LoGS. October 21st 2007 James E. Prewett PGP: F F 5FB8 918E C1F

Similar documents
5/10/2009. Introduction. The light-saber is a Jedi s weapon not as clumsy or random as a blaster.

Custom Specializers in Object-Oriented Lisp

MITOCW watch?v=zm5mw5nkzjg

minit Felix von Leitner September 2004 minit

Computer Science Department 2 nd semester- Lecture13

Stacking LAMPs. Tom Ryder

Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

Replication. Feb 10, 2016 CPSC 416

Can t Believe It s Linux. a totally different and hypothetical linux distribution

PROFESSOR: Well, yesterday we learned a bit about symbolic manipulation, and we wrote a rather stylized

Kolmo. Making automation & configuration easier. bert hubert. -

MASSACHVSETTS INSTITVTE OF TECHNOLOGY Department of Electrical Engineering and Computer Science. Issued: Wed. 26 April 2017 Due: Wed.

Part 3: Chromium in Practice

INSRUCTION SHEET Video 1 Using Windows Movie Maker. Star Wars Video Mix

Erlang in the battlefield. Łukasz Kubica Telco BSS R&D Department Cracow Erlang Factory Lite, 2013

ECE 471 Embedded Systems Lecture 12

1 Introduction to Networking

Subcontractors. bc math help for the shell. interactive or programatic can accept its commands from stdin can accept an entire bc program s worth

PROFESSOR: Last time, we took a look at an explicit control evaluator for Lisp, and that bridged the gap between

PROBLEM SOLVING 11. July 24, 2012

Outline. Announcements. Homework 2. Boolean expressions 10/12/2007. Announcements Homework 2 questions. Boolean expression

Access 2013: The Missing Manual PDF

Staleness and Isolation in Prometheus 2.0. Brian Brazil Founder

CS 360 Programming Languages Interpreters

Computer Science 61 Scribe Notes Tuesday, November 25, 2014 (aka the day before Thanksgiving Break)

Git Resolve Conflict Using Mine Command Line

Remote Exploit. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

I'm Andy Glover and this is the Java Technical Series of. the developerworks podcasts. My guest is Brian Jakovich. He is the

Using GitHub to Share with SparkFun a

About this exam review

C++ Programming Lecture 1 Software Engineering Group

A Brief Introduction to Common Lisp

============================================================================

Robot Programming with Lisp

Table of Contents. Part 1 Postcard Marketing Today Brief History of Real Estate Postcards Postcard Marketing Today...

Civil Engineering Computation

CSE341: Programming Languages Lecture 17 Implementing Languages Including Closures. Dan Grossman Autumn 2018

Exploring UNIX: Session 5 (optional)

Chapter 6 Control Flow. June 9, 2015

How to: Ripping Audio CDs to Mp3 on Microsoft Windows XP / Vista / 7 - CDEx Audio CD Rip free software

Remote Exploit. compass-security.com 1

Programming Languages

Student 1 Printer Issues

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

Common Lisp. In Practical Usage

COMS 6100 Class Notes 3

A Pragmatic Case For. Static Typing

CSE 505: Programming Languages. Lecture 10 Types. Zach Tatlock Winter 2015

Intro. Speed V Growth

PROFESSOR: Well, now that we've given you some power to make independent local state and to model objects,

Architectural Code Analysis. Using it in building Microservices NYC Cloud Expo 2017 (June 6-8)

Introduction to Access 97/2000

CSCC24 Functional Programming Scheme Part 2

Read & Download (PDF Kindle) Programming: C ++ Programming : Programming Language For Beginners: LEARN IN A DAY! (C++, Javascript, PHP, Python, Sql,

Lecture Topics. Administrivia

Lesson 4 Transcript: DB2 Architecture

Today: VM wrap-up Select (if time) Course wrap-up Final Evaluations

Instructor: Craig Duckett. Lecture 14: Tuesday, May 15 th, 2018 Stored Procedures (SQL Server) and MySQL

WMQ for z/os Auditing and Monitoring

Mastering Data Abstraction or Get nit-picky on design advantages

Recap: Functions as first-class values

CSE413: Programming Languages and Implementation Racket structs Implementing languages with interpreters Implementing closures

Sorting the post An introduction to the Perforce Broker

The name of our class will be Yo. Type that in where it says Class Name. Don t hit the OK button yet.

