-
-
Notifications
You must be signed in to change notification settings - Fork 3
logalert.8
logalert - watch files for specific patterns
NORMAL MODE:
logalert -m PATTERN -e COMMAND [OPTION] [FILENAME]
PARENT MODE:
logalert -c CONFIGFILE
logalert is a logfile monitoring tool which executes a specific action whenever it matches a string (pattern) occurrence.
It reads an entire file (or starts at the end, just like tail -f), keeps track of any changes, waiting for a specific pattern (a syslog process error, a user login, ...) and fires an action you define when that happens.
logalert uses regular expression to match the pattern occurrence and executes commands via shell interaction. It deals fine with logrotation and temporary removal normally used by sysadmins.
-m, --match=PATTERN
match any occurrence of PATTERN. Uses regular expression.
-e, --exec=COMMAND
Executes COMMAND if pattern is found. This command is executed via the default user SHELL. Please be caution - this may be a security issue.
-c, --config-file=CONFFILE
PARENT MODE ONLY - configuration file listing one or more files to monitor and their respec. options. This is a standalone option. Please reffer to PARENT MODE section bellow.
-s, --match-sleep=SECONDS
number of seconds after a match we disable execution command. Sometimes a pattern may appear multiple times, but we would like to execute only once. We execute the command for the first match and then disable it for SECONDS period of time.
-i, --match-count=count
number of instances of a pattern occurrence afer which we would like to execute command only once.
-r, --retry=RETRY
how many times we'll try to open/read the logfile before giving up.
-b, --from-begin
Default mode is to start reading from the end of the file. It this is set we will read the entire file.
-u, --user=USER
run as USER. Considering using this always as a security measure.
-v, --verbose
If set, we'll display the output to stdout (just like tail -f).
In short, you specify all options in command line and run one instance of logalert monitoring one file.
logalert -m '[Oo]pss' -e '/etc/mailme.sh' -b somefile
If FILENAME is not defined, then stdin is used. So you can do some pipe, like this:
cat somefile | logalert -m '[Oo]pss' -e '/etc/mailme.sh'
This is for system administrators who whish to monitor multiple files, differente options and actions. Just create a simple configuration file with the following syntax:
filename name-of-the-file
{
match = /PATTERN/
exec = COMMAND
match_sleep = INTEGER
retry = INTEGER
user = USER
}
Imagine you have a VPN in your firewall server and would like to restart it everytime it goes down. The process related to the VPN reports it's information via syslog to the file /var/log/vpn .
Everytime a problem occurs, it dumps a message :
'Error: VPN lost connection'
You already have a script in /etc/init.d/startprocess that [re]starts the VPN, so you could:
./logalert --match='[Ee]rror: VPN lost connection' --exec='/etc/init.d/startprocess restart' /var/log/vpn
You have multiple logfiles and different options/actions ?
Create a configuration file like this:
-------
filename /var/log/messages
{
match = /[Ee][Rr]{2}or: VPN lost connection/
exec = /etc/init.d/vpn restart
match_sleep = 10
match_count = 2
retry = 3
user = vpnuser
verbose
}
filename /var/log/mail
{
match = /Bounce from:/
exec = /home/willy/alertme.sh
match_sleep = 5
retry = 3
user = willy
}
-------
And starts logalert in PARENT mode:
logalert -c /etc/logalert.conf
(1) Commands are executed using SHELL -c command .
(2) Configuration file braces must always be in a separated line.
I welcome any feedback about logalert. Please email them to <gabriel@icaro.com.br>
Written by Gabriel Armbrust Araujo