corey_s Apprentice
Joined: 29 Jun 2003 Posts: 264
Posted: Sun Apr 10, 2005 4:06 am Post subject: log analyzers?
I'm trying to set up a system which will fire off a script when remote ftp & sftp connections quit/conclude.
I've not been successful in locating an option such as a .logout or .bash_logout functional equivalent with ftp/sftp, so I figure perhaps another solution would be to use some sort of log analyzer that is able to execute arbitrary command(s) when it sees a particular syslog entry that it has been configured to parse for.
Anyone have any suggestions?
Thanks!
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sun Apr 10, 2005 10:39 am
Hi,
maybe these can help:
Code:

```
*  app-admin/logwatch
      Latest version available: 4.3.2
      Size of downloaded files: 56 kB
      Homepage:    http://www.logwatch.org/
      Description: Analyzes and Reports on system logs
      License:     MIT

*  app-admin/tenshi
      Latest version available: 0.3.3
      Size of downloaded files: 21 kB
      Homepage:    http://tenshi.gentoo.org
      Description: Log parsing and notification program
      License:     GPL-2

*  app-admin/yaala
      Latest version available: 0.6.3
      Size of downloaded files: 34 kB
      Homepage:    http://yaala.org/
      Description: Yet Another Log Analyzer
      License:     GPL-2
```
HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
mxc Guru
Joined: 05 Mar 2003 Posts: 442 Location: South Africa
Posted: Thu Apr 14, 2005 8:12 am
Does anyone have suggestions on a log file monitor that will monitor the file in real time and take action when critical events occur? It would be great if this could be integrated into nagios.
_________________
http://www.CyberDesigns.co.za
http://www.Jumpingbean.co.za
corey_s Apprentice
Joined: 29 Jun 2003 Posts: 264
Posted: Thu Apr 14, 2005 6:36 pm
I will check out metalog a little further ( the other suggestions weren't a fit unfortunately ), although I believe I've found the hot ticket: logfmon.
Not in portage ( maybe I'll make an ebuild ), but check it out:
"Logfmon monitors a set of log files and processes messages based on a set of regexps. When a message matches, a command may be executed or the message may be ignored."
http://sourceforge.net/projects/logfmon/
http://logfmon.sourceforge.net/
I haven't actually tested it yet, but it appears to be exactly what mxc and myself are looking for.
I'll post back within a day to confirm.
Beers!
sgtrock Tux's lil' helper
Joined: 21 Feb 2003 Posts: 87
Posted: Wed Jun 15, 2005 6:15 pm
Did logfmon do the job for you?
mxc Guru
Joined: 05 Mar 2003 Posts: 442 Location: South Africa
Posted: Fri Jun 17, 2005 5:11 am
tenshi - from gentoo does a good job - except for the fact that you need to reset permissions on /var/log/messages every time you reboot to allow the tenshi user read permissions. Only the root user has read permission by default and this gets reset every reboot.
_________________
http://www.CyberDesigns.co.za
http://www.Jumpingbean.co.za
corey_s Apprentice
Joined: 29 Jun 2003 Posts: 264
Posted: Fri Jun 17, 2005 5:19 am
> sgtrock wrote: Did logfmon do the job for you?
Nope, I didn't like it...
It just didn't quite fit what I was trying to do: simply execute an arbitrary program/task/script upon parsing a particular line/entry/event in a log file. Logfmon wanted to generate an alert email and/or do something for every log entry that _was_not_ specifically ignored... very annoying, and a little bit "backwards" if you ask me. ( would have been better to ignore everything by default, and configure it to look for specific entries that you wanted to be acted upon. )
I could have probably gotten it to work with some fiddling, but instead I ended up just writing a daemon in perl that did exactly what I wanted.
( But I just saw the post by mxc about tenshi - I think I'll give it a whirl and try it out )
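The ignore-by-default, act-on-match daemon corey_s describes, as an added example in Python (not the perl daemon from the thread, nor code from logfmon, tenshi or SEC); the two log line formats, the handler path /usr/local/bin/on-logout.sh and the sample lines are assumptions constructed for the example:

```python
import re
import subprocess
import time

# Only lines matching a rule trigger an action; all else is ignored. Formats are constructed.
RULES = [
    (re.compile(r"sshd\[\d+\]: pam_unix\(sshd:session\): session closed for user (\S+)"), "sftp"),
    (re.compile(r"ftpd\[\d+\]: FTP session closed for user (\S+)"), "ftp"),
]
HANDLER = "/usr/local/bin/on-logout.sh"  # hypothetical script to fire

SAMPLE_LINES = [  # constructed syslog-style samples; the third one is noise
    "Apr 10 04:05:12 host sshd[1234]: pam_unix(sshd:session): session closed for user alice",
    "Apr 10 04:05:13 host ftpd[2345]: FTP session closed for user bob;id",
    "Apr 10 04:05:14 host CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

def command_for(line):
    """Return the handler argv for a matching line, or None to ignore it.
    The user name is its own argv element, never spliced into a shell string,
    so log content like 'bob;id' arrives as one literal argument."""
    for regex, service in RULES:
        m = regex.search(line)
        if m:
            return [HANDLER, service, m.group(1)]
    return None

def process_lines(lines, runner=None):
    """Apply the rules to each line; return the argv lists dispatched."""
    dispatched = []
    for line in lines:
        argv = command_for(line.rstrip("\n"))
        if argv is None:
            continue  # unmatched lines produce no action at all
        dispatched.append(argv)
        if runner is not None:
            runner(argv)
    return dispatched

def follow(path, runner=subprocess.run, poll=0.5):
    """Tail a log like 'tail -f' (no rotation handling) and dispatch.
    subprocess.run gets a list, so shell=False: metacharacters stay inert."""
    with open(path, errors="replace") as fh:
        fh.seek(0, 2)  # start at the end: react only to new entries
        while True:
            line = fh.readline()
            if line:
                process_lines([line], runner)
            else:
                time.sleep(poll)
```

Run as `follow("/var/log/messages")` from a process that can read the file; the daemon user needs read access to the log, which is the permission issue raised later in the thread.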
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Fri Jun 17, 2005 9:50 am
did you already try net-analyzer/sec?
> SEC description wrote: SEC is an open source and platform independent event correlation tool that was designed to fill the gap between commercial event correlation systems and homegrown solutions that usually comprise a few simple shell scripts. SEC accepts input from regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream.

> SEC featurelist wrote:
> among many other options it can...
> * match input event and execute an action list.
> * match input event and execute an action list, if an external script or program returns a certain exit value.
HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
corey_s Apprentice
Joined: 29 Jun 2003 Posts: 264
Posted: Fri Jun 17, 2005 6:22 pm
> Think4UrS11 wrote: did you already try net-analyzer/sec?
Killer - after reading through the docs, this looks like the hot ticket; exactly what I was looking for. ( Looks like I'll probably just scrap the perl daemon I was working on... )
It may be a bit overkill for the specific single and simple requirement that I have, but at least it has the exact feature I'm in need of.
( tenshi didn't work out either... more of a log analyzer that emailed alerts, rather than an event processor that could execute arbitrary scripts. )
Thanks a ton Think4UrS11 - this looks like a really useful tool!
Beers!
Corey
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Fri Jun 17, 2005 6:45 pm
Glad to be helpful.
As soon as someone understands the concept behind it, it's the best thing since the invention of sliced bread.
Personally I'm not too far from unmerging logwatch/tenshi and alike and using sec only for all kinds of log checking.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
abt72 n00b
Joined: 04 Apr 2003 Posts: 44
Posted: Wed Jun 22, 2005 10:57 am
@mxc
you can change the file permissions for /var/log/messages in /etc/syslog-ng/syslog-ng.conf, so you don't have to change them manually after each reboot.
abt72