jt_showlog.pl - A Syslog Report Generator

jt_showlog.pl is a Perl program written to produce a number of summary tables from the data captured in syslog files. Written for Solaris, tested with syslogs from Solaris 9 and 10, it is easily extensible for any special analysis you want to do.

Requirements

First, you need a modern version of Perl. Second, you need to log data to your system logs. Although this sounds like a foregone conclusion, the default logging on most systems is minimal. Since this program only produces output based upon the system logs, the more you log, the more information you get out. The easiest way to see just what you have available is to run the program. If your system logs are in /var/log/syslog, you can omit the name from the command line and run the program as:

jt_showlog.pl -v
or specify the syslog file as in:
jt_showlog.pl -v /var/adm/messages
By default, the program is configured to display the results grouped by labs, server groups, and individual servers, as specified in the program. The -v option is used to display all machines individually. Since you haven't configured the program yet, this will provide you with all of the machines you have in your log file.

When you run the program it will display the lines from the log file that it does not recognize, either because the machine name is not specified in the program (and you did not use the -v flag), the program that generated the message is not known, or the message just isn't being recognized by the program. Usually the unrecognized messages are ones that appear sparsely or that report a very critical error (such as a memory error), and the programming effort of decoding those messages far outweighs any utility gained by seeing them in a formatted list.

You may find that some, or many, of the categories are all zero. To avoid seeing any of the categories that have all zeroes, use the -Q option. Alternately, you can turn on additional logging in your system to add information to the log file so that you can actually see what is going on. For example, turning on connection logging in the inetd daemon will allow you to see how many times your machines are scanned per port.

Options

Program options are:

jt_showlog.pl [-v] [-q] [-Q] [-T] [-s] [-stats] [input-file]
options (you must specify options individually, as in -q -v, not -qv)
-d = print details of some statistics, such as full types of errors in addition to counts
-D = print details of records, such as disk drive types, bus populations, etc.
-DD = print nosy info, such as the number of times users log in, weird error counts, full /device/.... names, IP numbers, host names from records, the number of times users fail to log in, and host names and file names specific to one record. Note that some detailed error message summaries print only at this level, as they consist mainly of machine IPs/names, user names, etc.
-DDD = you really don't want to see this much, but it is good for debugging
summarizes some of the non-displayed output
removes some constraints on header sizes so they are not truncated.
-FW = fixed width columns on -d,D,DD,DDD type output - default is variable width
-q = do not show lines with all zeroes
except for "other" groups. (assumed by -Q)
-Q = (DEFAULT) leave out "other" groups when zero;
if all entries in a category are zero, do not show
the category. (What I usually run with)
-p = show lines with all zeroes
-P = show categories with all zeroes anyway (assumed by -P)
-V = same as -v
-v = verbose - show each machine as separate line
ignores pre-defined groups,
still subject to -q
GOOD FOR 1st RUN ON LOG FILE or for finding unknown machines
-G = group all records into the "other" category.
GOOD FOR SUMMARY RUN ON LOG FILE looking for problems.
-T = times - breakout by hour of certain stats,
as in logins by hour, connects by hour, etc.
Nice to see how busy a lab is.
-W = Warn about all unrecognized records. Otherwise just a summary table is printed.
Nice for seeing if you suddenly find unexpected/unknown programs in the output
-w = same as -W
-stats = show counts of records by machine, count by log entry source
(summary of what is in syslog)
-s = output table of ips vs number of bad logins.
-skipfile = FILENAME
The file FILENAME contains programs to be skipped when
processing log files. Useful for skipping local programs that log entries
not processed by this program, or just for skipping through services that you do not
want to bother with. File format is 1 program per line, specifying the
program name as it appears in the log file. If the program name is followed
by a colon or bracket, these must be included also, as in:
Port
lprm[
su:
-sys SYSTEM = only load decode modules for system type SYSTEM.
current choices are:
ALL (default)
sparc (assume solaris)
osx (apple)
-all = sets parms -DD -W -stats -s -T
* - log file to process (only 1 file though - I should fix that)
Defaults to /var/log/syslog if no file specified
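To make the behaviour described above concrete (the unrecognized-line report from the first-run section, host grouping versus -v, the -skipfile format, and the -stats, -s and -T style counts), here is an added example in Python. It is not jt_showlog.pl's own code and does not reproduce its decoders; the sample log, the skipfile, the host groups, the function names (summarize, load_skipfile, by_group) and the rule that a skipfile entry is matched as a prefix of the program token exactly as it appears in the log are all assumptions made for this illustration.

```python
"""Minimal syslog summariser in the spirit of jt_showlog.pl's -stats, -s, -T and
-skipfile options. Added example only; not the tool's code."""
import re
from collections import Counter

# Constructed sample log in Solaris syslog layout: "Mon dd hh:mm:ss host program[pid]: message".
SAMPLE_LOG = """\
Mar  3 08:12:01 lab1-srv01 inetd[212]: [ID 317013 daemon.notice] telnet[4411] from 10.1.2.3 33902
Mar  3 08:15:44 lab1-srv01 sshd[4420]: [ID 800047 auth.info] Failed password for root from 10.1.2.3 port 40122 ssh2
Mar  3 09:01:10 lab1-srv02 sshd[4501]: [ID 800047 auth.info] Failed password for invalid user oracle from 10.1.2.3 port 40130 ssh2
Mar  3 09:02:55 lab1-srv02 su: [ID 366847 auth.notice] 'su root' failed for jdoe on /dev/pts/1
Mar  3 09:30:00 lab2-srv07 lprm[880]: [ID 000000 lpr.info] job removed
Mar  3 10:05:02 lab2-srv07 sshd[4610]: [ID 800047 auth.info] Failed password for root from 192.0.2.9 port 51000 ssh2
this line is not in syslog format
"""

# Constructed skipfile in the format the README describes: one program per line,
# with the trailing colon or bracket included when the log file shows one.
SAMPLE_SKIPFILE = "Port\nlprm[\nsu:\n"

# Constructed host grouping of the kind the README says is "specified in the program".
HOST_GROUPS = {"lab1": {"lab1-srv01", "lab1-srv02"}}

# Syslog line: month, day, time, host, then the program token (name, optional [pid], colon).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"(?P<host>\S+)\s+(?P<rawprog>(?P<prog>[^\s\[:]+)(?:\[\d+\])?:)\s+(?P<msg>.*)$"
)
# Decoders for the few programs this example "knows"; anything else is reported
# as unrecognized, mirroring the README's description of undecoded lines.
SSHD_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INETD_CONN_RE = re.compile(r"(\S+)\[\d+\] from (\S+) (\d+)")
SU_FAIL_RE = re.compile(r"'su (\S+)' failed for (\S+)")


def load_skipfile(text):
    """One program per line, blank lines ignored. Entries are matched as prefixes of
    the raw program token (e.g. "lprm[" matches "lprm[880]:"); that is an assumption."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def summarize(log_text, skip_entries=()):
    """Count records per host and program, bad logins per source IP and per hour,
    inetd connections per hour, and collect lines that cannot be decoded."""
    report = {
        "records_by_host": Counter(), "records_by_program": Counter(),
        "bad_logins_by_ip": Counter(), "bad_logins_by_hour": Counter(),
        "connects_by_hour": Counter(), "su_failures_by_host": Counter(),
        "skipped": 0, "unrecognized": [],
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # not even syslog layout: report it
            report["unrecognized"].append(line)
            continue
        if any(m["rawprog"].startswith(entry) for entry in skip_entries):
            report["skipped"] += 1     # program listed in the skipfile
            continue
        host, prog, hour, msg = m["host"], m["prog"], m["hour"], m["msg"]
        report["records_by_host"][host] += 1
        report["records_by_program"][prog] += 1
        decoded = False
        if prog == "sshd" and (f := SSHD_FAIL_RE.search(msg)):
            report["bad_logins_by_ip"][f.group(2)] += 1
            report["bad_logins_by_hour"][hour] += 1
            decoded = True
        elif prog == "inetd" and INETD_CONN_RE.search(msg):
            report["connects_by_hour"][hour] += 1
            decoded = True
        elif prog == "su" and SU_FAIL_RE.search(msg):
            report["su_failures_by_host"][host] += 1
            decoded = True
        if not decoded:                # known layout, but no decoder matched
            report["unrecognized"].append(line)
    return report


def by_group(records_by_host, groups=HOST_GROUPS, verbose=False):
    """Roll per-host counts up into configured groups; unlisted hosts land in "other".
    verbose=True lists every host on its own line, like the README's -v flag."""
    if verbose:
        return dict(records_by_host)
    rolled = Counter()
    for host, n in records_by_host.items():
        group = next((g for g, members in groups.items() if host in members), "other")
        rolled[group] += n
    return dict(rolled)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG, load_skipfile(SAMPLE_SKIPFILE))
    print("records by group:", by_group(rep["records_by_host"]))
    print("records by host (-v):", by_group(rep["records_by_host"], verbose=True))
    print("bad logins by ip (-s):", dict(rep["bad_logins_by_ip"]))
    print("bad logins by hour (-T):", dict(sorted(rep["bad_logins_by_hour"].items())))
    print("skipped:", rep["skipped"], "unrecognized:", rep["unrecognized"])
```

Running it with the sample skipfile drops the su: and lprm[ records before they are counted, so only the malformed last line is reported as unrecognized; running summarize(SAMPLE_LOG) without a skipfile decodes the su failure and reports the lprm line instead, which is the same "unknown program" situation the -W flag is meant to surface.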

Interrupts

The program will terminate processing of the data file when it receives a SIGINT (control-c) signal, which allows you to grab a few records from the start of a file and then view the output.

Questions? E-Mail me at
tysko at the address eecs.ohiou.edu