#!/bin/sh
# version: v.01 08aug02
#
# author: bb
#
# usage: greplog [keyword] [logpathname]
#
# bugs: does not check for correct number of arguments

# build report name using keyword search and date
log_report=/tmp/$1.logreport.`date '+%m%d%y'`

# build report header with system type, hostname, date and time
echo '==============================================================' >"$log_report"
echo ' S Y S T E M   M O N I T O R   L O G' >>"$log_report"
uname -a >>"$log_report"
echo 'Log report for' `hostname -f` 'on' `date '+%c'` >>"$log_report"
echo '==============================================================' >>"$log_report"
echo '' >>"$log_report"

# record log search start
echo 'Search for->' "$1" 'starting' `date '+%r'` >>"$log_report"
echo '' >>"$log_report"

# get and save grep results of keyword ($1) from logfile ($2)
grep -i "$1" "$2" >>"$log_report"

# build report footer with time
echo '' >>"$log_report"
echo 'End of' "$log_report" at `date '+%r'` >>"$log_report"

# mail report to root
mail -s "Log Analysis for $1" root <"$log_report"

# clean up and remove report
rm "$log_report"
exit 0
In this example, the script creates the variable $log_report, which holds the filename of the temporary report. The keyword, which is the first argument on the command line ($1), is used as part of the filename, along with the current date. Using $$ (the script's process ID) as the extension instead of the date would at least keep two runs on the same day from overwriting each other, but the name would still be easy to guess. Because /tmp is world-writable, a report filename that any local user can predict invites a symlink attack: whoever plants a link at that path before root runs the script gets root's redirected output written wherever the link points. mktemp, which creates the file with an unpredictable name and mode 0600, is the safe choice for a script run by root. Next, the report header, containing some formatted text, the output of the uname command, and the hostname and date, is added to the report. The start of the search is then recorded, and any matches of the keyword in the log are appended. Note that grep interprets the keyword as a regular expression, so a search term containing characters such as . or * matches more than the literal text, and that $1 and $2 should always be double-quoted when passed to grep so that a keyword containing spaces reaches it as a single pattern. A footer containing the name of the report and the time is then added. The report is mailed to root with the search term in the subject line, and the temporary file is deleted.
By default, Fedora uses the logwatch log monitoring command (actually a Perl script) in your system's /etc/cron.daily directory to generate various reports each day at 0402 (4:02 a.m.). Configure logwatch by editing the file /etc/log.d/logwatch.conf. Other system monitoring tools are included, such as tripwire. You can control system logging by editing /etc/syslog.conf.
You can test the script by running it manually and feeding it a keyword and the pathname of the system log, /var/log/messages, like this:
# greplog FAILED /var/log/messages
Note that your system should be running the syslogd daemon. If any login failures have occurred on your system, the root operator might get an email message that looks like this:
Date: Mon, 12 Nov 2007 16:23:24 -0000
From: root <[email protected]>
Subject: FAILED
==============================================================
S Y S T E M M O N I T O R L O G
Linux werewolf 2.6.23-1.41 #1 Thu Nov 8 21:41:26 EST 2007 i686 i686 i386
+GNU/Linux
Log report for werewolf.hudson.com on Tue 12 Nov 2007 04:23:24 PM GMT
==============================================================
Search for-> FAILED starting 04:23:24 PM
12 16:23:04 werewolf login[1769]: FAILED LOGIN 3 FROM (null) FOR ahudson,
+Authentication failure
End of /tmp/FAILED.logreport.102303 at 04:23:24 PM
To further automate the process, you can include command lines using the script in another script to generate a series of searches and reports.
Built-In Variables
Built-in variables are special variables that the shell itself maintains and that a shell program can use to make decisions. You cannot assign to them with an ordinary variable=value statement; the shell sets them for you.
Some of these variables are the following:
> $# — Number of positional parameters passed to the shell program
> $? — Exit status of the last command executed within the shell program (0 means success; any other value is an error code)
> $0 — The name of the shell program
> $* — All the arguments passed at the time of invocation, as a single string
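The hardened version of greplog below is an added example, not the book's listing. It illustrates both of the preceding passages at once: the temporary-file and keyword-quoting problems discussed with the greplog script, and the built-in variables in use for decisions ($# to reject a wrong argument count, $0 in the usage message, $? to pass grep's verdict back to the caller). It assumes mktemp, grep -F, uname and date are available; GREPLOG_MAILTO is a variable invented for this example, and the three log lines are constructed for the demonstration, not taken from a real /var/log/messages.

```shell
#!/bin/sh
# greplog, hardened: an added example, not the book's script.
# Same report layout and usage (greplog KEYWORD LOGPATH), but:
#   - the argument count is checked with $# and the usage line names the script via $0
#   - the temp file comes from mktemp instead of a name built from the keyword and date
#   - every expansion is quoted and grep gets -F -- so the keyword is a literal string,
#     not a regex or an option, even if it contains spaces, '*' or a leading '-'
#   - grep's exit status ($?) is propagated, so a caller can tell "no matches" (1) from "ok" (0)
#   - GREPLOG_MAILTO (an assumption of this example) selects the recipient; unset, the
#     report goes to stdout, so the script also runs where no mail command exists

# Write the report for keyword "$1" from log "$2" into file "$3".
# Returns grep's status: 0 = at least one match, 1 = none, 2 = grep error.
greplog_build() {
    keyword=$1
    logfile=$2
    report=$3
    {
        echo '=============================================================='
        echo ' S Y S T E M   M O N I T O R   L O G'
        uname -a
        echo "Log report for $(hostname -f 2>/dev/null || uname -n) on $(date '+%c')"
        echo '=============================================================='
        echo
        echo "Search for-> $keyword starting $(date '+%r')"
        echo
    } >"$report"
    grep -F -i -- "$keyword" "$logfile" >>"$report"
    status=$?
    {
        echo
        echo "End of report at $(date '+%r')"
    } >>"$report"
    return "$status"
}

# Number of lines in log "$2" containing keyword "$1" (case-insensitive, literal match).
greplog_match_count() {
    grep -F -i -c -- "$1" "$2"
}

# Check arguments, build the report in a private temp file, deliver it, clean up.
greplog_main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 keyword logpathname" >&2
        return 64
    fi
    if [ ! -r "$2" ]; then
        echo "$0: cannot read log file $2" >&2
        return 66
    fi
    # mktemp creates the file itself, mode 0600, with an unpredictable name, so a
    # symlink planted in advance at a guessable /tmp path cannot redirect root's writes.
    report=$(mktemp) || return 1
    greplog_build "$1" "$2" "$report"
    rc=$?
    if [ -n "${GREPLOG_MAILTO:-}" ]; then
        # double quotes so the keyword actually appears in the subject line
        mail -s "Log Analysis for $1" "$GREPLOG_MAILTO" <"$report"
    else
        cat "$report"
    fi
    rm -f "$report"
    return "$rc"
}

# Constructed sample log (not a real /var/log/messages); prints the path it wrote.
greplog_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Nov 12 16:23:04 werewolf login[1769]: FAILED LOGIN 3 FROM (null) FOR ahudson, Authentication failure
Nov 12 16:24:10 werewolf sshd[1802]: Accepted password for ahudson from 192.0.2.10 port 51234 ssh2
Nov 12 16:25:41 werewolf sshd[1810]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
EOF
    echo "$f"
}

# Demonstration: search the sample log the way the book runs "greplog FAILED /var/log/messages".
sample=$(greplog_sample_log)
greplog_main FAILED "$sample"
rm -f "$sample"
```

Run as is, it prints a report on the built-in sample (two lines match FAILED, one of them only because of -i); set GREPLOG_MAILTO=root to mail it the way the original does. Because mktemp both chooses the name and creates the file with mode 0600, there is no window in which another local user can plant a symlink at the path or read the report before it is mailed, and because the keyword is passed after -F --, a search term such as -v or (null) is looked up as text rather than being parsed as an option or a regular expression.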