connected, but what exactly do you want the end result to be?
    LVL 68

    Expert Comment

    Forget about swatch, let the AIX syslog send its stuff to syslog-ng (you know how to do that?) and keep on using cacti.


    Author Comment

    I used the Cacti syslog plugin to actually poll all the syslog messages and this is working fine. Now I see that syslog messages can also be sent to swatch and viewed. I have tried this,
    but it was not quite useful... Any ideas?
    LVL 68

    Expert Comment

    Since I'm not familiar with swatch, I can't help you using it.
    But, as we know, one can concentrate all syslog messages at one host (namely your syslog-ng server).
    Why not let all the syslogs of your machines go to one file per host on syslog-ng and use swatch there to view those logfiles? (As I said, swatch is not my thing.)
    LVL 12

    Accepted Solution

    If all you want to do is concentrate your syslog events in one place, syslog on the AIX can be configured to forward messages to the Linux box (make sure you configure the syslog-ng server to accept messages from a network connection, and open up the port in the Linux firewall).

    If you like the Cacti plugin for displaying alerts. If you're interested in some more sophisticated logfile analysis, have a look at Splunk.

    If you want to incorporate the output from swatch into your logfile views, feed the output to a file and feed that in to Cacti with the "logger" command, which sends alerts to syslog. Use one of the other syslog facilities to keep the events separate.

    I've used swatch many times, but sometimes I need more sophisticated event analysis involving correlation, such as alarming only if a particular alert happens more than 10 times in 60 seconds. For that I've used SEC (Simple Event Correlation), labelling the event source as "synthetic" and feeding the results back into syslog via the logger command.
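The receiving side of the accepted solution (a syslog-ng server that accepts messages from the network, one file per sending host as suggested earlier in the thread, and a separate facility for alerts re-injected with logger) as a syslog-ng configuration fragment. This is an added example, not configuration posted by anyone in the thread or shipped by the syslog-ng project. The UDP/514 transport, the /var/log/hosts tree, the choice of local3 for synthetic alerts and the AIX address 192.0.2.10 are assumptions; the AIX syslog.conf line and the firewall rule are shown as comments.

```conf
# syslog-ng.conf fragment (added example; not from the thread or the syslog-ng
# project). Assumed: UDP/514 transport, /var/log/hosts tree, facility local3
# reserved for alerts, AIX host at 192.0.2.10 (constructed address).
options { keep_hostname(yes); create_dirs(yes); };

source s_local { internal(); unix-dgram("/dev/log"); };

# Network listener for the AIX syslogd. On the AIX side /etc/syslog.conf gets
# a line such as      *.info    @syslog-ng.example.com
# followed by "refresh -s syslogd" to reload it. On the Linux box open the
# port only to that sender, e.g.
#   iptables -I INPUT -p udp --dport 514 -s 192.0.2.10 -j ACCEPT
source s_net { udp(ip(0.0.0.0) port(514)); };

# One file per sending host, as suggested in the thread. $HOST is the
# hostname carried in the received message (keep_hostname above).
destination d_per_host { file("/var/log/hosts/$HOST/messages" perm(0640)); };

# Alerts re-injected by swatch or SEC with
#   logger -p local3.warning -t synthetic "..."
# are kept apart from the raw events they were derived from.
filter f_synthetic     { facility(local3); };
filter f_not_synthetic { not facility(local3); };
destination d_synthetic { file("/var/log/synthetic-alerts.log" perm(0640)); };

log { source(s_net); source(s_local); filter(f_not_synthetic); destination(d_per_host); };
log { source(s_local); filter(f_synthetic); destination(d_synthetic); };
```

Keeping the synthetic alerts on their own facility is what lets swatch or SEC re-read the raw per-host files without ever matching its own output, which would otherwise loop.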

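The correlation the accepted solution describes ("alarm only if a particular alert happens more than 10 times in 60 seconds") with the alert handed back to syslog through logger on a separate facility, written out as a small POSIX shell script. It is an added example, not code from the thread, from swatch or from SEC. The input format is a constructed simplification ("EPOCH HOST PROGRAM MESSAGE..."; real syslog files carry "Mon DD HH:MM:SS" timestamps and would need converting first), the sample lines are constructed, and the facility local3 and the tag "synthetic" are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): threshold correlation over syslog
# lines in the spirit of SEC, with each resulting alert handed back to syslog
# on a separate facility via logger(1), as the accepted answer describes.
# Input format is a constructed simplification: "EPOCH HOST PROGRAM MESSAGE..."

THRESHOLD=${THRESHOLD:-10}      # alert when MORE than this many matches ...
WINDOW=${WINDOW:-60}            # ... fall inside this many seconds
PATTERN=${PATTERN:-'Failed password'}
FACILITY=${FACILITY:-local3}    # assumed free facility, filed apart by syslog-ng

# correlate: stdin -> one alert line per (host,program) whose count of PATTERN
# lines exceeds THRESHOLD inside any WINDOW-second span. A sliding window of
# timestamps is kept per key in awk arrays; a key alerts only once, so a burst
# of failures does not turn into a burst of alerts.
correlate() {
    awk -v thr="$THRESHOLD" -v win="$WINDOW" -v pat="$PATTERN" '
    $0 ~ pat {
        key = $2 ":" $3
        n[key]++
        t[key, n[key]] = $1 + 0
        # discard timestamps older than WINDOW seconds relative to this line
        while (head[key] < n[key] && t[key, head[key] + 1] < $1 - win)
            head[key]++
        live = n[key] - head[key]
        if (live > thr && !fired[key]) {
            fired[key] = 1
            printf "%s: %d \"%s\" events within %ds (first at %s)\n", key, live, pat, win, t[key, head[key] + 1]
        }
    }'
}

# send_alerts: stdin alert lines -> syslog via logger at $FACILITY.warning,
# tagged "synthetic" like the SEC setup in the answer; prints the line instead
# when logger is not available (for example on a build host).
send_alerts() {
    while IFS= read -r line; do
        if command -v logger >/dev/null 2>&1; then
            logger -p "$FACILITY.warning" -t synthetic "$line"
        else
            printf '%s.warning synthetic: %s\n' "$FACILITY" "$line"
        fi
    done
}

# sample_lines: constructed input. aix01 logs 11 failures within 10 seconds
# (must alert); aix02 logs 11 failures 100 s apart (must stay quiet); one cron
# line does not match PATTERN at all.
sample_lines() {
    i=0
    while [ "$i" -lt 11 ]; do
        echo "$((1000 + i)) aix01 sshd Failed password for root from 10.0.0.5"
        echo "$((1000 + i * 100)) aix02 sshd Failed password for root from 10.0.0.9"
        i=$((i + 1))
    done
    echo "1005 aix01 cron (root) CMD (run-parts /etc/cron.hourly)"
}

# Run the pipeline only when asked, so the functions can also be sourced:
#   sh correlate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_lines | correlate | send_alerts
fi
```

Run against a real per-host file the pipeline becomes `tail -F /var/log/hosts/aix01/messages | <timestamp conversion> | correlate | send_alerts`; because the alert leaves on local3 and the raw events arrive on other facilities, the correlator never re-reads its own output.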