Homepage: log_analysis
Current version: 0.46
Download: log_analysis-0.46.tar.gz
Requires: perl 5.00503


I like to go through my system logs. This often lets me know if there's a system problem before it becomes a major issue, and it shows me security issues.

Reviewing system logs has problems:

log_analysis is my solution to these problems. It goes through several different kinds of logs (currently syslog, wtmp, and sulog), over some period (defaults to yesterday). It strips out the date and PID, and throws away certain entries. Then it tries each entry against a list of perl regular expressions. Each perl regular expression is associated with a category name and a rule for extracting data. When there's a match, the data-extracting rule is applied, and filed under the category. If a log entry is unknown, it's filed under a special category for unknowns. Identical entries for a given category are sorted and counted. There's an option to mail the output, so you can just run it out of cron. You can also save a local copy of the output. If you prefer to PGP-mail yourself the output, you can do this, too. The whole thing is designed to be easily extended, complete with an easy plug-in interface. The default mode is for reporting, but it also "real" and "gui" modes for continuous monitoring, complete with action support. Oh, and you can edit patterns in a GUI that helps write regular expressions quickly and easily.


The program needs to run with permissions to read your log files in order to be useful, which usually means root. It does not default to SUID root, and I recommend not making it SUID, so just run it as root (ie. manually or out of cron). I've tried to avoid temp files everywhere that I can, and in the one case where I do use a temp file, I make sure to use the POSIX tmpnam function instead of trying to make up my own temp file algorithm. The default umask is 077. If you use action commands, there is nothing to stop you from using parts of the log message in insecure ways, so for goodness' sake, be careful.

Local extensions

log_analysis already has lots of rules, but chances are that you have log entries that aren't already covered. So, log_analysis can easily be extended via a local config file, as documented in the log_analysis manpage. There's even an easy way to do modular plug-ins.

Mailing list

We have a mailing list. It's run by majordomo, off the frakir.org server, and it's called log_analysis. That should give you enough info to figure out how to subscribe. :)

Change Log

Here is the ChangeLog.

Incompatible changes


Future plans/TODO

Major things I would really like to see happen, but don't necessarily have time to implement in the foreseeable future:

by Mordechai T. Abzug <morty+www@frakir.org>
Main page