[plug] /newbie - extracting info from log files

Kai vk6ksj at iinet.net.au
Tue May 30 13:57:41 WST 2000


Hi Mike !
I know this is not exactly what you want, but have you heard of a program
called logwatch?
It's a program that scans all log files, and sends a report either to file
or someone's email address, once a day.
Wanna copy?
Kai

----- Original Message -----
From: Earnshaw, Mike <earnshawm at wa.switch.aust.com>
To: PLUG (E-mail) <plug at plug.linux.org.au>
Sent: Tuesday, May 30, 2000 9:31 AM
Subject: [plug] /newbie - extracting info from log files


> List,
>
> At the moment I monitor the log files manually and send any e-mails off
> if we have been probed as per the thoughtful info from AusCERT the other
> day. I know this is not the way to do it, but my skills are not good
> enough to do otherwise.
>
> I would like to approach this as a learning exercise rather than an
> answer, could someone please point me in the right direction of how:
>
> 1. Scan log files automatically to extract certain info, say the IP
> number.
> 2. Lookup that IP number to get the SOA
> 3. Send the appropriate e-mail
>
> I see problems with:
>
> 1. The format of the log file. Will the info always be in the same
> place?
> 2. What if the lookup fails?
> 3. How would I ensure that an IP address from one line, matches up to
> the appropriate date and time. It would be embarrassing to send an
> incorrect e-mail.
>
> Below is a sample of the netsaint generated log files I monitor:
>
> ----sample
>
> May 30 07:43:27 usswa kernel: Packet log: input DENY ppp0 PROTO=1
> 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42529 F=0x0000 T=20 (#40)
>
> May 30 07:43:28 usswa kernel: Packet log: input DENY ppp0 PROTO=1
> 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42785 F=0x0000 T=20 (#40)
>
>
> ----end sample
>
> I assume I will be using grep, but (as previous posts show) I am still
> very new to this.
>
> Any pointers greatly appreciated.
>
> MTIA
>
> ----------------------------------------------------------------------------
> Mike Earnshaw       | "It don't mean a thing if     | e-mail in header
> Computer Systems    | you cain't get that Ping...." | Tel: +61 8 9256 1099
>   Support           |    Duke Ellington, 1932       | Fax: +61 8 9256 1199
> ----------------------------------------------------------------------------
> Union Switch & Signal, 24 Bannick Court, Canning Vale, WA 6155, Australia
> ----------------------------------------------------------------------------
>
>
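A worked version of steps 1 and 3 of the quoted question, added here as an example and not taken from the thread: it pulls the fields out of the ipchains "Packet log" lines by field name rather than column position (so a shifted field does not silently return the wrong IP), keeps each address tied to the timestamp from its own line, and reports a failed lookup instead of dropping it. The log lines are constructed in the format quoted above, and the `lookup` callable is a stand-in for whatever whois/SOA query is used.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipchains "Packet log" syslog format quoted
# in the post; the last line is unrelated noise that must be ignored.
SAMPLE_LOG = """\
May 30 07:43:27 usswa kernel: Packet log: input DENY ppp0 PROTO=1 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42529 F=0x0000 T=20 (#40)
May 30 07:43:28 usswa kernel: Packet log: input DENY ppp0 PROTO=1 203.108.63.250:8 139.130.81.81:0 L=60 S=0x00 I=42785 F=0x0000 T=20 (#40)
May 30 07:45:02 usswa kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4321 139.130.81.81:23 L=60 S=0x00 I=100 F=0x0000 T=64 (#40)
May 30 07:46:00 usswa sshd[123]: Accepted password for mike from 192.0.2.20
"""

# Named groups keyed on the literal field markers (kernel:, Packet log:, PROTO=)
# so the extraction does not depend on a fixed column position.
PACKET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_packet_log(text):
    """Return one dict per packet-log line; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            records.append(m.groupdict())   # timestamp and IP come from the same line
    return records

def summarise_by_source(records, lookup=lambda ip: None):
    """Group DENY records by source IP with first/last seen times.

    `lookup(ip)` (hypothetical stand-in for a whois/SOA query) returns a contact
    string or None; None is surfaced as a failed lookup so nothing is mailed blind."""
    groups = defaultdict(list)
    for r in records:
        if r["action"] == "DENY":
            groups[r["src"]].append(r)
    summary = {}
    for src, rs in groups.items():
        summary[src] = {
            "count": len(rs),
            "first_seen": rs[0]["ts"],
            "last_seen": rs[-1]["ts"],
            "contact": lookup(src) or "LOOKUP FAILED - review by hand",
        }
    return summary
```

Feed the real log through `parse_packet_log` and only send mail for entries whose `contact` is not the failure marker.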