# log analyzers?

## corey_s

I'm trying to set up a system which will fire off a script when remote ftp & sftp connections quit/conclude.

I've not been successful in locating an option such as a .logout or .bash_logout functional equivalent with ftp/sftp, so I figure perhaps another solution would be to use some sort of log analyzer that is able to execute arbitrary command(s) when it sees a particular syslog entry that it has been configured to parse for.

Anyone have any suggestions?

Thanks!

----------

## think4urs11

Hi,

maybe these can help:

```
*  app-admin/logwatch
      Latest version available: 4.3.2
      Size of downloaded files: 56 kB
      Homepage:    http://www.logwatch.org/
      Description: Analyzes and Reports on system logs
      License:     MIT

*  app-admin/tenshi
      Latest version available: 0.3.3
      Size of downloaded files: 21 kB
      Homepage:    http://tenshi.gentoo.org
      Description: Log parsing and notification program
      License:     GPL-2

*  app-admin/yaala
      Latest version available: 0.6.3
      Size of downloaded files: 34 kB
      Homepage:    http://yaala.org/
      Description: Yet Another Log Analyzer
      License:     GPL-2
```

HTH

T.

----------

## mxc

Does anyone have suggestions on a log file monitor that will monitor the file in real time and take action when critical events occur? It would be great if this could be integrated into nagios.

----------

## transienteagle

peeps,

take a look at this thread, in particular the comments about metalog's capabilities (towards the bottom); maybe something like this is what you are after.

https://forums.gentoo.org/viewtopic-t-312125-highlight-metalog+conf.html

rgds

TE

----------

## corey_s

I will check out metalog a little further ( the other suggestions weren't a fit unfortunately ), although I believe I've found the hot ticket: logfmon.

Not in portage ( maybe I'll make an ebuild ), but check it out:

"Logfmon monitors a set of log files and processes messages based on a set of regexps. When a message matches, a command may be executed or the message may be ignored."

http://sourceforge.net/projects/logfmon/

http://logfmon.sourceforge.net/

I haven't actually tested it yet, but it appears to be exactly what mxc and myself are looking for.

I'll post back within a day to confirm.

Beers!

----------

## sgtrock

Did logfmon do the job for you?

----------

## mxc

tenshi - from gentoo does a good job - except for the fact that you need to reset permissions on /var/log/messages every time you reboot to allow the tenshi user read permission.  :Sad:  Only the root user has read permission by default and this gets reset every reboot.

----------

## corey_s

 *sgtrock wrote:*   

> Did logfmon do the job for you?

 

Nope, I didn't like it...  

It just didn't quite fit what I was trying to do: simply execute an arbitrary program/task/script upon parsing a particular line/entry/event in a log file.   Logfmon wanted to generate an alert email and/or do something for every log entry that _was_not_ specifically ignored... very annoying, and a little bit "backwards" if you ask me.  ( would have been better to ignore everything by default, and configure it to look for specific entries that you wanted to be acted upon. )

I could have probably gotten it to work with some fiddling, but instead I ended up just writing a daemon in perl that did exactly what I wanted.

( But I just saw the post by mxc about tenshi - I think I'll give it a whirl and try it out )

----------

## think4urs11

did you already try net-analyzer/sec?

 *SEC description wrote:*   

> SEC is an open source and platform independent event correlation tool that was designed to fill the gap between commercial event correlation systems and homegrown solutions that usually comprise a few simple shell scripts. SEC accepts input from regular files, named pipes, and standard input, and can thus be employed as an event correlator for any application that is able to write its output events to a file stream.

 

 *SEC featurelist wrote:*   

> among many other options it can...
> 
>     * match input event and execute an action list.
> ...

 

HTH

T.

----------

## corey_s

 *Think4UrS11 wrote:*   

> did you already try net-analyzer/sec?

 

Killer - after reading through the docs, this looks like the hot ticket; exactly what I was looking for. ( Looks like I'll probably just scrap the perl daemon I was working on... )

It may be a bit overkill for the specific single and simple requirement that I have, but at least it has the exact feature I'm in need of.

( tenshi didn't work out either... more of a log analyzer that emailed alerts, rather than an event processor that could execute arbitrary scripts. )

Thanks a ton Think4UrS11 - this looks like a really useful tool!

Beers!

Corey
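The behaviour the thread keeps circling back to (ignore every log line by default, and only when a line matches a configured pattern run an arbitrary command, the "match input event and execute an action list" feature from the SEC description) is small enough to show end to end. The following is an added example written for this thread; it is not corey_s's perl daemon, nor code from SEC, tenshi or logfmon. The sshd-style sample lines and the `/usr/local/bin/on-session-close` handler path are constructed for the demonstration. Actions are argv lists executed without a shell, because the text that ends up in a log line (a username, a client address) is chosen by whoever connected, so it must never be interpolated into shell syntax.

```python
#!/usr/bin/env python3
"""Minimal "match a log line, run a command" watcher (added example, not
from the thread). Ignore-by-default: a line triggers an action only when it
matches a configured rule; everything else is silently dropped."""
import os
import re
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Iterator, List, Pattern


@dataclass(frozen=True)
class Rule:
    pattern: Pattern[str]   # compiled regex; named groups become template fields
    command: List[str]      # argv template, "{name}" is replaced by the named group


def expand_command(rule: Rule, match: "re.Match") -> List[str]:
    """Substitute named groups into the argv template one element at a time.
    Group values are inserted as data; they are never re-parsed as a template
    or as shell syntax, so log content cannot change the command structure."""
    groups = {k: (v if v is not None else "") for k, v in match.groupdict().items()}
    return [arg.format(**groups) for arg in rule.command]


def dispatch(line: str, rules: List[Rule], execute: bool = False) -> List[List[str]]:
    """Return the argv list for every rule the line matches; run them when
    execute=True. A line matching no rule returns [] and is ignored."""
    fired = []
    for rule in rules:
        m = rule.pattern.search(line)
        if m is None:
            continue
        argv = expand_command(rule, m)
        fired.append(argv)
        if execute:
            subprocess.Popen(argv)  # no shell=True; do not block the log reader
    return fired


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield lines appended to `path` (tail -F style), reopening after logrotate."""
    fh = open(path, "r", errors="replace")
    fh.seek(0, os.SEEK_END)
    inode = os.fstat(fh.fileno()).st_ino
    while True:
        line = fh.readline()
        if line:
            yield line.rstrip("\n")
            continue
        time.sleep(poll)
        try:
            if os.stat(path).st_ino != inode:  # file was rotated or replaced
                fh.close()
                fh = open(path, "r", errors="replace")
                inode = os.fstat(fh.fileno()).st_ino
        except FileNotFoundError:
            pass  # rotation in progress; keep reading the old handle


# Hypothetical handler script (an assumption of this example): runs once per
# closed session with the username and sshd pid as separate arguments.
RULES = [
    Rule(re.compile(r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
                    r"session closed for user (?P<user>\S+)"),
         ["/usr/local/bin/on-session-close", "{user}", "{pid}"]),
]

# Constructed sample lines in the shape of sshd syslog entries (not real logs).
# The third one carries a username with a shell metacharacter to show that it
# arrives at the handler as one plain argument.
SAMPLE_LINES = [
    "Jun  1 12:00:01 gw sshd[1234]: subsystem request for sftp by user alice",
    "Jun  1 12:05:42 gw sshd[1234]: pam_unix(sshd:session): session closed for user alice",
    "Jun  1 12:06:00 gw sshd[1300]: pam_unix(sshd:session): session closed for user guest;id",
]


def demo() -> List[List[str]]:
    """Run the rules over the sample lines without executing anything."""
    fired = []
    for line in SAMPLE_LINES:
        fired.extend(dispatch(line, RULES))
    return fired


if __name__ == "__main__":
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/messages"
    for entry in follow(log_path):
        dispatch(entry, RULES, execute=True)
```

Run it as `python3 watcher.py /var/log/messages` under a user that can read the log (see the permissions point raised later in the thread); `demo()` exercises the rule set offline. The subsystem-request line is deliberately not matched: the thread wants to act on the end of a session, and the ignore-by-default design means noise needs no explicit rule.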

----------

## think4urs11

Glad to be helpful.

as soon as someone understands the concept behind it, it's the best thing since the invention of sliced bread  :Wink: 

Personally i'm not too far from unmerging logwatch/tenshi and alike and use sec only for all kinds of log checking.

----------

## abt72

@mxc

you can change the file permissions for /var/log/messages in /etc/syslog-ng/syslog-ng.conf, so you don't have to change them manually after each reboot.

abt72
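As an added illustration of abt72's point (this fragment is not from the thread or from the syslog-ng project's documentation), the file destination in syslog-ng.conf can set the owner, group and mode of the log it creates, so a reader running under its own account gets access through group membership instead of a world-readable /var/log/messages. It assumes a system group named `tenshi` exists and that the tenshi daemon runs in it; adapt the group name to whatever account your log watcher uses.

```conf
# Added example: let the "tenshi" group read /var/log/messages (mode 0640)
# without a chmod after every reboot and without making the file world-readable.
destination messages {
    file("/var/log/messages" owner("root") group("tenshi") perm(0640));
};
```

After restarting syslog-ng, `ls -l /var/log/messages` should show `-rw-r----- root tenshi`; the setting is applied each time the destination file is created, so it survives log rotation and reboots.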

----------

