filter-syslog

(Filters a syslog file and mails the results)

SYNOPSIS

filter-syslog [-hnov] [config] < syslog

filter-syslog parses a log generated by syslog, filtering out all of the boring lines as configured in config, and then mails the remaining lines to the address specified in config. It expects the log file on standard input, and is designed to run from an analyze action in newsyslog(8), although it can be used in other situations as well.

If config isn't an absolute path, it's taken to be relative to either /etc or /etc/leland, wherever the file is found (searched in that order). If config is not specified, it defaults to filter-syslog.conf and is looked for in both /etc and /etc/leland.

Lines containing -- MARK -- and syslog restart messages on Linux, which look like:

    Sep 10 04:02:07 example syslogd 1.4.1: restart.
    Apr  1 23:55:01 example syslogd 1.4.1#10: restart.
    Apr  1 23:55:01 example syslogd 1.4.1#10: restart (remote reception).
    Apr  1 23:55:09 example exiting on signal 15

are always ignored.

Messages of the form:

    Apr 28 07:09:40 10.1.1.1 Message forwarded from example.org: \
        program[36398]: some log message

(line split only for readability in this example) will be parsed exactly as if they had said:

    Apr 28 07:09:40 example.org program[36398]: some log message

This format is used by OpenBSD for forwarded syslog messages.

Please note that this is not intended to be a security tool or a real-time monitoring tool, but rather a tool to make sure that system administrators are aware of unusual log messages that might indicate server problems or failing hardware. An intrusion detection system would work differently and would be more paranoid, and a real-time monitoring tool wouldn't run in batch mode. There are other tools available to do that type of monitoring.

OPTIONS

-h, --help: Print out this documentation (which is done simply by feeding the script to perldoc -t).
-n, --no-mail: Rather than sending the results via e-mail, instead print out the non-boring lines that would have been sent via e-mail to standard output. Useful for testing filter rules.
-o, --hostname: Display the hostname field (from the input syslog) in the output.
-v, --version: Print the version of filter-syslog and exit.

CONFIGURATION FILE

There are three types of valid lines in the configuration file; variable settings, filter patterns, and includes of other configuration files. A variable setting looks like:

    variable = value

where value can contain whitespace (but can't begin with whitespace). A filter pattern looks like:

    program: /regex/

where program is the name of a particular program (the filter line will only apply to log entries from that program) and regex is a regular expression matching lines that are "boring" and shouldn't be reported. Any trailing whitespace in the syslog line will be removed before matching it against the regex. If program is * regex will be applied to all lines, regardless of what program they're from.

Finally, a line like:

    include /path/to/file

includes another configuration file at /path/to/file. The path can be a directory instead of a file, in which case every file in that directory that does not begin with a period is included (in no defined order).

The following variables are recognized:

alert: The address to which to mail the filtering results. No mail will be sent if all of the input lines are filtered out by the regexes provided. This variable must be set and may not contain any backslashes or single quotes.
sender: The address from which to mail the filtering results (used for the envelope sender and the To: header). If not set, no address will be given to sendmail, which will result in the mail system picking some default value based on the user filter-syslog is running as. The value of this variable may not contain any backslashes or single quotes.
subject: The value to use for the Subject: header of the filtering results. If you include $h in the value, it will be replaced with the hostname. This variable must be set.

If there are any input lines that don't match one of the filter rules, they will be mailed to the value of alert with a subject given by subject.

EXAMPLES

Filter /var/log/syslog using /etc/leland/syslog.filter as a configuration file.

    filter-syslog syslog.filter < /var/log/syslog

Here's a sample configuration file that filters out normal Kerberos messages and sends the result to root@example.com with a Subject: header of "example syslog filter results":

    alert = root@example.com
    subject = example syslog filter results

    kftgtd:  /^connect from /
    klogind: /^connect from /
    kshd:    /^Executing .* for principal /
    kshd:    /^Shell process completed\.$/
    kshd:    /^connect from /

Instead of the three separate lines to filter out TCP wrappers messages, one could instead use the line:

    *: /^connect from /

to filter out all syslog lines that begin with "connect from", but this runs a larger risk of filtering out messages that would be of interest.

FILES

/etc
/etc/leland: If the configuration file given on the command line isn't an absolute path, it is looked for first in /etc and then in /etc/leland. This default can be changed by editing the beginning of this program.
/etc/filter-syslog.conf
/etc/leland/filter-syslog.conf
./filter-syslog.conf: The default configuration file, if none is given. The paths will be searched in the above order.

BUGS

The rule that ignores -- MARK -- lines, which are automatically generated by (at least) Solaris syslogd at periodic intervals if requested, could be exploited to hide messages from filter-syslog that an administrator may want to see. Please again note that this is not a security tool. However, a better regex should be developed and used instead, regardless.

There is no protection against inclusion loops (a configuration file that includes another file which then includes the first file).

filter-syslog

SYNOPSIS

DESCRIPTION

OPTIONS

CONFIGURATION FILE

EXAMPLES

FILES

BUGS

NOTES

SEE ALSO

AUTHORS

COPYRIGHT AND LICENSE