Filtering a Screen's logs employs a common filtering mechanism and language, regardless of the context in which it is used, that is embodied in the logdump command. logdump is based on, and is a superset of, the snoop program, which is provided with the standard Solaris operating system platform.
logdump can be used on an Administration Station to filter and inspect logs during active retrieval or on logs previously retrieved and stored. In conjunction with the logmacro facility, pre-defined filters can be employed to simplify and regularize routine log processing tasks.
The general usage for logdump is as a sub-command of ssadm. ssadm provides character-set translation between strings embedded in log events and the local character set of the Solaris system on which it runs.
Reminder: although logdump is used directly as an ssadm sub-command, all other places in SunScreen where log filtering is allowed employ the same filter specification language. Hence, examples in this manual section should be viewed as prototypical of these other usage contexts.
Nominally, logdump input is either a log record stream directly from a possibly remote Screen, or captured log records from a file. This source of input is specified by the -i option.
The following is an example of what you type to process (piped-in) records from the standard input:
% ssadm -r Screen log get | ssadm logdump -i- [output args ...] [filter args ...]
The following is an example of what you type to process local file log record input:
% ssadm logdump -i locallogfile [output args ...] [filter args ...]
logdump fundamentally outputs either a stream of log records, or readable text in various formats (after applying specified filters).
The presence of the -o option causes (binary) log records to be produced, for example:
% ... ssadm logdump -iinput_arg -o- [filter args ...] | ...
or:
% ... ssadm logdump -iinput_arg -olocallogfile [filter args ...]
To output readable text, omit the -o option.
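The following wrapper is an added example, not a script from the SunScreen manual or product: it composes the logdump invocation forms described above (live retrieval piped through -i-, binary storage with -o, text rendering from a stored file, and a two-stage logdump chain) so that a log is retrieved from the Screen once and then rendered several ways offline. The function names, the DRYRUN variable, the file path /var/tmp/screen.log and the snoop-style filter expressions are this example's own assumptions; the ssadm command lines follow the forms shown in the text.

```shell
#!/bin/sh
# Added example (not SunScreen's own code): compose logdump pipelines in the
# forms documented above. Function names, DRYRUN, the file path and the
# filter expressions are assumptions made for this illustration.

# Pipeline that retrieves the live log from the named Screen, applies the
# filter expression (remaining arguments), and stores binary records in
# the given file so later renderings can work from that stored copy.
logdump_fetch_cmd() {
    screen=$1; outfile=$2; shift 2
    printf '%s' "ssadm -r $screen log get | ssadm logdump -i- -o$outfile $*"
}

# Command that renders a stored log file as text (no -o), using the given
# snoop-style formatting option (for example -v) and filter expression.
logdump_render_cmd() {
    infile=$1; fmt=$2; shift 2
    printf '%s' "ssadm logdump -i $infile $fmt $*"
}

# Two-stage chain: the first logdump narrows the stored file to a binary
# record stream on stdout (-o-), the second consumes that stream on stdin
# (-i-) and renders it as text. This is the pipeable processing that
# snoop alone does not offer.
logdump_chain_cmd() {
    infile=$1; first=$2; second=$3
    printf '%s' "ssadm logdump -i $infile -o- $first | ssadm logdump -i- -V $second"
}

# Run a composed command, or only print it when DRYRUN=1 (for example on
# a host without ssadm, to review the pipeline before using it).
run_or_show() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

# Usage: fetch once, then render twice from the stored copy. The filter
# expressions ('port 80', 'host 192.0.2.10') are constructed placeholders
# in snoop syntax; DRYRUN defaults to 1 here so the script is safe to read.
DRYRUN=${DRYRUN:-1}
run_or_show "$(logdump_fetch_cmd Screen /var/tmp/screen.log 'port 80')"
run_or_show "$(logdump_render_cmd /var/tmp/screen.log -v 'host 192.0.2.10')"
run_or_show "$(logdump_chain_cmd /var/tmp/screen.log 'port 80' 'host 192.0.2.10')"
```

Set DRYRUN=0 on an Administration Station that has ssadm to actually run the composed pipelines; storing the binary records once with -o and rendering from the file avoids repeated retrieval from the Screen for each view of the same data.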
The formatting options for readable text are common to snoop; these are -v, -V, -t[r|a|d], and -xoffset[,length].
logdump is an extension of the standard snoop packet monitoring tool provided with the Solaris operating system. In general, any expertise in the use of snoop is directly applicable to use of logdump.
The facilities of logdump that are common to snoop are not detailed here; refer to the ssadm-logdump(1m) man page.
logdump has been extended to provide for the special additional needs of the SunScreen system. These extensions are summarized as:
Extensions to the format of network packets logged:
    inclusion of the interface on which logged packets arrive
    inclusion of the reason (why) packets are logged
Provisions for SUMMARY logging (wherein only a size-limited packet preamble is logged)
Logging of network packets on routing mode (ROUTING) interfaces removes the MAC-layer header
Addition of session- and extended-log events (previously described)
Enforcement and synthesis of unique timestamps
True filter (pipeable) processing (standard snoop can process a captured packet stream, or produce a captured packet stream, but not both -- logdump allows both)
Addition of filtering operators for selection of various log event types (loglvl), event severity (logsev), logging program component (logapp), packet log interface (logiface), and packet log reason (logwhy)
Addition of range operands for IP addresses and port numbers to mirror the semantics of SunScreen address objects
Display of SKIP packet encapsulations
Display of all extensions listed above
logdump is also fundamentally different from snoop in that it is not involved in decisions about what SunScreen logs (the rules and variables previously described provide this control). Rather, logdump serves only as a means to post-process log file content. (snoop, by contrast, is often used to filter network input during capture or direct display.)
SunScreen logs and snoop capture files are not interoperable.