Plugin:check log


 * 1) ! /bin/sh
 * 2) Log file pattern detector plugin for Nagios
 * 3) Written by Ethan Galstad (nagios@nagios.org)
 * 4) Last Modified: 07-31-1999
 * 5) Usage: ./check_log  
 * 6) Description:
 * 7) This plugin will scan a log file (specified by the  option)
 * 8) for a specific pattern (specified by the option).  Successive
 * 9) calls to the plugin script will only report *new* pattern matches in the
 * 10) log file, since a copy of the log file from the previous run is saved
 * 11) to .
 * 12) Output:
 * 13) On the first run of the plugin, it will return an OK state with a message
 * 14) of "Log check data initialized".  On successive runs, it will return an OK
 * 15) state if *no* pattern matches have been found in the *difference* between the
 * 16) log file and the older copy of the log file.  If the plugin detects any
 * 17) pattern matches in the log diff, it will return a CRITICAL state and print
 * 18) out a message in the following format: "(x) last_match", where "x" is the
 * 19) total number of pattern matches found in the file and "last_match" is the
 * 20) last entry in the log file which matches the pattern.
 * 21) Notes:
 * 22) If you use this plugin make sure to keep the following in mind:
 * 23)    1.  The "max_attempts" value for the service should be 1, as this
 * 24)        will prevent Nagios from retrying the service check (the
 * 25)        next time the check is run it will not produce the same results).
 * 26)    2.  The "notify_recovery" value for the service should be 0, so that
 * 27)        Nagios does not notify you of "recoveries" for the check.  Since
 * 28)        pattern matches in the log file will only be reported once and not
 * 29)        the next time, there will always be "recoveries" for the service, even
 * 30)        though recoveries really don't apply to this type of check.
 * 31)    3.  You *must* supply a different  for each service that
 * 32)        you define to use this plugin script - even if the different services
 * 33)        check the same  for pattern matches.  This is necessary
 * 34)        because of the way the script operates.
 * 35) Examples:
 * 36) Check for login failures in the syslog...
 * 37)   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
 * 38) Check for port scan alerts generated by Psionic's PortSentry software...
 * 39)   check_log /var/log/message ./check_log.portscan.old "attackalert"
 * 1)        though recoveries really don't apply to this type of check.
 * 2)    3.  You *must* supply a different  for each service that
 * 3)        you define to use this plugin script - even if the different services
 * 4)        check the same  for pattern matches.  This is necessary
 * 5)        because of the way the script operates.
 * 6) Examples:
 * 7) Check for login failures in the syslog...
 * 8)   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
 * 9) Check for port scan alerts generated by Psionic's PortSentry software...
 * 10)   check_log /var/log/message ./check_log.portscan.old "attackalert"
 * 1)   check_log /var/log/messages ./check_log.badlogins.old "LOGIN FAILURE"
 * 2) Check for port scan alerts generated by Psionic's PortSentry software...
 * 3)   check_log /var/log/message ./check_log.portscan.old "attackalert"
 * 1) Check for port scan alerts generated by Psionic's PortSentry software...
 * 2)   check_log /var/log/message ./check_log.portscan.old "attackalert"
 * 1)   check_log /var/log/message ./check_log.portscan.old "attackalert"


# Paths to commands used in this script.  These
# may have to be modified to match your system setup.
# TV: removed PATH restriction. Need to think more about what this means overall
# PATH=""

# text and output tools
ECHO="/bin/echo"
GREP="/bin/egrep"
CAT="/bin/cat"
TAIL="/usr/bin/tail"

# comparison and scratch-file handling
DIFF="/usr/bin/diff"
RM="/bin/rm"
CHMOD="/bin/chmod"
TOUCH="/bin/touch"

PROGNAME=`/bin/basename $0` PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'` REVISION="1.4.16"

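# utils.sh is expected to provide the STATE_* exit codes and the
# print_revision/support helpers used below.  If it cannot be loaded the
# script must not carry on with empty STATE_* values (a later
# 'exit $STATE_UNKNOWN' would then be a bare 'exit' and could report OK),
# so fail explicitly with the Nagios UNKNOWN code.
. "$PROGPATH/utils.sh" || {
  printf 'Log check error: cannot load %s/utils.sh\n' "$PROGPATH"
  exit 3
}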

#######################################
# Print the three accepted command line forms.
# Globals:   PROGNAME (read)
# Outputs:   usage lines to stdout
#######################################
print_usage() {
  printf 'Usage: %s -F logfile -O oldlog -q query\n' "$PROGNAME"
  printf 'Usage: %s --help\n' "$PROGNAME"
  printf 'Usage: %s --version\n' "$PROGNAME"
}

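#######################################
# Print revision, usage, a one-line description and the support blurb.
# Globals:   PROGNAME, REVISION (read)
# Outputs:   help text to stdout
# Calls:     print_revision and support (provided by utils.sh), print_usage
#######################################
print_help() {
  # quoted so the two values always reach print_revision as two arguments
  print_revision "$PROGNAME" "$REVISION"
  echo ""
  print_usage
  echo ""
  echo "Log file pattern detector plugin for Nagios"
  echo ""
  support
}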


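# Make sure the correct number of command line
# arguments have been supplied
if [ "$#" -lt 1 ]; then
  print_usage
  # quoted so an empty STATE_UNKNOWN is an explicit error rather than a
  # bare 'exit' that would return print_usage's (successful) status
  exit "$STATE_UNKNOWN"
fi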


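# Grab the command line arguments
# NOTE(review): exitstatus can also be set with -x/--exitstatus, but the
# result block at the end of the script assigns it unconditionally, so the
# option currently has no visible effect - confirm whether that is intended.
exitstatus=$STATE_WARNING #default

#######################################
# Report an option that was given without its value and exit UNKNOWN.
# Arguments: $1 - the option name
#######################################
option_needs_value() {
  printf 'Option %s requires an argument\n' "$1"
  print_usage
  exit "$STATE_UNKNOWN"
}

#######################################
# Walk the option list, setting logfile, oldlog, query and exitstatus.
# --help/--version print and exit OK; an unrecognised option or one
# missing its value exits UNKNOWN.
# Arguments: the script's command line ("$@")
#######################################
parse_args() {
  while test -n "$1"; do
    case "$1" in
      --help|-h)
        print_help
        exit "$STATE_OK"
        ;;
      --version|-V)
        print_revision "$PROGNAME" "$REVISION"
        exit "$STATE_OK"
        ;;
      --filename|-F)
        [ "$#" -ge 2 ] || option_needs_value "$1"
        logfile=$2
        shift
        ;;
      --oldlog|-O)
        [ "$#" -ge 2 ] || option_needs_value "$1"
        oldlog=$2
        shift
        ;;
      --query|-q)
        [ "$#" -ge 2 ] || option_needs_value "$1"
        query=$2
        shift
        ;;
      -x|--exitstatus)
        [ "$#" -ge 2 ] || option_needs_value "$1"
        exitstatus=$2
        shift
        ;;
      *)
        # printf rather than echo so an argument such as "-n" is printed
        # instead of being taken as an echo option
        printf 'Unknown argument: %s\n' "$1"
        print_usage
        exit "$STATE_UNKNOWN"
        ;;
    esac
    shift
  done
}
parse_args "$@"
# logfile=$1
# oldlog=$2
# query=$3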


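# If the source log file doesn't exist, exit
# printf is used instead of $ECHO: /bin/echo does not interpret "\n" on
# every platform (GNU echo prints it literally), so the original message
# could end in a stray backslash-n in the Nagios status text.
if [ ! -e "$logfile" ]; then
  printf 'Log check error: Log file %s does not exist!\n' "$logfile"
  exit "$STATE_UNKNOWN"
elif [ ! -r "$logfile" ]; then
  printf 'Log check error: Log file %s is not readable!\n' "$logfile"
  exit "$STATE_UNKNOWN"
fi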


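# If the old log file doesn't exist, this must be the first time
# we're running this test, so copy the original log file over to
# the old diff file and exit
if [ ! -e "$oldlog" ]; then
  # The copy is created under the default umask; since it holds log data
  # that may be sensitive, a restrictive umask or location for $oldlog is
  # worth considering.  A failed copy is reported rather than silently
  # returning OK with no baseline saved.
  if ! $CAT "$logfile" > "$oldlog"; then
    printf 'Log check error: cannot write old log copy %s!\n' "$oldlog"
    exit "$STATE_UNKNOWN"
  fi
  printf 'Log check data initialized...\n'
  exit "$STATE_OK"
fi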


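# The old log file exists, so compare it to the original log now

# The temporary file that the script should use while
# processing the log file.
if [ -x /bin/mktemp ]; then
  # mktemp creates the file atomically with a random name; an empty
  # $tempdiff afterwards means it failed
  tempdiff=$(/bin/mktemp /tmp/check_log.XXXXXXXXXX) || tempdiff=
else
  # Fallback without mktemp.  The name is predictable, so refuse to reuse
  # a path that already exists (set -C makes '>' fail instead of writing
  # through it) and create the file under umask 077 so it is mode 0600
  # from the start, rather than touch followed by chmod.
  tempdiff="/tmp/check_log.$$.$(/bin/date '+%H%M%S')"
  if ! (umask 077 && set -C && : > "$tempdiff") 2>/dev/null; then
    tempdiff=
  fi
fi
if [ -z "$tempdiff" ]; then
  printf 'Log check error: could not create a temporary file in /tmp!\n'
  exit "$STATE_UNKNOWN"
fi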

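#######################################
# Diff the current log against the saved copy and look for the query.
# Globals:   DIFF, GREP, TAIL, RM, CAT, logfile, oldlog, tempdiff, query (read)
#            count     - number of new lines matching $query (written)
#            lastentry - last such line, as printed by diff, i.e. still
#                        carrying its "< " prefix (written)
# Side effects: removes $tempdiff, overwrites $oldlog with $logfile
#######################################
scan_log() {
  # diff prefixes lines present only in $oldlog with ">", so dropping them
  # leaves the lines that are new in $logfile
  $DIFF "$logfile" "$oldlog" | $GREP -v "^>" > "$tempdiff"

  # Count the number of matching log entries we have
  # (-e keeps a query beginning with "-" from being read as a grep option;
  # the query is an egrep regular expression, as before)
  count=$($GREP -c -e "$query" "$tempdiff")

  # Get the last matching entry in the diff file
  lastentry=$($GREP -e "$query" "$tempdiff" | $TAIL -1)

  # Drop the scratch file and save the current log as next run's baseline
  $RM -f -- "$tempdiff"
  $CAT "$logfile" > "$oldlog"
}
scan_log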

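# Report the result.  printf replaces $ECHO so the messages do not end in a
# literal "\n" on platforms whose /bin/echo does not interpret escapes, and
# so a last entry beginning with "-" is printed rather than parsed as an
# echo option.
if [ -z "$count" ]; then
  # grep always prints a number for a readable file, so an empty count
  # most likely means the scan itself could not run; don't report that as
  # a pattern match
  printf 'Log check error: could not scan the log diff!\n'
  exitstatus=$STATE_UNKNOWN
elif [ "$count" = "0" ]; then
  # no matches, exit with no error
  printf 'Log check ok - 0 pattern matches found\n'
  exitstatus=$STATE_OK
else
  # Print total match count and the last entry we found
  # (this assignment also overrides any -x/--exitstatus value given above)
  printf '(%s) %s\n' "$count" "$lastentry"
  exitstatus=$STATE_CRITICAL
fi

exit "$exitstatus"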