jt_showlog.pl - A Syslog Report Generator
jt_showlog.pl is a Perl program written to produce a number of
summary tables from the data captured in syslog files.
Written for Solaris, tested with syslogs from Solaris 9 and 10, it is
easily extensible for any special analysis you want to do.
Requirements
First, you need a modern version of Perl. Second, you need to
log data to your system logs. Although this sounds like a foregone
conclusion, the default logging on most systems is minimal. Since
this program only produces output based upon the system logs, the
more you log, the more information you get out. The easiest way to
see just what you have available is to run the program. If your system
logs are in /var/log/syslog, you can omit the name from the command
line and run the program as:
jt_showlog.pl -v
or specify the syslog file as in:
jt_showlog.pl -v /var/adm/messages
By default, the program is configured to display the results grouped by
labs, server groups, and individual servers, as specified in the program.
The -v option is used to display all machines individually. Since you
haven't configured the program yet, this will provide you with all of the
machines you have in your log file.
When you run the program it will display the lines from the log file
that it does not recognize, either because the machine name is not
specified in the program (and you did not use the -v flag), the
program that generated the message is not known, or the message just
isn't recognized by the program. Usually the unrecognized
messages are ones that appear sparsely or report a very critical error
(such as a memory error), and the programming effort of decoding the
messages far outweighs any utility gained by seeing them in a formatted list.
You may find that some, or many, of the categories are all zero.
To avoid seeing any of the categories that have all zeroes, use the -Q
option. Alternatively, you can turn on additional logging in your system
to add information to the log file so that you can actually see what
is going on. For example, turning on connection logging in the inetd daemon
will allow you to see how many times your machines are scanned per port.
Options
Program options are:
- jt_showlog.pl [-v] [-q] [-Q] [-T] [-s] [-stats] [input-file]

- options (you must specify options individually, as in -q -v, not -qv)
- -d = print details of some statistics, such as full types of errors in addition to counts
- -D = print details of records, such as disk drive types, bus populations, etc.
- -DD = print nosy info, such as number of times users log in, weird error counts, etc.,
    full /device/.... names, ip numbers, host names from records, number of times
    users fail to log in, host names and file names specific to one record.
    Note some detailed error msg summaries print only on this level as they are comprised
    mainly of machine ip/names, user names, etc.
- -DDD = you really don't want to see this much, but it is good for debugging
    - summarizes some of the non-displayed output
    - removes some constraints on some header sizes so they are not truncated.
- -FW = fixed width columns on -d, -D, -DD, -DDD type output; default is variable width
- -q = do not show lines with all zeroes
    - except for "other" groups. (assumed by -Q)
- -Q = (DEFAULT) leave out "other" groups when zero;
    - if all entries in a category are zero, do not show the category.
      (What I usually run with)
- -p = show lines with all zeroes
- -P = show categories with all zeroes anyway (assumed by -P)
- -V = same as -v
- -v = verbose - show each machine as a separate line
    - ignores pre-defined groups,
    - still subject to -q
    - GOOD FOR 1st RUN ON LOG FILE or for finding unknown machines
- -G = group all records into the "other" category.
    - GOOD FOR SUMMARY RUN ON LOG FILE looking for problems.
- -T = times - breakout by hour of certain stats
    - as in logins by hour, connects by hour, etc.
    - Nice to see how busy a lab is.
- -W = Warn about all unrecognized records. Otherwise just a summary table is printed.
    - Nice to see if you suddenly find unexpected/unknown programs in the output
- -w = same as -W
- -stats = show counts of records by machine, count by log entry source
    - (summary of what is in syslog)
- -s = output table of ips vs number of bad logins.
- -skipfile = FILENAME
    - The file FILENAME contains programs to be skipped when
      processing log files. Useful for skipping local programs that log entries
      not processed by this program, or just skipping through services that you do not
      want to bother with. File format is 1 program per line, specifying the
      program name as it appears in the log file. If the program name is followed
      by a colon or right bracket, these must be included also, as in:
          Port
          lprm[
          su:
- -sys SYSTEM = only load decode modules for system type SYSTEM.
    - current choices are:
        - ALL (default)
        - sparc (assume solaris)
        - osx (apple)
- -all = sets parms -DD -W -stats -s -T
- * = log file to process (only 1 file though - I should fix that)
    - Defaults to /var/log/syslog if no file specified
Interrupts
The program will terminate processing of the data file when it
receives a SIGINT (control-c) signal, which allows you to grab a few
records from the start of a file and then view the output.
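As an added example (not code from jt_showlog.pl or this page), the Perl sketch below ties together the -skipfile format described under Options and the control-c behaviour described under Interrupts: it loads a one-program-per-line skipfile, counts Solaris-style syslog records per host and per program, and on SIGINT stops reading but still prints the summary. The prefix-match rule for skipfile entries is an assumption about how matching works, and the sample records under __DATA__ are constructed.

```perl
#!/usr/bin/perl
# Added example, not jt_showlog.pl's own code: loads a skipfile in the
# one-program-per-line format above, counts Solaris syslog records per host
# and program, and stops early on SIGINT but still prints the summary.
# Assumption (not on the page): a skipfile entry matches as a prefix of the
# text after the hostname ("su:" matches "su: 'su root' succeeded").
use strict;
use warnings;
my $stop = 0;
$SIG{INT} = sub { $stop = 1 };       # only set a flag; the read loop checks it

sub load_skipfile {                   # one program per line, ':' or '[' kept
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open skipfile $path: $!";
    chomp(my @lines = <$fh>);
    close $fh;
    return [ grep { /\S/ } @lines ];  # drop blank lines
}

sub parse_record {                    # "Mon DD HH:MM:SS host message..."
    my ($line) = @_;
    return unless $line =~ /^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(.*)$/;
    my ($host, $msg) = ($1, $2);
    my ($prog) = $msg =~ /^([^\s:\[]+)/;   # program name before ':' or '['
    return ($host, $prog // '?', $msg);
}

my ($logfile, $skipfile) = @ARGV;
my @skip = $skipfile ? @{ load_skipfile($skipfile) } : ('su:', 'lprm[');
my (%by_host, %by_prog, $unknown);
my $log;                              # real log if given, else constructed sample
if ($logfile) { open($log, '<', $logfile) or die "cannot open $logfile: $!" }
else          { $log = \*DATA }

while (!$stop && defined(my $line = <$log>)) {
    my ($host, $prog, $msg) = parse_record($line);
    if (!defined $host) { $unknown++; next }          # unrecognized record
    next if grep { index($msg, $_) == 0 } @skip;      # skipfile prefix match
    $by_host{$host}++;
    $by_prog{$prog}++;
}
print "SIGINT received: counts cover only the records read so far\n" if $stop;
printf "host %-12s %4d\n", $_, $by_host{$_} for sort keys %by_host;
printf "prog %-12s %4d\n", $_, $by_prog{$_} for sort keys %by_prog;
printf "unrecognized records: %d\n", $unknown // 0;
__DATA__
Oct 12 03:14:15 lab1-ws01 inetd[123]: [ID 317013 daemon.notice] telnet[456] from 10.0.0.5 4321
Oct 12 03:14:20 lab1-ws01 su: [ID 366847 auth.notice] 'su root' succeeded for alice on /dev/pts/1
Oct 12 03:15:02 lab1-ws02 sshd[777]: [ID 800047 auth.info] Accepted publickey for bob
not a syslog record at all
```

With no arguments it processes the constructed records under __DATA__ (the su: record is skipped and the last line is counted as unrecognized); pass a log file and optionally a skipfile to run it on real data.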
- Questions? E-Mail me at
- tysko at the address eecs.ohiou.edu