horgh / logaudit

Log file collation/summary tool

logaudit

logaudit is a tool for gathering and analyzing log files. I intend it for logs such as those in GNU/Linux systems under /var/log.

I have a few machines and I want to keep an eye on the logs. One problem is that there are many log messages I don't care about. Another is that it is time consuming to look at logs on each host.

I hope this makes monitoring the logs more efficient for me.

How it works

logaudit runs on each host where you want to monitor logs. Typically it runs from cron. It reads logs from /var/log, filters them, and publishes lines of interest to a GCP Pub/Sub topic. I use emailpub to email me this summary.

Setup

Create a service account and allow it to publish to GCP Pub/Sub. If necessary, copy the key to the host.

Create a config and copy it to the host.

Add logaudit to root's cron:

21 6 * * * GOOGLE_APPLICATION_CREDENTIALS=service-account.json /path/to/logaudit -config /path/to/logaudit.conf -email you@example.com -project-id myproject -state-file /path/to/logaudit.state -topic mytopic 2>&1 | logger

Note GOOGLE_APPLICATION_CREDENTIALS only needs to be set if you're using a key from a file.
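
One way to do the service account step with least privilege, as an added example that is not part of the logaudit project: the account gets the publisher role on the one topic only, not on the whole project. The service account name `logaudit` and the function names are assumptions, `myproject`, `mytopic` and `service-account.json` are the placeholders from the cron line above, and it assumes publishing is the only permission logaudit needs.

```shell
#!/bin/sh
# Added example (not from the logaudit repository).
# Creates a publish-only service account for one Pub/Sub topic.
set -eu

# Set GCLOUD=echo to print the commands instead of running them (dry run).
GCLOUD="${GCLOUD:-gcloud}"

# sa_email NAME PROJECT -> e-mail address of the service account
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# setup_publisher PROJECT TOPIC SA_NAME KEYFILE
setup_publisher() {
  project=$1
  topic=$2
  sa=$3
  keyfile=$4
  email=$(sa_email "$sa" "$project")

  # 1. Dedicated identity, used for nothing else.
  $GCLOUD iam service-accounts create "$sa" \
    --project="$project" --display-name="logaudit publisher"

  # 2. Bind the publisher role on the topic itself, so the key cannot
  #    publish to other topics or read subscriptions in the project.
  $GCLOUD pubsub topics add-iam-policy-binding "$topic" \
    --project="$project" \
    --member="serviceAccount:$email" \
    --role=roles/pubsub.publisher

  # 3. Key file, only if the host cannot use ambient credentials.
  #    umask 077 keeps the new file unreadable by other local users.
  ( umask 077
    $GCLOUD iam service-accounts keys create "$keyfile" \
      --project="$project" --iam-account="$email" )
}

# Example: ./setup.sh myproject mytopic logaudit service-account.json
if [ "$#" -eq 4 ]; then
  setup_publisher "$@"
fi
```

Since the cron entry runs as root, the key file on the host can be owned by root with mode 0600.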

About

License: GNU General Public License v3.0


Languages

Language: Go 100.0%