vlog - Logfile viewer for IP-Filter
1.1
vlog [ -r ] [ -i ] [ -g regexp ] [ -v regexp ]
     [ -l logfile or -l{imsxladcq} ] [ -[<nn>]f or -f ]
     [ -<nn> or -n <nn> ] [ -s <date> ] [ -e <date> ]
     [ -o{dtuhfrilan} ] [ -t ] [ -d ] [ -w <nn> ]
vlog is a text-based real-time logfile viewer.
Its primary aims are:
Additionally:
vlog can mimic the `tail -f' behaviour: log lines are formatted and printed
on stdout (no curses) as soon as they are generated (option -[<nnn>]f).
vlog can extract a specified set of log lines (print mode: no curses). A start date, an end date,
and/or a fixed number of lines can be given on the command line (options
-s, -e and -<nnn>).
vlog can be used to view any syslogd-type log file (option -l).
If an ipfilter logfile is being viewed, vlog's formatting process renders the ipmon information with some slight differences:
SA....' is a Syn/Ack packet).
Additionally, flags S, F and R are (arbitrarily)
displayed in bold, as they represent the start/end of a connection.
vlog recognizes flags S, A, P, U, F, R only.
vlog tries to guess the service involved in each log line and prints it between
parentheses at the end of the line. If possible, its name is printed instead of
the port number.
If the line logs a blocked packet, the service is printed in bold, so that one can
see blocked services at a glance.
logfile.0, logfile.1, ...).
Note: gzipped rotated files are not supported: if you want to be able to browse them, you must first gunzip them, and then, if you want, remove the automatic compression option (maybe in /etc/newsyslog.conf).
/var/log/ipflog. The logfile path can be
fully specified on the command line, or a single letter can be used:
i = /var/log/ipflog (default),
m = /var/log/messages (or /var/adm/messages on Solaris),
s = /var/log/syslog,
x = /var/log/xferlog,
l = /var/log/maillog,
a = /var/log/authlog,
d = /var/log/daemon,
c = /var/cron/log (or /var/cron/olog on Solaris),
q = /var/log/squid.
For instance, vlog -lm shows system messages.
You can define your own key-to-logfile mapping in /etc/vlog.conf or ~/.vlogrc. See vlogrc.sample for the syntax (which is rather strict).
vlog -s Jul 21) (ex: vlog -s 12:30)
vlog -s 12:30 -e 13:00)
For ipfilter logfiles the following fields are available: d=date, t=time, u=microseconds, h=hostname, f=interface, r=rule/group number, i=isba source rule number, l=IP header length.
For non-ipfilter logfiles the following fields are available: d=date, t=time, h=hostname, p=process name, i=pid of process.
Additionally, a=all optional fields and n=no optional fields.
If this option is not given, vlog arbitrarily chooses
which fields to display according to window width. In curses mode this choice
can be modified with the key o.
vlog output to be nn chars max.
Option -ww tells vlog to print full loglines, whatever their length.
vlog enters curses mode if none of the following options are given:
-<nn>f, -<nn> or -n <nn>,
-e <date>.
In curses mode, the terminal window is split into three areas:
10.0.1.12') and column-aligned
(each of the four numbers is on three chars for units, tens and
hundreds to be vertically aligned, e.g. ' 10. 0. 1. 12')
vlog is used for watching logfile once in a while, such marks
can be useful to remember where you were last time you looked at it.
vlog.
When option -f or -<nn>f is given on the command line,
vlog behaves like ``tail -<nn>f logfile'' (see tail(1)).
The only difference is that loglines are pretty-printed.
This mode doesn't use curses.
If the current logfile is rotated, vlog silently switches to the new logfile.
For instance: vlog -12f prints the last twelve lines of /var/log/ipflog,
then waits and prints new log lines as soon as they are appended to the logfile.
This mode is entered when option -n <nn> or -<nn>
or -e is given on the command line. vlog simply prints out the specified
lines and exits. Examples:
vlog -n 12 or vlog -12 prints the last 12 lines of /var/log/ipflog.
vlog -s Jul 1 -e Jul 14 prints the log lines between the specified dates.
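As an added illustration (not vlog's own code), the following Python sketch performs the print-mode -s/-e selection over syslog-style lines, accepting the 'Jul 21' and '12:30' forms shown above. It assumes two things the page does not state: a time-only bound applies to the date of the last line in the file, and the combined form 'Jul 21 12:30' is accepted.

```python
import re
# Constructed sample of syslog-style lines (not a real ipmon log).
SAMPLE_LOG = """\
Jul 20 23:59:10 fw ipmon[77]: sample line A
Jul 21 00:01:02 fw ipmon[77]: sample line B
Jul 21 12:29:59 fw ipmon[77]: sample line C
Jul 21 12:30:00 fw ipmon[77]: sample line D
Jul 21 12:59:59 fw ipmon[77]: sample line E
Jul 21 13:00:00 fw ipmon[77]: sample line F
"""
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# syslog timestamp "Mon DD HH:MM:SS"; single-digit days are space-padded
LINE_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")

def line_stamp(line):
    """(month, day, hour, minute, second) of a syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return (MONTHS[mon], int(day), int(hh), int(mm), int(ss))

def parse_bound(spec, ref_date, is_end):
    """Turn a -s/-e argument into a comparable stamp (inclusive of the minute).
    'Jul 21'       -> whole day (00:00:00 .. 23:59:59)
    '12:30'        -> that minute on ref_date (assumed: date of the last line)
    'Jul 21 12:30' -> both (assumed: the combined form is accepted)"""
    parts = spec.split()
    month, day = ref_date
    if parts and parts[0] in MONTHS:
        month, day = MONTHS[parts[0]], int(parts[1])
        parts = parts[2:]
    if parts:
        hh, mm = (int(x) for x in parts[0].split(":"))
        ss = 59 if is_end else 0
    else:
        hh, mm, ss = (23, 59, 59) if is_end else (0, 0, 0)
    return (month, day, hh, mm, ss)

def extract(log_text, start=None, end=None):
    """Print-mode selection: timestamped lines between start and end
    (untimestamped lines are dropped; Dec->Jan rollover is not handled)."""
    lines = log_text.splitlines()
    stamps = [line_stamp(ln) for ln in lines]
    ref = next((s[:2] for s in reversed(stamps) if s), (1, 1))
    lo = parse_bound(start, ref, False) if start else None
    hi = parse_bound(end, ref, True) if end else None
    return [ln for ln, st in zip(lines, stamps)
            if st and (lo is None or st >= lo) and (hi is None or st <= hi)]
```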
Each IP-Filter log line contains the number of the group and rule that generated this log line.
If the ruleset currently loaded in kernel has been generated
by the IP-Filter GUI isba (http://inc2.com/isba),
which uses ``composite'' rules (one isba source rule may be compiled into
many ipfilter rules), it is interesting to know which isba rule
generated a given logline.
vlog can display the isba source rule number for each log line
(optional field: key i) if the ruleset was generated by isba-1.1 or later.
If the machine you run vlog on is a central log host,
vlog can show the isba rule number only for log lines generated by that machine itself,
not for lines received from other hosts, because vlog needs to read the local ipf.conf file.
vlog isn't optimized at all for slow links.
It has been tested in an xterm, in a dtterm and in a Sun VT100 console.
vlog can consume
a lot of memory (the sum of the logfile sizes + 40%).
vlog doesn't format ipfilter NAT and STATE log lines, nor 'frag' log lines.
They're displayed as is.
vlog can't read gzipped logfiles (logfile.0.gz, etc.).
See option -r above.
Vlog's home page is http://inc2.com/vlog.
vlog uses the hash table data type provided by the Kazlib package written by Kaz Kylheku
(see http://users.footprints.net/~kaz/kazlib.html).