I wrote this Perl script for use in a project where I had to get an
understanding of the rate of RADIUS requests coming in. I impressed myself (as
a very lapsed programmer) that I figured out how to (a) write a signal
handler and (b) put POD documentation in the file. The most basic usage is
simply :-

tail -f /var/log/messages | lookfor -lookfor "string1","string2"

output looks like :-

$ sudo tail -f /var/log/messages | ./lookfor --lookfor "OK","denied","401 Un"

Total Count
===========
OK: Count:1 ( Delta: 0 Last: 0.0ps Peak: 0.2ps Avg: 0.0ps )
denied: Count:2 ( Delta: 0 Last: 0.0ps Peak: 0.4ps Avg: 0.1ps )
401 Un: Count:1 ( Delta: 0 Last: 0.0ps Peak: 0.2ps Avg: 0.0ps )
#!/usr/bin/perl
# lookfor - count strings seen on stdin and report how fast they arrive
# Created by Martin Visser - Version 1.0 - 2003
use strict;
use warnings;
use Getopt::Long;
use Pod::Usage;

my $interval     = 5;    # seconds between interim reports (SIGALRM period)
my $avgintervals = 6;    # window, in intervals, of the running average
my $label        = "";   # optional heading printed above each report
my $clear_opt    = 1;    # clear the screen before each report (-noclear disables)
my $delta_opt    = 1;    # parsed for compatibility; the delta column is always printed
my $help;
my @lookfor = ();
# e.g. @lookfor = ('Access-Request', 'Accounting-Request', 'Request Accepted', 'Request Rejected');

GetOptions("lookfor=s"  => \@lookfor,
           "interval=i" => \$interval,
           "label=s"    => \$label,
           "clear!"     => \$clear_opt,
           "delta!"     => \$delta_opt,
           "help|man|?" => \$help) or pod2usage(2);
pod2usage(1) if $help;

# Accept both repeated -lookfor options and comma-separated lists.
@lookfor = split(/,/, join(',', @lookfor));
pod2usage("$0: at least one -lookfor string is required") unless @lookfor;
pod2usage("$0: -interval must be a positive number of seconds") unless $interval > 0;

# Per-string statistics, keyed by the search string.
my (%count, %lastcount, %peaktps, %avgtps);

sub set_alarm {
    $SIG{ALRM} = \&interim_dump;
    alarm $interval;
}

sub set_quit {
    # Ctrl-C (SIGINT) or SIGQUIT prints the final totals instead of just killing us.
    $SIG{QUIT} = \&final_dump;
    $SIG{INT}  = \&final_dump;
}

sub dump_lookfor {
    foreach my $lookfor (@lookfor) {
        my $delta = $count{$lookfor} - $lastcount{$lookfor};
        my $tps   = $delta / $interval;    # matches per second over this interval
        $peaktps{$lookfor} = $tps if $tps > $peaktps{$lookfor};
        # Exponentially weighted running average over $avgintervals intervals
        $avgtps{$lookfor} = $avgtps{$lookfor} * ($avgintervals - 1) / $avgintervals
                          + $tps / $avgintervals;
        printf "%s: Count:%d ( Delta: %d Last: %.1fps Peak: %.1fps Avg: %.1fps )\n",
            $lookfor, $count{$lookfor}, $delta, $tps, $peaktps{$lookfor}, $avgtps{$lookfor};
        $lastcount{$lookfor} = $count{$lookfor};
    }
    print "\n";
}

sub interim_dump {
    system("clear") if $clear_opt;
    print "$label\n" if $label ne "";
    print "Interim Count\n=============\n";
    dump_lookfor();
    alarm $interval;    # re-arm: alarm() is one-shot
}

sub final_dump {
    system("clear") if $clear_opt;
    print "$label\n" if $label ne "";
    print "Total Count\n===========\n";
    dump_lookfor();
    exit;
}

sub zero_count {
    foreach my $lookfor (@lookfor) {
        $count{$lookfor}     = 0;
        $lastcount{$lookfor} = 0;
        $peaktps{$lookfor}   = 0;
        $avgtps{$lookfor}    = 0;
    }
}

zero_count();
set_quit();
set_alarm();
$| = 1;    # unbuffered stdout so reports appear promptly even when redirected
interim_dump();
while (<>) {
    foreach my $lookfor (@lookfor) {
        # \Q...\E matches the string literally, so "(NTP/123)" or "401 Un"
        # are not interpreted as regex metacharacters. A line is counted
        # at most once per string however many times it contains it.
        $count{$lookfor}++ if /\Q$lookfor\E/;
    }
}
final_dump();

__END__

=head1 NAME

lookfor - count matching strings on stdin and report their rate

=head1 SYNOPSIS

lookfor [-interval secs] [-label text] [-noclear] -lookfor string[,string...]

Example: tail -f /var/log/messages | lookfor -interval 30 -lookfor 'Access-Request','Access-Response'

Reads from stdin and displays counts (and other stats) for matched strings.

written by Martin Visser <martinvisser99ATgmail.com>

=head1 OPTIONS

=over 8

=item B<-help or -?>

Print this help message and exit.

=item B<-interval> I<time in secs>

Specify how often the displayed statistics are refreshed.

(Default: 5)

=item B<-lookfor> I<string,string,string>

Specify the strings that lookfor is to calculate stats on. Strings are
matched literally, and a line that contains a string more than once is
still counted once. May be given several times or as a comma-separated
list.

(Required)

=item B<-label> I<text>

Print I<text> as a heading above each report.

=item B<-noclear>

Do not clear the screen before each report (useful when output is
redirected to a file).

=back

=head1 DESCRIPTION

Reads from stdin and displays counts (and other stats) for matched strings.
Every I<interval> seconds an interim report is printed; on Ctrl-C (SIGINT)
or SIGQUIT, or when stdin closes, a final total is printed and the program
exits.

=cut


Regards, Martin

[email protected]


On 14 February 2013 11:48, Chris Barnes <[email protected]> wrote:

> Hi everyone,
>
> my firewall logs everything to a syslog server - new connections,
> terminated connections, etc
>
> basically what I'm trying to do is analyse the syslog in real time looking
> for a specific string which indicates a new connection has been
> established, and to count the number of occurrences of that string to get
> an idea of how many connections per minute I'm getting for a particular
> internet service so that I can graph it.
>
> An example of the significant line in syslog I'm looking for is:
>
> Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015:
> Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (
> 124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
>
> I can use the following to watch the log for the specific event
>
> tail -f /var/log/syslog | grep "to svrdmz:NTP/123 (NTP/123)"
>
>
> But I can't figure out a way to programmatically count how many of these
> events occur per minute.
>
> any suggestions?
>
> --
> Kind Regards,
>
> Christopher Barnes
>
> e. [email protected]
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
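Martin's script measures the rate against the wall clock (an alarm every few seconds), which is right for a live tail but lumps an entire replayed log file into one interval. Chris's original question was connections per minute for graphing, so the added example below (Python, written for this page; it is not the author's Perl and not part of the thread) buckets each line by the minute in its own syslog timestamp, so the same code works on `tail -f` and on yesterday's file, and then folds the buckets into the same Count/Delta/Last/Peak/Avg figures the script prints. It matches the search string literally rather than as a regex, which matters for a needle like `(NTP/123)`. The log lines are constructed for the example, modelled on the PIX message quoted in the thread; the DNS line and the extra addresses are assumptions.

```python
"""Count matching syslog lines per minute, keyed on each line's own timestamp."""
import re
from datetime import datetime, timedelta

# Leading "Mon DD HH:MM:SS " stamp that the syslog server writes in front of
# the relayed message. The PIX line quoted in the thread carries a second,
# device-side timestamp after the host IP; we deliberately key on the
# server's stamp, which is the clock the per-minute graph will be drawn on.
SYSLOG_TS = re.compile(r'^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):\d{2} ')


def minute_of(line):
    """Return the line's syslog timestamp truncated to the minute, or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm = m.groups()
    # Syslog stamps carry no year; strptime fills in 1900, which is fine for
    # ordering within one log (a Dec -> Jan wrap would need the real year).
    return datetime.strptime(f"{mon} {int(day):02d} {hh}:{mm}", "%b %d %H:%M")


def count_per_minute(lines, needles):
    """Map each needle to {minute: matching-line count}, literal substring match.

    Literal matching (`in`) is deliberate: a needle such as "(NTP/123)"
    contains regex metacharacters, and a bare /$lookfor/ in Perl or grep
    without -F would treat it as a pattern. As in the lookfor script, a
    line counts at most once per needle. Minutes with no match between the
    first and last sighting are filled with 0 so the averages stay honest.
    """
    buckets = {n: {} for n in needles}
    for line in lines:
        minute = minute_of(line)
        if minute is None:
            continue  # not a syslog line we can place in time
        for n in needles:
            if n in line:
                buckets[n][minute] = buckets[n].get(minute, 0) + 1
    for series in buckets.values():
        if series:
            t, end = min(series), max(series)
            while t <= end:
                series.setdefault(t, 0)
                t += timedelta(minutes=1)
    return buckets


def rate_stats(series, interval=60, avg_intervals=6):
    """Fold a minute->count series into the script's Count/Delta/Last/Peak/Avg.

    Rates are matches per second over each 60 s bucket, and Avg is the same
    exponentially weighted mean the Perl script keeps (avgintervals = 6).
    """
    count = delta = 0
    last = peak = avg = 0.0
    for minute in sorted(series):
        delta = series[minute]
        count += delta
        last = delta / interval
        peak = max(peak, last)
        avg = avg * (avg_intervals - 1) / avg_intervals + last / avg_intervals
    return {"count": count, "delta": delta, "last": last, "peak": peak, "avg": avg}


# Constructed sample (assumption, not real log data), modelled on the
# %PIX-session-6-302015 line in the thread: two NTP connections in minute
# 11:42, a DNS one in 11:43 that must not match, one more NTP one in 11:44.
SAMPLE_LOG = """\
Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:42:58 10.1.1.1 : Feb 14 11:19:53 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523358 for Outside:203.0.113.7/123 (203.0.113.7/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:43:05 10.1.1.1 : Feb 14 11:20:00 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523359 for Outside:203.0.113.7/53 (203.0.113.7/53) to svrdmz:DNS/53 (DNS/53)
Feb 14 11:44:10 10.1.1.1 : Feb 14 11:21:05 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523360 for Outside:198.51.100.9/123 (198.51.100.9/123) to svrdmz:NTP/123 (NTP/123)
"""
NEEDLE = "to svrdmz:NTP/123 (NTP/123)"


def demo(log=SAMPLE_LOG, needle=NEEDLE):
    """Per-minute counts (oldest first) and the summary stats for one needle."""
    series = count_per_minute(log.splitlines(), [needle])[needle]
    return [series[m] for m in sorted(series)], rate_stats(series)


if __name__ == "__main__":
    per_minute, stats = demo()
    print("per minute:", per_minute)  # [2, 0, 1]
    print("%s: Count:%d ( Delta: %d Last: %.3fps Peak: %.3fps Avg: %.4fps )"
          % (NEEDLE, stats["count"], stats["delta"], stats["last"],
             stats["peak"], stats["avg"]))
```

To feed it a live log, read `sys.stdin` line by line and re-run `rate_stats` on the needle's series whenever the minute changes; for graphing, the per-minute list is the series to hand to your plotting tool. Because the minute comes from the line rather than from the receive time, a burst that the syslog server buffered and delivered late is still attributed to the minute it happened in.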