-----------
logparse(8)
-----------

.. _synopsis:

========
Synopsis
========

`logparse` [options]

.. _description:

===========
Description
===========

Logparse is a simple and extensible log analyser which parses and summaries medium-term server logs (up to around 30 days old). It reports notable events and statistics reported from common server programs, and has a comprehensive API to allow users to write their own parsers for custom services.

Logparse is also integrated with systemd's `logrotate` to optionally rotate logs only after they have been summarised, and the user may choose to get an email (requires postfix) or a static HTML/plaintext file with the log summary. As an added feature, IP addresses from ssh/samba/apache logs may be resolved to either hostnames or FQDNs.

Configuration is through the file `/etc/logparse.conf`, in INI format. A description of the configuration variables is shown below at :ref:`configuration`.

Some features require logparse to be run as root (primarily log rotation). It is recommended to set it up on a cron job on a weekly basis.

.. _usage:

======
Usage
======
.. argparse::
   :module: logparse.interface
   :func: get_argparser
   :prog: logparse
   :nodescription: True

.. _parsers:

=======
Parsers
=======

The program is based on a model of independent **parsers** (consisting of Python modules) which analyse logs from a particular service. Logparse comes with a range of these built in, but additional parsers can be written in Python and placed in `/usr/share/logparse/parsers`. At the moment, the built-in parsers are:

- cron (DEPRECATED) - number of commands, list commands (root user only)
- cron-journald - number of commands, list commands, list commands per user (requires libsystemd)
- httpd - list requests, clients, user agents, bytes transferred, no. of errors
- mem - get installed/usable/free memory
- postfix - list recipients and bytes sent
- smbd - number of logins, list users & clients
- sshd (DEPRECATED) - logins by user/hostname, attempted root logins, invalid users
- sshd-journald - logins by user/hostname, attempted root logins, invalid users (requires libsystemd)
- sudo (DEPRECATED)- number of sessions, list users and commands
- sudo-journald - number of sessions, list users and commands (requires libsystemd)
- sysinfo - hostname, OS, OS version, platform, processors
- systemctl - system status, running/failed units (requires libsystemd)
- temperature - instantaneous temperatures of motherboard, CPU, cores, disks
- ufw - blocked packets, port and IP data (requires libsystemd)
- zfs - zpool scrub reports, disk usage

.. _configuration:

=============
Configuration
=============

Logparse can be configured with various options in the file `/etc/logparse/logparse.conf`. Alternatively, the configuration file may be placed elsewhere and referenced with the `-c|--config` command line option.

Configuration files are written in INI format and interpreted using the standard Python :py:mod:`configparser` module. The file is divided into sections denoted by a line with the section name in square brackets, e.g. `[logparse]` for the section called logparse (this is the main section where global options are placed). Other sections are defined for each parser, e.g. `[httpd]` for the section of configuration values for the httpd parser. For more information on configuration syntax, see <https://docs.python.org/3/library/configparser.html#supported-ini-file-structure>.

############################################
General configuration (`[logparse]` section)
############################################

output
  File to which the logparse output (HTML or plaintext) is saved. If empty, no output is written. Analogous to the command line option -d|--destination which overrides this config value. Default: empty
overwrite
  Whether to automatically overwrite an existing output file. Default: false
title
  Title for HTML and plaintext, shown at the top of the output. This string supports the standard variables which are substituted for various metadata in the program (see :ref:`variables`). Default: logparse
maxlist
  Maximum number of regular text items to show in bulleted lists, e.g. user agents for the httpd parser. Default: 10
maxcmd
  Maximum number of command items to show in bulleted lists, e.g. recently executed commands in the cron parser. Default: 6
resolve-domains
  Global setting for resolution of IP addresses into domains. If set to `ip`, logparse will never resolve IP addresses into domains. If set to `fqdn`, IPs will be resolved to show full the full hostname and domain. If set to `fqdn-implicit`, FQDNs will be shown except for local addresses which just show the hostname. If set to `host-only`, only the first segment of the FQDN is shown (i.e. the hostname). This configuration value is passed to the :py:meth:`logparse.util.resolve` function which can be implemented by parsers. This option can also be set in individual parsers, where it is called `resolve-domains-x` where x is the name of the parser. These parser-specific declerations override the global one. Default: fqdn
rotate
  Whether to rotate logs using systemd's logrotate utility. Analogous to the command line option -r|--rotate and -nr|--no-rotate which override this configuration value. Default: false
verbose
  High level of debug output. Analogous to the command line option -v|--verbose. Default: false
quiet
  No output to stdout except for printing the resulting output (enabled with the `-p|--print` command line option) and critical errors. Analogous to the command line option -q|--quiet. Default: false
hostname-path
  Path to file containing the hostname of the current machine (FQDN or not). This is used to identify the machine in the log output. Default: /etc/hostname
parsers
  Space-separated list of parsers to enable. If empty, all the included parsers are run except for deprecated ones. Analogous to the command line option -l|--logs. Default: empty
ignore-parsers
  Space-separated list of parsers to ignore (i.e. not execute). If empty, no parsers are ignored. Analogous to the command line option -nl|--ignore-logs. Default: empty

##############################################
HTML specific configuration (`[html]` section)
##############################################

header
  Path to a header template which will be prepended to HTMl files and HTML emails. This template includes the entire <head> section and the <body> tag, and by default it outputs a title and some basic metadata at the top of the page. The template file can include variables for substitution, see :ref:`variables`. Default: /etc/logparse/header.html
css
  Path to a CSS stylesheet which will be linked or converted to inline tags for all HTML output (files and email). Default: /etc/logparse/main.css
embed-styles
  Whether to convert the stylesheet to inline tags. This is enforced for all HTML emails, and this option allows this same conversion for standalone files. This is done using the :py:mod:`premailer` package. Default: false
css-relpath
  If embed-styles is set to false, this option will convert the URL of the stylesheet (supplied by the css option) into a path relative to the output directory (if writing to a file) or the current directory (if outputting to stdout). Otherwise, the stylesheet is linked to exactly as supplied in the css option. Default: true

