
From: Carole Thompson <carole_at_callutheran.edu>
Date: Mon, 28 Oct 1996 17:03:47 -0700

Apologies for a late summary on how to extract data from the syslog.dated
directories:

Thanks to:
Roger Joss <giarjo_at_gia.ch>
kris_at_schulung.netuse.de (Kristian Köhntopp )
greepo_at_this.nrl.navy.mil (Andy Schmitt)
munhoven_at_olive.msm.ulg.ac.be (Serge Munhoven)
Benoit Maillard - Digital France <maillard_at_atyisa.enet.dec.com>
"Andrew C. Saylor" <asaylor_at_alpha.comsource.net>
David Shrewsbury <shrewsbu_at_chief.niehs.nih.gov>
Mike Iglesias <iglesias_at_draco.acs.uci.edu>


This is the suggestion I use now to change directories to the current log
directory, and it works really nicely. The rest of my script greps and
counts, culling usage statistics and other info. This cd command finds the
latest directory in /var/adm/syslog.dated and cd's to it:

  cd `/usr/bin/ls -td /var/adm/syslog.dated/*|head -1`

My script:

#!/bin/sh
 
# this script checks the day's logs for a variety of
# purposes: culling statistics,
# etc.
 
# stop if no log directory was found, rather than grepping in the wrong place
cd `/usr/bin/ls -td /var/adm/syslog.dated/*|head -1` || exit 1;
pwd > monitor.out;
date >> monitor.out;
 
# count the telnet sessions
echo "all telnet sessions (includes serial dialins)" >> monitor.out;
grep telnetd lpr.log |wc -l >> monitor.out;
 
# count the serial dialin sessions (a subset of the telnet count above)
echo "all serial dialins (portmaster to robles)" >> monitor.out;
grep telnetd lpr.log |grep portmaster |wc -l >> monitor.out;
 
# count the dialin sessions
echo "dialin connects" >> monitor.out;
grep PPP auth.log |wc -l >> monitor.out;
 
# count messages received (incoming)
echo "mail count = incoming/rec'd msg" >> monitor.out;
grep to= mail.log |grep _at_robles |wc -l >> monitor.out;
grep to= mail.log |grep _at_callutheran |wc -l >> monitor.out;
grep to= mail.log |grep _at_clunet |wc -l >> monitor.out;
 
# count mail messages for the day
echo "mail count - outgoing/sent msg" >> monitor.out;
grep from= mail.log |grep _at_robles |wc -l >> monitor.out;
grep from= mail.log |grep _at_callutheran |wc -l >> monitor.out;
grep from= mail.log |grep _at_clunet |wc -l >> monitor.out;
 
# finger requests
echo "finger requests" >> monitor.out;
grep fingerd lpr.log |wc -l >> monitor.out;
 
# ftp sessions
echo "ftp requests" >> monitor.out;
grep ftpd lpr.log |wc -l >> monitor.out
 
# check the dir for time stamps
ls -ls >> monitor.out;
 
# send the results to myself
mail carole < monitor.out;

--------------------------------
The other suggestions:
1. The basename(1) and dirname(1) commands should help you.
2. cd /var/adm/syslog.dated/
   cd `ls -1t | head -1`

3. a sample script
# scan log files for unusual happenings.
#
# check daemon happenings (except hourly xntpd stuff) here:
echo " --- daemon.logs:"
cat `ls -rt /var/adm/syslog.dated/*/daemon.log` | grep -v xntpd | tail
#
echo " "
echo " --- syslogs:"
cat `ls -rt /var/adm/syslog.dated/*/syslog.log` | grep -v restart
#
# all SU's will be recorded here:
echo " "
echo " --- SU ATTEMPTS ----"
cat `ls -rt /var/adm/syslog.dated/*/auth.log` | tail -10
#
# last logins:
echo " "
echo " last 10 logins:"
last -10
# and now list the rest of the sendmail messages:
echo " "
echo " sendmail.logs:"
cat `ls -rt /var/adm/syslog.dated/*/mail.log` | grep sendmail | grep -v "message-id" | tail -10
#
# tcp wrappers put all info into here:
echo " "
echo " tcpwrapper.logs:"
cat `ls -rt /var/adm/syslog.dated/*/mail.log` | grep -v sendmail | tail -15
#
echo " "
echo " tail -5 /var/adm/messages: "
tail -5 /var/adm/messages
#

4.
The most convenient solution would be a modification to the
script creating these directories. It should maintain a symlink
/var/adm/syslog.dated/current -> 17-Sep-03:12. When a new
directory has been created by the log rotation script, the
symlink must be deleted and recreated with the new directory
name by the log rotation script.

Creating such a symlink is easy for the log rotation script,
because it still has knowledge of the name it just created.


Another solution would be to parse the output of "ls -l" and
extract the last field ($NF) with awk. This is not as easy as
it could be, because the name of the directory created is
chosen quite stupidly: when sorting, it is not guaranteed that
the most recent name is first or last with respect to the sort
order. A name of 1996-09-17-03-12 instead of 17-Sep-03:12 would
have been much easier to handle. In that case you would simply

name="`ls -l /var/adm/syslog.dated | sort -rn | awk 'NR == 2 { print $NF }'`"

or something like this.

5. The FIND command can do some of this very quickly. For example, to extract
all information from the FTP daemon using GREP:

cd /var/adm/syslog.dated
find . -name daemon.log -exec grep FTPD {} \;

The find command will look for all files named "daemon.log" and pass the
GREP command that filename.

6. Use a perl script
#########################

#!/usr/common/bin/perl

open(LS, "ls /var/adm/syslog.dated |");

($dy, $mth, $dt) = split(' ',`date`);
$dt--;
$search = join('-', $dt, $mth);
while(<LS>) {
   chop;
   if ($_ =~ $search) { $dir = $_; }
}

close LS;

open (LOG,"/var/adm/syslog.dated/$dir/mail.log") ||
     die "Cannot open /var/adm/syslog.dated/$dir/mail.log: $!\n";

   . . .
Received on Tue Oct 29 1996 - 02:15:52 NZDT
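Added example, not code from the summary above or from any of the
contributors. It builds a throwaway syslog.dated tree in a temporary
directory and shows why the three ways of finding "the newest directory"
that come up in the thread can disagree: last in lexical order
(`ls | tail -1`), newest by mtime (the `ls -td ... | head -1` trick the
summary settled on), and newest by actually parsing the DD-Mon-HH:MM name
(the ordering suggestion 4 complains the names make hard). It also does the
telnetd/portmaster counts from the script with a checked cd, and maintains
the "current" symlink suggestion 4 asks the rotation script to keep. The
directory names, the lpr.log lines and the host name are constructed for
the demo and are not real site data.

```sh
#!/bin/sh
# Added example, not code from the mailing-list post above.  It builds a
# throwaway syslog.dated tree and shows why "newest directory" can mean three
# different things: last in lexical order, newest by mtime (the ls -td trick
# from the summary), and newest by parsing the DD-Mon-HH:MM name (the ordering
# suggestion 4 wishes the names allowed).  The tree, the directory names and
# the log lines are constructed for the demo; nothing here is real site data.

DEMO_ROOT=$(mktemp -d)

# Constructed tree.  The two newer directories are pinned to their nominal
# 1996 times; the old 17-Sep one gets a report written into it afterwards,
# which is enough to bump its mtime and fool ls -t.  A directory's mtime moves
# whenever a file is created or deleted inside it, not when the logs rotated.
make_sample_tree() {
    for d in 28-Oct-17:03 03-Nov-02:00 17-Sep-03:12; do
        mkdir -p "$DEMO_ROOT/$d"
    done
    # Constructed lpr.log lines for the genuinely newest directory.
    cat > "$DEMO_ROOT/03-Nov-02:00/lpr.log" <<'EOF'
Nov  3 02:10:11 robles telnetd[1234]: connect from portmaster.example.edu
Nov  3 02:11:30 robles telnetd[1240]: connect from 10.0.0.5
Nov  3 02:15:02 robles fingerd[1251]: connect from 10.0.0.9
Nov  3 02:20:44 robles ftpd[1260]: connection from 10.0.0.7
EOF
    touch -t 199610281703 "$DEMO_ROOT/28-Oct-17:03"
    touch -t 199611030200 "$DEMO_ROOT/03-Nov-02:00"
    echo "stale report" > "$DEMO_ROOT/17-Sep-03:12/monitor.out"
}

# "17-Sep-03:12" -> "09-17-03:12", month number first so plain sort orders it.
# The name carries no year, so this is only right within one calendar year.
name_key() {
    case "$(printf '%s' "$1" | cut -d- -f2)" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    printf '%s-%s-%s\n' "$m" "${1%%-*}" "${1##*-}"
}

# Last entry in lexical order: what `ls | tail -1` would pick.
lexical_last() {
    ls "$1" | tail -n 1
}

# Newest by mtime: what `ls -td /var/adm/syslog.dated/* | head -1` picks.
latest_by_mtime() {
    b=$(ls -td "$1"/*/ | head -n 1)
    b=${b%/}
    printf '%s\n' "${b##*/}"
}

# Newest by parsed name; entries that do not parse (a "current" link, stray
# files) are skipped instead of being compared as strings.
latest_by_name() {
    for p in "$1"/*/; do
        b=${p%/}
        b=${b##*/}
        k=$(name_key "$b") || continue
        printf '%s %s\n' "$k" "$b"
    done | sort | tail -n 1 | cut -d' ' -f2
}

# Count lines matching a pattern in one log of the newest directory.  The cd
# is checked (an unchecked `cd \`...\`` carries on in the wrong directory
# when the substitution comes back empty) and runs in a subshell so the
# caller's working directory is untouched.
count_in_latest() {   # $1 = syslog.dated root, $2 = log file, $3 = pattern
    d=$(latest_by_name "$1")
    [ -n "$d" ] || return 1
    ( cd "$1/$d" || exit 1; grep -c -- "$3" "$2" )
}

# Suggestion 4's fix, done by whoever owns the rotation: keep a "current"
# link so readers never have to guess.  -n replaces an existing link instead
# of creating the new link inside the directory it points to.
set_current_symlink() {   # $1 = syslog.dated root
    d=$(latest_by_name "$1")
    [ -n "$d" ] || return 1
    ln -sfn "$d" "$1/current"
}

make_sample_tree
echo "ls | tail -1   : $(lexical_last "$DEMO_ROOT")"          # 28-Oct-17:03 (wrong)
echo "ls -td | head  : $(latest_by_mtime "$DEMO_ROOT")"       # 17-Sep-03:12 (wrong)
echo "parsed name    : $(latest_by_name "$DEMO_ROOT")"        # 03-Nov-02:00
echo "telnetd        : $(count_in_latest "$DEMO_ROOT" lpr.log telnetd)"               # 2
echo "via portmaster : $(count_in_latest "$DEMO_ROOT" lpr.log 'telnetd.*portmaster')" # 1
set_current_symlink "$DEMO_ROOT"
ls -l "$DEMO_ROOT/current"
rm -rf "$DEMO_ROOT"
```

The mtime trap is the one that bites a script like the one in the summary:
writing monitor.out into a directory (or anything else touching it) moves
that directory to the top of `ls -td`, so the moment someone runs a report
against last week's logs the "latest" directory is wrong until the next
rotation. Parsing the name avoids that but still cannot order across New
Year without a year in the name, which is why the symlink maintained by the
rotation script itself (suggestion 4) is the only answer that needs no
guessing.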
