-------- From academic-firewalls-owner@net.tamu.edu Mon Oct 2 09:01:13 1995
Content-Length: 3999
Date: Mon, 2 Oct 1995 08:56:53 -0500
From: Doug Hughes
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: log watcher utility

I've decided to announce the utility I use here for watching our logs. It's sort of like the perl swatch stuff, but different. It currently doesn't have as many options as the perl stuff, but since it's all in tcl/tk it's easily extensible to do what you want.

Short description:

We use tcp_wrappers to collect a lot of information and funnel all outside logins through two machines. On these two machines we have a modified login program running (actually logdaemon-4.7) which collects information about where they are coming from and any ident information that might be available. These two machines also have shells that force the user to pick another College of Engineering machine which they want to login to. So, we know where the person is coming from, who they are logging in as, and where they are going to. All this information is logged via syslog.

The first program is general purpose; it watches the log files on the restricted access syslog master machine and displays changes to these files in multiple colors in real time. Any low priority messages are displayed in an upper window. Anything matching the color red is displayed in a lower window as a priority message. In addition, the window is immediately de-iconized and raised to the top on priority messages. Priority messages include the following (easily changeable):

 * su message
 * bad login attempt
 * FTP login failure
 * klaxon alert
 * rexec alert trap
 * connection refused from hosts.deny hosts

There are two kinds of filtering available. The first one, and fastest, is filtering based on the log file. You associate a log file with a specific color and any message appended to that log file is shown in that color in the appropriate window.
The second form is pattern matching. This is divided into two categories. One is a match and the other is an ignore. Both accept regular expressions and colors as arguments.

Other options:

 * user configurable scrollback
 * pattern searching through scrollback and highlighting in place or displayed in separate window
 * load/save current log view
 * customization of polling interval
 * top and lower window size user-settable

There are some options in it that currently don't do anything but are there for future expansion. These are under the Options pull-down menu and are "File Associations" and "Colors".

It requires a startup script in your home directory named .tkloggerrc that looks like this: (actual file)

    file auth /var/log/authlog
    file daemon /var/log/daemon
    file local0 /var/log/local0.info
    file local1 /var/log/local1.note
    file local2 /var/log/local2.warn
    file local3 /var/log/local3.note
    file maillog /var/log/maillog
    color local0 forestgreen
    color local1 lightseagreen
    color local2 magenta
    color local3 red1
    color auth red2
    match {LOGIN FAILURE} mediumvioletred
    match (pgcntd|refused) red4
    match portwatcher red3
    match (vrfy|expn) violetred

The file directive associates a file handle with a file on the filesystem. The color directive associates a color with a file handle (files that do not have colors will not be displayed unless matched by a 'match' rule). match rules use regular expressions followed by a color. Anything matching red comes up in the priority window. Regular expressions follow Tcl's rules for regular expression matching. The only missing directive in this sample file is 'ignore'. Its syntax is the same as 'match'.

Recommendations: Don't set the polling interval below 5 seconds or the program may fall behind. Too many match directives will significantly impact speed.

Bugs: Because of the way pattern matching works, messages with embedded Tcl regular expression special characters may not load properly when loaded from a file.
Requirements: tcl7.4/tk4.0 (7.3 and 3.6 should work too with minor modifications), tclX

Availability:
ftp://ftp.eng.auburn.edu/pub/doug/tklogger
http://www.eng.auburn.edu/users/doug/second.html

Doug Hughes
Engineering Network Services
doug@eng.auburn.edu
Auburn University
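The script below is an added example, not part of Doug's post and not tklogger's own code (which is Tcl/Tk). It re-implements, in Python, the routing logic his description of .tkloggerrc lays out: file handles mapped to colors, match and ignore rules carrying a regular expression and a color, files without a color shown only when a match rule fires, and "anything matching red" going to the priority window. Three points are my assumptions rather than anything the post states: ignore rules are checked before match rules, a match rule's color overrides the file's own color, and a color "matches red" when its name contains "red" (so red1 through red4, mediumvioletred and violetred all count, which is consistent with every rule in the sample file and with "bad login attempt" being listed as a priority message). Python's re module stands in for Tcl's regexp, Tcl {...} grouping around a pattern is stripped before compiling, and both the rc file and the syslog lines are constructed for the example; the ignore rule for pgcntd heartbeats is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rc file, modelled on the .tkloggerrc shown in the post
# (a subset of its directives plus one hypothetical 'ignore' rule).
SAMPLE_RC = """\
file auth /var/log/authlog
file local0 /var/log/local0.info
file local3 /var/log/local3.note
file maillog /var/log/maillog
color local0 forestgreen
color local3 red1
color auth red2
match {LOGIN FAILURE} mediumvioletred
match (pgcntd|refused) red4
match (vrfy|expn) violetred
ignore (pgcntd.*heartbeat) grey
"""

@dataclass
class Config:
    files: dict = field(default_factory=dict)    # handle -> path on disk
    colors: dict = field(default_factory=dict)   # handle -> color name
    matches: list = field(default_factory=list)  # [(compiled regex, color)]
    ignores: list = field(default_factory=list)  # [(compiled regex, color)]

def _tcl_word(token):
    """Strip Tcl {...} grouping, which the sample file uses for a pattern
    containing a space; Python's re needs the bare pattern."""
    if token.startswith("{") and token.endswith("}"):
        return token[1:-1]
    return token

def parse_rc(text):
    """Parse the four directives the post describes: file, color, match, ignore."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, rest = line.split(None, 1)
        if directive == "file":
            handle, path = rest.split(None, 1)
            cfg.files[handle] = path
        elif directive == "color":
            handle, color = rest.split(None, 1)
            cfg.colors[handle] = color
        elif directive in ("match", "ignore"):
            # pattern first, color last; the pattern may be a Tcl {...} word
            pattern, color = rest.rsplit(None, 1)
            rule = (re.compile(_tcl_word(pattern)), color)
            (cfg.matches if directive == "match" else cfg.ignores).append(rule)
        else:
            raise ValueError(f"unknown directive in rc file: {directive}")
    return cfg

def is_priority(color):
    """Assumption: 'matching red' means the color name contains 'red', so
    red1..red4, mediumvioletred and violetred all go to the priority window."""
    return "red" in color

def classify(cfg, handle, message):
    """Return (window, color) for a syslog line appended to file `handle`,
    or None if the rules would not display it at all.
    Assumed order: ignore rules, then match rules, then the file's own color."""
    for rx, _ in cfg.ignores:
        if rx.search(message):
            return None
    for rx, color in cfg.matches:
        if rx.search(message):
            return ("priority" if is_priority(color) else "normal", color)
    color = cfg.colors.get(handle)
    if color is None:
        return None   # file has no color and no match rule fired: not shown
    return ("priority" if is_priority(color) else "normal", color)

# Constructed log lines, each tagged with the handle of the file it landed in.
SAMPLE_LOG = [
    ("auth",    "Oct  2 08:40:11 gw1 login: LOGIN FAILURE FROM badhost.example.net, jsmith"),
    ("local0",  "Oct  2 08:41:02 gw1 pgcntd: heartbeat ok"),
    ("local0",  "Oct  2 08:41:30 gw1 pgcntd: connection refused from 192.0.2.7"),
    ("maillog", "Oct  2 08:42:15 gw1 sendmail: vrfy attempt for root"),
    ("maillog", "Oct  2 08:42:50 gw1 sendmail: delivered to user"),
    ("local0",  "Oct  2 08:43:00 gw1 tcpd: routine message"),
]

def route(cfg, entries):
    """Split (handle, message) pairs into the two windows the post describes."""
    windows = {"priority": [], "normal": []}
    for handle, message in entries:
        result = classify(cfg, handle, message)
        if result is not None:
            window, color = result
            windows[window].append((color, message))
    return windows

if __name__ == "__main__":
    cfg = parse_rc(SAMPLE_RC)
    for window, lines in route(cfg, SAMPLE_LOG).items():
        print(f"== {window} window ==")
        for color, message in lines:
            print(f"[{color}] {message}")
```

Run as-is, it sorts the six constructed lines into three priority entries (the login failure, the refused connection and the vrfy probe), one normal entry (the routine tcpd line, in the forestgreen of local0), drops the heartbeat via the ignore rule, and never shows the maillog delivery line because maillog has no color and no match rule fires. The "too many match directives will significantly impact speed" recommendation is visible in the structure: every line that survives the ignore list is tested against each compiled match rule in turn, so the cost grows with the rule count.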