Difference between revisions of "Multitail"

From WTFwiki
(→‎ntsyslog: quick additions for authentication failures, service name highlight (blue/bold))
(Added ra/argus colorscheme)

Revision as of 18:54, 23 January 2007

Multitail Color Schemes

Multitail allows you to color lines in a couple of ways:

  • cs_re - colors the *entire* match of the regexp
  • cs_re_s - colors only the substrings matched by the regexp's subpatterns (the parenthesised groups)
  • cs_re_val_bigger - like cs_re_s, but with a numeric threshold inserted before the regexp; the color is applied only when the matched number is bigger than that threshold (the ra scheme below uses it to flag byte counts above 20000)

The available colors are red, green, yellow, blue, magenta, cyan and white. Additionally you can specify a background color and an attribute using the format [fg-color][,bg-color][,attribute]; a field left empty keeps the terminal default.

The attributes I have found to work are bold, underline and inverse. The example config uses blink, but that attribute does not work in my terminal. Additional valid attributes may be lurking in the source.

Some examples:

  • red - simply make the text red
  • red,blue - red text on a blue background
  • red,,bold - bold red text (the empty middle field leaves the background at its default)
  • ,blue - default text color on a blue background
  • ,blue,bold - default text color on a blue background, bold
  • ,,bold - bold text

pflog

Colors tcpdump output read from pf's pflog interface. The comment on the first line is the multitail command: -cS selects this colorscheme, -l runs the given command and tails its output.

 # multitail -cS pflog -l 'tcpdump -n -s0 -i pflog0'
 colorscheme:pflog:pflog
 cs_re:cyan:^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+\
 cs_re:green:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
 cs_re_s:yellow:....(\.[0-9]+):\
 cs_re_s:yellow:....(\.[0-9]+\ )
 cs_re_s:magenta::\ (.*),\
 cs_re:red:\ [SRPF]\
 cs_re_s:red:length\: (.*)$


ntsyslog

 #
 # Windows (NTsyslog)
 colorscheme:ntsyslog:Windows NTsyslog
 cs_re:cyan:^[A-Z][a-z][a-z]\ [0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\
 cs_re_s:magenta:...:[0-9][0-9]\ ([A-Za-z0-9]+)
 cs_re_s:green:...\[(info)\]
 cs_re_s:yellow:...\[(warning)\]
 cs_re_s:red:...\[(failure)\]
 cs_re_s:red:...\[(error)\]
 cs_re:red:Logon\ Failure
 cs_re_s:red:User\ Name:([A-Za-z0-9]+)\ \
 cs_re_s:red:Workstation\ Name:([A-Za-z0-9]+)
 cs_re_s:blue,,bold:...:[0-9][0-9]\ [A-Za-z0-9]+\ ([-A-Za-z0-9_ ]+)

ra (Argus)

This colorscheme is more involved. Because of a limitation in multitail, the rules are split into one group per protocol (ICMP, TCP and UDP). Each group has a rule to highlight the port numbers (except for ICMP, which has none), a cs_re_val_bigger rule that turns the byte count red when it is bigger than 20000, and rules that color the direction markers (<-, <?, <->, ?> and ->). The last set of rules sets the background color for the entire line. Multitail does not allow a later rule to overwrite a background color set by an earlier rule, so every rule in a group has to carry the same background color as that protocol's whole-line rule; that is why three groups of otherwise identical rules are needed, differing only in their background color.

 #
 # ra (argus)
 colorscheme:ra:ra
 #ICMP
 cs_re_val_bigger:red,cyan:20000:.*icmp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
 cs_re_s:magenta,cyan,bold:.*icmp.*(<->)
 cs_re_s:blue,cyan,bold:.*icmp.*(<[-?]) 
 cs_re_s:yellow,cyan,bold:.*icmp.* ([-?]>)
 #TCP
 cs_re_s:,blue,bold:.*tcp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
 cs_re_val_bigger:red,blue,bold:20000:.*tcp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
 cs_re_s:magenta,blue,bold:.*tcp.*(<->)
 cs_re_s:cyan,blue,bold:.*tcp.*(<[-?]) 
 cs_re_s:yellow,blue,bold:.*tcp.* ([-?]>)
 #UDP
 cs_re_s:,green,bold:.*udp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
 cs_re_val_bigger:red,green,bold:20000:.*udp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
 cs_re_s:magenta,green,bold:.*udp.*(<->)
 cs_re_s:cyan,green,bold:.*udp.*(<[-?]) 
 cs_re_s:yellow,green,bold:.*udp.* ([-?]>)
 #background coloring
 cs_re:,blue:.*tcp.*
 cs_re:,green:.*udp.*
 cs_re:,cyan:.*icmp.*
 cs_re:,,inverse:.*man.*