6.2 What Oak Can Help You Do

Oak examines a message log in syslog format and allows you to:

  • Ignore unimportant messages

  • Condense redundant information

  • Produce reports of important messages

  • Notify operators immediately of critical messages

Note that the term "syslog format" is a bit misleading. There is no standard format for the printed syslog messages themselves, only for the mechanism that transports them between machines. However, printed syslog messages are typically in one of a small number of formats, and Oak takes measures to correctly interpret the format of each message.

The Oak configuration file specifies which messages are important to you and how you wish to be notified when they are received. For example, at MIT, we have Oak configured to send a daily report in email, an hourly report in an instant message [1] to the operational group, and an immediate instant message to the operational group if a critical problem is detected. One of the hourly messages might look like this:

[1] Instant message here simply refers to a text message that is sent directly to the users; it is not delayed as email can be. At MIT, we use the Zephyr protocol and applications for this purpose.

    Hourly message log

    SERVER1.EXAMPLE.COM:
       2: login: ROOT LOGIN console
       1: syslogd: going down on signal 15
       1: saslauthd[___]: Caught signal 15. Cleaning up $
       1: genunix: syncing file systems...
       1: genunix:  done
       1: genunix: ^MSunOS Release 5.9 Version Generic 64-bit
       1: genunix: Copyright 1983-2002 Sun Microsystems,$
       1: Use is subject to license terms.
       ** Too many messages found for host, truncating **

    ROUTER.EXAMPLE.COM:
       6: ___:___ %LINEPROTO-5-UPDOWN: \
          Line protocol on Interface Ethernet9/4, change$
       5: ___:___ %LINEPROTO-5-UPDOWN: \
          Line protocol on Interface Ethernet9/4, change$
       2: ___:___ %LINEPROTO-5-UPDOWN: \
          Line protocol on Interface Ethernet9/2, change$
       1: ___:___ %LINEPROTO-5-UPDOWN: \
          Line protocol on Interface Ethernet9/2, change$

    SERVER2.EXAMPLE.COM:
       9: named[___]: poll: Invalid argument

    SERVER3.EXMPLE.COM:
       11: sshd[___]: ROOT LOGIN as 'root' from CLIENT.EXAMPLE.COM

    ** Message longer than 25 lines, message has been truncated **

The number to the left of each message indicates how many copies of the message were received. Note that in several places, Oak has replaced text with a series of underscores. These are examples of Oak's finding and removing information that may be redundant or unnecessary for reporting. If Oak did not remove the pieces of information to the left of the LINEPROTO-5-UPDOWN messages, each one would be reported on a line of its own. This would increase the size of your report and make it more difficult to understand.

Also notice that Oak truncates the message, both when there are too many messages for a particular host and when the message itself is too long. These are parameters set in the configuration file, and they can be set differently for different reports. The previous example was an instant message and as such was restricted to a relatively small amount of space. The daily email, however, is allowed to use many more lines.

A time-critical message might look like this:

    **** CRITICAL MESSAGE LOG ****

    SERVER4.EXAMPLE.COM:
       ufs: NOTICE: alloc : /var: file system full

Here we see a server with a full filesystem, which should be reported to an administrator right away.


Open Source Network Administration
Year: 2002