Grok
Grok aims to be a replacement for the now antiquated SEC (Simple Event Correlator).
Usage
A simple Grok watcher needs very little in the way of configuration
require 'grok'
configure do |c|
c.file = "/var/log/auth.log"
c.interval = 2
c.replay = 0
end
The above script won’t do very much, though.
Configuration
There are only a few configuration parameters for Grok at this stage:
- file: The log file to watch
- interval: How often to check the log file for changes (in seconds)
- replay: The number of lines to read from the bottom of the file on startup
Responding to log events
At its most basic, you can simply have Grok print out each message as it receives it (pretty pointless):
on /(.*)/ do |line|
puts line
end
Let's try something a bit more useful though. Let's say I want to know every time there's an SSH authentication failure. For that, we can make use of the RegExp functionality in the event handlers:
on /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/ do |username, ip|
puts "SSH authentication failure for #{username} from #{ip}"
end
This is a bit better. You could go further to have it automatically block the IP with iptables if you wanted (see examples/ssh_sentry.rb).
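The following is an added example, not code from the grok gem or its author: it applies the README's SSH failure pattern to a few constructed auth.log lines and then counts failures per source address, which is the shape a handler usually takes before it alerts or feeds a blocklist rather than echoing every line. Grok's configure/on DSL is not used here; the pattern is matched with Ruby's own Regexp so the script runs stand-alone, and the hostnames, users and addresses in the sample lines are made up.

```ruby
# Added example (not part of the grok gem): the README's SSH failure regexp
# run over constructed log lines, plus a per-source failure counter.

SSH_FAILURE = /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/

# Constructed sample lines in the layout /var/log/auth.log uses on Debian-style
# systems. The hosts, users and addresses are invented for this example.
SAMPLE_LINES = [
  "Jan 10 10:01:02 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51122 ssh2",
  "Jan 10 10:01:05 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51130 ssh2",
  "Jan 10 10:01:09 host1 sshd[1240]: Accepted password for alice from 198.51.100.7 port 40012 ssh2",
  "Jan 10 10:01:12 host1 sshd[1245]: Failed password for admin from 203.0.113.5 port 51140 ssh2",
  "Jan 10 10:01:20 host1 sshd[1250]: Failed password for bob from 198.51.100.9 port 40100 ssh2",
  "Jan 10 10:01:25 host1 CRON[1300]: pam_unix(cron:session): session opened for user root",
].freeze

# Extract [username, ip] from every line matching the README's pattern,
# in file order. Lines that do not match are dropped.
def ssh_failures(lines)
  lines.map { |line| (m = SSH_FAILURE.match(line)) && [m[1], m[2]] }.compact
end

# Count failures per source address. A handler would normally act
# (alert, or feed a blocklist) only once a source crosses a threshold.
def failures_by_ip(lines)
  ssh_failures(lines).each_with_object(Hash.new(0)) do |(_user, ip), counts|
    counts[ip] += 1
  end
end

# Sources with at least `threshold` failures, as [ip, count] pairs,
# highest count first (ties broken by address).
def repeat_offenders(lines, threshold: 3)
  failures_by_ip(lines).select { |_ip, n| n >= threshold }.sort_by { |ip, n| [-n, ip] }
end

if __FILE__ == $PROGRAM_NAME
  ssh_failures(SAMPLE_LINES).each do |user, ip|
    puts "SSH authentication failure for #{user} from #{ip}"
  end
  repeat_offenders(SAMPLE_LINES).each do |ip, n|
    puts "#{ip}: #{n} failures (threshold reached)"
  end
end
```

One caveat worth knowing when you use this pattern on real logs: sshd reports attempts against non-existent accounts as "Failed password for invalid user NAME from IP", and because the README's regexp expects "from" directly after the username, those lines are not matched at all. Loosen the pattern (or add a second handler) if you want them counted too.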
Note on Patches/Pull Requests
- Fork the project.
- Make your feature addition or bug fix.
- Add tests for it. This is important so I don't break it in a future version unintentionally.
- Commit, do not mess with rakefile, version, or history. (If you want to have your own version, that is fine, but bump the version in a commit by itself so I can ignore it when I pull.)
- Send me a pull request. Bonus points for topic branches.
Copyright
Copyright © 2010 Tim Sharpe. See LICENSE for details.