Difference between revisions of "Multitail"
Latest revision as of 10:43, 15 January 2013
Multitail
- See the author's official page at http://www.vanheusden.com/multitail/ to get multitail.
Multitail Color Schemes
Multitail allows you to color lines in a couple of ways:
- cs_re - colors the *entire* match of the regexp
- cs_re_s - colors only the substrings matched by the parenthesised subpatterns (capture groups)
The available colors are red, green, yellow, blue, magenta, cyan and white (the Argus schemes below also use black). Additionally you can specify a background color and an attribute using the format [fg-color][,bg-color][,attribute]; an empty field keeps the terminal default.
The attributes I have found to work are bold, underline and inverse. The example config uses blink, but that attribute does not work in my terminal; additional valid attributes may be lurking in the source.
Some examples:
- red - simply make the text red
- red,blue - red text on a blue background
- red,,bold - bold red text (the empty middle field leaves the background at its default)
- ,blue - default text color on a blue background
- ,blue,bold - default text color on a blue background, bold
- ,,bold - bold text
pflog
For tcpdump output read from pf's logging interface (pflog0); the command in the first comment line runs it.
# multitail -cS pflog -l 'tcpdump -n -s0 -i pflog0'
colorscheme:pflog:pflog
cs_re:cyan:^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+\ 
cs_re:green:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
cs_re_s:yellow:....(\.[0-9]+):\ 
cs_re_s:yellow:....(\.[0-9]+\ )
cs_re_s:magenta::\ (.*),\ 
cs_re:red:\ [SRPF]\ 
cs_re_s:red:length\: (.*)$
ntsyslog
For Windows event log lines forwarded by NTsyslog: the bracketed severity is colored by level, and failed logons are flagged in red together with the account and workstation names they carry.
#
# Windows (NTsyslog)
colorscheme:ntsyslog:Windows NTsyslog
cs_re:cyan:^[A-Z][a-z][a-z]\ [0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\ 
cs_re_s:magenta:...:[0-9][0-9]\ ([A-Za-z0-9]+)
cs_re_s:green:...\[(info)\]
cs_re_s:yellow:...\[(warning)\]
cs_re_s:red:...\[(failure)\]
cs_re_s:red:...\[(error)\]
cs_re:red:Logon\ Failure
cs_re_s:red:User\ Name:([A-Za-z0-9]+)\ \ 
cs_re_s:red:Workstation\ Name:([A-Za-z0-9]+)
cs_re_s:blue,,bold:...:[0-9][0-9]\ [A-Za-z0-9]+\ ([-A-Za-z0-9_ ]+)
ra (Argus)
This colorscheme is more involved. Because of a limitation in older multitail versions, the rules are split into one group per protocol. Each group contains a rule that highlights the port numbers (omitted for ICMP, which has none), a rule that turns the byte count red when it exceeds 20,000, and rules that color the direction markers (<-, <?, <->, ?> and ->). The last set of rules sets the background color for the entire line. Multitail does not let a later rule overwrite the background color set by an earlier one, so every highlighting rule has to carry its protocol's background color itself; that is why three groups of rules that do the same thing except for the background color are needed.
NOTE: these problems were addressed by Folkert van Heusden (the multitail author) after he somehow found this page. Many thanks to him for writing a solution and letting me test it for him.
This colorscheme is in production use at a medium-sized facility; see the Argus page for more info.
This first variant is for displays with good color separation; on an average display the colors run together, so use the next one instead.
#
# multitail -cS ra -l 'ra -n -S localhost'
#
# ra (argus)
colorscheme:ra:ra
#ICMP
cs_re_val_bigger:red,cyan:20000:.*icmp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,cyan,bold:.*icmp.*(<->)
cs_re_s:blue,cyan,bold:.*icmp.*(<[-?])
cs_re_s:yellow,cyan,bold:.*icmp.* ([-?]>)
#TCP
cs_re_s:,blue,bold:.*tcp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,blue,bold:20000:.*tcp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,blue,bold:.*tcp.*(<->)
cs_re_s:cyan,blue,bold:.*tcp.*(<[-?])
cs_re_s:yellow,blue,bold:.*tcp.* ([-?]>)
#UDP
cs_re_s:,green,bold:.*udp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,green,bold:20000:.*udp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,green,bold:.*udp.*(<->)
cs_re_s:cyan,green,bold:.*udp.*(<[-?])
cs_re_s:yellow,green,bold:.*udp.* ([-?]>)
#background coloring
cs_re:,blue:.*tcp.*
cs_re:,green:.*udp.*
cs_re:,cyan:.*icmp.*
cs_re:,,inverse:.*man.*
This one is high-contrast:
#
# ra (argus) (jon)
colorscheme:ra:ra
#ICMP
cs_re_val_bigger:red,black:20000:.*icmp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,black,bold:.*icmp.*(<->)
cs_re_s:blue,black,bold:.*icmp.*(<[-?])
cs_re_s:yellow,black,bold:.*icmp.* ([-?]>)
#TCP
cs_re_s:,blue,bold:.*tcp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,blue,bold:20000:.*tcp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,blue,bold:.*tcp.*(<->)
cs_re_s:cyan,blue,bold:.*tcp.*(<[-?])
cs_re_s:yellow,blue,bold:.*tcp.* ([-?]>)
#UDP
cs_re_s:,magenta,bold:.*udp.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,magenta,bold:20000:.*udp.*([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:green,magenta,bold:.*udp.*(<->)
cs_re_s:cyan,magenta,bold:.*udp.*(<[-?])
cs_re_s:yellow,magenta,bold:.*udp.* ([-?]>)
#background coloring
cs_re:,blue:.*tcp.*
cs_re:,magenta:.*udp.*
cs_re:,black:.*icmp.*
cs_re:,,inverse:.*man.*
This one needs multitail >= 4.3.6 for the mcsre keyword (the solution mentioned in the note above). An mcsre rule merges its colors into text that earlier rules have already colored instead of being blocked by them, so the whole-line background can be applied last in one place and the highlighting rules no longer have to be repeated per protocol:
#
# ra (argus)
colorscheme:ra:argus
cs_re_s:,,bold:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,,bold:20000:([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,,bold: (<->)
cs_re_s:cyan,,bold: (<[-?] )
cs_re_s:yellow,,bold: ([-?]>)
mcsre:,blue:.*tcp.*
mcsre:,green:.*udp.*
mcsre:,cyan:.*icmp.*
mcsre:,,inverse:.*man.*
This one is for black-background/grey-foreground terminals (fairly good contrast) and also needs multitail >= 4.3.6; it additionally catches ipv6-icmp records, which ra prints truncated as ipv6-i:
#
# Argus
colorscheme:argus:Argus http://qosient.com/argus/
cs_re_s:,,bold:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,,bold:20000:([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,,bold: (<->)
cs_re_s:cyan,,bold: (<[-?] )
cs_re_s:yellow,,bold: ([-?]>)
mcsre:,blue:.*tcp.*
mcsre:black,green:.*udp.*
mcsre:black,cyan:.*(icmp|ipv6-i).*
mcsre:,,inverse:.*man.*
qmail
This one highlights delivery results in a multilog-managed qmail-send log: success: lines turn green and deferral: lines red. qmail-send's third outcome, failure:, is not matched by this scheme.
Run like this (the -e 'delivery' option makes multitail show only lines matching that regexp, so everything except the delivery lines is hidden):
$ multitail -cS qmaildelivery -e 'delivery' -f current
#
# qmail delivery nonsense
colorscheme:qmaildelivery:qmail delivery lines
cs_re:green:success\:
cs_re:red:deferral\:
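The sections above describe the colorscheme syntax ([fg][,bg][,attribute], cs_re versus cs_re_s) and the ra scheme's rules (port highlighting, the 20,000-byte threshold, direction markers, mcsre backgrounds), but the only way to know whether a regexp matches what you think it does is to run it against real lines. Below is an added example written for this page, not code from multitail or its author: a Python dry run that parses rules in multitail.conf syntax and applies them to sample lines, reporting which spans end up in which colors. It covers the >= 4.3.6 argus scheme and the qmaildelivery scheme above. The matching model (how cs_re, cs_re_s, cs_re_val_bigger and mcsre paint a line, and that an earlier cs_re* rule blocks a later one) is my reading of what this page describes, not multitail's implementation; the function names (parse_scheme, colored_spans and friends) are mine, and the ra and qmail-send sample lines are constructed, not captured.

```python
"""Dry-run checker for multitail colorscheme rules (added example, not multitail code).

Matching model, my reading of what this page describes (an assumption): cs_re colors the
whole match, cs_re_s each capture group, cs_re_val_bigger a group whose integer value
exceeds the threshold, and mcsre fills in colors still unset on the matched text; text
already colored by a cs_re* rule is left alone by later cs_re* rules.
"""
import re
from collections import namedtuple

COLORS = {"black", "red", "green", "yellow", "blue", "magenta", "cyan", "white"}

# kind is cs_re, cs_re_s, cs_re_val_bigger or mcsre; threshold only matters for cs_re_val_bigger
Rule = namedtuple("Rule", "kind fg bg attr regex threshold", defaults=(0,))


def parse_color(spec):
    """Split '[fg][,bg][,attribute]' into three fields, rejecting unknown color names."""
    fg, bg, attr = (spec.split(",") + ["", ""])[:3]
    if any(c and c not in COLORS for c in (fg, bg)):
        raise ValueError(f"bad color spec {spec!r}")
    return fg, bg, attr


def parse_scheme(conf, name):
    """Return the rules of colorscheme `name` from multitail.conf-style text."""
    rules, current = [], None
    for raw in conf.splitlines():
        line = raw.lstrip()                    # keep trailing '\ ' escapes intact
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        if key == "colorscheme":               # colorscheme:<name>:<description>
            current = rest.split(":", 1)[0]
        elif current != name:
            continue
        elif key == "cs_re_val_bigger":        # cs_re_val_bigger:<color>:<value>:<regexp>
            color, threshold, regex = rest.split(":", 2)
            rules.append(Rule(key, *parse_color(color), re.compile(regex), int(threshold)))
        elif key in ("cs_re", "cs_re_s", "mcsre"):
            color, regex = rest.split(":", 1)  # the regexp itself may contain ':'
            rules.append(Rule(key, *parse_color(color), re.compile(regex)))
        else:
            raise ValueError(f"unsupported keyword {key!r}")
    return rules


def colorize(line, rules):
    """Return one (fg, bg, attr) tuple per character of `line`."""
    cells, touched = [("", "", "")] * len(line), [False] * len(line)

    def paint(start, end, rule):
        for i in range(start, end):
            fg, bg, attr = cells[i]
            if rule.kind == "mcsre":           # merge: fill in only what is still unset
                cells[i] = (fg or rule.fg, bg or rule.bg, attr or rule.attr)
            elif not touched[i]:               # first cs_re* rule to reach a cell wins
                cells[i], touched[i] = (rule.fg, rule.bg, rule.attr), True

    for rule in rules:
        whole = rule.kind in ("cs_re", "mcsre")
        for m in rule.regex.finditer(line):
            for g in ([0] if whole else range(1, rule.regex.groups + 1)):
                if m.start(g) < 0:             # group did not take part in this match
                    continue
                if rule.kind == "cs_re_val_bigger" and int(m.group(g)) <= rule.threshold:
                    continue
                paint(m.start(g), m.end(g), rule)
    return cells


def colored_spans(line, rules):
    """Collapse per-character colors into (text, 'fg,bg,attr') runs, dropping plain text."""
    cells, out, i = colorize(line, rules), [], 0
    while i < len(line):
        j = i + 1
        while j < len(line) and cells[j] == cells[i]:
            j += 1
        if cells[i] != ("", "", ""):
            out.append((line[i:j], ",".join(cells[i])))
        i = j
    return out


# The >= 4.3.6 argus scheme and the qmaildelivery scheme, copied from this page.
SCHEME_CONF = r"""
colorscheme:argus:Argus http://qosient.com/argus/
cs_re_s:,,bold:[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+).*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+)
cs_re_val_bigger:red,,bold:20000:([0-9]+)[ ]+([0-9]+)[ ]+[A-Z][A-Z][A-Z]
cs_re_s:magenta,,bold: (<->)
cs_re_s:cyan,,bold: (<[-?] )
cs_re_s:yellow,,bold: ([-?]>)
mcsre:,blue:.*tcp.*
mcsre:black,green:.*udp.*
mcsre:black,cyan:.*(icmp|ipv6-i).*
mcsre:,,inverse:.*man.*
colorscheme:qmaildelivery:qmail delivery lines
cs_re:green:success\:
cs_re:red:deferral\:
"""

# Constructed samples shaped like 'ra -n' and qmail-send/multilog output, not real captures.
RA_TCP = "15:44:22.123456  e        tcp      10.0.0.5.51234    ->   192.168.1.10.443    12   24561   FIN"
RA_UDP = "15:44:23.001122  e        udp      10.0.0.5.40000   <->   10.0.0.53.53         2     312   CON"
QMAIL_OK = "@400000004f1a2b3c1d2e3f40 delivery 17: success: did_0+0+1/"
QMAIL_DEF = "@400000004f1a2b3c1d2e3f41 delivery 18: deferral: Connected_to_192.0.2.10_but_greeting_failed./"

if __name__ == "__main__":
    for sample in (RA_TCP, RA_UDP):
        print(colored_spans(sample, parse_scheme(SCHEME_CONF, "argus")))
```

For the TCP sample this reports the ports bold on blue, the 24561-byte count red on blue and the -> marker yellow on blue, with the rest of the line carrying only the blue background. Swapping the final mcsre rules for cs_re ones reproduces the pre-4.3.6 problem in the dry run: the port numbers, already bold from the first rule, no longer pick up the line background, which is exactly why the older schemes above repeat the background color in every rule.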