CS450: Structure of Higher Level Languages Spring 2018 Assignment 7 Due: Wednesday, April 18, 2018

Today. CISC101 Reminders & Notes. Searching in Python - Cont. Searching in Python. From last time

In our first lecture on sets and set theory, we introduced a bunch of new symbols and terminology.

The LAMP Batch OCR Handbook

Android Programming Family Fun Day using AppInventor

Environments

Making Friends with Broadcast. Administrivia

Chapter The Juice: A Podcast Aggregator

Mechanical Turk and AWS Workshop

EECS150 - Digital Design Lecture 20 - Finite State Machines Revisited

Intro. Scheme Basics. scm> 5 5. scm>

Programming: Computer Programming For Beginners: Learn The Basics Of Java, SQL & C Edition (Coding, C Programming, Java Programming, SQL

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

AWK: The Duct Tape of Computer Science Research. Tim Sherwood UC San Diego

Working with Objects. Overview. This chapter covers. ! Overview! Properties and Fields! Initialization! Constructors! Assignment

Semantic Analysis. Outline. The role of semantic analysis in a compiler. Scope. Types. Where we are. The Compiler so far

Try typing the following in the Python shell and press return after each calculation. Write the answer the program displays next to the sums below.

Begin at the beginning

And Parallelism. Parallelism in Prolog. OR Parallelism

MITOCW watch?v=0jljzrnhwoi

Finding and Fixing Bugs

Text transcript of show #280. August 18, Microsoft Research: Trinity is a Graph Database and a Distributed Parallel Platform for Graph Data

TRANSPARENCY, CONSENT, AND CONTROL

The role of semantic analysis in a compiler

9-11 класс LISTENING COMPREHENSION (15 minutes)

CS61C : Machine Structures

Overview. Rationale Division of labour between script and C++ Choice of language(s) Interfacing to C++ Performance, memory

Lecture 4. The Substitution Method and Median and Selection

Hi everyone. Starting this week I'm going to make a couple tweaks to how section is run. The first thing is that I'm going to go over all the slides

A PROGRAM IS A SEQUENCE of instructions that a computer can execute to

COMP 250 Winter generic types, doubly linked lists Jan. 28, 2016

MITOCW watch?v=flgjisf3l78

Needle in a Haystack. Improving Intrusion Detection Performance in University settings by removing good traffic to better focus on bad traffic

Processing Troubleshooting Guide

Parallel Algorithm Engineering

Topic 6 loops, figures, constants

Transcription:

LoGS October 21st 2007 James E. Prewett PGP: F618 949F 5FB8 918E 8378 8C1F

On System Administration: We seem to be made to suffer. It's our lot in life. --C-3PO Star Wars (1977)

Log Analysis: cat /var/log/messages grep -v... grep -v... grep -v... grep -v... grep -v...

Real-Time Log Analysis: tail -f /var/log/messages grep -v... grep -v... grep -v... grep -v... grep -v...

LoGS History: Thou Shalt analyze thine logfiles... --NCSA 2000-2001... With SWATCH... Give it to the new guy -- my (then) co-workers Working with Logsurfer in 2001-2004 Started discussing LoGS Jan/Feb 2003 Began LoGS in June 2003

Logsurfer:

What s wrong with Logsurfer? Syntax can be less than clear ala: '.*' - - - 0 exec "/bin/echo $0" Too much fork()-ing around! (Logsurfer+ helps a little) Traversing a linear ruleset is less-than efficient Dynamic rules can get hairy: rules that create rules... escaping horrors! No way to extend Logsurfer (without hacking the source) A real programming language would be nice

Whats wrong with Logsurfer? (cont) Regular expressions are nice, but... Compiling is pretty cool! CL-PPRE is the fastest regex engine out there... suck it, Perl! (C is slow! ;) ruleset language is hard to write maintainable rulesets Kludges using M4 (and similar) macro processors

