[Logcheck-devel] tool: rulefiles analyzer
Todd Troxell
ttroxell at debian.org
Tue Sep 27 06:14:35 UTC 2005
Hi,
Seeing that we have 1000+ rules, I became curious about utilization.
I came up with a cheap program[0] to check. The current output looks like
this:
*cut*
file: rulefiles/linux/ignore.d.server/dhclient:
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 124, 124, 0, 0, 0, 0, 0, 0, 124]
file: rulefiles/linux/violations.d/logcheck:
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
file: rulefiles/linux/ignore.d.server/policyd:
[0, 0]
file: rulefiles/linux/ignore.d.workstation/winbind:
[0]
file: rulefiles/linux/violations.ignore.d/logcheck-cyrus:
[0, 0, 0]
file: rulefiles/linux/ignore.d.paranoid/cron:
[0, 0, 18, 0, 0, 0, 0, 0]
file: rulefiles/linux/ignore.d.server/nscd:
[0]
*cut*
The array numbers correspond to line numbers in the rulefiles. This output
will be improved eventually. It should also calculate the top N and bottom N
matched rules.
Right now it just looks at /var/log/syslog. This should be getopt'd.
Run it from directory logcheck/
[0] http://rapidpacket.com/~xtat/analyzeRules (unfortunately requires Python 2.4 for subprocess)
--
Todd Troxell
http://rapidpacket.com/~xtat
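The kind of per-rule utilization count the post describes, written out as an added example. This is hypothetical illustration code, not Todd Troxell's analyzeRules script and not part of the logcheck project. It assumes that a rulefile holds one extended regular expression per line (the egrep -E form logcheck feeds to grep), that a rule "hits" when it matches a log line anywhere (re.search, as egrep does), and it approximates the POSIX bracket classes used in logcheck rules with Python re equivalents. The rulefile contents and syslog lines are constructed samples, not real rules from the repository. It also adds the top N / bottom N ranking the post says is still to come.

```python
"""Per-rule utilization counter for logcheck-style rulefiles (example code).

Hypothetical illustration; not the analyzeRules tool from the post.
Assumptions: one egrep -E pattern per rulefile line, a rule hits when it
matches a log line anywhere, and POSIX bracket classes are approximated
by the Python character ranges below.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# POSIX classes common in logcheck rules that Python's re does not know.
# The mapping is an approximation (ASCII only), an assumption of this example.
_POSIX_CLASSES = {
    "[:alnum:]": "a-zA-Z0-9",
    "[:alpha:]": "a-zA-Z",
    "[:digit:]": "0-9",
    "[:xdigit:]": "0-9A-Fa-f",
    "[:space:]": r"\s",
    "[:upper:]": "A-Z",
    "[:lower:]": "a-z",
}


def compile_rule(rule: str) -> Optional[re.Pattern]:
    """Compile one rulefile line; None for blank, comment or unparsable lines."""
    stripped = rule.strip()
    if not stripped or stripped.startswith("#"):
        return None
    pattern = stripped
    for posix, py in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    try:
        return re.compile(pattern)
    except re.error:
        # An unparsable rule never matches; report it as 0 hits rather than abort.
        return None


def count_rule_hits(rules: List[str], log_lines: List[str]) -> List[int]:
    """One counter per rulefile line, index i == line i+1, like the post's arrays.

    Blank, comment and uncompilable lines keep 0 so indices stay aligned with
    line numbers. Every matching rule is counted for every line, so overlapping
    (redundant) rules both show hits.
    """
    compiled = [compile_rule(r) for r in rules]
    hits = [0] * len(rules)
    for line in log_lines:
        for i, rx in enumerate(compiled):
            if rx is not None and rx.search(line):
                hits[i] += 1
    return hits


def analyze(rulefiles: Dict[str, List[str]], log_lines: List[str]) -> Dict[str, List[int]]:
    """Run count_rule_hits over every rulefile; keys are rulefile names."""
    return {name: count_rule_hits(rules, log_lines) for name, rules in rulefiles.items()}


def rank_rules(rulefiles: Dict[str, List[str]], results: Dict[str, List[int]],
               n: int) -> Tuple[List[Tuple[str, int, int]], List[Tuple[str, int, int]]]:
    """Top-N and bottom-N (file, line_number, hits), over real rules only,
    so comment and blank lines never show up as 'never matched'."""
    entries = [(name, i + 1, results[name][i])
               for name, rules in rulefiles.items()
               for i, rule in enumerate(rules) if compile_rule(rule) is not None]
    top = sorted(entries, key=lambda e: (-e[2], e[0], e[1]))[:n]
    bottom = sorted(entries, key=lambda e: (e[2], e[0], e[1]))[:n]
    return top, bottom


def load_rulefiles(root: str) -> Dict[str, List[str]]:
    """Read every file under a rulefiles/ tree (e.g. rulefiles/linux) into memory."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                out[os.path.relpath(path, root)] = fh.read().splitlines()
    return out


# Constructed sample data for an offline run; not real logcheck rules or logs.
SAMPLE_RULEFILES = {
    "ignore.d.server/dhclient": [
        "# dhclient lease traffic (constructed rules)",
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient(\[[0-9]+\])?: DHCPREQUEST on [[:alnum:]]+ to [0-9.]+ port 67$",
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient(\[[0-9]+\])?: DHCPACK from [0-9.]+$",
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient(\[[0-9]+\])?: bound to [0-9.]+ -- renewal in [0-9]+ seconds\.$",
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient(\[[0-9]+\])?: DHCPDISCOVER on [[:alnum:]]+",
    ],
    "ignore.d.paranoid/cron": [
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([._[:alnum:]-]+\) CMD \(.*\)$",
        r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron\[[0-9]+\]: \(CRON\) STARTUP",
    ],
}
SAMPLE_SYSLOG = [
    "Sep 27 06:10:01 host dhclient[1234]: DHCPREQUEST on eth0 to 192.0.2.1 port 67",
    "Sep 27 06:10:01 host dhclient[1234]: DHCPACK from 192.0.2.1",
    "Sep 27 06:10:01 host dhclient[1234]: bound to 192.0.2.20 -- renewal in 43200 seconds.",
    "Sep 27 06:15:01 host /USR/SBIN/CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 27 06:20:01 host dhclient[1234]: DHCPREQUEST on eth0 to 192.0.2.1 port 67",
    "Sep 27 06:20:01 host dhclient[1234]: DHCPACK from 192.0.2.1",
]

if __name__ == "__main__":
    # Print in the same shape as the post's output, then the rankings.
    results = analyze(SAMPLE_RULEFILES, SAMPLE_SYSLOG)
    for name, hits in results.items():
        print(f"file: {name}:\n{hits}")
    top, bottom = rank_rules(SAMPLE_RULEFILES, results, 2)
    print("top:", top)
    print("bottom:", bottom)
```

To run it against a real checkout, replace the sample dict with `load_rulefiles("rulefiles/linux")` and the sample list with the lines of the syslog file you want to measure. Rules that land in the bottom list after a representative log sample are candidates for review, and two rules that both hit the same lines point at overlap worth collapsing.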