From 7d52a9eed1783f368fb042de0e9df5996dfbd155 Mon Sep 17 00:00:00 2001 From: Peter Baumann Date: Tue, 4 Jun 2013 15:30:42 +0200 Subject: [PATCH] added syslog scripts --- syslog/.AppleDouble/.Parent | Bin 0 -> 741 bytes syslog/relogger.pl | 147 +++++++++++++++++++++ syslog/replay-log.pl | 248 ++++++++++++++++++++++++++++++++++++ 3 files changed, 395 insertions(+) create mode 100644 syslog/.AppleDouble/.Parent create mode 100755 syslog/relogger.pl create mode 100755 syslog/replay-log.pl diff --git a/syslog/.AppleDouble/.Parent b/syslog/.AppleDouble/.Parent new file mode 100644 index 0000000000000000000000000000000000000000..8303a9a89371b59065c36bdd03bce1dac13ec509 GIT binary patch literal 741 zcmZQz6=P>$V!#BvKp~(w(^IGvGmzc}#B4y!!oa||6)MgFR8tFN3ji@EklhQU6@Zu< z$UX?9f$|JMvzTD&`GD+=Krx^h4E#X$S`fRz#Wf7bJ_%-f`uPLd7s2e{NIxL^CXmh1 z5FAzqWIqIn7grYN. Made available to the +# public courtesy of PANIX (http://www.panix.com). +# This script is licensed under the GPL. +# Requires Date::Parse and Time::HiRes modules + + +my $usage= + "relogger.pl [--facility fac] [--priority pri] [--replayspeed factor]\n"; + +use strict; +use Sys::Syslog qw(:DEFAULT setlogsock); +use Getopt::Long; + +use Date::Parse; # for str2time +use Time::HiRes qw ( sleep ); + +my %opt; +die $usage unless + GetOptions (\%opt, "debug", "facility=s", "priority=s", "replayspeed=s"); + +setlogsock('unix') + if grep /^ $^O $/xo, ("linux", "openbsd", "freebsd", "netbsd"); + +my $facility= $opt{'facility'} || "mail"; +my $priority= $opt{'priority'} || "info"; +my $replayspeed= $opt{'replayspeed'} || 0; +my $debug= $opt{'debug'} || 0; + +die "$0: Option 'replayspeed' must be a valid floating point number\n" + unless $replayspeed =~ /^[0-9]*\.?[0-9]*$/; +my $progname= ""; + +# Aug 5 20:28:17 grand-central postfix/qmgr[4389]: AC2BB7F9A: removed +# my $thistime= str2time($date); +# warn "$0: cannot parse date '$date'\n" if !$thistime; + +my $lasttimestamp= 0; +my $timestamp; +my $timestep= 0; + +while(<>) +{ + if ( ((my ($timestr, $process, $msg))= /^(.*) \S+ ([^ []*)\[\d+\]: (.*)$/ ) == 3) + { + $timestamp= str2time($timestr) || + warn "$0: cannot parse timestamp '$timestr'\n"; + if ($progname ne $process) + { + closelog; + openlog "$process", 'ndelay,pid', $facility or die "$0: openlog: $!\n"; + $progname= $process; + } + + $timestep= $timestamp - $lasttimestamp; + if ($replayspeed and $timestep > 0 and $lasttimestamp > 0) + { + warn "sleeping for " . $timestep * $replayspeed . " seconds...\n" if $debug; + sleep( $timestep * $replayspeed); + } + + syslog $priority, "%s", $msg unless $debug; + warn "$process $facility/$priority $msg\n" if $debug; + $lasttimestamp= $timestamp; + } + else + { + warn "$0: cannot parse input line $.: $_\n"; + } +} + + +__END__ + +=head1 NAME + +relogger.pl - re-inject syslog log files back into syslog + +=head1 SYNOPSIS + +B [I<--facility fac>] [I<--priority pri>] [I<--replayspeed factor>] [I<--debug]>] + +=head1 DESCRIPTION + +B takes syslog-formatted messages on standard input and re-sends +them via the default syslog mechanism. The existing timestamps are stripped +off the message before it is re-sent. Delays between messages can be enabled +with the I<--replayseed> option (see B below to simulate the +arrival times of the original messages. + + was written to help test configurations for programs +like B or B that parse log output and take +actions based on what messages appear in the logs. + +=head1 OPTIONS + +=item B<--facility> I specify the syslog facility to log the messages +to. Standard syslog messages do not store the facility the message was +logged on, so this cannot be determined from the input. The default is the +B facility. + +=item B<--priority> I specify the syslog