If you want something light for ad-hoc checks, I use a bit of Perl like this
that uses a dumb match of part of the date-time string as a key into a hash
of counts:

  #!/usr/bin/perl
  #
  # Count matching syslog lines per minute. The first 12 characters of a
  # syslog line ("Feb 14 11:42") are month, day, hour and minute, so they
  # serve directly as the hash key.
  use strict;
  use warnings;

  my %events_per_minute;
  while (<>) {
          chomp;
          # The parentheses in the event string must be escaped.
          if (m,to svrdmz:NTP/123 \(NTP/123\),) {
                  $events_per_minute{substr $_, 0, 12}++;
          }
  }

  # Print the count first so a plain "sort -rn | head" orders by busiest minute.
  foreach my $key (sort keys %events_per_minute) {
          print "$events_per_minute{$key} minute: $key\n";
  }

Of course you can improve this, e.g. pass the event to match as an arg.
Pipe to the usual "sort -rn | head" to get the top minutes by number of
events.
Precede it with the tool "since" to only apply to events since the last
time you checked.

For fancier setups, use the tools mentioned by others or the venerable
"swatch".

Regards,
Matt



On Thu, Feb 14, 2013 at 11:48 AM, Chris Barnes <[email protected]> wrote:

> Hi everyone,
>
> my firewall logs everything to a syslog server - new connections,
> terminated connections, etc
>
> basically what I'm trying to do is analyse the syslog in realtime looking
> for a specific string which indicates a new connection has been
> established, and to count the number of occurrences of that string to get
> an idea of how many connections per minute I'm getting for a particular
> internet service so that I can graph it.
>
> An example of the significant line in syslog I'm looking for is:
>
> Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015:
> Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (
> 124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
>
> I can use the following to watch the log for the specific event
>
> tail -f /var/log/syslog | grep "to svrdmz:NTP/123 (NTP/123)"
>
>
> But I can't figure out a way to programmatically count how many of these
> events occur per minute.
>
> Any suggestions?
>
> --
> Kind Regards,
>
> Christopher Barnes
>
> e. [email protected]
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>



-- 
m a t t h e w   l i n u s   h a n n i g a n
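The same idea as the Perl script above, written out in Python as an added example (it is not code from the thread): it matches the event string Chris grepped for, buckets hits by minute, and adds two things the one-liner does not show. First, the quoted log line carries two timestamps, the syslog server's ("Feb 14 11:42:52") and the firewall's own ("Feb 14 11:19:47 EDT"), which differ by more than twenty minutes, so the counter lets you choose which clock to key on. Second, a streaming mode emits a count whenever the minute rolls over, which is what you want behind "tail -f" when the numbers are going to a grapher. The sample lines are constructed to follow the quoted format; the IPs and connection IDs in them are made up.

```python
#!/usr/bin/env python3
"""Count matching firewall syslog events per minute.

Batch use:     python3 count_events.py < /var/log/syslog
Streaming use: tail -f /var/log/syslog | python3 count_events.py
Self-test:     python3 count_events.py --demo   (runs on the constructed SAMPLE)
"""
import re
import sys
from collections import Counter
from typing import Iterable, Iterator, List, Optional, Tuple

# The string from the original grep; the parentheses must be escaped.
EVENT = re.compile(r"to svrdmz:NTP/123 \(NTP/123\)")

# Syslog server timestamp at the start of the line, e.g. "Feb 14 11:42:52".
# The day is space-padded ("Feb  4"), hence the 1-2 spaces after the month.
SYSLOG_TS = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}):\d{2} ")

# The firewall's own timestamp embedded after the host: ": Feb 14 11:19:47 EDT: %PIX-"
DEVICE_TS = re.compile(r": (\w{3} {1,2}\d{1,2} \d{2}:\d{2}):\d{2} \w+: %PIX-")


def minute_key(line: str, device_clock: bool = False) -> Optional[str]:
    """Return the 'Mon DD HH:MM' key for a line, or None if no timestamp is found.

    device_clock=True keys on the firewall's timestamp instead of the syslog
    server's; in the quoted line the two clocks disagree by over twenty minutes.
    """
    m = (DEVICE_TS if device_clock else SYSLOG_TS).search(line)
    return m.group(1) if m else None


def count_per_minute(lines: Iterable[str], device_clock: bool = False) -> Counter:
    """Batch mode: histogram of matching events keyed by minute."""
    counts: Counter = Counter()
    for line in lines:
        if not EVENT.search(line):
            continue
        key = minute_key(line, device_clock)
        if key is not None:
            counts[key] += 1
    return counts


def top_minutes(counts: Counter, n: int = 5) -> List[Tuple[str, int]]:
    """The n busiest minutes, highest count first (ties broken by minute)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def stream_per_minute(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Streaming mode for tail -f: yield (minute, count) each time the syslog
    minute changes, and flush the last partial minute at end of input.

    Assumes lines arrive in time order, which holds for a single syslog file;
    an out-of-order line starts a new short bucket rather than being dropped.
    """
    current: Optional[str] = None
    count = 0
    for line in lines:
        if not EVENT.search(line):
            continue
        key = minute_key(line)
        if key is None:
            continue
        if key != current:
            if current is not None:
                yield current, count
            current, count = key, 0
        count += 1
    if current is not None:
        yield current, count


# Constructed sample input modelled on the line quoted in the thread (made-up
# addresses and connection IDs). Line 3 is a teardown and must not be counted.
SAMPLE = [
    "Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)",
    "Feb 14 11:42:55 10.1.1.1 : Feb 14 11:19:50 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523358 for Outside:203.0.113.7/123 (203.0.113.7/123) to svrdmz:NTP/123 (NTP/123)",
    "Feb 14 11:42:58 10.1.1.1 : Feb 14 11:19:53 EDT: %PIX-session-6-302014: Teardown TCP connection 3523300 for Outside:203.0.113.9/4431 to svrdmz:web/80 duration 0:00:05 bytes 1200 TCP FINs",
    "Feb 14 11:43:01 10.1.1.1 : Feb 14 11:19:56 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523359 for Outside:198.51.100.4/123 (198.51.100.4/123) to svrdmz:NTP/123 (NTP/123)",
    "Feb 14 11:43:07 10.1.1.1 : Feb 14 11:20:02 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523360 for Outside:198.51.100.5/123 (198.51.100.5/123) to svrdmz:NTP/123 (NTP/123)",
    "Feb 14 11:43:40 10.1.1.1 : Feb 14 11:20:35 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523361 for Outside:198.51.100.6/123 (198.51.100.6/123) to svrdmz:NTP/123 (NTP/123)",
]

if __name__ == "__main__":
    source = SAMPLE if "--demo" in sys.argv[1:] else sys.stdin
    for minute, n in stream_per_minute(source):
        # Count first, so "sort -rn | head" on the saved output gives the busiest minutes.
        print(f"{n} {minute}", flush=True)
```

On the constructed sample the syslog clock gives 2 events in 11:42 and 3 in 11:43, while the firewall's clock puts 3 in 11:19 and 2 in 11:20: same five events, different per-minute picture. Pick the clock that matches what you are graphing against, and if the firewall's clock is that far out, fixing its NTP is the real answer.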
