logalizer(8) logalizer(8)
NAME
logalizer - generates reports from log files
SYNOPSIS
logalizer [ -d ] < report-config-file >
DESCRIPTION
logalizer is a perl script that analyzes log files and
emails you the results. One of the most important things a
system administrator should do is examine the system log
files. However, most system administrators have neither
the time nor the inclination to do so. After setting up
appropriate site filters (a bit of work), logalizer will
automatically generate reports from the log files so that
administrators can more easily detect attempted break-ins
or problems with their systems.
Report control (or configuration) files tell logalizer
which log files to examine. For each file examined,
logalizer applies two filters. First, it applies a filter
file of regular expressions that select which records of
the log file are to be included in the report; then it
applies a second filter file of regular expressions that
exclude records from those kept by the first filter.
Each log file can be processed any number of times to
produce different types of reports. For example, at this
site (www.sibbald.com), an attacks report is run once per
hour that examines the log files for anything that could
be considered a direct attack on the site. Normally,
nothing is found, so no report is generated. Then once
per day, the log files are examined first to find any
security "violations", such as a login being refused, and
second to find any "unusual" log items.
Basic idea of this program:
It processes the log files as many times as you want,
generating separate reports, which are normally emailed in
the same mail message. The report that I run once an hour
is called ATTACKS and the reports that I run once a day
are called VIOLATIONS and UNUSUAL.
ATTACKS are any log entries that seem to be a direct attack
on your system. Only those messages that match the
patterns in the attacks filter file (log.attacks in the
distribution) are included in this report. To get this
report, call logalizer with the logalizer.attacks
"configuration" file on the command line, as in:
/etc/logalizer/logalizer /etc/logalizer/logalizer.attacks
This is handy if you want to check for attacks once an
hour but want normal log reporting done once a day. Note
that normally you should not need to change log.attacks.
If you run the logalizer.reports report, as in:
/etc/logalizer/logalizer /etc/logalizer/logalizer.reports
you will get two reports in a single email message, as
follows:
VIOLATIONS are those log entries that seem to be security
violations. Only those messages that match the patterns
in the violations filter file (log.violations) are
included in this report. You will find that messages
matched by log.violations are often not really security
violations. Note that normally you should not need to
change log.violations.
To eliminate such messages, place an entry in
log.violations.ignore. Make sure that the entries placed
in log.violations.ignore are very specific, so that they
ignore only those messages that are truly not violations;
an entry that is too broad silently hides real violations
as well. This file should normally be quite small.
UNUSUAL are those log entries that seem unusual and thus
worthy of reporting. Note that by default the UNUSUAL
report includes all log messages. To eliminate messages
that are considered normal rather than unusual, place an
entry in log.unusual.ignore. I recommend that you start
with an empty file, use the -d option, run logalizer, and
add entries to log.unusual.ignore until you reduce the
noise to a tolerable level.
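The two-pass select/ignore filtering described above, and the effect of an over-broad ignore entry, as an added example in Python. This is not the logalizer Perl script or any of its distribution files: the log lines and the contents of the filter files are constructed for illustration, the VIOLATIONS and UNUSUAL sub-reports follow the page's description, and an ignore entry of just "root" is shown beside a specific one to make the point about specificity concrete.

```python
import re

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 02:14:07 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2
Mar  3 02:14:09 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Mar  3 02:15:01 host CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:16:22 host su[1350]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost= user=root
Mar  3 02:17:45 host kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci
Mar  3 02:18:00 host sshd[1400]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
"""

# Constructed filter-file contents, one regular expression per line as the
# page describes.  These are illustrative, not the distribution's log.* files.
VIOLATIONS_SELECT = r"""
# records that look like security violations
Failed password
authentication failure
refused
"""

# Specific ignore entry: only alice's interactive su to root on a local tty.
VIOLATIONS_IGNORE_SPECIFIC = r"""
su\[\d+\]: pam_unix\(su:auth\): authentication failure; logname=alice .* rhost= user=root
"""

# Over-broad ignore entry aimed at the same su line: it also swallows the
# password-guessing attempt against root, which is a real violation.
VIOLATIONS_IGNORE_LOOSE = r"""
root
"""

# UNUSUAL selects everything and is trimmed only by its ignore file.
UNUSUAL_SELECT = "."
UNUSUAL_IGNORE = r"""
CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)
sshd\[\d+\]: Accepted publickey for \w+ from [0-9.]+ port \d+ ssh2
"""


def load_patterns(text):
    """Parse a filter file: one regex per line; blank lines and '#' comments skipped."""
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def subreport(lines, select, ignore):
    """Pass 1 keeps records matching any select pattern; pass 2 drops any of
    those that match an ignore pattern (the order the page describes)."""
    kept = [l for l in lines if any(p.search(l) for p in select)]
    return [l for l in kept if not any(p.search(l) for p in ignore)]


def run_reports(log_text, violations_ignore=VIOLATIONS_IGNORE_SPECIFIC):
    """Build the VIOLATIONS and UNUSUAL sub-reports for one log as a dict."""
    lines = log_text.splitlines()
    return {
        "VIOLATIONS": subreport(lines, load_patterns(VIOLATIONS_SELECT),
                                load_patterns(violations_ignore)),
        "UNUSUAL": subreport(lines, load_patterns(UNUSUAL_SELECT),
                             load_patterns(UNUSUAL_IGNORE)),
    }


if __name__ == "__main__":
    for label, ignore in (("specific", VIOLATIONS_IGNORE_SPECIFIC),
                          ("loose", VIOLATIONS_IGNORE_LOOSE)):
        print(f"--- violations ignore file: {label} ---")
        for name, recs in run_reports(SAMPLE_LOG, ignore).items():
            if recs:  # an empty sub-report is not printed, as the page describes
                print(f"==== {name} ({len(recs)} records) ====")
                print("\n".join(recs))
```

With the specific ignore entry, VIOLATIONS contains the two failed-password records and drops only alice's su; with the loose entry "root", the failed password for root disappears along with it and only the "invalid user admin" record survives.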
OPTIONS
-d Puts logalizer in debug mode. In debug mode,
logalizer scans the full contents of the log
files specified in the report configuration
file, and prints the results rather than
emailing them.
DEFAULT FILE LOCATION
The default location of the control files is:
/etc/logalizer
FILES
logalizer              main perl script
newtail                perl script to print the tail of a
                       log file
logalizer.attacks      Attack configuration file. Usually
                       run once per hour.
logalizer.reports      Report configuration file. Usually
                       run once per day.
log.attacks            Attacks filter file for log files
log.violations         System violations filter file
log.violations.ignore  System violation events to ignore
log.unusual            Unusual system events filter file
log.unusual.ignore     Unusual system events to ignore
attacks.ctl            Control file used by newtail to
                       remember the part of the log files
                       already processed for previous
                       attacks reports.
reports.ctl            Control file used by newtail to
                       remember the part of the log files
                       already processed for previous
                       reports.
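How a per-report control file lets each run pick up where the previous one stopped, as an added example in Python. This is not the newtail script, whose file format and exact behaviour the page does not describe; the JSON control-file layout, the inode check for a rotated log, and the choice that a -d style full scan leaves the saved position untouched are assumptions of this example. The log file and its contents are constructed in a temporary directory.

```python
import json
import os
import tempfile


def load_ctl(ctl_path):
    """Read the control file.  JSON keyed by log path is an assumption of this
    example; the page only says newtail keeps one such file per report."""
    try:
        with open(ctl_path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_ctl(ctl, ctl_path):
    """Write the control file atomically, so a crash mid-write cannot leave a
    corrupt file that makes the next run re-report or skip records."""
    tmp = ctl_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(ctl, f)
    os.replace(tmp, ctl_path)


def tail_new_lines(log_path, ctl, full_scan=False):
    """Return the complete records appended to log_path since the position
    stored in ctl, and advance that position.

    If the inode changed (logrotate moved the file aside) or the file is now
    shorter than the saved offset (truncated in place), restart from offset 0:
    seeking to the stale offset would silently skip everything written since.
    full_scan=True mimics the -d option: read the whole file and, by
    assumption here, do not move the saved position."""
    st = os.stat(log_path)
    state = ctl.get(log_path, {"inode": st.st_ino, "offset": 0})
    offset = 0 if full_scan else state["offset"]
    if state["inode"] != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1  # a partially written last line is re-read next run
    lines = data[:end].decode("utf-8", "replace").splitlines()
    if not full_scan:
        ctl[log_path] = {"inode": st.st_ino, "offset": offset + end}
    return lines


def demo():
    """Run the tailer through a first scan, an append, a rotation and a full
    scan on a constructed log; return the record count each run saw."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        ctl_path = os.path.join(d, "reports.ctl")
        counts = []

        def run(full_scan=False):
            ctl = load_ctl(ctl_path)
            counts.append(len(tail_new_lines(log, ctl, full_scan)))
            save_ctl(ctl, ctl_path)

        with open(log, "w") as f:
            f.write("one\ntwo\nthree\n")
        run()                       # 3: nothing recorded yet
        with open(log, "a") as f:
            f.write("four\nfive\n")
        run()                       # 2: only the appended records
        os.rename(log, log + ".1")  # logrotate-style: old file moved aside,
        with open(log, "w") as f:   # a new, shorter file takes its name
            f.write("six\n")
        run()                       # 1, not 0: inode changed, restart at 0
        with open(log, "a") as f:
            f.write("seven\n")
        run(full_scan=True)         # 2: -d style rescan of the whole file
        run()                       # 1: the full scan did not move the saved offset
        return tuple(counts)


if __name__ == "__main__":
    print(demo())  # (3, 2, 1, 2, 1)
```

The rotation check matters for an hourly attacks report: without it, the first run after logrotate seeks past the end of the fresh, short file, reads nothing, and the attack records written since the rotation are never reported.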
SEE ALSO
newtail(8) -- not yet written. See source.
CREDITS
This program was based on an idea that I obtained from the
logcheck program written by Craig Rowland
crowland@psionic.com.
He based logcheck on the frequentcheck.sh script from
Gauntlet(tm) Firewall (c) Trusted Information Systems Inc.
The original authors are Marcus J. Ranum and Fred Avolio.
I have never seen the frequentcheck.sh script. However, I
did use logcheck for a short time, and I found the basic
concept very elegant, and it produced the results that I
was looking for. Unfortunately the license agreement that
Mr. Rowland provides is a bit unclear. Consequently, using
the basic idea, I wrote a new package from scratch in a
different language (perl instead of C and a shell script).
The new package is named logalizer, and is much more
general and configurable than logcheck. You can create any
number of reports by simply defining a new report file
(e.g. logalizer.reports, logalizer.attacks). You can have
any number of subreports in a single report. I've kept
the idea of violations and unusual, but you can define any
number of classifications. Your file system is not
polluted with files that retain the last log file position
scanned. With logalizer, this information is kept in a
single file per report, normally in /etc/logalizer
(e.g. attacks.ctl and reports.ctl in the distribution).
LICENSE
logalizer is in the public domain. Of course, if you use
it, credits where appropriate would be appreciated.
BUGS
The parsing of the reports files is pretty brain damaged.
It doesn't in general permit spaces.
AUTHOR
Kern Sibbald < kern at sibbald dot com >
www.sibbald.com