Grok
Grok aims to be a replacement for the now antiquated SEC (Simple Event Correlator).
Usage
A simple Grok watcher needs very little in the way of configuration:
require 'grok'

configure do |c|
  c.file     = "/var/log/auth.log"  # log file to follow
  c.interval = 2                    # poll for new lines every 2 seconds
  c.replay   = 0                    # do not re-read old lines on startup
end

The above script won't do very much on its own, though, because it defines no event handlers.
Configuration
There are only a few configuration parameters for Grok at this stage:
- file: The log file to watch
- interval: How often to check the log file for changes (in seconds)
- replay: The number of lines to read from the bottom of the file on startup (0 means only lines written after Grok starts are seen)
Responding to log events
At its most basic, you can simply have Grok print a message for every log line it receives (pretty pointless):
on :log do
puts "I just got a log message"
end
Let's try something a bit more useful, though. Let's say I want to know every time there's an SSH authentication failure. For that, we can make use of the Regexp support in the event handlers: when the pattern matches a line, its capture groups are passed to the block as arguments.

# Note: sshd logs unknown accounts as "Failed password for invalid user NAME from IP",
# which this pattern does not match; extend it if you want those lines as well.
on :log, /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/ do |username, ip|
  puts "SSH authentication failure for #{username} from #{ip}"
end

This is a bit better. You could go further and have it automatically block the IP with iptables if you wanted (see examples/ssh_sentry.rb). If you do, bear in mind that the username in that log line is whatever the remote client sent, and that the address should be validated and passed to iptables as a separate argument rather than interpolated into a shell string.
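The following is an added, stand-alone example (not code from the Grok project) of the parsing and blocking logic a handler like the one above would need before it hands an address to iptables. It runs the README's pattern, extended to cover sshd's "invalid user" form, over a constructed batch of auth.log-style lines, validates each captured address with IPAddr, counts failures per source, excludes a hypothetical ALLOWLIST network, and builds the iptables invocation as an argument list. Grok itself is not required; `parse_ssh_failure` is what you would call from inside an `on :log` block.

```ruby
require 'ipaddr'

# Constructed sample of /var/log/auth.log lines (not real data): one host
# failing repeatedly, one "invalid user" variant, one success, and one
# line carrying a malformed address.
SAMPLE_AUTH_LOG = [
  "Mar  3 10:01:12 host sshd[4122]: Failed password for root from 203.0.113.5 port 51234 ssh2",
  "Mar  3 10:01:15 host sshd[4122]: Failed password for root from 203.0.113.5 port 51234 ssh2",
  "Mar  3 10:01:20 host sshd[4130]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2",
  "Mar  3 10:02:01 host sshd[4140]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
  "Mar  3 10:02:30 host sshd[4150]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2",
  "Mar  3 10:03:00 host sshd[4160]: Failed password for bob from 300.1.1.1 port 2222 ssh2",
]

# The README's pattern, extended to accept sshd's "invalid user <name>" form.
# The username is attacker-supplied, so it is only ever used for display;
# the address is restricted to digits and dots and validated separately.
SSH_FAILURE = /sshd\[\d+\]: Failed password for (?:invalid user )?([\w.-]+) from ([\d.]+)/

# Parse one line. Returns [username, ip], or nil when the line is not an
# SSH password failure or the captured address is not a valid IPv4 address.
def parse_ssh_failure(line)
  m = SSH_FAILURE.match(line)
  return nil unless m
  username, ip = m[1], m[2]
  begin
    IPAddr.new(ip)            # rejects e.g. "300.1.1.1" or "1.2.3"
  rescue ArgumentError        # IPAddr::InvalidAddressError is an ArgumentError
    return nil
  end
  [username, ip]
end

# Count failures per source address over a batch of lines.
def failures_by_ip(lines)
  lines.each_with_object(Hash.new(0)) do |line, counts|
    parsed = parse_ssh_failure(line)
    counts[parsed[1]] += 1 if parsed
  end
end

# Hypothetical allowlist: networks you never want to lock yourself out of.
ALLOWLIST = [IPAddr.new("198.51.100.0/24")]

# Addresses that reached the failure threshold and are not allowlisted.
def ips_to_block(lines, threshold: 3)
  failures_by_ip(lines)
    .select { |_ip, n| n >= threshold }
    .keys
    .reject { |ip| ALLOWLIST.any? { |net| net.include?(IPAddr.new(ip)) } }
end

# Build the iptables call as an argv array (for Process.spawn/system with
# multiple arguments), never as a shell string built by interpolation.
def block_command(ip)
  ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
end

if __FILE__ == $0
  ips_to_block(SAMPLE_AUTH_LOG).each { |ip| puts block_command(ip).join(" ") }
end
```

Run with `ruby ssh_failures.rb`; on the sample above only 203.0.113.5 reaches the threshold, 198.51.100.7 is skipped by the allowlist, and the 300.1.1.1 line is dropped at validation even though the regexp matched it.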
Note on Patches/Pull Requests
- Fork the project.
- Make your feature addition or bug fix.
- Add tests for it. This is important so I don't break it in a future version unintentionally.
- Commit; do not mess with the Rakefile, version, or history. (If you want to have your own version, that is fine, but bump the version in a commit by itself that I can ignore when I pull.)
- Send me a pull request. Bonus points for topic branches.
Copyright
Copyright © 2010 Tim Sharpe. See LICENSE for details.