HAAGE&PARTNER Computer GmbH

Sawmill Analytics

Analysis and reporting
for web | network | security

Access and data analysis of server logs (proxy, mail server, firewall, web server), monitoring of security & performance, vulnerability analysis.

Sawmill Analytics 8 | Log analysis

Sawmill-Tutorial

Sending Email Alerts Based on Real-Time Log Data Scanning


site visitor looks at a particular page of your site.




Suppose we have a web site with a particularly important page, and we want to know immediately when someone looks at it. In this example, we'll assume that we want to inform our government sales agent any time someone logs in to the site and looks at the page /sales/government.html. We'd like to email govsales@mydomain.com every time this page is accessed, with the username and IP of the logged-in user who accessed the page. In general terms, we want to send an alert whenever a particular condition is met.

This can be done in Sawmill using Log Filters. Almost any condition can be defined in a Log Filter, and the Log Filter can call the send_email() function when the condition is met. In this case, we'll assume we're analyzing Apache data on a Linux system, so the condition we want is:

  page eq "/sales/government.html"

For IIS, replace page with cs_uri_stem.

The full Log Filter, which you would enter as an advanced expression in a new Log Filter in Config -> Log Processing -> Log Filters, would then be:


  if (page eq "/sales/government.html") then (
     send_email("govsales@mydomain.com",
                "govsales@mydomain.com",
                "Subject: Government Sales access detected from " . authenticated_user . "\r\n" .
                "To: govsales@mydomain.com\r\n" .
                "\r\n" .
                "Sawmill has detected an access to /sales/government.html;\r\n" .
                "the username is " . authenticated_user . ", and the hostname is " . hostname . ".\r\n",
                "smtp.mydomain.com");
  );


The parameters to send_email() are:

  1. govsales@mydomain.com: the sender address.
  2. govsales@mydomain.com: the recipient address. Use commas between multiple addresses.
  3. The message, in SMTP (RFC 822) format: it starts with the headers (Subject and To should be present; Date is added automatically), each terminated by \r\n, then an empty line (another \r\n), and then the body of the message.
  4. smtp.mydomain.com: the SMTP server. This server must accept unauthenticated SMTP delivery for the recipient(s), so use an internal relay that accepts mail from the Sawmill host rather than an open relay.

When you rebuild or update the database, Sawmill will send an email for each occurrence of /sales/government.html in the data it processes.


Sending Alerts in Real Time

Database builds or updates are typically done periodically, which introduces a delay between the time the data is logged and the time the alert is sent. Furthermore, a database isn't needed at all for an alert; Sawmill doesn't need to build a database to parse logs and run log filters. For true real-time alerts, you should not build or update a database; instead, use the "process_logs" command-line action with a command-line log source that streams data as it is logged. This means that you would have a profile dedicated to alerts; if you also want to do reporting, you would do it in a separate profile.

The first step is to create a command-line log source to stream the data. The best approach depends on the environment, but it needs to be a script or program or command which, when run, immediately prints a line of log data each time a new line is logged. In a simple Apache/Linux environment, with the log data written continually to /var/log/httpd/access-log, no script is necessary; you can just use the built-in tail command as the command line log source:

  tail -f /var/log/httpd/access-log


tail with the -f flag watches the file (/var/log/httpd/access-log) and prints each new line that appears at the end of it. This command never completes; it keeps watching the file forever, which is exactly what we want for a real-time alerting log source. tail -f is available natively on all platforms except Windows, and is available on Windows with Cygwin.

Once that command is configured as the profile's command-line log source, the alerting profile can be run with this command:

  nohup ./sawmill -p profilename -a pl &

The -a pl option is the process_logs action, and tells Sawmill to process all the log data in the log source, and run the log filters against it. It does not build a database, so it uses no disk space; and with a command-line log source which never completes (like the one we created above), it will never complete either. It will just run the new log data against the filters forever, processing each line as it comes in, and sending alerts as specified in the Log Filters. Thus, it is a real-time alerting system.

Because this never completes, it is best to background it, which is why we're using nohup in front, and & in back.

On Windows, this could be run like this:

  SawmillCL -p profilename -a pl

and the window would need to be kept open. Or it could be run from the Windows Scheduler, which will cause it to run as a background process.
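To make the two pieces above concrete, here is an added example (not Sawmill code and not written in Salang) of the same filter logic in Python: it parses Apache combined-format lines, applies the condition page eq "/sales/government.html", builds the alert in the header/blank-line/body shape that send_email() takes, and can either run once over a file or follow a growing log like the tail -f log source, sending one mail per matching line without building a database. The sample log lines, the govsales@mydomain.com addresses and the smtp.mydomain.com relay are constructed for the example; the query-string handling for the "page" field is an assumption about how Sawmill derives it.

```python
import re
import smtplib
import time
from typing import Iterable, Iterator, List, Optional

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - alice [10/Oct/2011:13:55:41 +0200] "GET /sales/government.html HTTP/1.1" 200 5120 "http://www.mydomain.com/sales/" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2011:13:56:02 +0200] "GET /sales/government.html?ref=newsletter HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.22 - bob [10/Oct/2011:13:56:10 +0200] "POST /sales/government.html HTTP/1.1" 403 512 "-" "Mozilla/5.0"
"""

# Field names follow the ones used in the Sawmill filter (hostname, authenticated_user, page).
COMBINED_RE = re.compile(
    r'^(?P<hostname>\S+) \S+ (?P<authenticated_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WATCHED_PAGE = "/sales/government.html"
ALERT_FROM = "govsales@mydomain.com"      # hypothetical addresses, as in the tutorial
ALERT_TO = "govsales@mydomain.com"
SMTP_SERVER = "smtp.mydomain.com"         # hypothetical relay, as in the tutorial


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: like Sawmill's "page" field, compare the path without its query
    # string, so /sales/government.html?ref=x still satisfies the condition.
    rec["page"] = rec["url"].split("?", 1)[0]
    return rec


def build_alert(rec: dict) -> str:
    """Produce the message in the shape send_email() takes: CRLF-terminated
    headers, an empty line, then the body."""
    return (
        "Subject: Government Sales access detected from " + rec["authenticated_user"] + "\r\n"
        + "To: " + ALERT_TO + "\r\n"
        + "\r\n"
        + "Sawmill has detected an access to " + WATCHED_PAGE + ";\r\n"
        + "the username is " + rec["authenticated_user"]
        + ", and the hostname is " + rec["hostname"] + ".\r\n"
    )


def scan(lines: Iterable[str]) -> List[str]:
    """Apply the filter condition (page eq WATCHED_PAGE) line by line and
    return one alert message per matching line; no database is built."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["page"] == WATCHED_PAGE:
            alerts.append(build_alert(rec))
    return alerts


def send_alert(message: str, smtp_server: str = SMTP_SERVER) -> None:
    """Deliver over plain, unauthenticated SMTP, as send_email() does; the relay
    therefore has to accept mail from this host without credentials."""
    with smtplib.SMTP(smtp_server) as smtp:
        smtp.sendmail(ALERT_FROM, [ALERT_TO], message)


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """A minimal 'tail -f': start at the end of the file and yield each new
    line as it is appended, never returning, like the command-line log source."""
    with open(path, "r") as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


def watch(path: str) -> None:
    """Real-time mode: stream the file and send an alert for each matching line."""
    for line in follow(path):
        rec = parse_line(line)
        if rec is not None and rec["page"] == WATCHED_PAGE:
            send_alert(build_alert(rec))


if __name__ == "__main__":
    # Offline run over the constructed sample; watch("/var/log/httpd/access-log")
    # would be the never-ending equivalent of "-a pl" with a tail -f log source.
    for msg in scan(SAMPLE_LOG.splitlines()):
        print(msg)
```

Note what the condition does and does not check: it fires on every request for the path, including the anonymous request, the query-string variant and the 403 POST in the sample, so a filter that should only report successful logged-in views needs additional tests on authenticated_user and the status code.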


Reducing buffering with "Log reading block size"

By default, Sawmill buffers incoming log data in blocks of 100KB, which means that 100KB of log data must be generated before Sawmill will start running the filters against it. For very low-volume log sources, this can substantially delay alerts; if it takes 60 seconds to generate 100KB of log data, alerts might occur as much as 60 seconds after the log data is generated. To get faster alert times, in this case, you can set the "Log reading block size" option to a small value, like 1KB, in the Config -> Log Data -> Log Processing page of the Sawmill web interface:

[Screenshot: the "Log reading block size" option in Config -> Log Data -> Log Processing]


Other Examples of Alerts

Log Filters are written in Salang, which is a general-purpose programming language, so almost any condition is possible. You can save results from previous lines (typically in a node) to look for alert conditions that span multiple lines; for instance, you can send an alert if there are more than 50 accesses to a particular port in the past 60 seconds or in the past 1000 lines (a possible DoS attack), or if a particular IP has accessed more than 1000 different ports in the past 60 seconds (port scanning detection).

In addition, send_email() is only one possible action that a filter can take. In particular, a Log Filter can run any command line using the exec() function, so it could, for instance, invoke a firewall command line to block access from an IP automatically and immediately when it detects that the IP is port scanning or mounting a DoS attack. Automatic blocking acts on whatever appears in the log, so limit it to checks with a low false-positive rate, exclude addresses you cannot afford to lose (monitoring hosts, your own gateways, shared NAT addresses), and make sure a single noisy source cannot re-trigger the command on every line.
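The multi-line conditions mentioned above need state kept across lines. As an added example (Python rather than Salang; not Sawmill code), the following keeps a sliding 60-second window per destination port and per source IP, raises the two alerts described (more than N hits on one port, more than M distinct ports from one source), expires old events as time moves on, and emits each alert once per episode rather than on every further line, which matters if the action is an exec() call to the firewall. The line format "<unix_time> <src_ip> <dst_ip> <dst_port>" and the sample events are constructed for the example and assume lines arrive in time order.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed line format (not a real firewall format): "<unix_time> <src_ip> <dst_ip> <dst_port>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$")


def parse(line: str) -> Optional[Tuple[int, str, int]]:
    """Return (timestamp, source IP, destination port), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("ts")), m.group("src"), int(m.group("port"))


class WindowDetector:
    """Keeps the last `window` seconds of events per key, the way a Log Filter
    would keep state in a node across lines, and checks thresholds on each line."""

    def __init__(self, flood_threshold: int = 50, scan_threshold: int = 1000, window: int = 60):
        self.window = window
        self.flood_threshold = flood_threshold
        self.scan_threshold = scan_threshold
        # dst_port -> timestamps of hits (DoS check)
        self.port_hits: Dict[int, Deque[int]] = defaultdict(deque)
        # src_ip -> (timestamp, dst_port) events and per-port counts (scan check)
        self.src_events: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
        self.src_ports: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
        # keys currently above threshold; an alert is emitted when a key enters this set
        self.active: Set[Tuple[str, object]] = set()

    def _expire(self, now: int) -> None:
        """Drop events older than the window (timestamps are assumed non-decreasing)."""
        cutoff = now - self.window
        for hits in self.port_hits.values():
            while hits and hits[0] <= cutoff:
                hits.popleft()
        for src, events in self.src_events.items():
            counts = self.src_ports[src]
            while events and events[0][0] <= cutoff:
                _, port = events.popleft()
                counts[port] -= 1
                if counts[port] == 0:
                    del counts[port]

    def _check(self, kind: str, key, value: int, threshold: int, text: str, alerts: List[str]) -> None:
        """Alert once when a key crosses its threshold; re-arm when it drops below."""
        k = (kind, key)
        if value > threshold:
            if k not in self.active:
                self.active.add(k)
                alerts.append(text)
        else:
            self.active.discard(k)

    def feed(self, line: str) -> List[str]:
        """Process one line and return the alert texts it triggers (usually none)."""
        parsed = parse(line)
        if parsed is None:
            return []
        ts, src, port = parsed
        self._expire(ts)
        self.port_hits[port].append(ts)
        self.src_events[src].append((ts, port))
        self.src_ports[src][port] += 1

        alerts: List[str] = []
        hits = len(self.port_hits[port])
        self._check("flood", port, hits, self.flood_threshold,
                    f"possible DoS: {hits} hits on port {port} in {self.window}s", alerts)
        distinct = len(self.src_ports[src])
        self._check("scan", src, distinct, self.scan_threshold,
                    f"possible port scan: {src} touched {distinct} ports in {self.window}s", alerts)
        return alerts


def run(lines, **kw) -> List[str]:
    """Feed every line through one detector and collect the alerts."""
    det = WindowDetector(**kw)
    out: List[str] = []
    for line in lines:
        out.extend(det.feed(line))
    return out


def constructed_sample() -> List[str]:
    """Constructed log: 60 hits on port 22 within 30 s, then one host sweeping 120 ports."""
    lines = [f"{1000 + i // 2} 203.0.113.{i % 6 + 1} 192.0.2.10 22" for i in range(60)]
    lines += [f"{2000 + p // 6} 198.51.100.9 192.0.2.10 {p}" for p in range(1, 121)]
    return lines


if __name__ == "__main__":
    for alert in run(constructed_sample(), flood_threshold=50, scan_threshold=100):
        print(alert)
```

Two details carry over to a Salang implementation: old events must be expired on every line, or the counters only ever grow and a slow trickle eventually trips the threshold; and the "once per episode" guard is what keeps a block-the-IP action from being executed hundreds of times for one attack.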




Professional Services

If you would rather not customize Sawmill Analytics yourself, we can do this for you as a service. Our experts will gladly get in touch with you to adapt the reports or other aspects of Sawmill Analytics to your environment and requirements. Contact

Back to the tutorial overview

Further information

      Live demonstrations »    
© 1995-2011 HAAGE & PARTNER Computer GmbH · Legal notice · Privacy · www.haage-partner.de