The program is based on a model of independent **parsers** (consisting of Python modules) which analyse logs from a particular service. Logparse comes with a range of these built in, but additional parsers can be written in Python and placed in `/usr/share/logparse/parsers`. At the moment, the built-in parsers are:
-- cron (DEPRECATED) - number of commands, list commands (root user only)
-- cron-journald - number of commands, list commands, list commands per user (requires libsystemd)
-- httpd - list requests, clients, user agents, bytes transferred, no. of errors
+####
+cron
+####
+
+.. automodule:: logparse.parsers.cron
+
+####
+httpd
+####
+
+.. automodule:: logparse.parsers.httpd
+
- mem - get installed/usable/free memory
- postfix - list recipients and bytes sent
- smbd - number of logins, list users & clients
- sshd (DEPRECATED) - logins by user/hostname, attempted root logins, invalid users
- sshd-journald - logins by user/hostname, attempted root logins, invalid users (requires libsystemd)
-- sudo - number of sessions, list users and commands
+- sudo (DEPRECATED)- number of sessions, list users and commands
+- sudo-journald - number of sessions, list users and commands (requires libsystemd)
- sysinfo - hostname, OS, OS version, platform, processors
+- systemd - system status, running/failed units (requires libsystemd)
- temperature - instantaneous temperatures of motherboard, CPU, cores, disks
+- ufw - blocked packets, port and IP data (requires libsystemd)
- zfs - zpool scrub reports, disk usage
.. _configuration:
Space-separated list of parsers to enable. If empty, all the included parsers are run except for deprecated ones. Analogous to the command line option -l|--logs. Default: empty
ignore-parsers
Space-separated list of parsers to ignore (i.e. not execute). If empty, no parsers are ignored. Analogous to the command line option -nl|--ignore-logs. Default: empty
+datetime-format
+ String representing the format for dates and times in the logfiles (when using plain logfiles, not journald parsers). This should be a standard Python strptime format (see <https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior>). Supported parsers allow the datetime-format to be set in their individual sections, which overrides this global value. Default: %b %d %H:%M:%S
##############################################
HTML specific configuration (`[html]` section)
mailbin
Path to the MTA binary (usually Postfix). Default: /usr/bin/mail
+======================
+Default parser options
+======================
+
+Each parser has its own set of options in a section with the name of the parser. In the case of multiple versions of the same parser (e.g. sshd and sshd-journald), the configuration section goes by the base name (e.g. sshd). Options defined in individual parser sections override those defined in the global configuration.
+
+######################
+cron and cron_journald
+######################
+
+commands
+ Regular expression string for which commands to include when parsing logs. If `truncate-commands` is set to true, then the truncated command will be compared against the regex pattern, not the full command. Default: `.*`
+datetime-format
+ String representing the format for dates and times in the logfiles (when using cron, not cron_journald). This should be a standard Python strptime format (see <https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior>). Reverts to the global config if empty. Default: empty
+list-users
+ Display a list of the most common commands run by each user (this may be combined with the `summary` option below). Default: true
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+summary
+ Show a summary of cron sessions. This consists of the total number of sessions, total number of users, and a list of the most popular commands and who executed them. Default: false
+truncate-commands
+ Whether to remove absolute directory paths in commands. When set to true, a command such as `/usr/bin/cat` will become `cat`. Default: true
+users
+ Regular expression string for which usernames to include when parsing logs. This could be used to exclude cron sessions from trusted users. Default: `.*`
+
+
+######################
+sshd and sshd_journald
+######################
+
+period
+ Maximum age of logs to analyse. Overrides global config. Only used in sshd-journald at the moment. See :ref:`period` for more information. Default: empty
+sshd-resolve-domains
+ DNS lookup configuration for sshd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+
+######################
+smbd and smbd_journald
+######################
+
+shares
+ Regular expression string for which Samba shares to include when parsing logs. To consider all shares, set this to `.*`. To exclude a certain share, use negative lookaround. Default: `^((?!IPC\$).)*$`
+users
+ Regular expression string for which user@hostname values to include when parsing logs. This could be used to exclude logins from a trusted user or hostname. Default: `.*`
+smbd-resolve-domains
+ DNS lookup configuration for smbd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. Only used in smbd-journald at the moment. See :ref:`period` for more information. Default: empty
+
+#####
+httpd
+#####
+
+httpd-resolve-domains
+ DNS lookup configuration for httpd parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+
+###
+ufw
+###
+
+ufw-resolve-domains
+ DNS lookup configuration for ufw parser only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+
+######################
+sudo and sudo_journald
+######################
+
+list-users
+ Display a list of the most common commands initiated by each user (this may be combined with the `summary` option below). Default: true
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+summary
+ Show a summary of sudo sessions and most popular commands. Default: false
+truncate-commands
+ Whether to remove absolute directory paths in commands. When set to true, a command such as `/usr/bin/cat` will become `cat`. Default: true
+
+#######
+systemd
+#######
+
+period
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+show-all
+ Whether to include services which are running but okay in the output. Default: true
+
+
+.. _period:
+
+========================
+Log period configuration
+========================
+
+Some parsers support custom time periods to be searched for logs. This period is specified as a string in the configuration section of supported parsers, and is a timespan relative to the time when the parser is initialised. The time parsing functionality uses a modified version of `timeparse.py` originally written by Will Roberts under the MIT License. The following excerpt is taken from the documentation of `timeparse.py`:
+
+.. autofunction:: logparse.timeparse.strseconds
+
.. _variables:
=====================