grok 0.0.0

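--- a/data/.document
+++ b/data/.document
@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE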
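--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC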
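--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2009 Tim Sharpe
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.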
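--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -0,0 +1,55 @@
+= Grok
+
+Grok aims to be a replacement for the now antiquated SEC (Simple Event
+Correlator).
+
+== Usage
+A simple Grok watcher needs very little in the way of configuration
+require 'grok'
+
+configure do |c|
+c.file = "/var/log/auth.log"
+c.interval = 2
+c.replay = 0
+end
+
+The above script won't do very much, though.
+
+=== Configuration
+There's only a few configuration parameters for Grok at this stage
+
+* file: The log file to watch
+* interval: How often to check the log file for changes (in seconds)
+* replay: The number of lines to read from the bottom of the file on startup
+
+=== Responding to log events
+At it's most basic, you can simply get Grok to print a message as it
+receives them (pretty pointless)
+on :log do
+puts "I just got a log message"
+end
+
+Lets try something a bit more useful though. Lets say I want to know every
+time there's an SSH authenitcation failure. For that, we can make use of the
+RegExp functionality in the event handlers
+
+on :log, /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/ do |username, ip|
+puts "SSH authentication failure for #{username} from #{ip}
+end
+
+This is a bit better. You could go further to have it automatically block the
+IP with iptables if you wanted (see examples/ssh_sentry.rb).
+
+== Note on Patches/Pull Requests
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+(if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Tim Sharpe. See LICENSE for details.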
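--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,54 @@
+require 'rubygems'
+require 'rake'
+
+begin
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+gem.name = "grok"
+gem.summary = %Q{A ruby log event correlator}
+gem.description = %Q{A more featureful replacement for SEC (Simple Event Correlator) in Ruby.}
+gem.email = "tim@sharpe.id.au"
+gem.homepage = "http://github.com/rodjek/grok"
+gem.authors = ["Tim Sharpe"]
+gem.add_development_dependency "thoughtbot-shoulda", ">= 0"
+gem.add_dependency "file-tail", ">= 0"
+# gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+end
+Jeweler::GemcutterTasks.new
+rescue LoadError
+puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+test.libs << 'lib' << 'test'
+test.pattern = 'test/**/test_*.rb'
+test.verbose = true
+end
+
+begin
+require 'rcov/rcovtask'
+Rcov::RcovTask.new do |test|
+test.libs << 'test'
+test.pattern = 'test/**/test_*.rb'
+test.verbose = true
+end
+rescue LoadError
+task :rcov do
+abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+rdoc.rdoc_dir = 'rdoc'
+rdoc.title = "grok #{version}"
+rdoc.rdoc_files.include('README*')
+rdoc.rdoc_files.include('lib/**/*.rb')
+end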
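Review bot: `File.read('VERSION')` on line 48 returns the file contents including the trailing newline, so the rdoc title on line 51 becomes `grok 0.0.0` followed by a line break. Trim it where it is read, `version = File.exist?('VERSION') ? File.read('VERSION').strip : ""`.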
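--- a/data/VERSION
+++ b/data/VERSION
@@ -0,0 +1 @@
+0.0.0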
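--- a/data/examples/ssh_sentry.rb
+++ b/data/examples/ssh_sentry.rb
@@ -0,0 +1,11 @@
+require 'grok'
+
+configure do |c|
+c.file = "/var/log/auth.log"
+c.interval = 5
+c.replay = 0
+end
+
+on :log, /Failed password for root from ([\d\.]+)/ do |ip|
+ret = `/sbin/iptables -I INPUT --source #{ip} -j REJECT`
+end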
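Review bot: The capture on line 9 is interpolated straight into a shell command on line 10; `([\d\.]+)` keeps shell metacharacters out, but the value is still text lifted from a log line whose surrounding message also carries client-supplied text (the attempted user name), so it is not guaranteed to be the real peer address, and a digit-and-dot string that is not an address at all (for example `...`) is accepted as well. Validate it before it reaches iptables, `addr = IPAddr.new(ip).to_s` (raises on a malformed address; needs `require 'ipaddr'`), and run the command in argv form so the value is never shell-parsed, `system('/sbin/iptables', '-I', 'INPUT', '--source', addr, '-j', 'REJECT') || warn("iptables failed for #{addr}")`. `ret` is never read and the exit status of the backtick call is discarded, so a failed insert currently goes unnoticed.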
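--- a/data/lib/grok.rb
+++ b/data/lib/grok.rb
@@ -0,0 +1,18 @@
+require 'grok/watcher'
+
+$watcher = Grok::Watcher.new
+
+%w(configure on).each do |method|
+eval(<<-EOF)
+def #{method}(*args, &block)
+$watcher.#{method}(*args, &block)
+end
+EOF
+end
+
+at_exit do
+unless defined?(Test::Unit)
+raise $! if $!
+$watcher.start
+end
+end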
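Review bot: The `eval` heredoc on lines 6-10 generates two forwarding methods from a static string; nothing untrusted reaches it, but the same result is two plain definitions that grep, rdoc and static analysers can see, `def configure(*args, &block); $watcher.configure(*args, &block); end` and `def on(*args, &block); $watcher.on(*args, &block); end`. The `at_exit` hook on lines 13-18 deserves a comment: `raise $! if $!` stops a script that died before exit from going on to start the tailer, and the `defined?(Test::Unit)` guard presumably exists so that requiring the library from the test suite does not block on `$watcher.start` — worth confirming and stating, since a reader of line 14 cannot tell why a test framework is checked here.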
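--- a/data/lib/grok/watcher.rb
+++ b/data/lib/grok/watcher.rb
@@ -0,0 +1,69 @@
+require 'rubygems'
+require 'file/tail'
+
+module Grok
+Config = Struct.new(:file, :interval, :replay)
+
+class Watcher
+attr_accessor :config, :file, :interval, :match, :replay
+
+def initialize(&b)
+@events = {}
+@config = Config.new("/var/log/messages", 10)
+
+#instance_eval(&b) if block_given?
+end
+
+def configure(&b)
+b.call(@config)
+end
+
+def on(event, match=//, &block)
+match = match.to_s if match.is_a? Integer
+(@events[event] ||= []) << [Regexp.new(match), block]
+end
+
+def dispatch(event, log)
+if handler = find(event, log)
+regexp, block = *handler
+self.match = log.match(regexp).captures
+invoke block
+end
+end
+
+def start
+File.open(@config.file) do |log|
+log.extend(File::Tail)
+log.interval = @config.interval
+log.backward(@config.replay)
+log.tail { |line|
+dispatch(:log, line)
+}
+end
+end
+
+private
+def find(type, log)
+if events = @events[type]
+events.detect {|regexp,_|
+log.match(regexp)
+}
+end
+end
+
+def invoke(block)
+mc = class << self; self; end
+mc.send :define_method, :__grok_event_handler, &block
+
+bargs = case block.arity <=> 0
+when -1; match
+when 0; []
+when 1; match[0..block.arity-1]
+end
+
+catch(:halt) {
+__grok_event_handler(*bargs)
+}
+end
+end
+end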
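Review bot: `Config.new("/var/log/messages", 10)` on line 12 leaves the `replay` field nil, so a watcher that was never passed through `configure` reaches `log.backward(@config.replay)` on line 38 with nil; unless file-tail treats nil as 0 that call fails, and the README documents `replay` as a line count, so pass it explicitly, `@config = Config.new("/var/log/messages", 10, 0)`. Two behaviours of `on` (line 21) should be documented on the method because callers cannot see them: `find` (line 46) uses `detect`, so for each log line only the first registered handler whose pattern matches runs and a catch-all `on :log` registered first shadows every later pattern; and a String argument is compiled by `Regexp.new` as a pattern, not matched literally (use `Regexp.escape` for literal text). A note on `dispatch` that the values in `match` are raw capture text from the watched file, not validated data, would help anyone writing a handler that acts on them.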
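--- a/data/test/helper.rb
+++ b/data/test/helper.rb
@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'grok'
+
+class Test::Unit::TestCase
+end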
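--- a/data/test/test_grok.rb
+++ b/data/test/test_grok.rb
@@ -0,0 +1,7 @@
+require 'helper'
+
+class TestGrok < Test::Unit::TestCase
+should "probably rename this file and start testing for real" do
+flunk "hey buddy, you should probably rename this file and start testing for real"
+end
+end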
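Review bot: The only test, lines 4-6, calls `flunk`, so the default rake task (`task :default => :test` in the Rakefile) fails on every run until this placeholder is replaced. A first real test could build `Grok::Watcher.new`, register a handler with `on :log, /from (\S+)/ do |ip| seen = ip end` and assert that `dispatch(:log, "Failed password for root from 192.0.2.1")` (a constructed sample line) sets `seen`; that exercises `on`, `find` and `invoke` without touching a file or starting the tailer.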
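--- a/metadata
+++ b/metadata
@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification
+name: grok
+version: !ruby/object:Gem::Version
+version: 0.0.0
+platform: ruby
+authors:
+- Tim Sharpe
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2010-02-14 00:00:00 +11:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+name: thoughtbot-shoulda
+type: :development
+version_requirement:
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+- !ruby/object:Gem::Dependency
+name: file-tail
+type: :runtime
+version_requirement:
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+description: A more featureful replacement for SEC (Simple Event Correlator) in Ruby.
+email: tim@sharpe.id.au
+executables: []
+
+extensions: []
+
+extra_rdoc_files:
+- LICENSE
+- README.rdoc
+files:
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- examples/ssh_sentry.rb
+- lib/grok.rb
+- lib/grok/watcher.rb
+- test/helper.rb
+- test/test_grok.rb
+has_rdoc: true
+homepage: http://github.com/rodjek/grok
+licenses: []
+
+post_install_message:
+rdoc_options:
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: "0"
+version:
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.3.5
+signing_key:
+specification_version: 3
+summary: A ruby log event correlator
+test_files:
+- test/helper.rb
+- test/test_grok.rb
+- examples/ssh_sentry.rb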