[plug] /newbie - extracting info from log files
Earnshaw, Mike
earnshawm at wa.switch.aust.com
Tue May 30 09:31:32 WST 2000
List,
At the moment I monitor the log files manually and send any e-mails off
if we have been probed as per the thoughtful info from AusCERT the other
day. I know this is not the way to do it, but my skills are not good
enough to do otherwise.
I would like to approach this as a learning exercise rather than get an
answer handed to me. Could someone please point me in the right direction on how to:
1. Scan log files automatically to extract certain info, say the IP
number.
2. Lookup that IP number to get the SOA
3. Send the appropriate e-mail
I see problems with:
1. The format of the log file. Will the info always be in the same
place?
2. What if the lookup fails?
3. How would I ensure that an IP address from one line matches up to
the appropriate date and time? It would be embarrassing to send an
incorrect e-mail.
Below is a sample of the netsaint-generated log files I monitor:
----sample
May 30 07:43:27 usswa kernel: Packet log: input DENY ppp0 PROTO=1
203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42529 F=0x0000 T=20 (#40)
May 30 07:43:28 usswa kernel: Packet log: input DENY ppp0 PROTO=1
203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42785 F=0x0000 T=20 (#40)
----end sample
I assume I will be using grep, but (as previous posts show) I am still
very new to this.
Any pointers greatly appreciated.
MTIA
----
Mike Earnshaw, Computer Systems Support
"It don't mean a thing if you cain't get that Ping...." (Duke Ellington, 1932)
e-mail in header | Tel: +61 8 9256 1099 | Fax: +61 8 9256 1199
Union Switch & Signal, 24 Bannick Court, Canning Vale, WA 6155, Australia
----
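The three steps asked about above (pull the IP out of the DENY lines, look up the SOA, decide whether an e-mail goes out), worked through as an added shell example that is not part of the original post. It assumes the ipchains "Packet log" line layout shown in the sample, with each syslog entry on a single line as the kernel writes it (the two-line wrapping in the post is e-mail width, not the file format), and it assumes dig(1) for the live lookup. The sample log, the extra 10.0.0.7 entry, the unrelated named line and the LIVE_LOOKUP switch are all constructed for the example. It goes a little beyond the post by grouping hits per source address, so one notice can quote every time that address was logged instead of one notice per line.

```shell
#!/bin/sh
# Added example (not from the original post): parse ipchains "Packet log"
# DENY entries, take the timestamp and the source IP from the SAME line so
# they can never be mismatched, summarise hits per address, and only then
# attempt an SOA lookup that refuses to hand anything to the e-mail step
# when it fails.

# Constructed sample: the two entries from the post, each on one line as
# syslog writes them, plus a third address and an unrelated line.
SAMPLE_LOG='May 30 07:43:27 usswa kernel: Packet log: input DENY ppp0 PROTO=1 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42529 F=0x0000 T=20 (#40)
May 30 07:43:28 usswa kernel: Packet log: input DENY ppp0 PROTO=1 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42785 F=0x0000 T=20 (#40)
May 30 07:50:01 usswa kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.7:1234 139.130.81.81:23 L=44 S=0x00 I=1 F=0x0000 T=64 (#12)
May 30 07:51:00 usswa named[123]: something unrelated'

# extract_denies: read syslog lines on stdin, print "Mon DD HH:MM:SS src_ip"
# for each "Packet log: ... DENY" entry. The source is found as the token
# after PROTO=n (then the :port is stripped), not by column position, so a
# longer hostname or extra text does not break it. Non-matching lines are
# ignored rather than mis-parsed.
extract_denies() {
    awk '
        /kernel: Packet log:/ && / DENY / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) {
                    src = $(i + 1); sub(/:[0-9]+$/, "", src)
                    print $1, $2, $3, src
                    break
                }
            }
        }'
}

# summarise_hits: group extract_denies output by source IP and print
# "ip count first_seen last_seen", one line per address.
summarise_hits() {
    awk '{
        ts = $1 " " $2 " " $3
        if (!($4 in n)) first[$4] = ts
        n[$4]++; last[$4] = ts
    }
    END { for (ip in n) print ip, n[ip], first[ip], last[ip] }' | sort
}

# lookup_soa: query the in-addr.arpa name for IP with dig; whichever of the
# answer or authority section carries the SOA of the closest enclosing
# reverse zone is printed as "zone primary-ns contact". Needs the network.
# Returns non-zero and prints nothing on stdout when dig is missing or no
# SOA comes back, so the caller skips the e-mail instead of guessing.
lookup_soa() {
    ip=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    rev=$(echo "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }')
    soa=$(dig +noall +answer +authority SOA "$rev" 2>/dev/null \
          | awk '$4 == "SOA" { print $1, $5, $6; exit }')
    [ -n "$soa" ] || { echo "no SOA found for $ip ($rev)" >&2; return 1; }
    echo "$soa"
}

# Offline part: always runs, shows what would be reported per address.
echo "$SAMPLE_LOG" | extract_denies | summarise_hits

# Live part: only when LIVE_LOOKUP=1 (constructed switch), because it needs
# DNS. Each address gets its SOA looked up; a failed lookup is logged to
# stderr and that address is skipped, which is the "what if the lookup
# fails?" answer: nothing is sent.
if [ "${LIVE_LOOKUP:-0}" = "1" ]; then
    echo "$SAMPLE_LOG" | extract_denies | summarise_hits |
    while read -r ip count first last; do
        if soa=$(lookup_soa "$ip"); then
            echo "$ip: $count hits between $first and $last; SOA: $soa"
        else
            echo "skipping $ip: lookup failed" >&2
        fi
    done
fi
```

Run it as `sh script.sh` for the offline summary, or `LIVE_LOOKUP=1 sh script.sh` to add the dig lookups; to use it on a real file, replace `echo "$SAMPLE_LOG"` with `grep DENY /var/log/messages` or whatever netsaint writes to. The SOA contact field printed by dig has its first dot where the `@` belongs (e.g. `hostmaster.example.net.` means hostmaster@example.net), and for a real notice you would still want a human to read the summary before anything is sent.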