Sawmill Newsletter

  May 15, 2007



Welcome to the Sawmill Newsletter!

You're receiving this newsletter because during the downloading or purchase of Sawmill, you checked the box to join our mailing list. If you wish to be removed from this list, please send an email with the subject line "UNSUBSCRIBE" to newsletter@sawmill.net.


News

We are currently shipping Sawmill 7.2.9. You can get it from http://sawmill.net/download.html.

This issue of the Sawmill Newsletter explores using Log Filters to send alerts with Sawmill. Sawmill can be used to monitor a stream of log data, in real time, and send alert emails (or perform other actions) based on the content of the log data. This has multiple uses, including looking for security issues, like port scans. This edition of Tips & Techniques describes implementing an alert to inform you immediately when a web site visitor looks at a particular page of your site.


Get the Most out of Sawmill with Professional Services

Looking to get more out of your statistics from Sawmill? Running short on time, but need the information now to make critical business decisions? Our Professional Service Experts are available for just this situation and many others. We will assist in the initial installation of Sawmill using best practices, and work with you to integrate and configure Sawmill to generate reports in the shortest possible time. We will tailor Sawmill to your environment, create a customized solution, be sensitive to your requirements and stay focused on what your business needs are. We will show you areas of Sawmill you may not even be aware of, and demonstrate streamlined methods that get you the information more quickly. Often you'll find that Sawmill's deep analysis can even provide you with information you've been after but never knew how to reach, or possibly never realized was readily available in reports. Sawmill is an extremely powerful tool for your business, and most users only exercise a fraction of this power. That's where our experts really can make the difference. Our Sawmill experts have many years of experience with Sawmill and with a large cross section of devices and business sectors. Our promise is to very quickly come up with a cost effective solution that fits your business, and greatly expand your ROI with only a few hours of fee based Sawmill Professional Services. For more information, a quote, or to speak directly with a Professional Services expert, contact consulting@flowerfire.com.



Tips & Techniques: Sending Email Alerts Based on Real-Time Log Data Scanning


Suppose we have a web site with a particularly important page, and we want to know immediately when someone looks at it. In this example, we'll assume that we want to inform our government sales agent any time someone logs in to the site and looks at the page /sales/government.html. We'd like to email govsales@mydomain.com every time this page is accessed, with the username and IP of the logged-in user who accessed the page. In other words, we want to send an alert whenever a particular condition is met.

This can be done in Sawmill using Log Filters. Almost any condition can be defined in a Log Filter, and the Log Filter can be used to send email using the send_email() function, when the condition is met. In this case, we'll assume we're analyzing Apache data on a Linux system, so the condition we want is:

  page eq "/sales/government.html"

For IIS, replace page with cs_uri_stem.

The full Log Filter which you would enter as an advanced expression in a new Log Filter, in Config -> Log Processing -> Log Filters would then be:


  if (page eq "/sales/government.html") then (
     send_email("govsales@mydomain.com",
                "govsales@mydomain.com",
                "Subject: Government Sales access detected from " . authenticated_user . "\r\n" .
                "To: govsales@mydomain.com\r\n" .
                "\r\n" .
                "Sawmill has detected an access to /sales/government.html;\r\n" .
                "the username is " . authenticated_user . ", and the hostname is " . hostname . ".\r\n",
                "smtp.mydomain.com");
  );


The parameters to send_email() are:

  1. govsales@mydomain.com: the sender address.
  2. govsales@mydomain.com: the recipient address. Use commas between multiple addresses.
  3. The message body, in SMTP format: it starts with the SMTP headers (Subject and To should normally be present; Date is added automatically), each followed by \r\n. Then there is another \r\n (an empty line), and then the body of the message.
  4. smtp.mydomain.com: the SMTP server. This server must accept unauthenticated SMTP delivery for the recipient(s).

When you rebuild or update the database, Sawmill will send an email for each occurrence of /sales/government.html in the data it processes.
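As an added illustration, in Python rather than Salang and not code from the newsletter or from Sawmill, here is the same condition applied to raw Apache access-log lines, together with the message layout send_email() expects (header lines ended by CRLF, an empty line, then the body). The sample log lines are constructed, the regular expression is a plain common/combined-format parser, and treating "page" as the URI path without its query string is an assumption made here.

```python
import re
from typing import Optional

# Constructed sample Apache combined-format log lines; not taken from the newsletter.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/May/2007:10:12:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [15/May/2007:10:12:03 -0700] "GET /sales/government.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [15/May/2007:10:12:05 -0700] "GET /sales/government.html?ref=x HTTP/1.1" 200 2048 "-" "curl/7.0"
"""

# host ident user [time] "method uri protocol" status bytes ...
APACHE_RE = re.compile(
    r'^(?P<hostname>\S+) \S+ (?P<authenticated_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WATCHED_PAGE = "/sales/government.html"
ALERT_ADDRESS = "govsales@mydomain.com"  # recipient used in the newsletter's filter

def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into the fields the filter refers to, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Assumed here: the "page" field compared in the filter is the URI path
    # without the query string, so /sales/government.html?ref=x still matches.
    fields["page"] = fields["uri"].split("?", 1)[0]
    return fields

def build_alert_message(fields: dict) -> str:
    """Lay the message out as send_email() expects: header lines each ended by
    CRLF, one empty line, then the body (Sawmill adds the Date header itself)."""
    user, host = fields["authenticated_user"], fields["hostname"]
    headers = ["Subject: Government Sales access detected from " + user,
               "To: " + ALERT_ADDRESS]
    body = ["Sawmill has detected an access to " + WATCHED_PAGE + ";",
            "the username is " + user + ", and the hostname is " + host + "."]
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(body) + "\r\n"

def alerts_for(log_text: str) -> list:
    """Return one alert message per line that hits the watched page."""
    return [build_alert_message(f) for f in map(parse_line, log_text.splitlines())
            if f and f["page"] == WATCHED_PAGE]

if __name__ == "__main__":
    for msg in alerts_for(SAMPLE_LOG):
        print(msg)
```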


Sending Alerts in Real Time

Database builds or updates are typically done periodically, which introduces a delay between the time the data is logged, and the time the alert is sent. Furthermore, a database isn't needed at all for an alert; Sawmill doesn't need to build a database to parse logs and run log filters. For true real-time alerts, you should not build or update a database--you should use the "process_logs" command-line action, with a command-line log source that streams data as it is logged. This means that you would have a profile dedicated to alerts; if you also want to do reporting, you would do it in a separate profile.

The first step is to create a command-line log source to stream the data. The best approach depends on the environment, but it needs to be a script or program or command which, when run, immediately prints a line of log data each time a new line is logged. In a simple Apache/Linux environment, with the log data written continually to /var/log/httpd/access-log, no script is necessary; you can just use the built-in tail command as the command line log source:

  tail -f /var/log/httpd/access-log


tail with the -f flag watches the file (/var/log/httpd/access-log) and prints each new line that appears at the end of it. This command never completes; it keeps watching the file forever, which is exactly what we want for a real-time alerting log source. tail -f is available natively on all platforms except Windows, and is available on Windows with Cygwin.

Now that we have set up the log source in the profile, we can run it with this command:

  nohup ./sawmill -p profilename -a pl &

The -a pl option is the process_logs action, and tells Sawmill to process all the log data in the log source, and run the log filters against it. It does not build a database, so it uses no disk space; and with a command-line log source which never completes (like the one we created above), it will never complete either. It will just run the new log data against the filters forever, processing each line as it comes in, and sending alerts as specified in the Log Filters. Thus, it is a real-time alerting system.

Because this never completes, it is best to background it, which is why we're using nohup in front, and & in back.

On Windows, this could be run like this:

  SawmillCL -p profilename -a pl

and the window would need to be kept open. Or, it could be run from the Windows Scheduler, which will cause it to run as a background process.


Reducing buffering with "Log reading block size"

By default, Sawmill buffers incoming log data in blocks of 100KB, which means that 100KB of log data must be generated before Sawmill will start running the filters against it. For very low-volume log sources, this can substantially delay alerts; if it takes 60 seconds to generate 100KB of log data, alerts might occur as much as 60 seconds after the log data is generated. To get faster alert times, in this case, you can set the "Log reading block size" option to a small value, like 1KB, in the Config -> Log Data -> Log Processing page of the Sawmill web interface:

[Screenshot: the "Log reading block size" option in Config -> Log Data -> Log Processing]


Other Examples of Alerts

Log Filters are written in Salang, which is a general programming language, so almost any condition is possible. You can save results from previous lines (in a node, typically), to look for alert conditions involving multiple lines; for instance, you can send an alert if there are more than 50 accesses to a particular port in the past 60 seconds (DOS attack), or in the past 1000 lines, or if there are more than 1000 different ports accessed by a particular IP in the past 60 seconds (port scanning detection).
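The multi-line conditions described above, as an added example in Python rather than Salang (this is not code from the newsletter or from Sawmill): a detector that keeps the per-port and per-IP history a Log Filter would store in a node, and raises the "more than N accesses to one port" and "more than M distinct ports from one IP" conditions within a sliding 60-second window. The sample events, the class and method names and the alert strings are constructed for illustration; the thresholds default to the 50 and 1000 given in the text, and the test run below lowers them so the small sample trips both checks.

```python
from collections import Counter, defaultdict, deque

# Constructed sample events (epoch seconds, source IP, destination port), not taken from the newsletter.
SAMPLE_EVENTS = (
    [(1000 + i, "10.0.0.5", 80) for i in range(6)]           # 6 hits on port 80 within 6 seconds
    + [(1010 + i, "10.0.0.9", 1000 + i) for i in range(12)]  # 12 distinct ports from one IP in 12 seconds
    + [(1200, "10.0.0.5", 80)]                                # an isolated hit after the window has passed
)

class WindowedDetector:
    """Recent history a Log Filter would keep in a node, checked over the last `window` seconds:
    more than `port_hits` accesses to one port (DOS), more than `distinct_ports` ports from one IP (scan)."""

    def __init__(self, window=60, port_hits=50, distinct_ports=1000):
        self.window, self.port_hits, self.distinct_ports = window, port_hits, distinct_ports
        self.hits_by_port = defaultdict(deque)   # port -> timestamps of recent hits
        self.hist_by_ip = defaultdict(deque)     # ip -> (timestamp, port) of recent hits
        self.ports_by_ip = defaultdict(Counter)  # ip -> port -> hits still inside the window

    def _expire(self, now):
        cutoff = now - self.window  # anything older than this no longer counts
        for q in self.hits_by_port.values():
            while q and q[0] < cutoff:
                q.popleft()
        for ip, q in self.hist_by_ip.items():
            while q and q[0][0] < cutoff:
                _, port = q.popleft()
                self.ports_by_ip[ip][port] -= 1
                if self.ports_by_ip[ip][port] == 0:
                    del self.ports_by_ip[ip][port]

    def observe(self, ts, ip, port):
        """Record one log line; return the alert strings it triggers (usually none)."""
        self._expire(ts)
        alerts = []
        self.hits_by_port[port].append(ts)
        if len(self.hits_by_port[port]) > self.port_hits:
            alerts.append(f"DOS: {len(self.hits_by_port[port])} hits on port {port} in {self.window}s")
            self.hits_by_port[port].clear()  # reset so one burst yields one alert, not one per line
        self.hist_by_ip[ip].append((ts, port))
        self.ports_by_ip[ip][port] += 1
        if len(self.ports_by_ip[ip]) > self.distinct_ports:
            alerts.append(f"SCAN: {ip} touched {len(self.ports_by_ip[ip])} ports in {self.window}s")
            self.hist_by_ip[ip].clear()
            self.ports_by_ip[ip].clear()
        return alerts

def run(events, **thresholds):
    det = WindowedDetector(**thresholds)
    return [a for e in events for a in det.observe(*e)]
```

Running run(SAMPLE_EVENTS, window=60, port_hits=5, distinct_ports=10) yields one DOS alert for port 80 and one scan alert for 10.0.0.9, while the newsletter's default thresholds produce none on this small sample.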

In addition, send_email() is only one possible action that can be taken by a filter. In particular, a Log Filter can run any command line using the exec() function, so for instance, it could use a firewall command line to automatically (and immediately) block access from a particular IP, when it detects that the IP is performing port scanning or a DOS attack.


Questions or suggestions? Contact support@sawmill.net. If you would like a Sawmill Professional Services expert to implement this, or another customization, contact consulting@sawmill.net.


[Article revision v1.1]