Another couple of options:
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/ActionOnLog.html
Perl script that runs as a daemon to watch a log file (like tail in the background), and runs a command when a certain message is found. Smart enough to keep working when log files get rotated, etc. Very handy when you need to run a command to start gathering debugging data or recover from failure that is indicated by a log message.
ringdump.pl (attached)
start of config section for the script:
#!/usr/bin/perl
# VERSION v0.9b
use strict;

# tcpdump settings
my %SETTINGS = (
    external => { filter => "port 443" },
    internal => { filter => "port 80" },
    lo0      => { filter => "port 80" },
);
my $SNAPLEN = 4352;

# script settings
# free space checking
my $FREE_SPACE_CHECK_INTERVAL = 1;  # check free space every this number of seconds
my $MIN_FREE_SPACE = 5;             # minimum percent space left on partition
my $CAPTURE_LOCATION = $ARGV[0];

# file rotation settings
my $CAPTURES_TO_ROTATE = 4;         # tcpdump capture files to rotate
my $DESIRED_CAPTURE_SIZE = 15;      # megabytes per capture file before rotating
my $OVERLAP_DURING_ROTATE = 5;      # seconds to overlap previous capture while starting a new one
my $CAPTURE_CHECK_INTERVAL = 1;     # how often (seconds) to check the size of capture files for rotating

# trigger settings - time (run tcpdumps for x seconds)
# commented out so $TRIGGER is declared only once; the log-message trigger below is the active one
#my $TRIGGER = "time-based";
my $TIME_TO_CAPTURE = 300;

# trigger settings - log-message (stop tcpdump when log message is received)
my $TRIGGER = "log-message based";
my $LOG_FILE = "/var/log/messages";
my $LOG_MESSAGE = "no space in response line";
my $FOUND_MESSAGE_WAIT = 5;         # how many seconds to gather tcpdumps after we match the log message

# misc
my $IDLE_TIMER = 5;                 # if ! receiving log entries, how long before checking if log is rotated
my $MAX_ROTATED_LINES = 10000;      # max lines to read from file we're re-reading because it's been rotated
my $PID_FILE = "/var/run/ring_dump.pid";
my $DEBUG = 0;                      # 0/1
Aaron
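Added example, not part of the original post and not code from either script: a Python sketch of the rotation-aware log watching described above, reusing the trigger string and the re-read cap from the config. The class, function names and sample log lines are constructed for illustration; the inode/size check is one common way to detect rotation and is an assumption about the approach, not ringdump.pl's actual logic.

```python
import os
import tempfile

LOG_MESSAGE = "no space in response line"   # trigger string from the config above

class RotationAwareTail:
    """Follow a log by path; reopen it when it is rotated or truncated."""
    def __init__(self, path, max_rotated_lines=10000):
        self.path, self.max_rotated_lines = path, max_rotated_lines
        self.fh = open(path, "rb")
        self.fh.seek(0, os.SEEK_END)               # like tail -f: skip old entries
        self.inode = os.fstat(self.fh.fileno()).st_ino

    def _rotated(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:                  # renamed away, not recreated yet
            return False
        return st.st_ino != self.inode or st.st_size < self.fh.tell()

    def poll(self):
        """Return lines appended since the last call, including across a rotation."""
        lines = self.fh.readlines()                # drain the old file first
        if self._rotated():
            self.fh.close()
            self.fh = open(self.path, "rb")
            self.inode = os.fstat(self.fh.fileno()).st_ino
            lines += self.fh.readlines()[: self.max_rotated_lines]
        return [ln.decode("utf-8", "replace").rstrip("\n") for ln in lines]

def matches(tail, message=LOG_MESSAGE):
    """New lines containing the trigger. React with a fixed argv (no shell):
    log text can be influenced by remote clients and must not reach a command line."""
    return [ln for ln in tail.poll() if message in ln]

def put(path, text, mode="a"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed sample log: one hit before rotation, one after."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        put(log, "old entry: no space in response line\n", "w")
        tail = RotationAwareTail(log)
        put(log, "sample: no space in response line (1)\n")
        first = matches(tail)
        os.rename(log, log + ".1")                 # what logrotate does
        put(log, "boot\nsample: no space in response line (2)\n", "w")
        return first, matches(tail)
```

In a daemon, `matches()` would be called in a loop with a sleep between polls, and the entry written before the watcher started is deliberately not reported.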