The program is based on a model of independent **parsers** (consisting of Python modules) which analyse logs from a particular service. Logparse comes with a range of these built in, but additional parsers can be written in Python and placed in `/usr/share/logparse/parsers`. At the moment, the built-in parsers are:
-- cron (DEPRECATED) - number of commands, list commands (root user only)
-- cron-journald - number of commands, list commands, list commands per user (requires libsystemd)
-- httpd - list requests, clients, user agents, bytes transferred, no. of errors
+####
+cron
+####
+
+.. automodule:: logparse.parsers.cron
+
+####
+httpd
+####
+
+.. automodule:: logparse.parsers.httpd
+
- mem - get installed/usable/free memory
- postfix - list recipients and bytes sent
- smbd - number of logins, list users & clients
- sudo (DEPRECATED)- number of sessions, list users and commands
- sudo-journald - number of sessions, list users and commands (requires libsystemd)
- sysinfo - hostname, OS, OS version, platform, processors
-- systemctl - system status, running/failed units (requires libsystemd)
+- systemd - system status, running/failed units (requires libsystemd)
- temperature - instantaneous temperatures of motherboard, CPU, cores, disks
- ufw - blocked packets, port and IP data (requires libsystemd)
- zfs - zpool scrub reports, disk usage
Space-separated list of parsers to enable. If empty, all the included parsers are run except for deprecated ones. Analogous to the command line option -l|--logs. Default: empty
ignore-parsers
Space-separated list of parsers to ignore (i.e. not execute). If empty, no parsers are ignored. Analogous to the command line option -nl|--ignore-logs. Default: empty
+datetime-format
+ String representing the format for dates and times in the logfiles (when using plain logfiles, not journald parsers). This should be a standard Python strptime format (see <https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior>). Supported parsers allow the datetime-format to be set in their individual sections, which overrides this global value. Default: %b %d %H:%M:%S
##############################################
HTML specific configuration (`[html]` section)
Each parser has its own set of options in a section with the name of the parser. In the case of multiple versions of the same parser (e.g. sshd and sshd-journald), the configuration section goes by the base name (e.g. sshd). Options defined in individual parser sections override those defined in the global configuration.
-####
-cron
-####
+######################
+cron and cron_journald
+######################
+commands
+ Regular expression string for which commands to include when parsing logs. If `truncate-commands` is set to true, then the truncated command will be compared against the regex pattern, not the full command. Default: `.*`
+datetime-format
+ String representing the format for dates and times in the logfiles (when using cron, not cron_journald). This should be a standard Python strptime format (see <https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior>). Reverts to the global config if empty. Default: empty
+list-users
+ Display a list of the most common commands run by each user (this may be combined with the `summary` option below). Default: true
period
- Maximum age of logs to analyse. Overrides global config. Only used in cron-journald at the moment. See :ref:`period` for more information. Default: empty
+ Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+summary
+ Show a summary of cron sessions. This consists of the total number of sessions, total number of users, and a list of the most popular commands and who executed them. Default: false
+truncate-commands
+ Whether to remove absolute directory paths in commands. When set to true, a command such as `/usr/bin/cat` will become `cat`. Default: true
+users
+ Regular expression string for which usernames to include when parsing logs. This could be used to exclude cron sessions from trusted users. Default: `.*`
-.. _period:
-####
-sshd
-####
+######################
+sshd and sshd_journald
+######################
period
Maximum age of logs to analyse. Overrides global config. Only used in sshd-journald at the moment. See :ref:`period` for more information. Default: empty
sshd-resolve-domains
DNS lookup configuration for sshd parsers only (overrides global config). Accepted values are `ip`, `fqdn`, `fqdn-implicit`, and `host-only`. See the global setting `resolve-domains` for more information. Default: empty
-####
-smbd
-####
+######################
+smbd and smbd_journald
+######################
shares
Regular expression string for which Samba shares to include when parsing logs. To consider all shares, set this to `.*`. To exclude a certain share, use negative lookaround. Default: `^((?!IPC\$).)*$`
period
Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
-####
-sudo
-####
+######################
+sudo and sudo_journald
+######################
+list-users
+ Display a list of the most common commands initiated by each user (this may be combined with the `summary` option below). Default: true
period
Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
+summary
+ Show a summary of sudo sessions and most popular commands. Default: false
+truncate-commands
+ Whether to remove absolute directory paths in commands. When set to true, a command such as `/usr/bin/cat` will become `cat`. Default: true
-#########
-systemctl
-#########
+#######
+systemd
+#######
period
Maximum age of logs to analyse. Overrides global config. See :ref:`period` for more information. Default: empty
Whether to include services which are running but okay in the output. Default: true
+.. _period:
========================
Log period configuration