#####################################################
Plain-text specific configuration (`[plain]` section)
#####################################################
plain
  Enable plaintext output instead of HTML. Analogous to the -p|--print command line option. Default: false

linewidth
  Limit regular text lines to this number of characters. Note tables do not obey this variable (this is on the todo list). Default: 80

#####################################
Log file locations (`[logs]` section)
#####################################

This section defines paths to log files used for each parser. These paths may vary depending on the operating system and service configuration. Any value can be added to this section, so user-supplied parsers can get their logfile locations from here as well. However, there is currently no mechanism of setting default values for user-supplied parsers, so defaults must be set in the parser files themselves.

auth
  Path to the system's authentication log. Default: /var/log/auth.log
cron
  Path to the cron log. Default: /var/log/cron.log
cpuinfo
  Path to the system's CPU info file in procfs. Default: /proc/cpuinfo
meminfo
  Path to the system's memory info file in procfs. Default: /proc/meminfo
sys
  Path to the system's primary syslog. Default: /var/log/syslog
smbd
  Path to the directory for Samba logfiles. Default: /var/log/samba
zfs
  Path to a file which contains the output of `zpool status`. Default: /var/log/zpool.log
postfix
  Path to the postfix log. Default: /var/log/mail.log
httpd-access
  Path to Apache's access log. Default: /var/log/apache2/access.log
httpd-error
  Path to Apache's error log. Default: /var/log/apache2/error.log

######################################
Email configuration (`[mail]` section)
######################################

Email is sent using the default mail transfer agent (usually Postfix).

to
  Recipient address. If empty, no email is sent. Analogous to the -t|--to command line option. Default: empty
from
  Sender address. If empty, default sender address is determined by the MTA. Default: empty
subject
  Text to use as the subject of the message. Variables may be substituted with metadata (see :ref:`variables`). Default: logparse from $hostname
mailbin
  Path to the MTA binary (usually Postfix). Default: /usr/bin/mail

======================
Default parser options
======================

Each parser has its own set of options in a section with the name of the parser. In the case of multiple versions of the same parser (e.g. sshd and sshd-journald), the configuration section goes by the base name (e.g. sshd). Options defined in individual parser sections override those defined in the global configuration.

####
cron
####

period
  Maximum age of logs to analyse. Overrides global config. Only used in cron-journald at the moment. See :ref:`period` for more information. Default: empty

.. _period:

####
sshd
####

period
  Maximum age of logs to analyse. Overrides global config. Only used in sshd-journald at the moment. See :ref:`period` for more information. Default: empty
sshd-resolve-domains
  DNS lookup configuration for sshd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty

####
smbd
####

shares
  Regular expression string for which Samba shares to include when parsing logs. To consider all shares, set this to `.*`. To exclude a certain share, use negative lookaround. Default: `^((?!IPC\$).)*$`
users
  Regular expression string for which user@hostname values to include when parsing logs. This could be used to exclude logins from a trusted user or hostname. Default: `.*`
smbd-resolve-domains
  DNS lookup configuration for smbd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
period
  Maximum age of logs to analyse. Overrides global config. Only used in smbd-journald at the moment. See :ref:`period` for more information. Default: empty

#####
httpd
#####

httpd-resolve-domains
  DNS lookup configuration for httpd parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
period
  Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty

###
ufw
###

ufw-resolve-domains
  DNS lookup configuration for ufw parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
period
  Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty

####
sudo
####

period
  Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty

#########
systemctl
#########

period
  Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
show-all
  Whether to include services which are running but okay in the output. Default: true 



========================
Log period configuration
========================

Some parsers support custom time periods to be searched for logs. This period is specified as a string in the configuration section of supported parsers, and is a timespan relative to the time when the parser is initialised. The time parsing functionality uses a modified version of `timeparse.py` originally written by Will Roberts under the MIT License. The following excerpt is taken from the documentation of `timeparse.py`:

.. autofunction:: logparse.timeparse.strseconds

.. _variables:

=====================
Variable substitution
=====================

In some configuration options, variables may be used to substitute values at runtime. Variable syntax is simply a dollar sign ($) followed by the variable name. The following variables are supported:

`$css`
  Path to the CSS stylesheet as determined by the css configuration option
`$date`
  Date when processing was started
`$time`
  Time when processing was started
`$hostname`
  Hostname as specified by the hostname configuration option
`$title`
  Value of the title variable as determined by the title option
`$version`
  Version of logparse


.. _api:

=============
API structure
=============

Due to the extensible nature of logparse, many of the core functions can be used in user-supplied parsers. Each parser is written in Python as a single-file module which defines a derivative of the Parser class (see `logparse.load_parsers.Parser` below). Therefore parser classes which inherit the base class have access to all the normal formatting and I/O functions which are documented below.

If logparse is to be imported as a Python package into another project for some reason, you can control the general operations with the `logparse.interface` module.

##################
logparse.interface
##################

.. automodule:: logparse.interface
   :members:

#####################
logparse.load_parsers
#####################

.. automodule:: logparse.load_parsers
   :members:

###################
logparse.formatting
###################

.. automodule:: logparse.formatting
   :members:

================
More information
================
| Readme    https://git.lorimer.id.au/logparse.git/about
| Source    https://git.lorimer.id.au/logparse.git/tree
| Contact   mailto:bugs@lorimer.id.au