[syslog-ng]Log monitoring

Nicholas Bernstein syslog-ng@lists.balabit.hu
09 Jun 2003 11:51:28 -0700


Ok.... 

something like : 
	grep "Jun  9 11" messages| grep ftpd
will get you all of the messages containing ftpd on June 9th, during the
11th hour. if you wanted to be inexact you can get the date by doing: 
date '+%b %e %H'   # prints e.g. "Jun  9 11"; plain `date | awk -F : '{ print $1 }'` would also carry the weekday ("Mon Jun  9 11"), which never matches a syslog line
so to put it all together you could do :
grep "$(date '+%b %e %H')" <file> | grep <whatever you're looking for> | wc -l

or somesuch... 

If I were going to really do it, I'd probably use perl. To be accurate,
you would want to convert the date into minutes, and then do a grep
based only look at the entries within "Now - (Minutes)"; otherwise, it
effectively resets the counter every hour. 

We aren't doing the exact same thing, otherwise I would try to be of
more help, but I'm guessing that should be enough to get you started. 


man sed
man awk
man wc
man bash (of course)
http://www.perldoc.com



On Mon, 2003-06-09 at 11:01, netsec novice wrote:
> It sounds like what I'm looking for.  Would you mind sending me more 
> details?  I am a relative newbie to syslog and linux.  I appreciate anything 
> you can share.
> 
> Nicole
> 
> 
> >From: Nicholas Bernstein <nick@docmagic.com>
> >Reply-To: syslog-ng@lists.balabit.hu
> >To: syslog-ng@lists.balabit.hu
> >Subject: Re: [syslog-ng]Log monitoring
> >Date: 09 Jun 2003 10:56:57 -0700
> >
> >We have a similar circumstance, where we basically have our logs
> >filtered, and the events that we want put into a separate log file. Then
> >we grep the log based on time stamp & count the number of lines. The
> >counter runs from cron every minute, and sends out an email if the
> >number is higher than the threshold.
> >
> >Hope that helps!
> >Nick
> >
> >On Mon, 2003-06-09 at 10:42, netsec novice wrote:
> > > I am looking for a tool that would allow me to perform an action (send
> > > e-mail) when a particular event meets a threshold.  I have my IDS tuned to
> > > the point where I have a good sense of how many alerts I receive in an hour.
> > > I know I can send an alert based on matching a particular alert but what I
> > > would really like to do is send notification based on whether I receive more
> > > than 10 alerts in less than an hour.  I hope my intention is clear here...
> > > I know there are products out there such as Swatch or logwatch but I haven't
> > > seen anything that alerts on thresholds rather than pattern matching only.
> > > My idea here is to set up something that watches my logs continuously and if
> > > I get more than 10 alerts within an hour or less during any part of the day
> > > - I would be paged.  I am not a Perl guru so any help I can get in getting
> > > started is appreciated.  My guess is that someone has already invented the
> > > wheel - I just don't know where it is.
> > >
> > > Thanks for any guidance...
> > > Nicole
> > >
> > >
> > > _______________________________________________
> > > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> > > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >
> >
> 
> 
-- 
+---------------------------------------------------------------+
| Nicholas Bernstein            | nick@docmagic.com             |
| UNIX Systems Administrator    | http://www.docmagic.com       |
| Document Systems Inc.         |                               |
+---------------------------------------------------------------+
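Nick's point that a per-hour grep "effectively resets the counter every hour", versus looking only at entries within "Now - (Minutes)", can be shown side by side. The script below is an added example, not code from the thread; it parses the BSD syslog header, assumes the current year (the header carries none), and counts matching lines over constructed sample log lines both by hour prefix and by a sliding window, then applies a threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): ftpd failures straddling an hour boundary.
SAMPLE_LOG = """\
Jun  9 10:05:12 host ftpd[1201]: FTP LOGIN FAILED FROM 10.0.0.5
Jun  9 10:58:40 host ftpd[1202]: FTP LOGIN FAILED FROM 10.0.0.5
Jun  9 11:02:01 host sshd[77]: Accepted publickey for ops
Jun  9 11:10:33 host ftpd[1203]: FTP LOGIN FAILED FROM 10.0.0.5
Jun  9 11:40:09 host ftpd[1204]: FTP LOGIN FAILED FROM 10.0.0.5
Jun  9 11:50:45 host ftpd[1205]: FTP LOGIN FAILED FROM 10.0.0.5
"""
LINES = SAMPLE_LOG.splitlines()
NOW = datetime(2003, 6, 9, 11, 51, 28)  # constructed "current time" for the demo
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Classic BSD syslog header: "Mon dd HH:MM:SS" (day space-padded, no year).
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

def parse_ts(line, year):
    """Return the line's timestamp as a datetime; the year is assumed, not parsed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def count_by_hour_prefix(lines, pattern, now):
    """The grep approach from the thread: match the 'Jun  9 11' prefix only."""
    prefix = f"{now:%b} {now.day:2d} {now:%H}"
    return sum(1 for ln in lines if ln.startswith(prefix) and re.search(pattern, ln))

def count_sliding_window(lines, pattern, now, window_minutes=60):
    """Count matching lines whose timestamp lies in (now - window, now]."""
    cutoff = now - timedelta(minutes=window_minutes)
    n = 0
    for ln in lines:
        ts = parse_ts(ln, now.year)
        if ts is not None and cutoff < ts <= now and re.search(pattern, ln):
            n += 1
    return n

def should_alert(lines, pattern, now, threshold=10, window_minutes=60):
    """True when more than `threshold` matches fell inside the trailing window."""
    return count_sliding_window(lines, pattern, now, window_minutes) > threshold

if __name__ == "__main__":
    print("hour-prefix count:", count_by_hour_prefix(LINES, "ftpd", NOW))      # 3
    print("sliding-window count:", count_sliding_window(LINES, "ftpd", NOW))  # 4
```

The 10:58:40 entry is what the hour-prefix grep drops: it is inside the last 60 minutes but in the previous clock hour, so a cron job using the prefix under-counts right after each hour rolls over.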