MULTIPLEX

Merging and broadcasting event streams with the mplex.rb command-line tool.

Purpose

REC can correlate events from a single event source (a log file), which helps to sift through each log and summarise it into a smaller set of meaningful events.

But in more ambitious scenarios, we may need to correlate events from several files. For example:

  • SSH logs show one of the admins logging on

  • Sudo logs show that admin executing commands to restart the web server

  • Availability logs show the website was down for a short period

We want to correlate these events and prevent the normal alert that would be sent when the site is down.

To do that, we’ll need to merge the event streams into a single stream. That is what mplex.rb does. It can merge several input streams into a single combined stream. It can also distribute the combined stream to one or more output streams.
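The merge-and-broadcast idea described above, as an added Ruby sketch (not mplex.rb's own source). The names multiplex, demo and SAMPLE_* are hypothetical, the log lines are constructed, and the sketch assumes inputs are read to end-of-file.

```ruby
require 'stringio'

# Added sketch, not mplex.rb's source. multiplex and SAMPLE_* are hypothetical names.
# Assumption: inputs are read to end-of-file instead of following a growing log.
def multiplex(inputs, outputs)
  queue = Queue.new
  # One reader thread per input, so a quiet source never holds up a busy one.
  readers = inputs.map do |io|
    Thread.new { io.each_line { |line| queue << line.chomp } }
  end
  # Close the queue once every reader reaches EOF; pop then drains and returns nil.
  closer = Thread.new do
    readers.each(&:join)
    queue.close
  end
  count = 0
  # Single writer: every event is written whole, in the same order, to every output.
  while (line = queue.pop)
    outputs.each { |out| out.puts(line) }
    count += 1
  end
  closer.join
  count
end

# Constructed sample events for the three sources named in the scenario.
SAMPLE_SSH   = "10:00:01 sshd: Accepted publickey for admin1\n"
SAMPLE_SUDO  = "10:00:20 sudo: admin1 : COMMAND=/usr/sbin/service httpd restart\n"
SAMPLE_AVAIL = "10:00:25 check: www DOWN\n10:00:40 check: www UP\n"

def demo
  inputs  = [SAMPLE_SSH, SAMPLE_SUDO, SAMPLE_AVAIL].map { |s| StringIO.new(s) }
  outputs = [StringIO.new, StringIO.new]
  merged  = multiplex(inputs, outputs)
  [merged, outputs.map { |o| o.string.lines.map(&:chomp) }]
end

count, streams = demo
puts "#{count} events merged"
puts streams.first
```

In this sketch, events from different sources appear in arrival order, not timestamp order; only the order within each source is preserved, so a correlation rule on the merged stream should match on a time window instead of strict sequence.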

Usage

mplex [OPTION] -i infile [-i infile2...] -o outfile [-o outfile2...]

where mplex reads from at least one infile and writes to at least one outfile.

--input, -i   the path to a log file to read from
--output, -o  the path to a log file to write to
--help, -h    display usage
--version, -v show version
--debug, -d   display each line on stdout as it passes through mplex

Examples

$ mplex -i input1.log -i input2.log -o output3.log
  combines two input files into a single output stream
$ mplex -i in.log -i in2.log -o out3.log -o out4.log -o out5.log
  combines two input streams and writes to 3 output streams