Maintainability? divert(0)dnl # $Id: sendmail,v 1.3 2002/09/23 22:52:27 emf Exp $ # Sendmail MTA divert(-1)dnl define(`have_sendmail')dnl define(`one',`undivert(1)')dnl define(`two',`undivert(2)')dnl divert(1)dnl 'sendmail' - - - 0 ignore divert(2)dnl '^.{16}(.*) sendmail\[[0-9]+\]: My unqualified host name.*unknown; sleeping for retry' - - - 0 ignore '^.{16}(.*) sendmail\[[0-9]+\]: unable to qualify my own domain name.*using short name' - - - 0 ignore '^.{16}(.*) sendmail\[[0-9]+\]: gethostbyaddr\(.*\) failed:' - - - 0 ignore '^.{16}(.*) sendmail\[[0-9]+\]: rejecting connections on daemon (.*): load average: (.*)' - - - 0 exec "/usr/local/bin/surf_genericmsg -k logsurfer -h ````$2'''' -s 5 -m \"sendmail $3 rejecting connections; load average $4 too high! \"sendmail timeout waiting for input from $3 during $4\""

On Lisp: "This is the weapon of a Jedi Knight. Not as clumsy or as random as a blaster, but an elegant weapon for a more civilized age." --Obi-Wan

What is LoGS? I know you want to read messages sequentially from a data source and do (one or more) things in response to finding interesting messages I don t know how to find an interesting message I don t know what to do in response I ve got some guesses that may help you... You can hack it when my guesses are wrong.

LoGS Components Messages Rules Rulesets These are all CLOS Objects Contexts Windows Actions (Actions are just Lisp Functions)

What does this look like? ;;; create a rule that prints every message (make-instance rule :match ;; match every message (lambda (message) t) :actions (list ;; print the message (lambda (message environment) (format t ~A% (message message))))) *declarations are good, but make slides harder to read

OMG THATS UGLY!!! (how about the RDL instead?) (rule matching (lambda (message) t) doing (lambda (message) (format t ~A~% (message message))))

On Lisp s Syntax: "No different. Different only in your mind. You must unlearn what you have learned" --Yoda Star Wars Episode V: The Empire Strikes Back (1980)

RDL is under construction Steal liberally from LOOP Montpellier France, Fresh Air, Red Wine, & Practical Common Lisp Make RDL very similar to English Lots of stuff left to add! Make it hackable! (like old-school LOOP) I also don t know how you want to express your rulesets :P RDL is a half-finished guess

LoGS Rulesets Rulesets are: A doubly linked list containing: Rules and or Linked lists containing:... Rulesets may contain other rulesets This leads us to a tree sort of shape for our ruleset Compare the performance with Logsurfer s linear list

Worst-Case Scenario: The last rule matches Logsurfer config: 117 regular expressions tested before match found LoGS config to implement identical ruleset: 13 functons ran with message as input => Trees good!

Dynamically Created Rules Rules may be: * Created * Deleted * Modified while LoGS is running

LoGS Contexts Contexts are known by their names LoGS Contexts are *PASSIVE* Message stores In Logsurfer, they are *ACTIVE* message stores This leads us to a linear list of contexts that must be queried for each line of input There is no short circuiting!!!!! LoGS contexts are simular to SEC s Contexts

Basic Context Usage (make-instance rule :match # match-all-messages :actions (list (lambda (message env) (add-to-context (ensure-context :name all-messages) message))))

On the Learning Curve of LoGS: Listen, I can't get involved. I've got work to do. It's not that I like the Empire; I hate it. But there's nothing I can do about it right now... It's all such a long way from here. --Luke Star Wars (1977)

What is wrong with (just) regular expressions? You cannot correlate information not in the log stream* correlate errors with system maintenance periods find time synchronization problems correlate batch scheduler information... They can be less than clear *I am aware that Perl Compatable Regular Expressions are Turing Complete - I m just not /that/ twisted

Why an Action List? I often want 2 or more things done in response to a given message Mark the node offline AND send the admin an email Conceptually, 2 rules to implement the above feels icky

Lisp is cool! You can put this in your ruleset file: (defmethod get-line :AFTER ((ff file-follower)) (with-open-file (f "/var/run/logs/f.pos" :direction :output :if-exists :rename) (format f "~A~%" (file-position (filestream ff)))))

Immediate Future: More stuff in the RDL Better SBCL support CMUCL is best supported today CMUCL does not work on my Intel Mac! LoGS binary./logs --ruleset /path/to/ruleset.lisp...

Further Future: Real Thread support consensus on use of SPECIAL variables Is dynamic scoping inherently evil? 2 forks in LoGS CVS tree Support for more Lisp implementations LoGS support for many (non-cmucl, non-sbcl) has crumbled...

Recent Developments:

On Lisp Being an Old language: "When nine hundred years old you reach, look as good you will not." --Yoda Star Wars Episode VI: Return of the Jedi (1983)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback