>> On 26 Aug 2002 17:18:42 +1200,
>> Russell Fulton <r.fultonat_private> said:

R> I have recently reimplemented much of the functionality of Psionic's
R> Logcheck in a perl script. [...] My immediate concern is that the perl
R> script builds functions that apply lots of regular expressions (REs) to
R> each line of log files.

R> sub check {
R>     $_ = shift;
R>     study $_;   # hopefully speed up matching...
R>
R>     return 0 if /re1/;
R>     return 1 if /re2/;
R>     return 2 if /re3/;
R>     ...
R>     return 4;
R> }

I wrote a C program called "scansyslog" which uses some code and ideas
from "The Practice of Programming" to look for a large number of
semi-static patterns in the system log, and print only lines that
*aren't* matched.

Source code distributions of scansyslog are available for download via
http from

    http://www.dnaco.net/~vogelke/Software/Code/C/Security/Log-Analysis/

See INSTALL for installation instructions.
See LICENSE and COPYING for legal stuff.
See README.htm for a more detailed description.

Benchmark:

Tested on a sample syslog file, 3.3 Mbytes, 31,799 lines using a
Pentium-200 running FreeBSD-4.5. The pattern file contained 165
separate patterns that can be ignored.

    me% time ./scansyslog -p patterns < syslog
    2.80s user 0.12s system 93% cpu 3.120 total

Tested on Solaris and FreeBSD. Comments welcome.

-- 
Karl Vogel
ASC/YCOA, Wright-Patterson AFB, OH 45433
vogelkeat_private
http://www.dnaco.net/~vogelke

"But minister, it isn't like this film is the first troublesome thing to
come out of Canada. Let us not forget Bryan Adams."
"No, no. The Canadian government has apologized for Bryan Adams on
several occasions."
--"South Park, Bigger, Longer, and Uncut"

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
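The filter Karl describes (compile a list of "ignore" patterns once, then print only the log lines that match none of them) is easy to get subtly wrong: an unanchored or over-broad ignore pattern silently hides exactly the lines a reviewer needs to see. The following is an added example written for this archive page, not the scansyslog source and not Russell's script; it uses POSIX regcomp/regexec, refuses to run if any pattern fails to compile, and the pattern list and syslog lines are constructed for illustration (the "sample_" names are this example's own).

```c
/* Added example (not scansyslog's code): a minimal "print what is NOT
 * matched" syslog filter using POSIX regular expressions. The ignore
 * patterns and log lines below are constructed sample data. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERNS 64

/* Compiled ignore-patterns: a line matching ANY of them is treated as noise. */
static regex_t compiled[MAX_PATTERNS];
static size_t ncompiled = 0;

/* Compile each pattern once, before scanning. A pattern that fails to
 * compile aborts the load instead of being skipped, so the filter in effect
 * is exactly the one the pattern list describes. Returns the number of
 * patterns compiled, or -1 on error. */
int load_patterns(const char *const *patterns, size_t n)
{
    char errbuf[256];
    for (size_t i = 0; i < ncompiled; i++) regfree(&compiled[i]);
    ncompiled = 0;
    if (n > MAX_PATTERNS) return -1;
    for (size_t i = 0; i < n; i++) {
        int rc = regcomp(&compiled[i], patterns[i], REG_EXTENDED | REG_NOSUB);
        if (rc != 0) {
            regerror(rc, &compiled[i], errbuf, sizeof errbuf);
            fprintf(stderr, "pattern %zu (%s): %s\n", i, patterns[i], errbuf);
            for (size_t j = 0; j < i; j++) regfree(&compiled[j]);
            return -1;
        }
        ncompiled++;
    }
    return (int)ncompiled;
}

/* 1 if the line matches any loaded pattern (i.e. may be dropped), else 0. */
int is_ignorable(const char *line)
{
    for (size_t i = 0; i < ncompiled; i++)
        if (regexec(&compiled[i], line, 0, NULL, 0) == 0) return 1;
    return 0;
}

/* Copy the lines that survive the filter into out (at most maxout of them).
 * Returns the number of surviving lines. */
size_t filter_lines(const char *const *lines, size_t n,
                    const char **out, size_t maxout)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < maxout; i++)
        if (!is_ignorable(lines[i])) out[kept++] = lines[i];
    return kept;
}

/* Constructed ignore patterns. Each one is anchored at the start of the line
 * and names the program plus the message shape: a bare "sshd" pattern would
 * also swallow the failed-login line below, which is the one worth reading. */
static const char *const sample_patterns[] = {
    "^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ sshd\\[[0-9]+\\]: "
        "Accepted publickey for [a-z]+ from",
    "^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ cron\\[[0-9]+\\]: \\(root\\) CMD \\(",
    "^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ syslogd: restart$",
};

/* Constructed syslog lines: three routine entries and two that should survive. */
static const char *const sample_log[] = {
    "Aug 26 17:18:42 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234",
    "Aug 26 17:19:01 host1 cron[1240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Aug 26 17:20:13 host1 sshd[1250]: Failed password for invalid user admin from 10.0.0.9 port 40001",
    "Aug 26 17:21:00 host1 syslogd: restart",
    "Aug 26 17:22:30 host1 su: BAD SU bob to root on /dev/pts/2",
};

/* Run the filter over the sample data; returns how many lines a human still
 * has to read (here: the failed login and the BAD SU), or (size_t)-1 if a
 * pattern failed to compile. */
size_t run_sample(const char **out, size_t maxout)
{
    size_t np = sizeof sample_patterns / sizeof sample_patterns[0];
    size_t nl = sizeof sample_log / sizeof sample_log[0];
    if (load_patterns(sample_patterns, np) < 0) return (size_t)-1;
    return filter_lines(sample_log, nl, out, maxout);
}

int main(void)
{
    const char *kept[16];
    size_t n = run_sample(kept, 16);
    if (n == (size_t)-1) return 1;
    for (size_t i = 0; i < n; i++) puts(kept[i]);   /* only the unmatched lines */
    return 0;
}
```

Compiling with REG_NOSUB avoids the cost of submatch bookkeeping, which is all an ignore-list needs; the per-line loop returns on the first hit, so putting the most frequent noise patterns first keeps the scan cheap, as in Russell's ordered `return ... if /re/` chain.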
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 15:22:27 PDT