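################################################################
# SEC ruleset for syslog-ng (contributed by Peter Straka)
################################################################
# Expected input line layout (Solaris-style syslog message ids):
#   date host process[pid]: [ID number facility.level] txt
################################################################
# internal
################################################################
# Settings and parameters shared by the rules below.
#
# %A,%B,%C,%D = scratch parameters (captures from the matched line)
# %F = output file used by the "write" actions
# %E = e-mail recipient list used by the "report" actions
# %M = mail program used by the "report" actions
#
# %F, %E and %M are only assigned by rule beno#1, which fires on SEC's
# own internal events; if SEC runs without internal events enabled the
# write/report actions of beno#3 and beno#5 have no file and no mailer.
################################################################
#rule beno#1
# Initialise the shared variables on SEC start/restart/shutdown.
# $0 here is SEC's own event name, not an external log line.
# NOTE(review): %F points into /tmp, which is world-writable; a directory
# writable only by the user SEC runs as is the safer place for this file.
# The last action line deliberately has no trailing "\": a continuation
# backslash there would pull the following comment line into the action.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)
context=SEC_INTERNAL_EVENT
desc=SEC internal
action=shellcmd /bin/echo -- %t %s $0;\
assign %F /tmp/sec.out;\
assign %E root@localhost;\
assign %M /bin/mail -s "SEC production event";\
add OUT %t "starting"

################################################################
# statistics
################################################################
#rule beno#2
# Count every matching line per host, process, facility and level.
# %A..%D are substituted textually into the Perl code of the eval action
# below, so a value taken from the log line must never contain quotes,
# "$", "@" or ";". The character classes in the pattern enforce that
# (the original used \S+ for all four captures); lines whose host or
# process name contains other characters are simply not counted.
type=Single
continue=TakeNext
ptype=RegExp
pattern=\s([\w.-]+)\s([\w./-]+)\[\d+\]\:\s\[ID \d+ ([a-z0-9]+)\.([a-z]+)\]\s
desc=log level and facility counter + host and proces counter
action=assign %A $1;\
assign %B $2;\
assign %C $3;\
assign %D $4;\
eval %Z ($host{"%A"}++; $proces{"%B"}++; $facility{"%C"}++; $level{"%D"}++;)

#rule beno#3
# Every full hour: write the counters to %F, mail them via %M to %E,
# and reset every counter to 0. Only non-zero counters are listed.
# The counter hashes are package globals shared with beno#2, so they
# must not be declared with "my" here.
# NOTE(review): "%%s" in the sprintf formats is presumably how a literal
# "%" survives SEC's variable substitution - confirm against the SEC
# version in use before changing it.
type=Calendar
time=0 * * * *
desc=log level and facility counter + host and proces counter
action=eval %Z (\
my @ret; \
push(@ret,"*******************************\n***** LEVEL:\n");\
foreach my $x (keys %level) {push(@ret,sprintf "%%s=%d\n",$x,$level{$x}) if $level{$x}; $level{$x}=0}; \
push(@ret,"\n***** FACILITY:\n");\
foreach my $x (keys %facility) {push(@ret,sprintf "%%s=%d\n",$x,$facility{$x}) if $facility{$x}; $facility{$x}=0}; \
push(@ret,"\n***** HOSTS:\n");\
foreach my $x (keys %host) {push(@ret,sprintf "%%s=%d\n",$x,$host{$x}) if $host{$x}; $host{$x}=0}; \
push(@ret,"\n***** PROCES:\n");\
foreach my $x (keys %proces) {push(@ret,sprintf "%%s=%d\n",$x,$proces{$x}) if $proces{$x}; $proces{$x}=0}; \
push(@ret,"\n********************************************************\n");\
return "@ret"); \
write %F %t %Z; \
add STAT %Z; \
report STAT %M %E; \
delete STAT

################################################################
# hourly statistics
################################################################
#rule beno#4
# Count lines per hour of day, keyed "H<hour>" from the timestamp.
# The capture is digits only, so interpolating it into the eval is safe.
type=Single
continue=TakeNext
ptype=RegExp
pattern=\S+\s+\d+\s+(\d+)\:\d+\:\d+\s
desc=hourly counter
action=assign %A H$1;\
eval %Z ($hour{"%A"}++;)

#rule beno#5
# Write the per-hour counters to %F, mail them, and reset them to 0.
# NOTE(review): the original comment said "at midnight" but the schedule
# below is 16:25 every day - probably a test value left behind; midnight
# would be "time=0 0 * * *". Left unchanged, confirm which was intended.
type=Calendar
time=25 16 * * *
desc=hourly counter
action=eval %Z (\
my @ret; \
push(@ret,"*******************************\n");\
foreach my $x (keys %hour) {push(@ret,sprintf "%%s:00=%d\n",$x,$hour{$x});$hour{$x}=0}; \
push(@ret,"\n********************************************************\n");\
return "@ret"); \
write %F %t %Z; \
add HOUR_STAT %Z; \
report HOUR_STAT %M %E; \
delete HOUR_STAT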