That looks exactly like the type of script I'm looking for. I'll give it a crack later tonight.

Thanks very much!

On Fri, Feb 15, 2013 at 2:20 PM, Matthew Hannigan <[email protected]> wrote:
> If you want something light for ad-hoc checks I use a bit of perl like
> this that uses a dumb match of part of the date-time string as a key into a
> hash of counts:
>
> #!/usr/bin/perl
> #
> # Count matching syslog lines per minute, keyed on the first 12
> # characters of each line ("Feb 14 11:42"), and print the totals.
> use strict;
> use warnings;
>
> my %events_per_minute;
> while (<>) {
>     chomp;
>     # Only count the "new connection" event; the parentheses are
>     # escaped because the match is a regex.
>     if (m,to svrdmz:NTP/123 \(NTP/123\),) {
>         $events_per_minute{substr $_, 0, 12}++;
>     }
> }
>
> foreach my $key (keys %events_per_minute) {
>     print "minute: $key count: $events_per_minute{$key}\n";
> }
>
> Of course you can improve this e.g. pass the event to match as an arg.
> Pipe to the usual "sort -rn | head" to get the top minutes by number of
> events.
> Precede it with the tool "since" to only apply to events since the last
> time you checked.
>
> For fancier setups, use the tools mentioned by others or the venerable
> "swatch"
>
> Regards,
> Matt
>
> On Thu, Feb 14, 2013 at 11:48 AM, Chris Barnes <[email protected]> wrote:
>> Hi everyone,
>>
>> My firewall logs everything to a syslog server - new connections,
>> terminated connections, etc.
>>
>> Basically what I'm trying to do is analyse the syslog in real time looking
>> for a specific string which indicates a new connection has been
>> established, and to count the number of occurrences of that string to get
>> an idea of how many connections per minute I'm getting for a particular
>> internet service so that I can graph it.
>>
>> An example of the significant line in syslog I'm looking for is:
>>
>> Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015:
>> Built inbound UDP connection 3523357 for Outside:124.178.41.91/123
>> (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
>>
>> I can use the following to watch the log for the specific event:
>>
>> tail -f /var/log/syslog | grep "to svrdmz:NTP/123 (NTP/123)"
>>
>> But I can't figure out a way to programmatically count how many of these
>> events occur per minute.
>>
>> Any suggestions?
>>
>> --
>> Kind Regards,
>>
>> Christopher Barnes
>>
>> e. [email protected]
>> --
>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
> --
> m a t t h e w l i n u s h a n n i g a n

--
Kind Regards,
Christopher Barnes
e. [email protected]
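A streaming version of the per-minute count, added here as an example and not code from either poster: it prints a minute's total as soon as a line from the next minute arrives, so it works on a live `tail -f` feed, where a script that only reports at end of input would never print. The match string and the sample lines are constructed from the log line quoted in the thread.

```shell
#!/bin/sh
# Count syslog lines containing a fixed string, per minute, in streaming
# fashion: each minute's total is printed when a line from a later minute
# arrives, and the last open minute is flushed at end of input. Keyed on
# the first 12 characters of the line ("Feb 14 11:42"), like the Perl above.
# Usage: tail -f /var/log/syslog | count_per_minute 'to svrdmz:NTP/123 (NTP/123)'
count_per_minute() {
    awk -v pat="$1" '
        # index() is a fixed-string match, so parentheses and slashes
        # in the event string need no escaping.
        index($0, pat) == 0 { next }
        {
            minute = substr($0, 1, 12)
            if (minute != current) {
                if (current != "") { print "minute: " current " count: " n; fflush() }
                current = minute
                n = 0
            }
            n++
        }
        END { if (current != "") print "minute: " current " count: " n }
    '
}

# Constructed sample input (not real log data): three NTP connections across
# two minutes plus one unrelated DNS line that must not be counted.
sample_log() {
    cat <<'EOF'
Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:42:55 10.1.1.1 : Feb 14 11:19:50 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523358 for Outside:124.178.41.91/53 (124.178.41.91/53) to svrdmz:DNS/53 (DNS/53)
Feb 14 11:42:58 10.1.1.1 : Feb 14 11:19:53 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523359 for Outside:124.178.41.92/123 (124.178.41.92/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:43:01 10.1.1.1 : Feb 14 11:19:56 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523360 for Outside:124.178.41.93/123 (124.178.41.93/123) to svrdmz:NTP/123 (NTP/123)
EOF
}

# Stand-alone demonstration; on a live box replace sample_log with tail -f.
sample_log | count_per_minute 'to svrdmz:NTP/123 (NTP/123)'
```

Because lines are bucketed by the timestamp at the start of the line, a minute is considered closed as soon as a later minute appears, so out-of-order lines from a second sender would open a fresh bucket rather than update the old one.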
