Fish
About

This program parses syslog events from a Barracuda Spam Firewall and puts the results into a MySQL database. It requires the PHP CLI. The table structure looks like this:
You can grab it here: Fish.zip

Examples

Blocked messages for April 2010, grouped by reason (action 2 is the "blocked" action; the reason codes are mapped to text through the r_code table):

mysql> SELECT COUNT(*) AS count, r_code.meaning
    -> FROM event, r_code
    -> WHERE FROM_UNIXTIME(timestamp) BETWEEN '2010-04-01 00:00:00' AND '2010-05-01 00:00:00'
    -> AND (event.reason = r_code.id) AND action = '2'
    -> GROUP BY event.reason ORDER BY count DESC;
+---------+-----------------------------+
| count   | meaning                     |
+---------+-----------------------------+
| 3766392 | Barracuda Blocklist         |
|  247963 | RBL Match                   |
|   69529 | Spam Fingerprint Found      |
|   63371 | Intention Analysis Match    |
|   21916 | Score                       |
|   11731 | No Such User                |
|    7238 | No Such Domain              |
|    7018 | Realtime Intent             |
|    5645 | Need Fully Qualified Sender |
|    5429 | Virus                       |
|    4336 | Multi-Level Intent          |
|    3688 | Timeout Exceeded            |
|      10 | Client IP                   |
|       7 | Message Size Bypass         |
|       3 | Barracuda Whitelist         |
+---------+-----------------------------+

Top ten blocked client addresses for one day (the client column is stored as an integer, so INET_NTOA() turns it back into dotted-quad form):

mysql> SELECT COUNT(*) AS count, INET_NTOA(client)
    -> FROM event
    -> WHERE FROM_UNIXTIME(timestamp) BETWEEN '2010-05-01 00:00:00' AND '2010-05-02 00:00:00'
    -> AND action = '2'
    -> GROUP BY client ORDER BY count DESC LIMIT 10;
+-------+-------------------+
| count | INET_NTOA(client) |
+-------+-------------------+
|   276 | 62.111.138.130    |
|   226 | 200.74.249.27     |
|   143 | 112.153.203.62    |
|   142 | 72.55.141.20      |
|   132 | 64.22.65.181      |
|   129 | 64.22.65.182      |
|   126 | 64.22.65.183      |
|   109 | 93.32.186.103     |
|   105 | 202.156.81.220    |
|   103 | 89.171.120.66     |
+-------+-------------------+

Setup

1) Configure your Barracuda to export syslogs.
2) On your collector, edit your syslog.conf and add something like this (I have 2 devices; the "+host" lines are FreeBSD syslog.conf host specifications and go on their own lines):

+192.168.1.10
*.*    /var/log/spam.log
+192.168.1.11
*.*    /var/log/spam.log

3) Create a database called "spam":

~$ mysql -N -B --user=root --password=toor -e "CREATE DATABASE spam;"

4) Create the reason code mappings:

~$ cat r_code.sql | mysql -uroot -ptoor -D spam

5) Create a writer for the spam database:

~$ mysql -N -B --user=root --password=toor -e "GRANT ALL PRIVILEGES ON spam.* TO 'spamwriter'@'localhost' IDENTIFIED BY 'apassword';"

6) Open fish.php and modify the database settings to suit.

7) To start the program just do something like this:

~$ ./fish.php /var/log/spam.log &

and it will happily chug away as long as the file exists.

If you are dealing with a lot of data, create something like this (the crontab entry below calls it fish.sh):

#!/usr/local/bin/bash
# Delete old spam log and restart syslogd and fish
# Check the commands of course, this is for FreeBSD
log="/var/log/spam.log"
if [ -e "$log" ]; then
    rm -f "$log"
    sleep 2
fi
touch "$log"
/etc/rc.d/syslogd restart
sudo -u alittleuser fish.php "$log" &
# End

and put this in root's crontab so the log is rotated once a day at midnight:

0 0 * * * fish.sh

Changelog

2010-06-08: Explode delimiter on subject line was changed from ":" to "SUBJ:". This still may fail, but I don't have a better solution just yet.
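As an added example (not part of Fish or its PHP code), here is a Python sketch of the subject-line handling the changelog describes: the parser takes everything after the first "SUBJ:" marker instead of splitting on ":", so subjects containing colons survive, and it derives the other columns the example queries rely on (epoch timestamp, client address as the integer INET_NTOA() expects, action, reason) in the same pass. The SCAN line layout, the sample lines and the year are constructed assumptions for this example, not Barracuda's documented format.

```python
import calendar
import re
import socket
import struct
from datetime import datetime

# Constructed sample lines in an ASSUMED Barracuda-style SCAN layout (this
# example's assumption, not the firewall's documented format):
#   <stamp> <host> <tag>: SCAN <msgid> <client-ip> <sender> <rcpt> <action> <reason> <score> SUBJ:<subject>
SAMPLE_LINES = [
    "May  1 00:00:01 bcuda scan[1234]: SCAN 1272672001-0001 62.111.138.130 "
    "a@sender.example b@corp.example 2 15 0.00 SUBJ:Re: invoice 4411",
    "May  1 00:00:02 bcuda scan[1234]: SCAN 1272672002-0002 200.74.249.27 "
    "c@sender.example d@corp.example 0 0 1.20 SUBJ:SUBJ: nested marker test",
]

SCAN_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: SCAN "
    r"(?P<msgid>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<sender>\S+) (?P<rcpt>\S+) "
    r"(?P<action>\d+) (?P<reason>\d+) (?P<score>[\d.]+) (?P<rest>.*)$"
)

def extract_subject(rest):
    """Return everything after the first 'SUBJ:' marker, or None if absent.

    Splitting on ':' breaks as soon as the subject itself contains a colon,
    and splitting on every 'SUBJ:' would truncate a subject containing the
    marker; taking the text after the first marker avoids both failures."""
    idx = rest.find("SUBJ:")
    return None if idx < 0 else rest[idx + len("SUBJ:"):]

def ip_to_int(ip):
    """Pack a dotted quad into the unsigned integer that INET_NTOA() expects."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def parse_scan_line(line, year=2010):
    """Map one SCAN line to the columns the example queries use; syslog omits
    the year, so it is passed in (2010 assumed to match the page's data)."""
    m = SCAN_RE.match(line)
    if m is None:
        return None  # not a SCAN event (e.g. a RECV line); skip it
    stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": calendar.timegm(stamp.timetuple()),  # epoch, stamp read as UTC
        "client": ip_to_int(m["client"]),
        "action": int(m["action"]),
        "reason": int(m["reason"]),
        "subject": extract_subject(m["rest"]),
    }
```

The second sample line shows the remaining weak spot the changelog mentions: a subject that itself begins with "SUBJ:" is kept intact only because the split happens at the first marker.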