NAME
     logsurfer - process logfiles and perform certain actions

SYNOPSIS
     logsurfer [ -f ] [ -c configfile ] [ -d dumpfile ] [ -l start_linenum ]
               [ -r start_regex ] [ filename ]

DESCRIPTION
     Logsurfer is a program that works on single text lines from a logfile
     (or from standard input).  It compares each line against the regular
     expressions of a set of "rules" and performs the actions that are
     defined for a match.

     The logsurfer uses "rules" to define actions for messages (single
     lines).  Messages may be collected in "contexts" which are stored in
     memory.  Those contexts have their own default actions (e.g. for
     timeouts).  At start time you have to define a set of rules in the
     configuration file.  While processing log messages the logsurfer is
     able to dynamically add or delete rules, create or destroy contexts,
     invoke external programs for alerting people or to perform further
     automated actions, etc.

     A rule starts with a set of regular expressions.  The message line
     that is being checked has to match the first regular expression but
     must not match the second expression.  The string "-" can be used as
     the second regex if you don't need this "match not" expression.  If
     the message line meets these requirements the associated action is
     taken.  Currently the following actions are allowed: ignore this
     message, execute an external program, pass this message line as
     standard input to an external program, create or delete a context,
     generate a "report", or dynamically add a new rule.  In addition to
     these actions, rules may have a configuration to delete themselves if
     another message (again specified by two regular expressions) is
     processed by the logsurfer or if an optional timeout has occurred.
     Matching of message lines against rules is usually done until the
     first match occurs.  This can be circumvented by specifying a
     "continue" keyword in the rule.  In this case the program will
     continue to search for another match in the rule definitions.

     A context is a set of message lines that have been read by the
     logsurfer.  Again the message lines are specified by two regular
     expressions.  Contexts can be used in "reports" to present a
     collection of messages associated with a specific action (e.g. all
     message lines from one ftp session).  Every context has a default
     action which is launched if either a specified timeout has occurred
     or a configured limit (of line numbers) has been reached.  Default
     actions may be: ignore (drop) this context, execute an external
     program, feed all collected log messages as standard input to an
     external program, or generate a "report".  A report summarizes a
     number of contexts and pipes the result into an external program.

     The normal procedure for each log line is:

     1) Store this line in all matching contexts (as defined by their
        regular expressions); if the self-destroy regex matches, too,
        then the default action of the context is executed and the
        context is deleted.
     2) Find the first matching rule and execute the given action
        (continue rule matching if the rule has the keyword "continue"
        --- see the logsurfer.conf(4) manpage).
     3) Check for the stop-pattern of the rule and in case of a match
        delete the rule.
     4) Check for timeouts of rules and delete the affected rules.
     5) Check for context timeouts and execute their default action.

     Errors (like broken configuration statements or memory problems) are
     reported on standard error.  The syslog mechanism is currently not
     used because this might result in a loop if the logsurfer is
     processing those syslog messages.  It is suggested to start the
     logsurfer and redirect the output (incl. error output) to another
     file.  If necessary you might want to start a second logsurfer that
     is watching the output of the first logsurfer.

     If the program exits the following steps are executed:

     1) The status of all active rules and contexts is dumped to the
        dumpfile.
     2) If contexts have timeout values (other than 0) then a timeout is
        sent to those functions.  This will result in launching the
        default actions of the affected contexts.
     3) Rules and contexts are deleted from memory (cleanup).  This is
        only important for debugging purposes and should have no effect.
     4) If there are still external programs running the logsurfer will
        wait up to 20 seconds to catch them.
     5) The logsurfer exits with a return value of zero (0).

OPTIONS
     -c configfile
          Specify another configuration file for the logsurfer.  The
          default is "/usr/local/etc/logsurfer.conf".

     -d dumpfile
          Specify another dumpfile for the logsurfer.  The logsurfer
          writes the internal information about rules and contexts to
          this file if the program exits or a special signal was sent to
          the process (see NOTES).  The default is
          "/var/tmp/logsurfer.dump".

     -l start_linenum
          Start logfile processing at the given line number.

     -r start_regex
          Start logfile processing with the first line that matches the
          given regular expression.

FILES
     /usr/local/etc/logsurfer.conf   default configuration file
     /var/tmp/logsurfer.dump         dump of the rules and contexts

SEE ALSO
     logsurfer.conf(4), swatch(8)

NOTES
     This program may consume a lot of memory.  Resource control should
     be done by the operating system (for example by setting limits).
     The program was designed to fall back to a defined state if some
     resources are not available.

     The following signals have the specified effect when sent to the
     logsurfer program using the kill(1) command.

     SIGHUP
          Reopens the logfile (to be analyzed).  Processing starts with
          the first line in this file.  This can be used after "shifting"
          logfiles and creating new logfiles.

     SIGUSR1
          Dump the internal state of all active rules and the collected
          contexts to the dumpfile "/var/tmp/logsurfer.dump".

     SIGTERM
          Dumps the state to the dumpfile (see above) and exits.

BUGS
     My programs never have bugs.  They just develop random features.  If
     you discover such a feature and you want it to be removed: please
     send an email to ley@cert.dfn.de (Wolfgang Ley)
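The following Python sketch is an added illustration of the per-line procedure described under DESCRIPTION; it is example code written for this page, not part of logsurfer itself. It models contexts (two regexes, self-destroy regex, line limit, timeout), rules (two regexes, action, the "continue" keyword, stop-pattern, timeout) and runs the five processing steps in the order given above over a handful of constructed log lines. The names Surfer, Context, Rule and run_demo, the assumption that the stop-pattern of every active rule is tested against each line (not only the rule that just fired), and the seeding of a new context with the line that opened it are choices of this example, not documented logsurfer behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Added example modelling logsurfer's per-line procedure; not logsurfer's own code.

def _hit(match: re.Pattern, not_match: Optional[re.Pattern], line: str) -> bool:
    """The two-regex test: the line must match the first regex and not the second."""
    return bool(match.search(line)) and not (not_match and not_match.search(line))

@dataclass
class Context:
    match: re.Pattern
    not_match: Optional[re.Pattern]
    stop: Optional[re.Pattern]                   # self-destroy regex
    line_limit: int                              # 0 = no limit
    timeout: float                               # seconds, 0 = no timeout
    default_action: Callable[[List[str]], None]
    created: float
    lines: List[str] = field(default_factory=list)

@dataclass
class Rule:
    match: re.Pattern
    not_match: Optional[re.Pattern]
    action: Callable[["Surfer", str], None]
    cont: bool = False                           # the "continue" keyword
    stop: Optional[re.Pattern] = None            # message that deletes this rule
    timeout: float = 0.0                         # seconds, 0 = no timeout
    created: float = 0.0

class Surfer:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.contexts: List[Context] = []
        self.reports: List[List[str]] = []       # stands in for piping a report to a program

    def _fire(self, ctx: Context) -> None:
        ctx.default_action(ctx.lines)
        self.contexts.remove(ctx)

    def process(self, line: str, now: float) -> None:
        # 1) store the line in every matching context; self-destroy match or line limit fires it
        for ctx in list(self.contexts):
            if _hit(ctx.match, ctx.not_match, line):
                ctx.lines.append(line)
                if (ctx.stop and ctx.stop.search(line)) or \
                        (ctx.line_limit and len(ctx.lines) >= ctx.line_limit):
                    self._fire(ctx)
        # 2) the first matching rule acts; "continue" keeps searching the rule list
        for rule in list(self.rules):
            if _hit(rule.match, rule.not_match, line):
                rule.action(self, line)
                if not rule.cont:
                    break
        # 3) a line matching a rule's stop-pattern deletes that rule (assumption: every
        #    active rule's stop-pattern is tested, not only the one that just fired)
        self.rules = [r for r in self.rules if not (r.stop and r.stop.search(line))]
        # 4) rules whose timeout has expired are deleted
        self.rules = [r for r in self.rules if not (r.timeout and now - r.created > r.timeout)]
        # 5) contexts whose timeout has expired run their default action
        for ctx in list(self.contexts):
            if ctx.timeout and now - ctx.created > ctx.timeout:
                self._fire(ctx)

def run_demo() -> Dict[str, object]:
    """Constructed scenario: an ftp session context, a one-shot rule, a timed rule, 'continue'."""
    s = Surfer()
    seen: List[str] = []
    def open_session(surfer: Surfer, line: str) -> None:
        pid = re.search(r"ftpd\[(\d+)\]", line).group(1)   # rule regex guarantees a match
        surfer.contexts.append(Context(
            match=re.compile(r"ftpd\[%s\]" % pid), not_match=None,
            stop=re.compile(r"connection closed"), line_limit=0, timeout=60.0,
            default_action=lambda lines: surfer.reports.append(list(lines)),
            created=0.0, lines=[line]))       # seeding with the opening line is this demo's choice
    def note(tag: str) -> Callable[[Surfer, str], None]:
        return lambda surfer, line: seen.append(tag + ":" + line)
    s.rules = [
        Rule(re.compile(r"ftpd\[\d+\]: connection from"), None, open_session),
        Rule(re.compile(r"FAILED LOGIN"), re.compile(r"10\.0\.0\.1\b"), note("failed"), cont=True),
        Rule(re.compile(r"sshd\[\d+\]: Accepted"), None, note("accept"),
             stop=re.compile(r"sshd\[\d+\]: Accepted")),   # fires once, then deletes itself
        Rule(re.compile(r"cron\["), None, note("cron"), timeout=2.0, created=0.0),
        Rule(re.compile(r"."), None, note("other")),       # catch-all
    ]
    log = [  # (seconds since start, line): constructed sample input
        (0.0, "ftpd[101]: connection from 10.0.0.7"),
        (0.5, "cron[9]: job started"),
        (1.0, "ftpd[101]: FAILED LOGIN from 10.0.0.7, user guest"),
        (2.0, "ftpd[101]: FAILED LOGIN from 10.0.0.1, user guest"),
        (3.0, "sshd[55]: Accepted publickey for ops"),
        (3.5, "sshd[56]: Accepted publickey for ops"),
        (4.0, "ftpd[101]: connection closed"),
        (5.0, "cron[9]: job finished"),
    ]
    for now, line in log:
        s.process(line, now)
    return {"seen": seen, "reports": s.reports, "rules_left": len(s.rules), "contexts_left": len(s.contexts)}
```

Running run_demo() shows the ordering consequences that matter when writing rules: the "FAILED LOGIN" rule with "continue" lets the catch-all rule see the same line, the second "Accepted" line is no longer caught once the one-shot rule has deleted itself via its stop-pattern, the "cron" rule is gone after its two-second timeout, and the whole ftp session is handed to the report action only when the "connection closed" line triggers the context's self-destroy regex.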