priority to log the messages +to. The default is the B priority. As with B<--facility>, this +information cannot be discovered from the input. + +=item B<--replayspeed> I attempt to parse the timestamps +of the input messages, and simulate the original arrival times by sleeping +between each message. The sleep time is multiplied by I. To send +simulated log events with time spacing at the same time as the original +arrival times, use a I of 1. To send simulated log events at twice +the speed of the original logs, use a I of 0.5 (i.e. sleep only +half the original time between log messages). + +=item B<--debug> send all output to standard error, rather than to syslog. +Also prints an extra diagnostic message or two. + +=head1 BUGS + +B is a beta-quality tool for testing logging configurations. +It is not yet recommended for production use. + +It would be nice to be able to specify the input filename on the command +line, instead of requiring it to be on standard input. + +It would be nice to be able to control the syslog mechanism on the +command line (i.e. specify whether to use a local or remote host) +rather than just using the system default. + +The original PID in the message is replaced by the current PID of +B in the simulated message. Also, the PID of B +will appear in the simulated message even if the original one did not +supply a PID. + +In spite of using Time::HiRes to enable sleeping in fractional seconds, +some environments seem to still round off to seconds. This needs a bit +more investigation. + +=head1 AUTHOR + +B was written by Ed Ravin , and is made +available to the public by courtesy of PANIX (http://www.panix.com). +This script is licensed under the GPL. B requires the +Date::Parse and the Time::HiRes Perl modules. + diff --git a/syslog/replay-log.pl b/syslog/replay-log.pl new file mode 100755 index 0000000..8087efd --- /dev/null +++ b/syslog/replay-log.pl @@ -0,0 +1,248 @@ +#!/usr/bin/perl -w +# +# $Id: replay-log,v 1.9 2005/08/06 21:00:00 jmates Exp $ +# +# The author disclaims all copyrights and releases this script into the +# public domain. +# +# Replays logs, simulating the time delays present in the source +# data. Only supports the standard Unix syslogd(8) format at present. +# +# Run perldoc(1) on this script for additional documentation. + +use POSIX qw(strftime); +use Time::Local qw(timelocal); +use Time::HiRes qw(sleep); + +use Getopt::Std; +my %opts; +getopts 'h?r:f:o:s:', \%opts; + +print_help() if exists $opts{h} or exists $opts{'?'}; + +my ( $previous_epoch, $random_seed, $speed_factor ); + +# increase playback speed +if ( exists $opts{f} and defined $opts{f} and $opts{f} > 1 ) { + $speed_factor = $opts{f}; +} else { + $speed_factor = 1; +} + +# use random seed to determine delay for next log entry +if ( exists $opts{r} + and defined $opts{r} + and $opts{r} > 0 ) { + + $random_seed = $opts{r}; + $previous_epoch = time; +} + +# use custom output file +if ( exists $opts{o} ) { + open STDOUT, '>', $opts{o} + or die "error: could not open: errno=$!, file=$opts{o}\n"; +} + +# leading delay (good if need time to get something else running) +if ( exists $opts{s} and defined $opts{s} and $opts{s} > 0 ) { + sleep $opts{s}; +} + +# force flush on output for better replay of logs +$| = 1; + +while (<>) { + chomp; + + # TODO will need to read different log formats (standard syslog, squid, + # apache, custom...): split into "time, rest of data" and have means to + # output "time with format, rest of data" + my %data; + + ( $data{rawtime}, $data{suffix} ) = + $_ =~ m/^ (\w{3} \s\s? \d\d? \s [\d:]{8}) (.