On 14/02/13 11:48, Chris Barnes wrote:
> Hi everyone,
>
> my firewall logs everything to a syslog server - new connections,
> terminated connections, etc
>
> basically what I'm trying to do is analyse the syslog in realtime looking
> for a specific string which indicates a new connection has been
> established, and to count the number of occurrences of that string to get
> an idea of how many connections per minute I'm getting for a particular
> internet service so that I can graph it.
>
> An example of the significant line in syslog I'm looking for is:
>
> Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015:
> Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (
> 124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
>
> I can use the following to watch the log for the specific event
>
> tail -f /var/log/syslog | grep "to svrdmz:NTP/123 (NTP/123)"
>
> But I can't figure out a way to programmatically count how many of these
> events occur per minute.
>
> any suggestions?

logstash and kibana (logstash web frontend)

logstash: http://logstash.net/
kibana: http://kibana.org/

Also relevant, the Logstash Book by James Turnbull: http://www.logstashbook.com/

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
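Added example, not part of Chris's post or of the reply above: the same per-minute count done with the tools already in his pipeline (grep and awk), so it can be checked before or instead of setting up logstash. The function names `connections_per_minute` and `count_sample` and the sample log lines are mine; the sample is constructed from the one line quoted in the post, and the teardown line in it is assumed to follow the same layout. It needs a grep that supports `--line-buffered` (GNU and BSD grep both do). Two points the one-liner in the post does not cover: each line carries two timestamps (the syslog server's receive time in fields 1-3 and the PIX's own clock in fields 6-8, 23 minutes apart in the quoted line), so the bucket has to be taken from one of them consistently, and matching on the service string alone will also catch the firewall's teardown messages for that service, so the match is anchored on "Built".

```shell
#!/bin/sh
# Added example for the thread above; not code from the original post.
# Counts "Built inbound UDP connection ... to svrdmz:NTP/123" lines per
# minute of the syslog server's receive timestamp (fields 1-3 of each line)
# and prints each minute's total as soon as the first line of the next
# minute arrives, so it works on a live stream:
#   tail -f /var/log/syslog | connections_per_minute
connections_per_minute() {
    # --line-buffered and fflush() keep the pipe flowing line by line under
    # tail -f instead of sitting in a stdio block buffer. Anchoring on
    # "Built" excludes the firewall's teardown messages, which name the same
    # service but are not new connections.
    grep --line-buffered 'Built inbound UDP connection .* to svrdmz:NTP/123 (NTP/123)' |
    awk '
        # $1 $2 $3 = syslog server receive time, e.g. "Feb 14 11:42:52".
        # $6 $7 $8 = the PIX own clock, 23 minutes behind in the sample line,
        # so bucketing on it would shift the whole graph; use fields 1-3.
        { key = $1 " " $2 " " substr($3, 1, 5) }
        key != prev {
            if (prev != "") { print prev, n; fflush() }
            prev = key; n = 0
        }
        { n++ }
        END { if (prev != "") print prev, n }
    '
}

# Constructed sample log (not a real capture): three NTP connections at
# 11:42, one teardown line and one DNS connection that must not count, and
# two NTP connections at 11:43.
SAMPLE_LOG='Feb 14 11:42:52 10.1.1.1 : Feb 14 11:19:47 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523357 for Outside:124.178.41.91/123 (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:42:53 10.1.1.1 : Feb 14 11:19:48 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523358 for Outside:203.0.113.7/123 (203.0.113.7/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:42:53 10.1.1.1 : Feb 14 11:19:48 EDT: %PIX-session-6-302016: Teardown UDP connection 3523357 for Outside:124.178.41.91/123 to svrdmz:NTP/123 duration 0:00:01 bytes 76
Feb 14 11:42:59 10.1.1.1 : Feb 14 11:19:54 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523359 for Outside:198.51.100.9/53 (198.51.100.9/53) to svrdmz:DNS/53 (DNS/53)
Feb 14 11:42:59 10.1.1.1 : Feb 14 11:19:54 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523360 for Outside:198.51.100.9/123 (198.51.100.9/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:43:01 10.1.1.1 : Feb 14 11:19:56 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523361 for Outside:124.178.41.91/123 (124.178.41.91/123) to svrdmz:NTP/123 (NTP/123)
Feb 14 11:43:40 10.1.1.1 : Feb 14 11:20:35 EDT: %PIX-session-6-302015: Built inbound UDP connection 3523362 for Outside:203.0.113.7/123 (203.0.113.7/123) to svrdmz:NTP/123 (NTP/123)'

# Run the counter over the constructed sample; prints one "Mon DD HH:MM N"
# line per minute ("Feb 14 11:42 3" then "Feb 14 11:43 2" for the sample).
count_sample() {
    printf '%s\n' "$SAMPLE_LOG" | connections_per_minute
}

count_sample
```

The output is one line per minute in the order the log arrives, which is what a graphing tool wants to ingest; the last minute is only printed when the stream ends or the next minute starts, so a quiet service shows up as a gap rather than a zero. logstash does the same job with its own grok and metrics filters, but the grep/awk version makes it easy to confirm what the count actually includes before trusting a dashboard built on it.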
