logparse

Logparse is a simple and extensible log analyser which parses and summaries medium-term server logs (up to around 30 days old). It reports notable events and statistics reported from common server programs, and has a comprehensive API to allow users to write their own parsers for custom services.

Logparse is also integrated with systemd's logrotate to optionally rotate logs only after they have been summarised, and the user may choose to get an email (requires postfix) or a static HTML/plaintext file with the log summary. As an added feature, IP addresses from ssh/samba/apache logs may be resolved to either hostnames or FQDNs.

Configuration is through the file /etc/logparse.conf, in INI format. A description of the configuration variables is shown below at :ref:configuration.

Some features require logparse to be run as root (primarily log rotation). It is recommended to set it up on a cron job on a weekly basis.

The program is based on a model of independent parsers (consisting of Python modules) which analyse logs from a particular service. Logparse comes with a range of these built in, but additional parsers can be written in Python and placed in /usr/share/logparse/parsers. At the moment, the built-in parsers are:

cron (DEPRECATED) - number of commands, list commands (root user only)
cron-journald - number of commands, list commands, list commands per user (requires libsystemd)
httpd - list requests, clients, user agents, bytes transferred, no. of errors
mem - get installed/usable/free memory
postfix - list recipients and bytes sent
smbd - number of logins, list users & clients
sshd (DEPRECATED) - logins by user/hostname, attempted root logins, invalid users
sshd-journald - logins by user/hostname, attempted root logins, invalid users (requires libsystemd)
sudo - number of sessions, list users and commands
sysinfo - hostname, OS, OS version, platform, processors
temperature - instantaneous temperatures of motherboard, CPU, cores, disks
zfs - zpool scrub reports, disk usage

For more information, see logparse(8) by running man logparse.

Website: https://git.lorimer.id.au/logparse.git

description	Simple and modular log analysis for Linux servers
last change	Fri, 27 Sep 2019 11:01:24 +0000 (21:01 +1000)

2019-09-27	•	rename parsers, better journald integration	diff \| tree
2019-09-21	•	add parser-specific docs & rewrite sudo parser for...	diff \| tree
2019-09-20	•	better log formatting and limit lines to 80 char	diff \| tree
2019-09-19	•	add systemctl and ufw parsers, support for varying...	diff \| tree
2019-09-16	•	bugfixing & add smbd_journald	diff \| tree
2019-09-09	•	add more docstrings	diff \| tree
2019-09-08	•	update readme & docs	diff \| tree
2019-09-05	•	add docs	diff \| tree
2019-09-05	•	rework parser loading interface	diff \| tree
2019-09-03	•	new parser class structure	diff \| tree
2019-09-02	•	migrate configuration system to the stdlib ConfigParser	diff \| tree
2019-08-31	•	fix logrotate functionality	diff \| tree
2019-08-30	•	bugfixing in config & add quiet mode	diff \| tree
2019-08-30	•	add journald communication capability	diff \| tree
2019-08-30	•	add parsers for memory info and system info	diff \| tree
2019-08-30	•	add table implementation	diff \| tree
show all commits

logparse

Commits

Branches