[JaxPM] syslog analyzing

Nate nate at campin.net
Wed Apr 5 19:56:23 CDT 2000 

On the jacksonville-pm-list; Jax.PM'er Nate <nate at campin.net> wrote -

On Wed, 5 Apr 2000, j proctor wrote:

> On the jacksonville-pm-list; Jax.PM'er j proctor <jproctor at oit.umass.edu> wrote -

> for each hostname, hash with the key as everything *but* the time, and
> append times to the values.  That is, iterate over something like:
> 
>     $zeus{$event} .= ", $timestamp";
> 
> On successive(-ish) passes through the loop, you should see:
> 
> $event                                              $timestamp
> --------------------------------------------------  ----------
> (su) session opened for user root by nate(uid=501)  14:22:33
> (su) session opened for user root by nate(uid=501)  14:40:29
> (su) session opened for user root by nate(uid=501)  14:55:21
> 
> At the end, s/^, // off all hash values before printing.

So if I 

while (($key, $val) = (each @zeus)) {
	print "\"$key\" was reported at: $val\n";
}

I'll see something like:

"(su) session opened for user root by nate(uid=501)" was reported at 
14:22:33, 14:22:33, 14:55:21

That's perfect (maybe without the quotes ;)

> 
> It's quick-and-dirty, but for logs of the size you're talking about, it'll
> work just fine as long as the event entries are the same.  If they're not
> (or if you're expecting a change in PID or something like that), then you
> can work out rules for what you want matched as the same class of event,
> and do a regex thang. :)

The syslog file itself on the loghost reaches about 2 megs each day, but
the reports are trimmed down quite a bit by logcheck before I would feed
it into this perl script. Plus since it's run each hour it's not too much.

Right now ony half our hosts are logging to the loghost, but once I
implement this feature I'll send the logs from the rest. I just don't want
to read all that mail until this is in place, as the postmaster alias
already sends me about 2000 messages a day! Sheesh.

Thanks J,

Nate


Jax.PM Moderator's Note:
This message was posted to the Jacksonville Perl Monger's Group listserv.
The group manager can be reached at -- owner-jacksonville-pm-list at pm.org
to whom send all praises, complaints, or comments...

More information about the Jacksonville-pm mailing list