Hi
> When it comes to system administration and diagnostics, it is quite
> common to use standard Linux utilities for debugging. Things like grep,
> awk, sed, cut, etc. The CAS logs make this quite difficult. Could we
> maybe start composing the logs into single line "records" of a sort?
>
> For example, the following is not easily processed using the CLI...
>
> =============================================================
> WHO: someone
> WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Mon Aug 26 15:27:53 MDT 2019
> CLIENT IP ADDRESS: 123.123.123.123
> SERVER IP ADDRESS: server.example.com
> =============================================================
The only way I know to process multiline log files properly is to use a
programming language like AWK, Perl, Python… You won't make it with grep &
friends.
Here is a sample AWK program you can adapt to your needs:
------
BEGIN {
    eot = ":";   # field separator in the flattened output
}
FNR == 1 {
    if (_filename_ != "")
        endfile(_filename_)
    _filename_ = FILENAME
    beginfile(FILENAME)
}
END { endfile("finished"); }
/^WHO: / {
    sub(/^WHO: /, "");
    WHO = $0; next
}
/^WHAT: / {
    sub(/^WHAT: /, "");
    WHAT = $0; next
}
/^ACTION: / {
    sub(/^ACTION: /, "");
    ACTION = $0; next
}
/^APPLICATION: / {
    sub(/^APPLICATION: /, "");
    APPLICATION = $0; next
}
/^WHEN: / {
    sub(/^WHEN: /, "");
    WHEN = $0; next
}
/^CLIENT IP ADDRESS: / {
    sub(/^CLIENT IP ADDRESS: /, "");
    CLIENT_IP_ADDRESS = $0; next
}
/^SERVER IP ADDRESS: / {
    sub(/^SERVER IP ADDRESS: /, "");
    SERVER_IP_ADDRESS = $0; next
}
# A "=====" separator line or a blank line closes the current record.
/^=+$/ || $0 !~ /.+/ {
    endrecord();
}
#============================ functions =====================
function reset() {
    WHO = ""; WHAT = ""; ACTION = ""; APPLICATION = ""; WHEN = "";
    CLIENT_IP_ADDRESS = ""; SERVER_IP_ADDRESS = "";
}
function endrecord() { # print only if a record was actually started
    if (WHO != "" || WHAT != "" || ACTION != "") prfields();
    reset();
}
function beginfile(fichier) { reset(); }
function endfile(fichier) { # end of file: flush an unterminated last record
    endrecord(); nfich++;
    printf(".") > "/dev/stderr";
}
function prfields() { # one record per line on stdout
    printf("%s%s%s%s%s%s%s%s%s%s%s%s%s\n", WHO, eot, WHAT, eot, ACTION, eot,
           APPLICATION, eot, WHEN, eot, CLIENT_IP_ADDRESS, eot, SERVER_IP_ADDRESS);
}
------
You save it as foo.awk on your server, and use it like this:
awk -f /path/to/foo.awk /path/to/cas.log
To change the output, just tweak function prfields and eot. It needs testing;
it's a quick & dirty script.
If you don't have more than 500 MB of cas.log daily, I would suggest you give
Splunk a try. Under 500 MB per day you won't need a paid licence and can live
with a free licence. It's incredibly powerful and will allow you to parse your
log with great efficiency: no more headaches and 100% of your time on valuable
tasks ;)
Patrick PRONIEWSKI
--
Chef du Service Opérations - DSI - Université Lumière Lyon 2
Responsable Sécurité des Systèmes d'Information
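As an added example (mine, not code from this reply or from the CAS project), the same flattening in Python: the "=====" separator lines of the quoted record are treated as record boundaries, a record with no closing separator at end of file is kept, and a small per-client-IP count shows the kind of question the flattened output makes easy to answer. The second record in the sample is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread; the 2nd record's values are made up.
SAMPLE_LOG = """=============================================================
WHO: someone
WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Aug 26 15:27:53 MDT 2019
CLIENT IP ADDRESS: 123.123.123.123
SERVER IP ADDRESS: server.example.com
=============================================================
=============================================================
WHO: audit:unknown
WHAT: Supplied credentials: [someone]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Aug 26 15:28:01 MDT 2019
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: server.example.com
=============================================================
"""
SEPARATOR = re.compile(r"^=+\s*$")
FIELD = re.compile(r"^([A-Z][A-Z ]*): (.*)$")

def parse_records(text):
    """'====' or a blank line ends a block; an unterminated final block is kept."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line) or not line.strip():
            if current:  # consecutive separators produce no empty record
                records.append(current)
                current = {}
        elif (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2).strip()
        elif current:  # not a "KEY: value" line: continuation of the previous value
            last_key = next(reversed(current))
            current[last_key] += " " + line.strip()
    if current:
        records.append(current)
    return records

def flatten(record, sep="|"):
    """One grep-friendly line per record: KEY=value fields joined by sep."""
    return sep.join(f"{k}={v}" for k, v in record.items())

def count_by_client(records, action):
    """Records with the given ACTION, counted per CLIENT IP ADDRESS."""
    return Counter(r.get("CLIENT IP ADDRESS", "?")
                   for r in records if r.get("ACTION") == action)
```

Printing `flatten(rec)` for each parsed record gives one line per audit event that grep, cut and awk can work on directly.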
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BC3EDF92-8F9D-4CB7-9587-7D6EB16FCBF8%40univ-lyon2.fr.