would expect from doing the same with a Syslog.
- Now does specialized output for some events, such as those
generated by snort and iptables (only in HTML, ANSI, and
ASCII modes though).
- Now handles completely unknown and unformatted input. (will
colorize it and/or ignore it based on the usual REGEXes,
but will not try to put it into formatted or colorized or
other kinds of columns)
- Will (hopefully) never leave you wondering where your data went
if you feed it input that's not strictly a syslog-ish
format.
- Now (hopefully) will never barf upon being unable to read a
config or regex (or other) file.
- Now does hostname lookups for iptables and snort (and possibly
other) events in your syslogs.
- Please see 'logtool -h' for a new listing of the command line.
In truth, all old options from 1.0.7 have been kept in
place for compatibility with any scripts you may have
written using said, but I hope you make note and update
your scripts and such to avoid any of the deprecated
options (deprecated options are not listed :). Someday, I'll
remove the deprecated options entirely. You have been
warned!
Interesting stuff for the more technically inclined:
- Oh wow, where to start? Sooo many changes to the internals,
that you might as well sit down and commence to reading
the code and comments, as big big big chunks of it hardly
resemble anything that came before. If you don't believe
me, do a diff with a logtool-1.0.x tree. :) However, I
suppose I would be remiss if I didn't give you at least a
few of the highlights.
- src/Makefile has changed quite a bit to (hopefully) be more
dynamic in how it does the build. (IE: I've discovered
some new macros :)
- A whole new environment based config file reader has been
implemented. Syntax in config files is now MUCH more
lenient on users, and lends itself better to the following
new feature. See readconf.c.
- See logtool.h for the new data structs. Very little remains
of the old variables and structs and such.
- Note the following two terms: "Output Modules" and "Event
Modules". They are separate things; where once they were
not. :)
- Moved to a modular system, whereby we can do customized
colorizations in output depending on what kind of messages
are input. (current modules are: UNKNOWN, SYSLOG,
SNORT_SYSLOG, and IPTABLES_SYSLOG). The modules in
essence return a string in event.pmsg with embedded \033's
(escape characters), which are parsed into whatever color
format a given output module might need. NOTE: Modules
will take config directives in the config file instead of
the command line. The cmdline switches for this program are
getting just too ridiculous.
NOTE: CSV output module isn't really smart enough to know
what to do with modules just yet, so all it still does is
syslog-like format. NOTE: I was very bad, and
used \033's that aren't standard to any other known
format, just because it seemed like the thing to do, and it was
easier than reading up on another encoding method :)
- Relating to modules, the internal code has changed regarding
parsing of events. Instead of each module doing some of
its own output setup, the various modules are now
responsible for doing the parsing, and the output code for
the various output formats just parses what the modules
generate. This makes it simpler to write output modules, and
harder to code event modules.
- Changed a lot of the strncpy() calls to strcpy() calls in the
name of efficiency and performance. Calls which rely on
user input remain as strncpy(), however, to (we hope)
avoid crashes. :)
- A bunch of other stuff I'm no doubt not remembering (or going
to). I hate to admit it, but I've reached the point
where I can't be bothered to do much documentation, and
you should just "use the source Luke" if you need to
know/do more with logtool than is immediately apparent
without mucking with the source.
- Best of luck, and God bless you all.
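The strncpy()/strcpy() item above carries a caveat worth seeing in code: strcpy() is only safe where the source is already known to fit, and strncpy() on its own does not NUL-terminate an input as long as or longer than the buffer. The following is an added example, not logtool code (MSG_LEN, copy_event_msg() and the sample lines are constructed here), showing a bounded copy of an untrusted syslog line that always terminates, beside a check of what bare strncpy() leaves behind.

```c
#include <stdio.h>
#include <string.h>
#define MSG_LEN 64  /* fixed-size event buffer, as a struct member might be */

/* Copy an untrusted line into a fixed buffer. Always NUL-terminates; returns
 * 1 if the input was truncated, 0 if it fit, -1 on a zero-length destination.
 * Plain strncpy() leaves dst unterminated when strlen(src) >= dst_len. */
int copy_event_msg(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) return -1;
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 includes the terminator */
    return 0;
}
/* Run copy_event_msg() into a MSG_LEN buffer and return the truncation flag. */
int copy_truncated(const char *src) {
    char buf[MSG_LEN];
    return copy_event_msg(buf, sizeof buf, src);
}
/* Same copy, but return the length of the string left in the buffer. */
int copied_len(const char *src) {
    char buf[MSG_LEN];
    copy_event_msg(buf, sizeof buf, src);
    return (int)strlen(buf);
}
/* 1 if a bare strncpy() into a MSG_LEN buffer left a terminator, else 0. */
int strncpy_terminates(const char *src) {
    char buf[MSG_LEN];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}
int main(void) {
    /* constructed sample lines, not captured log data */
    const char *ok = "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1";
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("fits: truncated=%d len=%d\n", copy_truncated(ok), copied_len(ok));
    printf("oversize: truncated=%d len=%d\n", copy_truncated(big), copied_len(big));
    printf("strncpy() terminated oversize input: %d\n", strncpy_terminates(big));
    return 0;
}
```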