
LMF: Log Monitoring Framework

By Max Schubert a.k.a. "perldork"


Who cares? What good is this anyway?

  • Tired of seeing 245 lines of brute force SSH attempts against your system in your Logwatch reports every day (and concerned that so many attempts against your system are occurring)? LMF can help.
  • Want a way to temporarily disallow access to your server when someone fails to provide valid credentials to program P, without having to figure out how to customize that program? LMF can help.
  • Want to be notified when user U logs in via ssh or when anyone becomes root using 'su'? LMF can help.

Why is this better than the other ninety-eight log monitoring frameworks I have seen and used?

  • I make no claim that LMF is better than other log monitoring programs; there is plenty of room for log monitoring programs, and each has its place and use.

What makes LMF different than the other ninety-eight log monitoring frameworks I have seen and used?

  • Some of the features I like about LMF that I did not see in other existing programs:

  • Matched lines only count towards a hit if the parts you specify as needing to be unique (using capturing parentheses) match.
  • The unique parts that you specified with back references can be used in other parts of the rule containing them.
  • Matches can be bounded by time (they do not have to be), so you can have a rule that is only triggered if 8 matches are found in 10 minutes.
  • Each rule can have a duration; so rule X, once triggered, can have a lifetime of 60 seconds or 6 hours or 2 days.
  • Each rule has an optional trigger and release; the trigger is run when the match conditions are met, and the release is run when the duration of the rule expires (duration is optional as well, for cases where you want a rule to be a one-off action). LMF comes with one trigger; writing new ones is easy.

Whine - Why is this written in perl? Perl SUCKS!

  • There are many scripting languages out there, many of which I enjoy as much as or more than perl, but perl is ubiquitous, especially when it comes to *nix hosts.