grok 0.0.2 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.rdoc +14 -1
- data/VERSION +1 -1
- data/lib/grok.rb +7 -1
- data/lib/grok/watcher.rb +31 -11
- metadata +3 -3
data/README.rdoc
CHANGED
|
@@ -21,6 +21,7 @@ There's only a few configuration parameters for Grok at this stage
|
|
|
21
21
|
* file: The log file to watch
|
|
22
22
|
* interval: How often to check the log file for changes (in seconds)
|
|
23
23
|
* replay: The number of lines to read from the bottom of the file on startup
|
|
24
|
+
* process: Spawn this process and feed the output into grok
|
|
24
25
|
|
|
25
26
|
=== Responding to log events
|
|
26
27
|
At it's most basic, you can simply get Grok to print out each message as it
|
|
@@ -48,7 +49,7 @@ Getting there. What if our user failed a couple of times over the past month?
|
|
|
48
49
|
We don't really want to him out for that, so we'll put a time limit on the rule
|
|
49
50
|
so only 3 incorrect login attempts within the past 2 minutes will trigger it.
|
|
50
51
|
|
|
51
|
-
on /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/, :times => 3, :
|
|
52
|
+
on /sshd\[\d+\]: Failed password for ([\d\w]+) from ([\d\.]+)/, :times => 3, :within => '2m' do |username, ip|
|
|
52
53
|
puts "SSH authentication failure for #{username} from #{ip}"
|
|
53
54
|
end
|
|
54
55
|
|
|
@@ -58,6 +59,18 @@ weeks (w), days (d), hours (h), minutes (m) and seconds (s). For example
|
|
|
58
59
|
'1d2h3s' => 1 day, 2 hours and 3 seconds
|
|
59
60
|
'2y3m' => 2 years and 3 minutes
|
|
60
61
|
|
|
62
|
+
=== Other events
|
|
63
|
+
==== Exit
|
|
64
|
+
You can also define event handlers to run when your script exits (for the
|
|
65
|
+
purposes of printing a summary, or whatever you want).
|
|
66
|
+
|
|
67
|
+
exit do
|
|
68
|
+
puts "Done"
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
You can define as many of these handlers as you'd like and they'll be run
|
|
72
|
+
when the Ruby process has been sent a SIGINT.
|
|
73
|
+
|
|
61
74
|
== Note on Patches/Pull Requests
|
|
62
75
|
|
|
63
76
|
* Fork the project.
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
0.0.
|
|
1
|
+
0.0.3
|
data/lib/grok.rb
CHANGED
|
@@ -10,7 +10,13 @@ end
|
|
|
10
10
|
def on(match, opts={}, &block)
|
|
11
11
|
$watcher.on(match, opts, &block)
|
|
12
12
|
end
|
|
13
|
-
|
|
13
|
+
|
|
14
|
+
def exit(&block)
|
|
15
|
+
$watcher.exit(&block)
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
trap "SIGINT", proc { $watcher.stop }
|
|
19
|
+
|
|
14
20
|
at_exit do
|
|
15
21
|
unless defined?(Test::Unit)
|
|
16
22
|
raise $! if $!
|
data/lib/grok/watcher.rb
CHANGED
|
@@ -2,7 +2,7 @@ require 'rubygems'
|
|
|
2
2
|
require 'file/tail'
|
|
3
3
|
|
|
4
4
|
module Grok
|
|
5
|
-
Config = Struct.new(:file, :interval, :replay)
|
|
5
|
+
Config = Struct.new(:file, :interval, :replay, :process)
|
|
6
6
|
|
|
7
7
|
class Watcher
|
|
8
8
|
attr_accessor :config, :file, :interval, :match, :replay
|
|
@@ -10,7 +10,7 @@ module Grok
|
|
|
10
10
|
def initialize(&b)
|
|
11
11
|
@events = {}
|
|
12
12
|
@event_log = {}
|
|
13
|
-
@config = Config.new(
|
|
13
|
+
@config = Config.new(nil, 10, 0, nil)
|
|
14
14
|
|
|
15
15
|
#instance_eval(&b) if block_given?
|
|
16
16
|
end
|
|
@@ -20,23 +20,38 @@ module Grok
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def on(match, opts={}, &block)
|
|
23
|
-
event = :log
|
|
24
23
|
match = match.to_s if match.is_a? Integer
|
|
25
24
|
within = opts[:within] ? Grok.parse_time_string(opts[:within]) : nil
|
|
26
|
-
(@events[
|
|
25
|
+
(@events[:log] ||= []) << [Regexp.new(match), block, opts[:times], within]
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def exit(&block)
|
|
29
|
+
(@events[:exit] ||= []) << block
|
|
27
30
|
end
|
|
28
31
|
|
|
29
32
|
def start
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
33
|
+
if !@config.file.nil?
|
|
34
|
+
File.open(@config.file) do |log|
|
|
35
|
+
log.extend(File::Tail)
|
|
36
|
+
log.interval = @config.interval
|
|
37
|
+
log.backward(@config.replay)
|
|
38
|
+
log.tail { |line|
|
|
39
|
+
dispatch(:log, line)
|
|
40
|
+
}
|
|
41
|
+
end
|
|
42
|
+
elsif !@config.process.nil?
|
|
43
|
+
IO.popen(@config.process) { |fd|
|
|
44
|
+
while line = fd.gets
|
|
45
|
+
dispatch(:log, line)
|
|
46
|
+
end
|
|
36
47
|
}
|
|
37
48
|
end
|
|
38
49
|
end
|
|
39
50
|
|
|
51
|
+
def stop
|
|
52
|
+
dispatch(:exit)
|
|
53
|
+
end
|
|
54
|
+
|
|
40
55
|
private
|
|
41
56
|
def find(type, log)
|
|
42
57
|
if events = @events[type]
|
|
@@ -61,7 +76,12 @@ module Grok
|
|
|
61
76
|
}
|
|
62
77
|
end
|
|
63
78
|
|
|
64
|
-
def dispatch(event, log)
|
|
79
|
+
def dispatch(event, log=nil)
|
|
80
|
+
if event == :exit
|
|
81
|
+
@events[:exit].each { |block| invoke block }
|
|
82
|
+
Process.exit
|
|
83
|
+
end
|
|
84
|
+
|
|
65
85
|
if handler = find(event, log)
|
|
66
86
|
regexp, block, times, within = *handler
|
|
67
87
|
self.match = log.match(regexp).captures
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: grok
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Sharpe
|
|
@@ -9,7 +9,7 @@ autorequire:
|
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
11
|
|
|
12
|
-
date: 2010-02-
|
|
12
|
+
date: 2010-02-18 00:00:00 +11:00
|
|
13
13
|
default_executable:
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
@@ -83,6 +83,6 @@ signing_key:
|
|
|
83
83
|
specification_version: 3
|
|
84
84
|
summary: A ruby log event correlator
|
|
85
85
|
test_files:
|
|
86
|
-
- test/helper.rb
|
|
87
86
|
- test/test_grok.rb
|
|
87
|
+
- test/helper.rb
|
|
88
88
|
- examples/ssh_sentry.rb
|