Hack 84. Send Log Messages to Your Jabber Client

Use hidden features of syslog and a quick script to send syslog messages straight to your desktop.

So you've finally gotten your machine room set up with centralized logging. Now you no longer need to open 50 different terminal windows to tail logs on all of your web servers. Instead, you just open one session to the central log host, tail the log, and go about your business.

But what if you could have the really important log messages, maybe only those going to the auth.warning facility, sent directly to your desktop in a way that will catch your attention even if you leave and come back only after the message has already scrolled by in your tail session?

You can actually accomplish this in a number of ways, but my favorite is by sending anything that comes through my syslog filter to my Jabber client. As most of you probably know, Jabber is an open source instant messaging protocol supported by Linux clients such as GAIM and Kopete.

This hack works because it turns out that syslog has the ability to send or copy messages to a named pipe (or FIFO). A pipe in the Linux world is a lot like a pipe in a plumber's world: you send something in one end, and it comes out (or is accessible through) the other end. By this logic, you can see that if I can have warnings sent to a pipe, I should be able to attach to that pipe some form of faucet from which I can access those messages. This is exactly what we'll do. For example, to send only those messages that pertain to failed login attempts (auth.warning) to a named pipe, you'd put the following line in /etc/syslog.conf:

 auth.warning |/var/log/log-fifo 

With that in place, you next need to create the log-fifo named pipe, which you can do with the following command:

 # mkfifo /var/log/log-fifo 

The next time you restart your syslog daemon, messages will be sent to log-fifo. You can quickly test that it's working by running the following command and watching the output:

 # less -f /var/log/log-fifo 
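
The setup steps above can be wrapped in a small shell helper. This is an added example, not code from the book: it creates the FIFO without world access (auth messages carry usernames and source addresses) and audits every pipe target named in a syslog.conf. It assumes the classic `selector |/path` syntax shown above, the function names are illustrative, and group read is allowed on the assumption that the reader runs as a member of your admin group.

```shell
#!/bin/sh
# Added example (not from the book). Function names are illustrative.
# Assumes classic syslog.conf lines of the form:  selector |/path/to/fifo

# Print every path that a non-comment line uses as a "|pipe" action.
pipe_targets() {
    awk '!/^[ \t]*#/ && substr($NF, 1, 1) == "|" { print substr($NF, 2) }' "$1"
}

# Create the FIFO as rw-r----- or tighten an existing one.
# Refuse if the path is already something other than a FIFO.
make_log_fifo() {
    if [ -e "$1" ] && [ ! -p "$1" ]; then
        echo "refusing: $1 exists and is not a FIFO" >&2
        return 1
    fi
    if [ ! -p "$1" ]; then
        # umask in a subshell so the pipe is never created world-accessible
        ( umask 027 && mkfifo "$1" ) || return 1
    fi
    chmod 640 "$1"
}

# One line per pipe target: ok, missing, not-fifo, or loose-perms.
audit_pipes() {
    pipe_targets "$1" | while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            echo "missing $p"
        elif [ ! -p "$p" ]; then
            echo "not-fifo $p"
        else
            # First ten characters of ls -l: file type plus permission bits
            perms=$(ls -ld "$p" | cut -c1-10)
            case $perms in
                p??????---) echo "ok $p" ;;
                *)          echo "loose-perms $p ($perms)" ;;
            esac
        fi
    done
}

# Typical use, as root:
#   make_log_fifo /var/log/log-fifo && audit_pipes /etc/syslog.conf
```

Set the FIFO's group to your admin group with chgrp if the reading script will not run as the file's owner.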

To get these messages to an open Jabber client, you can have a script read from log-fifo, wrap each message in the appropriate XML, and send it off for routing to your target Jabber account. The script I use is a hacked-up version of DJ Adams's original jann Perl script and requires the Net::Jabber module, which is readily available for (if not already installed on) most distributions. I call it jann-log.

9.8.1. The Code

This script reads syslog output from a FIFO and forwards it as a Jabber message:

 #!/usr/bin/perl
 use Net::Jabber qw(Client);
 use strict;

 # Announce resources
 my %resource = (
   online => "/announce/online",
 );

 # Default options
 my %option = (
   server => "moocow:5222",
   user   => "admin",
   type   => "online",
 );

 # Default port if none specified
 $option{server} = "$option{server}:5222" unless $option{server} =~ /:/;

 # Ask for password if none given
 unless ($option{pass}) {
   print "Password: ";
   system "stty -echo";
   $option{pass} = <STDIN>;
   system "stty echo";
   chomp $option{pass};
   print "\n";
 }

 # Connect to Jabber server
 my ($host, $port) = split(":", $option{server}, 2);
 print "Connecting to $host:$port as $option{user}\n";
 my $c = new Net::Jabber::Client;
 $c->Connect(
   hostname => $host,
   port     => $port,
 ) or die "Cannot connect to Jabber server at $option{server}\n";

 # Authenticate; the first element of the result is "ok" on success
 my @result;
 eval {
   @result = $c->AuthSend(
     username => $option{user},
     password => $option{pass},
     resource => "GAIM",
   );
 };
 die "Cannot connect to Jabber server at $option{server}\n" if $@;
 if ($result[0] ne "ok") {
   die "Authorisation failed ($result[1]) for user $option{user} on $option{server}\n";
 }

 print "Sending $option{type} messages\n";

 # The message. Change the file name in this 'open' line to
 # the name of your fifo.
 open(STATUS, "cat /var/log/log-fifo 2>&1 |")
   || die "UGH: there's issues: $!";
 while (<STATUS>) {
   my $to = $host . $resource{$option{type}};
   # Build one <message> stanza per log line; subject and body sit inside it
   my $xml = qq[<message to="$to">];
   $xml .= qq[<subject>]
         . ($option{type} eq "online" ? "Admin Message" : "MOTD")
         . qq[</subject>];
   $xml .= qq[<body>];
   # Escape the log text so markup characters in it cannot break the stanza
   my $message = $_;
   $xml .= XML::Stream::EscapeXML($message);
   $xml .= qq[</body>];
   $xml .= qq[</message>];
   $c->SendXML($xml);
   print $xml;
 }

9.8.2. Running the Code

Put this script in a location accessible only to you and/or your admin team (for example, /var/local/adm/bin/jann-log) and change the permissions so that the script is writable and executable only by your admin group. Then open up a Jabber client on your desktop and connect to your Jabber server. Once that's done, run the script. It should confirm that it has connected to the Jabber server and is awaiting messages from the FIFO.

A simple way to test your auth.warning facility on the server where jann-log is listening for messages is to SSH to the host and purposely use the wrong password to try to log in.



Linux Server Hacks (Vol. 2)