              Outbreak Magazine Issue #14 - Article 14 of 15
          '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

One of the best ways to know what's going on with your *nix box is to
watch your logs. But which logs are most important? That depends on your
logging setup. Most distros come set up with a decent logging
configuration, but if it's not good enough for you, you can always edit
your logging config file. I use metalog, and its config file is
/etc/metalog/metalog.conf; if you use sysklogd (which most distros do),
you can edit /etc/syslog.conf. There is usually an "everything" type
log that collects most of the important stuff in one file: PAM
logins and login failures, sudo logins/failures, kernel
warnings/errors, stuff like that.

As most people will notice, logs aren't the prettiest things to look at
and don't really look good sitting on your desktop. For this there is a
program called colortail. You can get it here.

http://www.student.hk-r.se/~pt98jan/colortail.html

As with most programs, this one has a few bugs. The main problem with
this program is that when it reads a log line with certain punctuation in
it, the program crashes. It doesn't happen very often though. Colortail is
exactly what the name implies: it's the tail program with colorizing from
config files built in. It uses regexps to color logs. Here is an
example section from a config file.

COLOR magenta
{
^(... ..) ..:..:.. \[.*\] [^ ]+ .*
}

That may look daunting, but it's actually really simple. Unfortunately
teaching regexps is beyond my ability and I actually suck at
regexps, but I will do my best. The ^ indicates the pattern must match from
the beginning of the line. Anything inside parentheses will be colored
the color specified. You can have more than one colored section in each
line. The .'s each match any single character. The :'s just
match themselves, nothing special there; you can have any amount of
specific text to match, which is what makes this so powerful. Now to the
third part, \[.*\]. The \'s are escape characters, which means instead
of parsing the character directly after the backslash as a regexp operator, it is
matched as plain text. The .* basically matches anything. The trailing
\] keeps the .* from swallowing the whole line, which would make it easy
to match lines you don't want it to match. This part matches an opening
bracket and anything between it and the next closing bracket. The
fourth part is also pretty simple: [^ ]+. Notice this one doesn't have
escape characters. Now as I said, I'm no expert in regexps and I can't
explain how this one works, but I know what it does. It captures the
next block of text up until a space, so basically the next word. The
last part may look familiar; it's the .* again, and it matches the rest of
the line this time. Here is a line from a log file that this would
match.

Feb 17 09:19:42 [fetchmail] awakened at Mon, 17 Feb 2003 09:19:42 -0700 (MST) 

This will match the regexp above and color the "Feb 17" part magenta.
Following is the config file this example came out of, so you can see
what the whole thing looks like and how it colors the entire
line and makes it look all perdy.

COLOR magenta
{
^(... ..) ..:..:.. \[.*\] [^ ]+ .*
}

COLOR brightgreen
{
^... .. (..:..:..) \[.*\] [^ ]+ .*
^... .. ..:..:.. \[.*\] ([^ ]+) .*
}

COLOR brightblack
{
^... .. ..:..:.. (\[.*\]) [^ ]+ .*
}

COLOR brightblue
{
^... .. ..:..:.. \[.*\] [^ ]+(.*)
}
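To see what the regexps above actually capture, here is an added example (my own code, not colortail's) that reads the config file from this article, runs each pattern against the fetchmail line from earlier, and wraps every parenthesised group in ANSI escapes the way colortail does. The mapping from color names to ANSI codes is an assumption; colortail has its own table.

```python
import re

# colortail config from the article, embedded here as a constructed sample
SAMPLE_CONFIG = r"""
COLOR magenta
{
^(... ..) ..:..:.. \[.*\] [^ ]+ .*
}
COLOR brightgreen
{
^... .. (..:..:..) \[.*\] [^ ]+ .*
^... .. ..:..:.. \[.*\] ([^ ]+) .*
}
COLOR brightblack
{
^... .. ..:..:.. (\[.*\]) [^ ]+ .*
}
COLOR brightblue
{
^... .. ..:..:.. \[.*\] [^ ]+(.*)
}
"""
SAMPLE_LINE = "Feb 17 09:19:42 [fetchmail] awakened at Mon, 17 Feb 2003 09:19:42 -0700 (MST)"  # line from the article
# ANSI SGR codes for the colour names used above (assumed mapping, not colortail's own table)
ANSI = {"magenta": "35", "brightgreen": "1;32", "brightblack": "1;30", "brightblue": "1;34"}

def parse_config(text):
    # each "COLOR name { ... }" block becomes (name, [compiled regex, ...])
    rules = []
    for colour, body in re.findall(r"COLOR\s+(\w+)\s*\{(.*?)\}", text, re.S):
        rules.append((colour, [re.compile(p) for p in body.strip().splitlines()]))
    return rules

def colour_spans(line, rules):
    # (start, end, colour) for group 1 of every pattern that matches; match() anchors like ^
    spans = []
    for colour, pats in rules:
        for pat in pats:
            m = pat.match(line)
            if m and m.lastindex:
                spans.append((m.start(1), m.end(1), colour))
    return sorted(spans)

def colorize(line, rules):
    # wrap each span in escapes; a span overlapping an earlier one is skipped
    out, pos = [], 0
    for start, end, colour in colour_spans(line, rules):
        if start >= pos:
            out.append(line[pos:start] + f"\033[{ANSI[colour]}m{line[start:end]}\033[0m")
            pos = end
    return "".join(out) + line[pos:]
```

Run `print(colorize(SAMPLE_LINE, parse_config(SAMPLE_CONFIG)))` in a terminal to see the four colours; a line that none of the patterns match comes back unchanged.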

Hopefully this will lead you on your way to colorizing your logs to
match the look of your desktop and keeping watch on your system(s). If
you have any other questions you can email me at snoogans@qwest.net and
if you want to see some logging in action check out my screenshots at
http://130.13.102.100:8090
