[JaxPM] syslog analyzing
Nate
nate at campin.net
Wed Apr 5 16:38:16 CDT 2000
On the jacksonville-pm-list; Jax.PM'er Nate <nate at campin.net> wrote -
Hello again there JaxPM!
A few weeks ago I modified the logcheck script (from www.psionic.com, the
Abacus stuff) to analyze the logs from a central syslog loghost. I use a
perl script to sort the logs by hostname, then the logcheck shell script
parses each log in turn and mails a report.
Why are you telling me this, you ask? Well, I have lots of duplicate log
entries, things like postfix complaining that it can't connect to a
certain mail server, etc. I certainly do want to see these messages, just
not 50 times!
I want to use perl to emulate the syslog feature that just tells you "Last
message repeated 5 times", but not just when they are one after
another. Even when the times are spread out, I could say it a couple ways:
way #1: Message "zeus PAM_pwdb[19196]: (su) session opened for user root
by nate(uid=501)" reported at 14:22:33, 14:40:29, 14:55:21
way #2: Message "zeus PAM_pwdb[19196]: (su) session opened for user root
by nate(uid=501)" reported 3 times.
I'd like to use the first way. The output of logcheck is mailed to me every
hour, and the messages average about 300 lines. With this feature I could
reduce that drastically.
I want ideas on the best way to implement this feature. My first thought
is to create a hash for each hostname, with the hash values the log
entries, but I can't use the time for a key, as many log messages have the
same time. I have a feeling that I may need to look into using
multidimensional hashes to implement this, but I'm not sure. That's where
you guys come in ;)
Thanks in advance for any advice you can lend...
P.S. Bill, I didn't know that you have authored stuff on CPAN! I saw your
work there the other day. You're the man.
--
Nate Campi nate at campin.net
my infosec favorites: www.campin.net
Jax.PM Moderator's Note:
This message was posted to the Jacksonville Perl Monger's Group listserv.
The group manager can be reached at -- owner-jacksonville-pm-list at pm.org
to whom send all praises, complaints, or comments...
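One way to produce the "way #1" report with a hash of hashes of arrays (host, then message text, then a list of times), as an added example that is not part of the original post. It assumes classic "Mon DD HH:MM:SS host message" syslog lines; the sample lines, host names and the collapse function name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in classic syslog format (not real log data).
my @sample = (
    'Apr  5 14:22:33 zeus PAM_pwdb[19196]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:25:02 hera postfix/smtp[812]: connect to mail.example.com: Connection refused',
    'Apr  5 14:40:29 zeus PAM_pwdb[19196]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:41:10 hera postfix/smtp[812]: connect to mail.example.com: Connection refused',
    'Apr  5 14:55:21 zeus PAM_pwdb[19196]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:58:47 zeus sshd[2301]: Connection closed by 192.0.2.7',
    'this line does not look like syslog',
);

# Group lines as $seen{host}{message} = [times]. The time is a value, not a
# key, so several messages sharing one timestamp cause no collision.
sub collapse {
    my @lines = @_;
    my (%seen, @order, @unparsed);
    for my $line (@lines) {
        # Expected layout: "Mon DD HH:MM:SS host message"
        if ($line =~ /^\w{3}\s+\d{1,2}\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$/) {
            my ($time, $host, $msg) = ($1, $2, $3);
            push @order, [$host, $msg] unless exists $seen{$host}{$msg};
            push @{ $seen{$host}{$msg} }, $time;
        } else {
            push @unparsed, $line;    # keep odd lines visible in the report
        }
    }
    my @report;
    for my $pair (@order) {           # first-seen order, one line per message
        my ($host, $msg) = @$pair;
        push @report, sprintf('Message "%s %s" reported at %s',
                              $host, $msg, join(', ', @{ $seen{$host}{$msg} }));
    }
    push @report, map { "Unparsed: $_" } @unparsed;
    return @report;
}

# Read the files named on the command line, or fall back to the sample.
my @in = @ARGV ? <> : @sample;
chomp @in;
print "$_\n" for collapse(@in);
```

Messages are matched on their exact text, so the same event logged by a different process (a different PID in the brackets) stays on its own line. Lines that do not parse are reported rather than dropped, so nothing disappears from the hourly mail.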