grok 0.0.0 → 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/README.rdoc +5 -5
- data/VERSION +1 -1
- data/examples/ssh_sentry.rb +1 -1
- data/lib/grok.rb +6 -6
- data/lib/grok/watcher.rb +10 -9
- metadata +1 -1
data/README.rdoc
CHANGED
|
@@ -23,18 +23,18 @@ There's only a few configuration parameters for Grok at this stage
|
|
|
23
23
|
* replay: The number of lines to read from the bottom of the file on startup
|
|
24
24
|
|
|
25
25
|
=== Responding to log events
|
|
26
|
-
At it's most basic, you can simply get Grok to print
|
|
26
|
+
At it's most basic, you can simply get Grok to print out each message as it
|
|
27
27
|
receives them (pretty pointless)
|
|
28
|
-
on
|
|
29
|
-
puts
|
|
28
|
+
on /(.*)/ do |line|
|
|
29
|
+
puts line
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
Lets try something a bit more useful though. Lets say I want to know every
|
|
33
33
|
time there's an SSH authenitcation failure. For that, we can make use of the
|
|
34
34
|
RegExp functionality in the event handlers
|
|
35
35
|
|
|
36
|
-
on
|
|
37
|
-
puts "SSH authentication failure for #{username} from #{ip}
|
|
36
|
+
on /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/ do |username, ip|
|
|
37
|
+
puts "SSH authentication failure for #{username} from #{ip}"
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
This is a bit better. You could go further to have it automatically block the
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.0.
|
|
1
|
+
0.0.1
|
data/examples/ssh_sentry.rb
CHANGED
data/lib/grok.rb
CHANGED
|
@@ -2,14 +2,14 @@ require 'grok/watcher'
|
|
|
2
2
|
|
|
3
3
|
$watcher = Grok::Watcher.new
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
def #{method}(*args, &block)
|
|
8
|
-
$watcher.#{method}(*args, &block)
|
|
9
|
-
end
|
|
10
|
-
EOF
|
|
5
|
+
def configure(*args, &block)
|
|
6
|
+
$watcher.configure(*args, &block)
|
|
11
7
|
end
|
|
12
8
|
|
|
9
|
+
def on(match, opts={}, &block)
|
|
10
|
+
$watcher.on(match, opts, &block)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
13
|
at_exit do
|
|
14
14
|
unless defined?(Test::Unit)
|
|
15
15
|
raise $! if $!
|
data/lib/grok/watcher.rb
CHANGED
|
@@ -18,19 +18,12 @@ module Grok
|
|
|
18
18
|
b.call(@config)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
def on(
|
|
21
|
+
def on(match, opts={}, &block)
|
|
22
|
+
event = :log
|
|
22
23
|
match = match.to_s if match.is_a? Integer
|
|
23
24
|
(@events[event] ||= []) << [Regexp.new(match), block]
|
|
24
25
|
end
|
|
25
26
|
|
|
26
|
-
def dispatch(event, log)
|
|
27
|
-
if handler = find(event, log)
|
|
28
|
-
regexp, block = *handler
|
|
29
|
-
self.match = log.match(regexp).captures
|
|
30
|
-
invoke block
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
|
|
34
27
|
def start
|
|
35
28
|
File.open(@config.file) do |log|
|
|
36
29
|
log.extend(File::Tail)
|
|
@@ -65,5 +58,13 @@ module Grok
|
|
|
65
58
|
__grok_event_handler(*bargs)
|
|
66
59
|
}
|
|
67
60
|
end
|
|
61
|
+
|
|
62
|
+
def dispatch(event, log)
|
|
63
|
+
if handler = find(event, log)
|
|
64
|
+
regexp, block = *handler
|
|
65
|
+
self.match = log.match(regexp).captures
|
|
66
|
+
invoke block
|
|
67
|
+
end
|
|
68
|
+
end
|
|
68
69
|
end
|
|
69
70
|
end
|