Hi
> When it comes to system administration and diagnostics, it is quite
> common to use standard Linux utilities for debugging. Things like grep,
> awk, sed, cut, etc. The CAS logs make this quite difficult. Could we
> maybe start composing the logs into single line "records" of a sort?
>
> for example, the following is not easily processed using the cli...
>
> =
> WHO: someone
> WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Mon Aug 26 15:27:53 MDT 2019
> CLIENT IP ADDRESS: 123.123.123.123
> SERVER IP ADDRESS: server.example.com
> =
The only way I know to process multiline log files properly is to use a
programming language like AWK, Perl, Python… You won't make it with grep &
friends.
Here is a sample AWK program you can adapt to your needs:
--
BEGIN {
  eot = ":";   # field separator inside an output record
  eor = "\n";  # record terminator (one CAS audit record per output line)
}
FNR == 1 {
  if (_filename_ != "")
    endfile(_filename_)
  _filename_ = FILENAME
  beginfile(FILENAME)
}
END { endfile("finished"); }
/^WHO: / {
  sub(/^WHO: /,"");
  WHO = $0; next
}
/^WHAT: / {
  sub(/^WHAT: /,""); # WHAT
  WHAT = $0; next
}
/^ACTION: / {
  sub(/^ACTION: /,""); # ACTION
  ACTION = $0; next
}
/^APPLICATION: / {
  sub(/^APPLICATION: /,""); # APPLICATION
  APPLICATION = $0; next
}
/^WHEN: / {
  sub(/^WHEN: /,""); # WHEN
  WHEN = $0; next
}
/^CLIENT IP ADDRESS: / {
  sub(/^CLIENT IP ADDRESS: /,""); # CLIENT IP ADDRESS
  CLIENT_IP_ADDRESS = $0; next
}
/^SERVER IP ADDRESS: / {
  sub(/^SERVER IP ADDRESS: /,""); # SERVER IP ADDRESS
  SERVER_IP_ADDRESS = $0; next
}
# a blank line or a "=" separator line closes the current record
/^=*$/ {
  if (WHO != "") prfields();
  reset();
}
# functions
function beginfile(file) { # start of file: clear any stale fields
  reset();
}
function endfile(file) { # end of file: flush a record with no trailing separator
  if (WHO != "") prfields();
  reset();
  nfiles++;
  printf(".") > "/dev/stderr";
}
function reset() {
  WHO = ""; WHAT = ""; ACTION = ""; APPLICATION = ""; WHEN = "";
  CLIENT_IP_ADDRESS = ""; SERVER_IP_ADDRESS = "";
}
function prfields() { # output one record as a single line to stdout
  printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s", WHO, eot, WHAT, eot, ACTION, eot,
         APPLICATION, eot, WHEN, eot, CLIENT_IP_ADDRESS, eot, SERVER_IP_ADDRESS, eor);
}
--
You save it as foo.awk on your server, and use it like this:
awk -f /path/to/foo.awk /path/to/cas.log
To change the output, just tweak function prfields and eot. It needs testing,
it's a quick & dirty script.
If you don't have more than 500 MB of cas.log daily, I would suggest you give
Splunk a try. Under 500 MB per day you won't need a paid licence and can live
with a free licence. It's incredibly powerful and will allow you to parse your
log with great efficiency: no more headaches and 100% of your time on valuable
tasks ;)
Patrick PRONIEWSKI
--
Head of the Operations Department - DSI - Université Lumière Lyon 2
Information Systems Security Manager
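The same flattening done as a small shell function, as an added example that is not part of the original post or of CAS itself. It reads the "KEY: value" lines and "=" separators shown in the quoted log, emits one tab-separated line per audit record, ignores any other log line, and then shows the grep/cut pipeline the question asked for. The sample log below is constructed for the example (the second record and its values are invented), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, not CAS code): turn the multi-line
# CAS audit records into one tab-separated line each so grep/cut/sort work.

# Constructed sample log: two audit records delimited by "=" lines as in the
# quoted log, plus one unrelated line that must be ignored. Values are invented.
sample_log() {
  cat <<'EOF'
2019-08-26 15:27:53,101 INFO  some unrelated log line that is not an audit record
=
WHO: someone
WHAT: ST-54765-7eEtYFJT1VBZ2Ssexczzf7FE5ow-tst-cas-01
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Aug 26 15:27:53 MDT 2019
CLIENT IP ADDRESS: 123.123.123.123
SERVER IP ADDRESS: server.example.com
=
=
WHO: someone-else
WHAT: [username: someone-else]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Aug 26 15:28:10 MDT 2019
CLIENT IP ADDRESS: 198.51.100.7
SERVER IP ADDRESS: server.example.com
=
EOF
}

# Flatten audit records from the files given as arguments (or stdin) into
# WHEN, WHO, ACTION, WHAT, APPLICATION, CLIENT IP, SERVER IP, tab-separated.
cas_flatten() {
  awk '
    BEGIN { OFS = "\t" }
    # A field line "KEY: value": remember the value under its key.
    /^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): / {
      key = $0; sub(/: .*$/, "", key)
      val = $0; sub(/^[A-Z][A-Z ]*: /, "", val)
      rec[key] = val
      next
    }
    # A blank line or a run of "=" closes the record; so does end of input.
    /^=*$/ { flush() }
    END    { flush() }
    # Emit the record once, only if it actually carried fields, then clear it.
    function flush() {
      if ("WHO" in rec)
        print rec["WHEN"], rec["WHO"], rec["ACTION"], rec["WHAT"],
              rec["APPLICATION"], rec["CLIENT IP ADDRESS"], rec["SERVER IP ADDRESS"]
      split("", rec)   # portable way to empty an awk array
    }
  ' "$@"
}

# Print "WHO<TAB>CLIENT IP" for every record whose ACTION equals $1 (raw log on stdin).
cas_who_for_action() {
  cas_flatten | awk -F '\t' -v action="$1" 'BEGIN { OFS = "\t" } $3 == action { print $2, $6 }'
}

# Stand-alone demo: the flattened records, then the classic grep/cut pipeline.
sample_log | cas_flatten
sample_log | cas_flatten | grep -F SERVICE_TICKET_VALIDATED | cut -f2,6
```

Usage against a real file is `cas_flatten /path/to/cas.log | grep SERVICE_TICKET_VALIDATED | cut -f2,6`. The tab separator is chosen because ticket IDs and the WHEN timestamp contain ":" and "-"; a WHAT value that itself contained a tab would still need escaping before the line is fed to cut.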
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BC3EDF92-8F9D-4CB7-9587-7D6EB16FCBF8%40univ-lyon2.fr.