LOGALERT

Gabriel Armbrust Araujo
08/02/2005

NAME

logalert - watch files for specific patterns

SYNOPSIS

NORMAL MODE:

logalert -m PATTERN -e COMMAND [OPTION] [FILENAME]

PARENT MODE:

logalert -c CONFIGFILE

DESCRIPTION

logalert is a logfile monitoring tool which executes a specific action whenever it matches a string (pattern) occurrence.

It reads an entire file (or starts at the end, just like tail -f), keeps track of any changes, waiting for a specific pattern (a syslog process error, a user login, ...) and fires an action you define when that happens.

logalert uses regular expression to match the pattern occurrence and executes commands via shell interaction. It deals fine with logrotation and temporary removal normally used by sysadmins.

OPTIONS

-m, --match=PATTERN
match any occurrence of PATTERN. Uses regular expression.

-e, --exec=COMMAND
Executes COMMAND if pattern is found. This command is executed via the default user SHELL. Please be caution - this may be a security issue.

-c, --config-file=CONFFILE
PARENT MODE ONLY - configuration file listing one or more files to monitor and their respec. options. This is a standalone option. Please reffer to PARENT MODE section bellow.

-s, --match-sleep=SECONDS
number of seconds after a match we disable execution command. Sometimes a pattern may appear multiple times, but we would like to execute only once. We execute the command for the first match and then disable it for SECONDS period of time.

-r, --retry=RETRY
how many times we'll try to open/read the logfile before giving up.

-b, --from-begin
Default mode is to start reading from the end of the file. It this is set we will read the entire file.

-u, --user=USER
run as USER. Considering using this always as a security measure.

-v, --verbose
If set, we'll display the output to stdout (just like tail -c).

NORMAL MODE

In short, you specify all options in command line and run one instance of logalert monitoring one file.

  logalert -m '[Oo]pss' -e '/etc/mailme.sh' -b somefile 

If FILENAME is not defined, then stdin is used. So you can do some pipe, like this:

  cat somefile | logalert -m '[Oo]pss' -e '/etc/mailme.sh' 

PARENT MODE

This is for system administrators who whish to monitor multiple files, differente options and actions. Just create a simple configuration file with the following syntax:

  filename name-of-the-file
  {
  
          match           = /PATTERN/
          exec            = COMMAND
          match_sleep     = INTEGER
          retry           = INTEGER
          user            = USER
  
  }

EXAMPLES

1

Imagine you have a VPN in your firewall server and would like to restart it everytime it goes down. The process related to the VPN reports it's information via syslog to the file /var/log/vpn .

Everytime a problem occurs, it dumps a message :

  'Error: VPN lost connection'

You already have a script in /etc/init.d/startprocess that [re]starts the VPN, so you could:

  ./logalert --match='[Ee]rror: VPN lost connection' --exec='/etc/init.d/startprocess restart' /var/log/vpn

2

You have multiple logfiles and different options/actions ?

Create a configuration file like this:

  -------
  filename /var/log/messages
  {
          match           = /[Ee][Rr]{2}or: VPN lost connection/
          exec            = /etc/init.d/vpn restart
          match_sleep     = 10
          retry           = 3
          user            = vpnuser
  }
  
  filename /var/log/mail
  {
          match           = /Bounce from:/
          exec            = /home/willy/alertme.sh
          match_sleep     = 5
          retry           = 3
          user            = willy
  }
  -------
  

And starts logalert in PARENT mode:

  logalert -c /etc/logalert.conf

NOTES

(1) Commands are executed using SHELL -c command .

(2) Configuration file braces must always be in a separated line.

BUGS, FEEDBACK

I welcome any feedback about logalert. Please email them to <gabriel@icaro.com.br>

AUTHOR

Written by Gabriel Armbrust Araujo