Re: solaris 251 & syslogd

[helm () fionn es net (Michael Helm)]

Dave Kinchlea writes:
>         Assuming you have some real-time monitoring of syslog output, all
> you need to do is adjust the monitoring so that you expect to see *some*

This is good advice.  But....

I guess this is more of a "RISK" albeit a small one rather than a
security issue or BUGTRAQ-worthy bug, but most syslog monitors,
most monitors of every kind, look for events --
not non-events.  I'm not sure how I could get swatch to look
for the absence of mark messages.  I'm sure we could all think
of other circumstances when we'd like to know when something
wasn't happening, but the facility to do so wasn't there
(the mail hub stops accepting mail, the terminal server
stops accepting connections &c).  Something to think about
when designing a system.