Grok

Grok aims to be a replacement for the now antiquated SEC (Simple Event Correlator).

Usage

A simple Grok watcher needs very little in the way of configuration

require 'grok'

configure do |c|
  c.file = "/var/log/auth.log"
  c.interval = 2
  c.replay = 0
end

The above script won’t do very much, though.

Configuration

There’s only a few configuration parameters for Grok at this stage

• file: The log file to watch

• interval: How often to check the log file for changes (in seconds)

• replay: The number of lines to read from the bottom of the file on startup

Responding to log events

At it’s most basic, you can simply get Grok to print out each message as it receives them (pretty pointless)

on /(.*)/ do |line|
  puts line
end

Lets try something a bit more useful though. Lets say I want to know every time there’s an SSH authenitcation failure. For that, we can make use of the RegExp functionality in the event handlers

on /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/ do |username, ip|
  puts "SSH authentication failure for #{username} from #{ip}"
end

This is a bit better. You could go further to have it automatically block the IP with iptables if you wanted (see examples/ssh_sentry.rb).

Note on Patches/Pull Requests

• Fork the project.

• Make your feature addition or bug fix.

• Add tests for it. This is important so I don’t break it in a future version unintentionally.

• Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

• Send me a pull request. Bonus points for topic branches.

Copyright

Copyright © 2010 Tim Sharpe. See LICENSE for details.