
Re: log_analysis configuration



On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> Hi Mathias,

Hi Anne,

I'm sending this one to the list again; I hope this is OK.

> 
> Actually, it is a good start. The developer sent me a tutorial,
> and I'm going to help him work on it for the clueless folks like
> me :)
> 
> > config_version 0.38
> 
> Good, we're using the same version (I'm not surprised since 
> Debian hasn't upgraded this yet).
> 
> > add arr log_type_list=
> > iptables
> > 
> > add arr log_type_list=
> > iptables
> 
> Ok, what is "add arr log_type_list" and why do you have this twice?
> 
This is just a name for a new type of log file where all the
definitions that follow apply.

I am sure the doubling is by accident. As I said, I got a config
somewhere else and rewrote it according to my needs.

> > add arr iptables_filenames=
> > iptables
> 
> Ok, so that's the filename you're reading from, right?
> 

It is the root of the logfiles the log_type "iptables" applies to.
This rule actually reads iptables.0 ... or iptables.1.gz (when called
with argument -a)


You need to read about "perl regular expressions" (man perlre or heaps
of other sources about regular expressions) to understand the following
and write your own configs. I am no expert in regexps and am sure you
could write better ones. Regexps being a powerful tool, it is worthwhile
to learn about them, so you won't waste your time.

> > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
> 

Translated this means:

the brackets are just groupings

- ^ Match the beginning of the line
- ?: some switch; I can't remember why I put it there
- Jan|Feb|Mar... matches Jan or Feb or Mar or ...
- + match at least one time
- \s match a whitespace (space, tab or similar)
- \d{1,2} match one or two digits
- \: match a : (: is a special character and needs to be escaped)

hence it matches a string like

Oct  9 17:34:27

at the beginning of the line.

> 
> Ok, quick question:
> 
> What does +\s +\d do? I take it +d is an integer and +s is a string?
> 

See the above.

> > set var iptables_date_format=%b %e
> 
> Not sure what %b and %e give you.

Read man strftime. I am not sure what it really does.

> 
> > logtype: iptables
> > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> 
> I take *'s work like they do in the shell?
>

The . matches any character and the * matches the preceding
character 0 or more times. I am not sure if the "preceding character" is
the dot or the character replacing the dot. 

> > use_sprintf
> > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> 
> I have simple "format:" sections like:
> format: STMP from $1 to $2
> 
> What does use_sprintf buy you?

I actually don't know; I guess sprintf just sounded familiar (knowing C
quite well), so I didn't search for anything else.


> 
> > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> 
> Do the periods (.) give you anything if they aren't escaped with a \?
> 

See before.


Alright, hope this answers some of your questions. Good luck and thanks
for writing the tutorial. I'd be interested in it and would be glad if
you could notify me where to find it. 

Mathias
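An added example, not part of Mathias's message or of log_analysis itself, that runs the two config patterns from this thread over a few constructed iptables lines in Python (Python's re module reads these particular perlre constructs the same way). It also settles the points the thread leaves open: `(?:...)` is a non-capturing group, so the month alternation is grouped without becoming $1 (the `+` after it would only matter if a month name repeated, which real syslog lines never do); `*` applies to the preceding atom, here the `.`, so `.*` means "any run of characters" and is greedy; and strftime's `%b %e` is the abbreviated month name followed by the space-padded day, exactly the "Oct  9" form the date pattern captures. `$ip_pat` is defined by log_analysis; the dotted-quad regex here is an assumed stand-in, and the log lines and addresses are constructed, not captured data.

```python
import re

# Constructed sample lines in the shape of the "tungurahua kernel: CHAIN ..."
# messages quoted in the thread (hypothetical addresses and ports).
SAMPLE_LOG = """\
Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 PROTO=TCP SPT=33422 DPT=22 SYN
Oct  9 17:34:28 tungurahua kernel: CHAIN OUTPUT IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 LEN=40 TTL=64 PROTO=TCP SPT=22 DPT=33422 ACK
Oct 10 08:01:05 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TTL=53 PROTO=ICMP TYPE=8 CODE=0
Oct 10 08:02:11 tungurahua sshd[1234]: Accepted publickey for anne from 192.0.2.10 port 33422
"""

# iptables_date_pattern from the config, verbatim. (?:...) is non-capturing:
# the month names are grouped for the alternation but do not become $1;
# the outer (...) is $1 and yields e.g. "Oct  9".
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+")

# $ip_pat comes from log_analysis itself; this dotted-quad is an ASSUMED stand-in.
IP_PAT = r"\d{1,3}(?:\.\d{1,3}){3}"


def build_chain_patterns(proto_group=r"(.*)"):
    """Compile the INPUT and OUTPUT "pattern:" lines from the config.

    $1 = SRC, $2 = DST, $3 = PROTO, as in the posted config. The default
    proto_group is the posted "(.*)"; pass r"(\\S+)" for a tighter capture.
    """
    return {
        chain: re.compile(
            rf"tungurahua kernel: CHAIN {chain}.*SRC=({IP_PAT}).*DST=({IP_PAT}).*PROTO={proto_group}")
        for chain in ("INPUT", "OUTPUT")
    }


def match_line(line, patterns):
    """Return (date, chain, src, dst, proto) for a matching line, else None."""
    date = DATE_PATTERN.match(line)          # anchored with ^, like the config
    if not date:
        return None
    for chain, pat in patterns.items():
        m = pat.search(line)                 # "pattern:" lines are unanchored
        if m:
            return (date.group(1), chain, m.group(1), m.group(2), m.group(3))
    return None


def format_event(src, dst, proto):
    """The use_sprintf line: "%-3s packet from %-15s to %-15s", $3, $1, $2.

    %-Ns is a MINIMUM width, left-justified: a longer $3 is not truncated.
    """
    return "%-3s packet from %-15s to %-15s" % (proto, src, dst)


def analyse(log_text, proto_group=r"(.*)"):
    """Run the config over a log text and return the formatted report lines."""
    patterns = build_chain_patterns(proto_group)
    report = []
    for line in log_text.splitlines():
        hit = match_line(line, patterns)
        if hit:
            _date, _chain, src, dst, proto = hit
            report.append(format_event(src, dst, proto))
    return report


if __name__ == "__main__":
    print("As posted, PROTO=(.*) swallows the rest of the line:")
    for row in analyse(SAMPLE_LOG):
        print(" ", row)
    print("With PROTO=(\\S+), $3 is just the protocol:")
    for row in analyse(SAMPLE_LOG, r"(\S+)"):
        print(" ", row)
```

Running it shows the practical caveat of the posted pattern: because `.*` is greedy, `PROTO=(.*)` captures `TCP SPT=33422 DPT=22 SYN`, so the `%-3s` column holds the whole tail of the line rather than the protocol. `PROTO=(\S+)` (one or more non-whitespace characters) captures just `TCP` or `ICMP`, which is what the three-character column was sized for. The sshd line is ignored because neither chain pattern matches it, which is the intended filtering behaviour of a per-log-type pattern.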


