[Logcheck-commits] Hannes von Haugwitz: Added src/logcheck-test and docs/logcheck-test.1
Gerfried Fuchs
alfie at alioth.debian.org
Thu Feb 25 19:21:02 UTC 2010
Module: logcheck
Branch: lenny-backports
Commit: 8c6e70d61e6bcb6ef8bf21ebe6aae4d9e7e8f470
URL: http://git.debian.org/?p=logcheck/logcheck.git;a=commit;h=8c6e70d61e6bcb6ef8bf21ebe6aae4d9e7e8f470
Author: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Date: Thu Feb 18 21:07:59 2010 +0100
Added src/logcheck-test and docs/logcheck-test.1
---
debian/changelog | 1 +
docs/logcheck-test.1 | 110 +++++++++++++++++++++++++++
src/logcheck-test | 205 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 316 insertions(+), 0 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2b1b3f8..1297b29 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
logcheck (1.3.7) UNRELEASED; urgency=low
[ Hannes von Haugwitz ]
+ * Added src/logcheck-test and docs/logcheck-test.1
* ignore.d.server/wu-ftpd:
- adjusted rule to match optional pid (closes: #570207)
* src/logcheck:
diff --git a/docs/logcheck-test.1 b/docs/logcheck-test.1
new file mode 100644
index 0000000..7baa6c8
--- /dev/null
+++ b/docs/logcheck-test.1
@@ -0,0 +1,110 @@
+.TH logcheck-test 1 "Feb 18, 2010"
+.SH NAME
+logcheck-test \- test new logcheck rules easily
+.SH SYNOPSIS
+.B logcheck-test
+.RB [ \-q | \-i ]
+.RB [ \-a | \-s | \-l
+.IR FILE ]
+.RB [ \-e ]
+.RB [ \-P
+.IR PREFIX ]
+.RB [ \-S
+.IR SUFFIX ]
+.I RULE
+.br
+.B logcheck-test
+.RB [ \-q | \-i ]
+.RB [ \-a | \-s | \-l
+.IR FILE ]
+.B \-r
+.I RULEFILE
+.
+.SH DESCRIPTION
+.B logcheck-test
+parses a log file for matching lines specified by a single rule or a rule file. If using a single
+.I RULE
+you can set a
+.I PREFIX
+and a
+.I SUFFIX
+to write new rules easily.
+
+.SH OPTIONS
+.TP
+.B -h, --help
+Show usage information
+.TP
+.B -a, --auth.log
+Parse /var/log/auth.log for matching lines
+.TP
+.B -s, --syslog
+Parse /var/log/syslog for matching lines
+.TP
+.B -l, --log-file FILE
+Parse FILE for matching lines
+.TP
+.B -i, --invert-match
+Show line that don't match the RULE or the RULEFILE
+.TP
+.B -q, --quiet
+Suppress rule summary at the end of output
+.TP
+.B -e, --surround-rule
+Surround RULE with standard prefix '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ' and suffix '$'
+.TP
+.B -P, --append-prefix PREFIX
+Append PREFIX to rule prefix. Option can be given multiple times
+.TP
+.B -S, --prepend-suffix SUFFIX
+Prepend SUFFIX to rule suffix. Option can be given multiple times
+.TP
+.B -r, --rule-file RULEFILE
+Use file RULEFILE for rule input
+.SH EXAMPLES
+With
+.B logcheck-test
+you can easily write and test new rules.
+.PP
+Test a single rule against /var/log/syslog
+.RS
+.fam C
+logcheck -s "RULE"
+.fam T
+.RE
+
+.PP
+Test a single rule against ~/log, surround the rule with standard prefix and suffix and append "kernel " to prefix
+.RS
+.fam C
+logcheck -l ~/log -e -P "kernel " "RULE"
+.fam T
+.RE
+
+.PP
+Test the rules in rulefiles/linux/ignore.d.server/kernel against ~/log
+.RS
+.fam C
+logcheck -l ~/log -r rulefiles/linux/ignore.d.server/kernel
+.fam T
+.RE
+
+.PP
+Test which lines the rules in rulefiles/linux/ignore.d.server/kernel doesn't match
+.RS
+.fam C
+logcheck -l ~/log -r rulefiles/linux/ignore.d.server/kernel -i
+.fam T
+.RE
+
+.SH "EXIT STATUS"
+On successful matching
+.B logcheck-test
+will complete with exit code 0. An exit code of 1 indicates no successful matching.
+.PP
+An exit code greater then 1 indicates an error occurred. Textual errors are written to the standard error stream.
+.SH "SEE ALSO"
+\fBlogcheck\fR(8)
+.SH "AUTHOR"
+logcheck is developed by Debian logcheck Team at alioth:
+http://alioth.debian.org/projects/logcheck/. This manual was written by Hannes von Haugwitz <hannes at vonhaugwitz.com>.
diff --git a/src/logcheck-test b/src/logcheck-test
new file mode 100755
index 0000000..82ab606
--- /dev/null
+++ b/src/logcheck-test
@@ -0,0 +1,205 @@
+#!/bin/sh
+#
+# Copyright © 2007–2010 Hannes von Haugwitz <hannes at vonhaugwitz.com>
+
+# This file is part of Logcheck
+
+# Logcheck is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Logcheck is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with Logcheck; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+set -u
+
+FILE=
+PREFIX=
+SUFFIX=
+RULEFILE=
+INVERT=
+RULE=
+
+NOTQUIET=true
+
+trap 'cleanup; trap - 1 2 3 4 5 6 7 8 10 11 12 13 14 15 16' 1 2 3 4 5 6 7 8 10 11 12 13 14 15 16
+
+cleanup() { :; }
+
+usage() {
+ cat<<EOF
+usage: logcheck-test
+-h|--help : Show usage information
+-a|--auth.log : Parse /var/log/auth.log
+-s|--syslog : Parse /var/log/syslog
+-l|--log-file LOGFILE : Parse LOGFILE
+-i|--invert-match : Show lines that don't match the RULE or RULEFILE
+-q|--quiet : Suppress rule summary
+
+-e|--surround-rule : Surround RULE with standard prefix and suffix
+-P|--append-prefix PREFIX : Append PREFIX to rule prefix
+-S|--prepend-suffix SUFFIX : Prepend SUFFIX to rule suffix
+
+-r|--rule-file RULEFILE : Use file RULEFILE for rule input
+EOF
+}
+
+err() {
+ echo "ERROR: $@!" >&2
+}
+
+warn() {
+ echo "WARNING: $@!" >&2
+}
+
+while [ -n "${1:-}" ]; do
+ ARGUMENT="$1"
+ shift
+ case "$ARGUMENT" in
+ -r|--rule-file)
+ if [ -z "${1:-}" ] ; then
+ err "$ARGUMENT needs an rule file as argument"
+ exit 4
+ else
+ RULEFILE="$1"
+ if ! [ -f "$RULEFILE" ] ; then
+ err "'$RULEFILE' is no regular file"
+ exit 5
+ elif ! [ -r "$RULEFILE" ] ; then
+ err "'$RULEFILE' permission denied"
+ exit 6
+ fi
+ shift
+ fi
+ ;;
+ -l|--log-file)
+ if [ -z "${1:-}" ] ; then
+ err "$ARGUMENT needs a log file as argument"
+ exit 7
+ else
+ if [ -z "$FILE" ] ; then
+ FILE="$1"
+ if ! [ -f "$FILE" ] ; then
+ err "'$FILE' is no regular file"
+ exit 8
+ fi
+ else
+ warn "option -l $1 ignored"
+ fi
+ shift
+ fi
+ ;;
+ -a|--auth.log)
+ if [ -z "$FILE" ] ; then
+ FILE="/var/log/auth.log"
+ else
+ warn "option -a ignored"
+ fi
+ ;;
+ -s|--syslog)
+ if [ -z "$FILE" ] ; then
+ FILE="/var/log/syslog"
+ else
+ warn "option -s ignored"
+ fi
+ ;;
+ -q|--quiet)
+ NOTQUIET=false
+ ;;
+ -i|--invert-match)
+ INVERT="-v"
+ ;;
+ -e|--surround-rule)
+ if [ -n "$PREFIX" ] ; then
+ err "-e option must precede -P option"
+ exit 9
+ elif [ -n "$SUFFIX" ] ; then
+ err "-e option must precede -S option"
+ exit 10
+ else
+ PREFIX="^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ "
+ SUFFIX="\$"
+ fi
+ ;;
+ -P|--append-prefix)
+ if [ -z "${1:-}" ] ; then
+ err "-P needs an argument"
+ exit 11
+ else
+ PREFIX="$PREFIX$1"
+ shift
+ fi
+ ;;
+ -S|--prepend-suffix)
+ if [ -z "${1:-}" ] ; then
+ err "-S needs an argument"
+ exit 12
+ else
+ SUFFIX="$SUFFIX$1"
+ shift
+ fi
+ ;;
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ -*)
+ err "$ARGUMENT: invalid option"
+ exit 13
+ ;;
+ *)
+ if [ -n "$RULEFILE" ] ; then
+ err "you cannot use both RULE and RULEFILE"
+ exit 16
+ fi
+ RULE="$ARGUMENT"
+ if [ -n "${1:-}" ] ; then
+ err "options must preceed RULE"
+ exit 14
+ fi
+ ;;
+ esac
+done
+
+if [ -z "$FILE" ] ; then
+ err "no log file specified, please choose -a or -s or -l LOGFILE"
+ exit 2
+elif ! [ -r "$FILE" ] ; then
+ err "'$FILE' permission denied"
+ exit 3
+else
+ if [ -n "$RULEFILE" ] ; then
+ CLEANRULE="$(mktemp --tmpdir logcheck-test.XXXXXXXXXX)"
+ cleanup() { rm -rf $CLEANRULE; }
+ egrep --text -v '^[[:space:]]*$|^#' "$RULEFILE" >> $CLEANRULE
+ sed -e 's/[[:space:]]*$//' $FILE | egrep $INVERT -f "$CLEANRULE"
+ GREP="$?"
+ cleanup
+ else
+ if [ -n "$RULE" ] ; then
+ sed -e 's/[[:space:]]*$//' $FILE | egrep $INVERT "$PREFIX$RULE$SUFFIX"
+ GREP="$?"
+ else
+ err "no RULE specified"
+ exit 15
+ fi
+ fi
+ [ $GREP -ne 0 ] && EXIT="1" || EXIT="0"
+ if $NOTQUIET ; then
+ echo "================================================================================"
+ echo "parsed file: $FILE"
+ if [ -n "$RULEFILE" ] ; then
+ echo "used rule file: $RULEFILE"
+ else
+ echo "used rule: '$PREFIX$RULE$SUFFIX'"
+ fi
+ fi
+ exit $EXIT
+fi
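Review bot: The exit-status mapping at the end of the script (`[ $GREP -ne 0 ] && EXIT="1" || EXIT="0"`) turns every non-zero egrep status into 1, so an egrep error such as an invalid regex in RULE or RULEFILE (status 2) is reported as "no match", which contradicts the man page's statement that a code greater than 1 means an error; map 0 and 1 through and pass anything else on unchanged. Separately, `$FILE` on the two sed lines and `$CLEANRULE` in `cleanup` are unquoted, and the combined pattern is handed to egrep as a positional argument, so a `-P` prefix beginning with `-` is parsed as an egrep option — use `sed ... -- "$FILE"` and `egrep $INVERT -e "$PREFIX$RULE$SUFFIX"` (egrep's `-e` is unrelated to the script's own `-e`). The `mktemp` call also has no failure check; if it fails `$CLEANRULE` is empty and both the `>>` redirection and `rm -rf` run with no target, so it should be followed by `|| exit 17` or a similar new error code.

```shell
	if [ -n "$RULEFILE" ] ; then
		CLEANRULE="$(mktemp --tmpdir logcheck-test.XXXXXXXXXX)" || { err "could not create temporary file"; exit 17; }
		cleanup() { rm -f -- "$CLEANRULE"; }
		egrep --text -v '^[[:space:]]*$|^#' "$RULEFILE" >> "$CLEANRULE"
		sed -e 's/[[:space:]]*$//' -- "$FILE" | egrep $INVERT -f "$CLEANRULE"
		GREP="$?"
		cleanup
	else
		if [ -n "$RULE" ] ; then
			sed -e 's/[[:space:]]*$//' -- "$FILE" | egrep $INVERT -e "$PREFIX$RULE$SUFFIX"
			GREP="$?"
		# … unchanged: "no RULE specified" error branch …
		fi
	fi
	# 0 = match, 1 = no match; anything else (e.g. 2 for a bad regex) is an
	# egrep error and is passed through as documented in logcheck-test(1)
	case "$GREP" in
		0) EXIT=0 ;;
		1) EXIT=1 ;;
		*) EXIT="$GREP" ;;
	esac
```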