Gentoo Linux Documentation -- Tenshi
1.
Introduction
Tenshi is a log monitoring program, designed to watch one or more log files for
lines matching user defined regular expressions and report on the matches. The
regular expressions are assigned to queues which have an alert interval and a
list of mail recipients.
Queues can be set to send a notification as soon as there is a log line assigned
to it, or to send periodic reports.
Additionally, uninteresting fields in the log lines (such as PID numbers) can be
masked with the standard regular expression grouping operators ( ). This
allows cleaner and more readable reports. All reports are separated by hostname
and all messages are condensed when possible.
The program reads a configuration file and then forks a deamon for monitoring
the specified log files.
Please read the example tenshi.conf and
tenshi.8 man page for usage instructions.
Important:
This package was formerly known as Wasabi, the name was changed due to
trademark infringement issues.
|
2.
Examples
Consider the following settings in tenshi.conf:
Code Listing 2.1: tenshi.conf queues settings |
...
set hidepid on
set queue mail tenshi@localhost sysadmin@localhost [0 */12 * * *]
set queue misc tenshi@localhost sysadmin@localhost [0 */24 * * *]
set queue critical tenshi@localhost sysadmin@localhost [now]
group ^ipop3d:
mail ^ipop3d: Login user=(.+)
mail ^ipop3d: Logout user=(.+)
mail ^ipop3d: pop3s SSL service init from (.+)
mail ^ipop3d: pop3 service init from (.+)
mail ^ipop3d: Command stream end of file, while reading.+
mail ^ipop3d: Command stream end of file while reading.+
critical ^ipop3d: Login failed.+
trash ^ipop3d:.+
group_end
critical ^sudo: (.+) : TTY=(.+) ; PWD=(.+) ; USER=root ; COMMAND=(.+)
misc .*
|
Every ipop3d message not matched by the regexps assigned to the queue
mail or critical will be matched by the queue trash (a builtin
null queue), any other message will be matched by queue misc. Fields
enclosed in (.+) are masked.
This is a sample report for the mail queue (sent every 12 hours):
Code Listing 2.2: Sample Report - queue [mail] |
host1:
79: ipop3d: Login user=___
74: ipop3d: Logout user=___
host2:
30: ipop3d: Login user=___
30: ipop3d: Logout user=___
19: ipop3d: pop3 service init from ___
12: ipop3d: pop3s SSL service init from ___
1: ipop3d: Command stream end of file while reading line user=??? host=bogus.domain.net [192.168.0.1]
1: ipop3d: Command stream end of file, while reading authentication host=bogus1.domain.net [10.1.7.1]
|
These are sample reports for the critical queue (sent every time a
message matches the regexp):
Code Listing 2.3: Sample Report - queue [critical] |
host1:
1: /usr/bin/sudo: ___ : TTY=___ ; PWD=___ ; USER=root ; COMMAND=/bin/dmesg
|
Code Listing 2.4: Sample Report - queue [critical] |
host1:
1: /usr/bin/sudo: ___ : TTY=___ ; PWD=___ ; USER=root ; COMMAND=/bin/bash
|
Code Listing 2.5: Sample Report - queue [critical] |
host2:
1: ipop3d: Login failed user=admin auth=admin host=bogus1.domain.net [10.1.7.1]
|
Code Listing 2.6: Sample Report - queue [critical] |
host2:
1: ipop3d: Autologout user=??? host=bogus.domain.net [192.168.0.1]
|
3.
Requirements
Tenshi needs a working 'tail' implementation, it also requires Net::SMTP module
for mailing reports which should be included in your perl installation.
Gentoo Linux users can simply install app-admin/tenshi ebuild.
4.
Resources
The most recent release of tenshi can be found at tenshi-latest.tar.gz.
All releases are available at http://www.gentoo.org/~lcars/tenshi.
Please send requests/suggestions/bug reports to tenshi@gentoo.org.
|