[unisog] Syslog tips (was: Re: OSS monitoring recommendations)

Michael Holstein michael.holstein at csuohio.edu
Mon Oct 3 12:51:32 GMT 2005

> If you want to look for any IP in your CIDR blocks (or host name in
> your domains), try my "ipgrep" utility.  It was based on a tool
> developed by Corey Satten at the UW (creator of the NDC Logical
> Firewall and many other useful tools.)

This little snippet also helps with the buffer issue when grepping for multiple 
conditions (e.g. cat firewall.log | grep 'something' | grep 'something else' ...):

tail -f firewall.log | perl -e 'while ($line = <>) { if ($line =~ m/\/445/ && $line =~ m/OUTACL/) { print "$line"; } }'

(That example looks for port 445 hits against an ACL called 'OUTACL'.) 
You can string on as many extra regex conditions as you like using '&&'.

Lets you see the hits in real time versus waiting for the buffer to fill 
on the standard 'grep' utility. It's also a lot faster when doing a 
massive search (e.g. cat firewall.log.*.bz2 | bunzip2 - | foo) -- but it'll 
be a CPU hog both for bunzip2 and perl (your loghost is SMP >2, right?).


Michael Holstein CISSP GCIA
Cleveland State University
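The same idea as the perl one-liner above, written as an added shell example that is not part of the original post: one awk process applies every pattern given on the command line, so chained greps (and their block-buffered pipes) are not needed, and fflush() keeps the output flowing when the result is piped on to something else. The firewall log lines and the ACL name are constructed sample data, not from the list message.

```shell
#!/bin/sh
# Constructed sample firewall log lines (hypothetical format, not from the post).
SAMPLE_LOG=$(cat <<'EOF'
Oct  3 12:40:01 fw1 kernel: OUTACL DROP 10.0.0.5:3381 -> 192.0.2.10/445
Oct  3 12:40:02 fw1 kernel: INACL DROP 198.51.100.7:41231 -> 10.0.0.5/445
Oct  3 12:40:03 fw1 kernel: OUTACL ACCEPT 10.0.0.9:51002 -> 192.0.2.20/80
Oct  3 12:40:04 fw1 kernel: OUTACL DROP 10.0.0.5:3382 -> 192.0.2.11/445
EOF
)

# filter_all PATTERN...: print only lines that match every pattern (AND).
# A single awk process does all the matching, so no intermediate pipe
# buffers sit between the log and your terminal; fflush() pushes each
# matching line out immediately even when stdout is itself a pipe.
filter_all() {
    awk 'BEGIN {
            n = ARGC - 1
            for (i = 1; i < ARGC; i++) { pat[i] = ARGV[i]; ARGV[i] = "" }
         }
         {
            for (i = 1; i <= n; i++) if ($0 !~ pat[i]) next
            print; fflush()
         }' "$@"
}

# count_matches PATTERN...: number of SAMPLE_LOG lines matching all patterns.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | filter_all "$@" | wc -l | tr -d ' '
}

# Usage on the sample: port 445 hits against the (constructed) OUTACL ACL.
# Live use would be:  tail -f firewall.log | filter_all '/445' 'OUTACL'
printf '%s\n' "$SAMPLE_LOG" | filter_all '/445' 'OUTACL'
```

Patterns are dynamic regexes, so a slash inside them needs no escaping, and each extra argument adds one more '&&' condition without lengthening the pipeline.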