fxnn / gowatch

Configurable logfile analysis for your server.
MIT License

Support listing summarizer #20

Open fxnn opened 9 years ago

fxnn commented 9 years ago

The main summarizer we currently have is the GrokCounter, which allows having a set of patterns (each with a name) and counts the occurrences of each pattern.

Dovecot: Failed Login Attempts
==============================
5.196.31.23: 1
49.248.147.211: 1
52.6.24.186: 4
52.6.71.222: 3
52.6.130.221: 2
54.208.194.166: 1

Now, what I'd like to see is that we not only have the number of occurrences per pattern, but that we can also see what happened. In the above example, we could list the user names per IP.

Dovecot: Failed Login Attempts
==============================
5.196.31.23: webmaster
49.248.147.211: admin
52.6.24.186: joe, webmaster, admin, adm
52.6.71.222: adm, admin, joe
52.6.130.221: frank, joe
54.208.194.166: user

It's yet unclear to me how to specify the match to be displayed. The configuration for the GrokCounter is

- summarizer: count
  config: {
    '%{login_host}': 'auth\(%{PROG}\): %{PROG}\(%{USER},%{IPORHOST:login_host}\): unknown user'
  }

Guess we need a tuple or something, so that we can specify the pattern and the match to be displayed:

- summarizer: count
  config: {
    '%{login_host}': ['%{user}', 'auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user']
  }

Unfortunately, tuples are hard to read. So, another map?

- summarizer: count
  config: {
    '%{login_host}': {
      list: '%{user}',
      for: 'auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user'
    }
  }

fxnn commented 9 years ago

Guess the most consistent would be another map:

config: {
  '%{login_host}': {
    '%{user}': 'auth\(%{PROG}\): %{PROG}\(%{USER:user},%{IPORHOST:login_host}\): unknown user'
  }
}
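A sketch of the listing summarizer proposed in this thread, as an added example that is not gowatch code. It takes the issue's grok pattern as a Go regexp with named groups standing in for `%{USER:user}` and `%{IPORHOST:login_host}` (an assumption; no grok library is used), runs it over a few constructed Dovecot lines, and produces both today's per-host count and the new per-host user list:

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample Dovecot auth log lines (not from the project or the issue).
var sampleLog = []string{
	"Jan  1 00:00:01 mail dovecot: auth(default): pam(webmaster,5.196.31.23): unknown user",
	"Jan  1 00:00:02 mail dovecot: auth(default): pam(joe,52.6.24.186): unknown user",
	"Jan  1 00:00:03 mail dovecot: auth(default): pam(webmaster,52.6.24.186): unknown user",
	"Jan  1 00:00:04 mail dovecot: auth(default): pam(joe,52.6.24.186): unknown user",
	"Jan  1 00:00:05 mail dovecot: imap-login: Login: user=<frank>, rip=52.6.130.221",
}

// The issue's grok pattern as a Go regexp; the named groups stand in for
// %{USER:user} and %{IPORHOST:login_host} (assumption: no grok library here).
var failedLogin = regexp.MustCompile(`auth\([^)]*\): [^(]*\((?P<user>[^,]+),(?P<login_host>[^)]+)\): unknown user`)

// Summarize implements the proposed `'%{key}': {'%{list}': pattern}` map: each match is
// counted under its "key" capture (what GrokCounter does today) and its "list" capture
// is recorded there once, in first-seen order (what the listing summarizer adds).
func Summarize(lines []string, re *regexp.Regexp, key, list string) (map[string]int, map[string][]string) {
	counts, lists := map[string]int{}, map[string][]string{}
	seen := map[[2]string]bool{} // (key, value) pairs already listed
	keyIdx, listIdx := re.SubexpIndex(key), re.SubexpIndex(list)
	for _, line := range lines {
		m := re.FindStringSubmatch(line)
		if m == nil {
			continue // not a failed-login line; the summarizer ignores it
		}
		k, v := m[keyIdx], m[listIdx]
		counts[k]++
		if !seen[[2]string{k, v}] {
			seen[[2]string{k, v}] = true
			lists[k] = append(lists[k], v)
		}
	}
	return counts, lists
}

func main() {
	counts, users := Summarize(sampleLog, failedLogin, "login_host", "user")
	for host, n := range counts {
		fmt.Printf("%s: %d failed login(s), users %v\n", host, n, users[host])
	}
}
```

Repeated users from the same host are listed once, so the count and the list length can differ, as in the issue's sample output.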