LISA 2000 Abstract

Extending UNIX System Logging with SHARP

Matthew Bing and Carl Erickson, Grand Valley State University

Abstract

System messages in a UNIX system are handled by syslog. The responsibilities of syslog are to filter and disperse program generated messages based on a priority code contained in each message. Filtering with priority codes is not sufficient to generate enough usable information for the system administrator. Utilities which do regular expression parsing of syslog messages typically do not run continuously and thus are limited by a lack of state in detecting potentially important patterns in syslog messages.

SHARP (Syslog Heuristic Analysis and Response Program) improves the monitoring of systems by extending the existing syslog infrastructure with programmable modules. These modules use a library with a simple API to perform near real time analysis based on the messages they register to receive. System administrators can use SHARP to improve the services provided by their systems without the need for constant manual evaluation of message logs. The SHARP system and several modules were tested in a higher education production environment during the spring of 2000. Experience with SHARP indicates that it is stable, reliable, and improves the overall operation of a laboratory while not significantly increasing the workload on the system administrator.
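The abstract's point is that modules which register for messages and keep state can catch patterns a stateless priority filter cannot. The following is an added illustration of that idea, not SHARP's own code or API: a tiny dispatcher routes parsed lines to registered modules, and one module keeps per-source state to flag a burst of SSH password failures. The line format "<epoch> <host> <program>[pid]: <text>", the `Dispatcher`/`AuthFailureModule` names and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Simplified line format "<epoch> <host> <program>[pid]: <text>" (an assumption).
LINE_RE = re.compile(r"^(\d+) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    return int(m.group(1)), m.group(2), m.group(3), m.group(4)

class Dispatcher:
    """Routes each parsed event to the modules registered for its program name."""
    def __init__(self):
        self._modules = defaultdict(list)
    def register(self, program, handler):
        self._modules[program].append(handler)
    def feed(self, event):
        for handler in self._modules.get(event[2], []):
            handler(event)

class AuthFailureModule:
    """Keeps per-source state: alert after `limit` failures within `window` seconds."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # source address -> recent failure timestamps
        self.alerts = []
    def __call__(self, event):
        ts, _host, _prog, text = event
        m = re.search(r"Failed password for \S+ from (\S+)", text)
        if not m:
            return
        q = self._hits[m.group(1)]
        q.append(ts)
        while ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.alerts.append(f"{m.group(1)}: {len(q)} failures in {self.window}s")
            q.clear()  # one alert per burst, then start counting again

SAMPLE_LOG = [  # constructed lines, not real log data
    "100 lab1 sshd[201]: Failed password for root from 10.0.0.5 port 40001",
    "110 lab1 sshd[202]: Failed password for root from 10.0.0.5 port 40002",
    "115 lab1 cron[7]: (root) CMD (run-parts /etc/cron.hourly)",
    "120 lab1 sshd[203]: Failed password for admin from 10.0.0.5 port 40003",
    "500 lab1 sshd[204]: Failed password for root from 10.0.0.9 port 40010",
]

def run(lines, limit=3, window=60):
    dispatcher, module = Dispatcher(), AuthFailureModule(limit, window)
    dispatcher.register("sshd", module)  # only sshd messages reach this module
    for line in lines:
        dispatcher.feed(parse(line))
    return module.alerts
```

A one-shot grep over the same five lines would have to be re-run with its own bookkeeping to notice that three failures from one source fell inside a single minute; the module sees it as the lines arrive.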


Last changed: 16 Jan. 2002 ml