Monitors a syslog file or pipe for events and generates tokens out of them. Note that this module reads the file right from the top.

Configuration Tokens:

logifile: Path to file that syslogd writes to. syslog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file. debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

date: Date and time of syslog event
node: Hostname where event came from
desc: Description of event

Continuously polls netcool for new events. Can be used to feed to file or database.

Configuration Tokens:

server: Server Name (NCOMS)
username: Login username (only set if using secure mode)
password: Login password (only set if using secure mode)
sybasehome: Path to FreeTDS home dir. Usually /opt/looper/freetds.
sleeptime: Seconds to sleep before checking for updates.
filter: Netcool gateway style filter (eg., Type = 1 AND Node = 'prometheus')
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

This module populates the %inputTokens hash with field/value pairs from the database.

Monitors the Apache HTTP error_log file for events and returns tokens related to the event.

Configuration Tokens:

logifile: Path to file that Apache writes to. apacheerrorlog_in reads and parses this file.
sleeptime: Seconds to sleep before checking for updates.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file. debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

date: Date and time of error event
level: Error level
desc: Description of error
client: Client IP address (if available)

A concurrent forking socket server that listens for Token / Value information on the specified port and feeds it into Looper.

Configuration Tokens:

port: Listen port allow: Comma separated regexes of allowed IP addresses. Set to '*' for any. Eg. '127.0.0.1, 192.168.1.2'
lockfile: Lock file to use for concurrent event feeds; if unset defaults to '/tmp/socket_in.lock'
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

_host: Hostname:Port of received event
This is followed token value pairs depending on what is received by the socket server.

Monitors a file for new log entries and sends the line to Looper based on a regex match.

Configuration Tokens:

logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file. debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

line: The entire matched line.

Monitors a Snort IDS CSV file or pipe. Make sure the the line "output alert_CSV: /path/to/file default" is set in your snort rules file.

Configuration Tokens:

logfile: File name
pipe: set to '1' if reading from a named pipe.
reopen_pipe: set to '1' if pipe should be reopened after a process disconnects from it.
sleeptime: Block time for reads
tailstyle: Specifies when to start reading the file. '0' for end of file, 'n' for a number of lines before the end, or a negative number to read the whole file. regexp: Regular expression which is applied every time an entry is received; only matching lines are fed to Looper.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Generated Tokens:

src, srcport, dst, dstport, id, msg etc. etc. See snort manual section "CSV output" for a list and description of the tokens.

snmptrap_out : SNMP Writer / Forwarder / Exploder

Used to generate SNMP traps. Traps can be user-defined, or forwarded in the raw using the 'rawtrap' token.

Configuration Tokens:

managementstation: Station to send traps to.
port: UDP port number (162)
community: Community name
debugmode: Debug Level
debugmessages: Path to file to log debug messages
rawmode: Set to '1' to ignore all tokens and process in "RAW" mode. Useful for trap forwarding. Ripe mode tokens are ignored. See the sample trapfwd conf and rules files for examples.(v0.6 and higher)

RIPE mode configuration tokens: agentaddress: Local agent IP address
enterprise: Private enterprise number (1.3.6.1.4.1.xxx)
varbindoids: Varbind OID prefix
varbinddelimeter: Delimeter to use in varbind token

Output Tokens:

RIPE Mode:
generictrap: Generic trap number
specifictrap: Specific trap number
varbinds: Varbinds delimeted by varbinddelimeter.

RAW Mode:
rawtrap: Base64 encoded raw trap data. enhancetrap: Additional (string) data to add to the varbinds. This is used to enhance the raw trap with additional information.

socket_out : TCP/IP socket writer

Sends Token / Value information to a remote socket reader.

Configuration Tokens:

host: Hostname to connect to.
port: Port number.
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token / value pairs are forwarded.

email_out : E-Mail Gateway

Sends e-mail to the specified user based on token information.

Configuration Tokens:

mailpath: Path to mailer (/bin/mail)
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

mailto: Address of recipient. mailsubject: Subject Text. mailbody: Rest of e-mail.

Sends log events to the local syslog daemon.

Configuration Tokens:

ident: Identifying string in log file (looper).
facility: Syslog facility (local7).
logopt: Comma separated log options. Defaults to "pid, cons".
sockettype: Socket type (unix). debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

priority: Syslog priority. text: Log Text.

Updates mysql database with log events. The database maintains realtime status information of the network (similar to looperdb, netcool etc.). The required schema is in conf/mysql/create_db.sql. The mechanism used to insert / update / correlate / prevent duplicate events in the database is similar to what is used by looperdb and Netcool.

Configuration Tokens:

host: Hostname or IP address of MySQL host.
port: MySQL listen port address (3306).
database: Database name (netmanager).
statetable: Table name (events_state).
username: User Name (nmuser).
password: Password (nmuser).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Include all fields required for insertion / update in the hash. See schema for more details.

__update__: Comma separated list of fields for which updates are forced.

Updates a logfile with event information. Useful debugging aid.

Configuration Tokens:

filename: Path to file.
append: Set to 1 to append to the file (as opposed to overwriting existing file.)
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token/value pairs are written directly to the file.

Sends events to LooperDB.

Configuration Tokens:

host: IP address or hostname of LooperDB server.
port: Port on which stunnel is listening and forwarding events to LooperDB.
user: Username (system).
password: Password (buggeroff).
debugmode: Debug Level
debugmessages: Path to file to log debug messages

Output Tokens:

Any token/value pairs are sent as field value pairs to LooperDB.