Linux
Background
The Linux Servers logs analysis App automatically Collect - Read - Parse - Analyzes - Reports all machine generated log data of the server and presents a comprehensive set of graphs and reports to analyze machine generated data. Use a predefined set of dashboards and widgets to visualize and address the system software, code written, and infrastructure during development, testing, and production. This Linux logs analysis App helps measure, troubleshoot, and optimize your servers integrity, stability and quality with the several visualization and investigation dashboards.
Steps:
The Linux App is running on messages/syslog, auth/secure, mail, kern and cron standard logs.
When adding/editing the logs to XpoLog it is mandatory to apply the correct log type(s) to each of the logs:linux - all logs that the application will analyze must have linux as a log type
messages/syslog - only the messages/syslog logs must also be configured to have messages as a log type
auth/secure - only the auth/secure logs must also be configured to have auth as a log type
cron - only the cron log must also be configured to have cron as a log type
mail - only the mail log must also be configured to have mail as a log type
kernel - only the kern log must also be configured to have kernel as a log type
audit - only the audit log must also be configured to have audit as a log type
Once the required information is set, on each log click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Linux App. Use the following patterns for each of the logs:
messages/syslog log:
First Pattern:
{date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}: [{text:time-taken,ftype=time-taken;,}] {text:Message,ftype=message}
Second Pattern:
{date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=| user \u0027| user )[XPLG_PARAM([^\s\.\u005D\u0027]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*} {text:Message,ftype=message;,}auth/secure log:
{date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}:{regexp:User,ftype=accountid;refName=message,([passed|failed|closed|opened] for user |password for invalid user |password for |USER=|user \u0027|user | user:\sname=)[XPLG_PARAM([^\s\.\u005D\u0027\,]+)].*}{regexp:Sourceip,ftype=sourceip;refName=Message,(\d+\.\d+\.\d+\.\d+).*}{regexp:Group,ftype=group;refName=Message,(group\s'|group:\sname=)[XPLG_PARAM([^'\s,]+)].*} {text:Message,ftype=message;,}cron log:
{date:Date,MMM dd HH:mm:ss} {text:Server,ftype=server} {text:Process,ftype=process}{block,start,emptiness=true}[{text:pid,ftype=pid}]{block,end,emptiness=true}: {text:Message,ftype=message}mail log:
{date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}{block,start,emptiness=true}[{number:process id}]{block,end,emptiness=true}: {regexp:session,refName=Message;ftype=session,^(\w+):}{regexp:From,refName=Message;ftype=from,\s+from=\u003C?([^\u003E,]+)}{regexp:To,refName=Message;ftype=to,\s+to=\u003C?([^\u003E,]+)}{regexp:Size,refName=Message;ftype=size,size=([^\s,]+).*}{regexp:Class,refName=Message;ftype=class,class=([^\s,]+).*}{regexp:nrcpts,refName=Message;ftype=nrcpts,nrcpts=([^\s,]+).*}{regexp:msgID,refName=Message;ftype=msgid,msgid=<([^>]+).*}{regexp:Proto,refName=Message;ftype=protocol,proto=([^\s,]+).*}{regexp:Stat,refName=Message;ftype=status,stat=([^\s,]+).*}{regexp:Relay,refName=Message;ftype=relay,relay=([^\s,]+).*}{string:Message,ftype=message;,}kernel log:
{date:Date,MMM dd HH:mm:ss} {text:source,ftype=source} {text:process name,ftype=process;,}:{block,start,emptiness=true} [{text:time-taken,ftype=time-taken;,}]{block,end,emptiness=true} {text:Message,ftype=message}audit log:
type={text:type,ftype=eventid} msg=audit({timestamp:Date,yyyy-MM-dd HH:mm:ss.SSS}:{text:ID}):{regexp:pid,refName=Message,\spid=([0-9]*)}{regexp:uid,ftype=uid;refName=Message,[^a,s]uid=([0-9]*)[^:]}{regexp:auid,ftype=auid;refName=Message,(new auid=|[^old] auid=)[XPLG_PARAM([0-9]*)]}{regexp:old auid,refName=Message,old auid=([0-9]*)}{regexp:ses,ftype=sessionid;refName=Message,(new ses=|[^old] ses=)[XPLG_PARAM([0-9]*)]}{regexp:old ses,refName=Message,old ses=([0-9]*)}{regexp:subj,refName=Message,subj=([^ ]*)}{regexp:kind,refName=Message,kind=([^\s]+).*}{regexp:fp,refName=Message,fp=([^\s]*)}{regexp:direction,ftype=direction;refName=Message,direction=([^\s]*)}{regexp:spid,refName=Message,spid=([0-9]*)}{regexp:suid,ftype=suid;refName=Message,suid=([0-9]*)}{regexp:acct,ftype=accountid;refName=Message,acct="([^"]*)}{regexp:rport,ftype=rport;refName=Message,rport=([0-9]*)}{regexp:lport,ftype=lport;refName=Message,lport=([0-9]*)}{regexp:port,ftype=port;refName=Message,\sport=([0-9]*)}{regexp:exe,ftype=exe;refName=Message,exe="([^"]*)}{regexp:New Name,ftype=newname;refName=Message,new name:\s+([^\s]+).*}{regexp:New GID,ftype=newgid;refName=Message,new gid:\s+([^\s]+).*}{regexp:UID,ftype=uid;refName=Message,msg=\u0027op.*id=([^\s]+).*}{regexp:OP,ftype=operation;refName=Message,\u0027op=([^\u003B]+).*(id|acct)}{regexp:hostname,ftype=machine;refName=Message,hostname=([^,\s]*)}{regexp:addr,ftype=sourceip;refName=Message,[^l]addr=([^\s]*)}{regexp:terminal,ftype=terminal;refName=Message,terminal=([^\s ]*)}{regexp:res,ftype=status;refName=Message,res=(.*)\u0027}{string:Message,ftype=message}