
Re: syslog scanner

Donny Jekels
Respected Contributor

syslog scanner

Anyone know of a syslog scanner floating around? Looking for a tool/script (perl || ksh) to scan the syslog constantly, looking for errors.

2 choices - build my own or get a working copy and build from there.


"Vision, is the art of seeing the invisible"
Steven E. Protter
Exalted Contributor

Re: syslog scanner

I wrote one looking for lbolts. It sends an email if it finds one. It could be run by cron on a regular basis.

Attached:

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ben Thomas
Occasional Advisor

Re: syslog scanner

We use logcheck.sh. From the script:
#!/bin/sh
#
# logcheck.sh: Log file checker
# Written by Craig Rowland
#
# This file needs the program logtail.c to run
#
# This script checks logs for unusual activity and blatant
# attempts at hacking. All items are mailed to administrators
# for review. This script and the logtail.c program are based upon
# the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
# (c)Trusted Information Systems Inc. The original authors are
# Marcus J. Ranum and Fred Avolio.
#
# Default search files are tuned towards the TIS Firewall toolkit and
# the TCP Wrapper program. Custom daemons and reporting facilities
# can be accounted for as well...read the rest of the script for
# details.

Don't remember where it came from, but we centralize syslog data for about 25 systems and use this to manage it.
Bill Hassell
Honored Contributor

Re: syslog scanner

It is really difficult to generalize a syslog scanner as you have no control over the error message content. You can use a simple grep -i -e to find typical error flags:

grep -i -e warn -e err -e fail -e crit /var/adm/syslog/syslog.log

But to prevent seeing the same messages over and over, you need to:

1. compress and archive the current log and start a new log.

2. 'remember' the size of syslog (in lines) from the previous scan and start the new scan from lines+1 to the end.

3. Use logger to create a marker in the log for each scan and start the new scan after the last marker.

As with any syslog scanner, you need to manually review the entries that are skipped in the log scanner to make sure important messages are not missed, and then adjust the grep -e options accordingly.


Bill Hassell, sysadmin
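The approach Bill describes, written out as a small POSIX sh script. This is an added example, not code posted in the thread or shipped with HP-UX: the flag list is Bill's grep, and the two functions implement his options 2 (remember the line count) and 3 (scan after a logger marker). The log path, state file, marker tag "LOGSCAN-MARK" and every sample log line are constructed for the illustration; the only tools assumed are sh, grep, tail, wc, awk and date.

```shell
#!/bin/sh
# Incremental syslog scanner: grep the usual error flags, but only over the
# lines appended since the previous scan. Added example, not from the thread.
# Log path, state file, marker tag and sample log lines are all made up.

# Bill's flag list; -i makes the match case-insensitive.
PATTERNS="-i -e warn -e err -e fail -e crit"

# Tag marking where the previous scan stopped. In production you would write it
# with `logger -t logscan LOGSCAN-MARK` so syslogd timestamps it like any message.
MARK="LOGSCAN-MARK"

# scan_by_count LOG STATEFILE
# Option 2: remember the log's line count in STATEFILE and scan from that
# line + 1. If the log is now shorter than remembered, it was archived and
# restarted, so scan from the top; without this check a freshly rotated log
# would be skipped until it grew past the old count.
scan_by_count() {
    log=$1
    state=$2
    total=$(wc -l < "$log" | tr -d ' ')
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    [ "$total" -lt "$last" ] && last=0
    # tail -n +K prints from line K onward. grep exits 1 when nothing
    # matched, which is the normal quiet case, not an error.
    tail -n +$((last + 1)) "$log" | grep $PATTERNS || true
    echo "$total" > "$state"
}

# scan_by_marker LOG
# Option 3: print only the lines after the most recent MARK line, then append
# a fresh marker. A log that has no marker yet is scanned whole.
scan_by_marker() {
    log=$1
    awk -v tag="$MARK" 'index($0, tag) { buf = ""; next } { buf = buf $0 "\n" }
                        END { printf "%s", buf }' "$log" | grep $PATTERNS || true
    # Stand-in for `logger -t logscan "$MARK"`, which needs a running syslogd.
    echo "$(date '+%b %e %H:%M:%S') hpbox logscan: $MARK" >> "$log"
}

# Demonstration on a constructed sample log (hypothetical host "hpbox").
demo() {
    dir=$(mktemp -d)
    log=$dir/syslog.log
    cat > "$log" <<'EOF'
Mar  3 10:01:02 hpbox syslogd: restart
Mar  3 10:01:10 hpbox sshd[1234]: Accepted publickey for donny from 10.0.0.5
Mar  3 10:01:15 hpbox sshd[1240]: Failed password for root from 10.0.0.9
Mar  3 10:02:00 hpbox vmunix: LVM: WARNING: VG 64 0x010000: Lost quorum
Mar  3 10:02:30 hpbox su: - 1 donny-root
Mar  3 10:03:00 hpbox cron[2001]: Error: cannot open /var/spool/cron/crontabs
EOF
    echo "== first scan, every line is new (3 hits expected):"
    scan_by_count "$log" "$dir/state"
    echo "== second scan, nothing appended (no hits expected):"
    scan_by_count "$log" "$dir/state"
    echo 'Mar  3 10:05:00 hpbox vmunix: SCSI: ERROR: disk failure on c2t1d0' >> "$log"
    echo "== third scan, one new line matching both err and fail (1 hit):"
    scan_by_count "$log" "$dir/state"
    echo "== marker scan over the whole log, then a marker is appended:"
    scan_by_marker "$log"
    rm -rf "$dir"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh logscan.sh demo` to see the three passes. For cron use, call `scan_by_count /var/adm/syslog/syslog.log /var/adm/logscan.state` and mail whatever it prints; as Bill says, review what the grep skips now and then and widen the `-e` list accordingly.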