June 9, 2004

SysAdmin to SysAdmin: Using Jabber as a log monitor

Author: Brian Jones

Jabber, the streaming XML technology mainly used for instant messaging, is well-suited to its most common task. However, Jabber is a far more generic tool. It's not a chat server per se, but rather a complete XML routing framework. This has some pretty far-reaching implications.

Technically speaking, Jabber can act as a router
for anything that can be represented in or with XML. Since it's mostly used for
online messaging, and since clients for Linux are readily available (GAIM, for
example, is a Jabber client, there are many, many more), I'll focus here on
ways to use Jabber to send informational system messages to a Jabber client (or

Say hello to jann

Some time ago, I came across a simple Perl script called jann that takes input from
stdin via a simple config file or command line arguments and sends it to
everyone logged into the Jabber server you name. If you want to announce
that the Jabber server is going down, for example, you'd just run this command
on the Jabber server before issuing your shutdown or
reboot command:

[jonesy@newhotness jonesy]$ jann "The Jabber server will be going down in 5 minutes."

Jann's code is extremely simple. It uses the Net::Jabber Perl module, which
makes doing all of this so easy and well-documented
that even I, a self-proclaimed Perl dilettante, was able to hack together a
script to read messages from a simple FIFO named pipe. With that done, just
configure your syslog.conf to send whatever is most important to the queue in
question, and you're pretty much in business! Let's go over this a bit more

Novice hack: jann-log

You can grab the script
that resulted from my hack from my Web site. Read the comments at the top of
the script and you'll see you need a config file to tell the jann-log script
where to send the messages, and you'll want to provide some credentials to use
to do so. A simple ".jann" file sits in your home directory and looks something
like this:

server  localhost:5222
user    jonesy
pass    myPass

You'll also need to tell the jann-log script where to read messages from.
This being a hack, I've hardcoded it into the script. Search for "fifo" in the
script and you'll see the path I used, which you can change.

Once jann-log is in your PATH and you have your .jann file configured, you
have to create a FIFO to give something for your syslog server to send messages
to (and your jann-log something to listen to!). To create a FIFO, use the
mkfifo command, passing it the full path of the FIFO you want
created: mkfifo /tmp/fifo, for example.

Now you just need to tell syslog to send some stuff to this FIFO. Open your
/etc/syslog.conf file, and add a line similar to this:

*.info;mail.none;authpriv.none;cron.none |/tmp/fifo

In this case, I just copied another line in my syslog.conf file that sends
these messages to /var/log/messages. Now the messages will still go to
/var/log/messages, but will also be sent via Jabber to my desktop client. Don't
forget to send a SIGHUP to your syslogd process to pick up the configuration
change. Find its process ID, and kill -HUP <pid>.

Now you're ready to start things up. Fire up jann-log, and fire up a Jabber
client on your desktop, logged in to the account on the Jabber server that your
messages are being sent to. You should begin to see messages pop up in the
chat window. If you don't, well, no news is good news! If you want to do a
quick test, try to su to root on
the server where jann-log is running. This activity gets logged on most Unix
systems I've seen.


My script is just a hack, intended to
illustrate that Jabber is not just a chat server and should not be treated as
such, as it's infinitely more useful than that. In its current form, this
script is not extremely useful for anything but monitoring your local machine's
messages file. However, it probably wouldn't take much to make it more robust.
If you ran it on a centralized log host, it would get more useful rather
quickly. Also, this script currently sends its messages to everyone currently
logged in to the Jabber server. This is probably a serious security/privacy
concern in most environments. Ideally, you'd have to subscribe to messages as a
service. Even better, it would be great if you could actually specify a set of
regex statements to filter on, so you could get only "inetd" messages from
"hishost," and so on.

There are other Jabber-related tools out there I'm thinking about hacking
to make jann-log a more complete solution for more distributed administrative
environments. One to have a look at is JAnchor, which polls RSS feeds and
routes the headlines through Jabber to whichever clients are subscribed to the
RSS feed in question via the Jabber server. The client is presented with links
to the stories, and if they look interesting, the user clicks on the links to go to the Web site of the publisher to read the rest. The nice thing about
this model is that it saves webmasters from having 30,000 hits to the RSS page
per day from what looks like a single machine. Meanwhile, it's actually an
entire department made available behind one IP address via network address translation.

JAnchor would be a great model for the jann-log application of the future,
because you could create subcategories based on the services logging to syslog,
so an admin who deals primarily with LDAP could listen for just LDAP messages, while an admin who deals with Apache could listen for
just httpd messages. If anyone gets around to hacking all of this before
me, let me know!

Click Here!