*) $/x; + + $data{epoch} = + $random_seed + ? $previous_epoch + rand $random_seed + : syslog_to_epoch( $data{rawtime} ); + + if ( defined $previous_epoch ) { + my $delay = ( $data{epoch} - $previous_epoch ) / $speed_factor; + + # KLUGE syslog messages may have different timezones, which results + # in negative time differences. Workaround: detect and sleep random + # time value. (TODO use moving average instead?) + if ( $delay < 0 ) { + $delay = rand ($random_seed || 3); + } + + sleep $delay; + } + + # TODO for output, either want original string, or rework with new + # timestamp based on the current time. Allow templating off %data, + # different time formatting via strftime. + if ($random_seed) { + print epoch_to_str( $data{epoch} ), $data{suffix}, $/; + } else { + print $_, $/; + } + + $previous_epoch = $data{epoch}; +} + +sub epoch_to_str { + # epoch may have .123 microseconds (squid logs), so whack that off + strftime "%b %d %H:%M:%S", localtime( int $_[0] || 0 ); +} + +# convert default syslog timestamp into epoch seconds. Uses current +# year, as syslog does not record the year (nor the timezone, but that's +# another rant). +sub syslog_to_epoch { + my $date = shift; + my $epoch; + + my %month_map; + @month_map{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 0 .. 11; + + my ( $month, $day, $hour, $min, $sec ) = + $date =~ m/^(\w{3}) \s\s? (\d\d?) \s (\d\d):(\d\d):(\d\d)/x; + $epoch = timelocal $sec, $min, $hour, $day, $month_map{$month}, + 1900 + (localtime)[5]; + + return $epoch; +} + +sub print_help { + print <<"HELP"; +Usage: $0 [-o output-file] [-f factor] [-r random-seed] < input-file + +Replays logs, simulating the time delays present in the source data. + +Options: + -h/-? Display this message. + + -o ff Write output to this file instead of standard out. + + -f nn Numeric factor to speed replay up by, such as 3600. + -r nn Specify random seed to rand() for random replay speed. + -s nn Sleep this long before starting. + +Run perldoc(1) on this script for additional documentation. + +HELP + exit 100; +} + +__DATA__ + +=head1 NAME + +replay-log - replays logs with simulated time delays + +=head1 SYNOPSIS + +Replay logs from C (may take some time!): + + $ replay-log logs to a named pipe, read them with C: + + $ mkfifo logfile + $ grep sshd or SEC: + +http://swatch.sourceforge.net/ + +http://kodu.neti.ee/~risto/sec/ + +Only supports Unix syslogd(8) data at present. + +=head2 Normal Usage + + $ replay-log [-o output-file] [-f factor] [-r random-seed] < input-file + +See L<"OPTIONS"> for details on the command line switches supported. + +Log data is read from standard input, and sent to standard output, +unless a custom output file is specified. + +=head1 OPTIONS + +This script currently supports the following command line switches: + +=over 4 + +=item B<-h>, B<-?> + +Prints a brief usage note about the script. + +=item B<-o> I + +Send output to I instead of standard out. + +=item B<-r> I + +Use I as the random seed to C; logs will playback +using a random delay based on the seed. + +=item B<-f> I + +Speed playback of logs. I must be a number greater than one; +higher values lead to faster replays. + +=item B<-s> I + +Sleep I seconds before replaying any logs. + +=back + +=head1 BUGS + +=head2 Reporting Bugs + +If the bug is in the latest version, send a report to the author. +Patches that fix problems or add new features are welcome. + +=head2 Known Issues + +Only supports Unix syslogd(8) data at present. Output could be formatted +in different ways and offer better control of timestamp display. + +=head1 SEE ALSO + +perl(1) + +=head1 AUTHOR + +Jeremy Mates, http://sial.org/contact/ + +=head1 COPYRIGHT + +The author disclaims all copyrights and releases this script into the +public domain. + +=head1 VERSION + + $Id: replay-log,v 1.9 2005/08/06 21:00:00 jmates Exp $ + +=cut