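#!/bin/bash
#
# Version: 2.0
# Date: 19-01-2015
# Enhanced by: Paul van der Westhuizen
#
# Logmon.sh
# This script is designed to monitor error log files,
# and if any new lines are found, to email these to a chosen address
#
# I'm pretty sure I got part of this script from someone else,
# but I can't remember from whom, sorry.
#
# v2.0 Added ability to strip junk so as to reduce number of log reports
#
# How it works: for every monitored file a "<file>.last" sidecar stores the
# line count seen on the previous run; every line beyond that count is
# mailed. A file that shrank since the last run is assumed to have been
# rotated and the count restarts at 0.
#
# TODO:
# Variables
# To monitor more files add another entry to the MONFILES list.
# All files in the MONDIRS array will be monitored.
FROM="email@example.com"
NOTIFY="email@example.com"
#MONDIRS[1]=""
#get successful logins, failed attempts caught by fail2ban
# Note: this regenerates sshd.log from auth.log on every run.
grep "sshd:session" /var/log/auth.log > /var/log/sshd.log
MONFILES[0]="/var/log/sshd.log"
MONFILES[2]="/var/log/mysql/error.log"
# Regex string run by sed against log files. Can be used to strip junk from log.
# The expressions are applied to a scratch copy of each log (see below);
# the log file on disk is never rewritten.
REGEXES[1]="/File\ does\ not\ exist/d"
REGEXES[2]="/request[ ]without[ ]hostname/d"
REGEXES[3]="/Invalid URI in request/d"
REGEXES[4]="/request failed\: error reading the headers/d"
REGEXES[5]="/does NOT match server name\!\?/d"
#REGEXES[2]="/^n/d"
###############################
## Do not modify below here. ##
###############################
# Scratch file that receives the filtered view of each log. One unpredictable
# temp file for the whole run, removed on any exit path.
SCRATCH=$(mktemp) || { echo "logmon: mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$SCRATCH"' EXIT
# get all the files in dirs
# we'll only check files modified in the last 24hours.
# this extra leeway allows for this script missing certain
# regular intervals due to server failure, etc.
dirfiles=()
for DIR in "${MONDIRS[@]}"; do
  # NUL-delimited read so names with spaces survive; "+=" so every directory
  # contributes (a plain assignment kept only the last DIR's files).
  while IFS= read -r -d '' f; do
    dirfiles+=("$f")
  done < <(find "$DIR" -type f -name "*php" -mtime -1 -print0)
  # clean up old junk
  find "$DIR" -type f -name "*body" -mtime +1 -exec rm -f -- {} +
  find "$DIR" -type f -name "*last" -mtime +1 -exec rm -f -- {} +
done
FILES=( "${dirfiles[@]}" "${MONFILES[@]}" )
# Loop-invariant; computed once rather than per file.
HOSTNAME=$(hostname)
DATE=$(date)
# Build the sed argument list once. Iterating over the indexes that actually
# exist means a sparse or 0-based REGEXES array cannot skip an entry (the old
# 1..N counter silently ignored index 0 and stopped early on gaps).
SEDARGS=()
for r in "${!REGEXES[@]}"; do
  SEDARGS+=(-e "${REGEXES[$r]}")
done
# process the files
for FILE in "${FILES[@]}"; do
  LASTFILE="$FILE.last"
  BODY="$FILE.body"
  if [ ! -e "$FILE" ]; then # Check if file exists.
    touch -- "$FILE"
    continue # On to next.
  fi
  # Filter into the scratch copy instead of "sed -i" on the live log:
  # in-place editing swaps the inode underneath a daemon that still holds the
  # old one open (its later writes go to the unlinked file and are lost) and
  # permanently deletes the matching lines from the system log.
  if [ "${#SEDARGS[@]}" -gt 0 ]; then
    sed "${SEDARGS[@]}" "$FILE" > "$SCRATCH"
  else
    cat "$FILE" > "$SCRATCH"
  fi
  # Keep a count of number of lines
  # If file length reduces then we assume logrotate and reset our count back to 0
  CURLENGTH=$(( $(wc -l < "$SCRATCH") ))
  touch -- "$LASTFILE"
  LASTLENGTH=$(<"$LASTFILE")
  # Empty or corrupted sidecar -> start from 0 instead of failing the -lt test.
  [[ "$LASTLENGTH" =~ ^[0-9]+$ ]] || LASTLENGTH=0
  if [ "$CURLENGTH" -lt "$LASTLENGTH" ]; then
    # File is smaller than last time we processed, assume logrotate and we will start from 0
    LASTLENGTH=0
  fi
  TAIL=$(( CURLENGTH - LASTLENGTH ))
  # Generate the body for our alert email.
  # Header values must stay on one line: a file name (these can come from
  # find) containing CR/LF would otherwise inject extra headers into the
  # message that "sendmail -t" reads recipients from.
  SAFEFILE=${FILE//[$'\r\n']/ }
  # Subshell umask so a newly created body file (it holds log excerpts) is
  # not world-readable; the umask does not leak into later commands.
  (
    umask 077
    {
      echo "From: $FROM"
      echo "To: $NOTIFY"
      echo "Subject: ALERT: $TAIL new entries found in $SAFEFILE on $HOSTNAME at $DATE"
      echo ""
      echo "$TAIL new entries found in $FILE on $HOSTNAME at $DATE"
      echo
      tail -n "$TAIL" "$SCRATCH"
      echo ""
    } > "$BODY"
  )
  # Email $BODY to $NOTIFY if there have been any changes
  if [ "$TAIL" -ne 0 ]; then
    /usr/sbin/sendmail -t < "$BODY"
  fi
  # Now reset the last known log position
  echo "$CURLENGTH" > "$LASTFILE"
done
exit 0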