NAME
petit - log analysis tool for systems administrators
SYNOPSIS
petit [OPTION] [FILE]
DESCRIPTION
petit was developed to quickly analyze syslog and Apache log files in
  large environments. It can also be used for word discovery within log data. It
  is a general purpose tool that can do hashing, word counts, and command line
  graphing of Apache and syslog files. It is designed to be a standard Unix tool
  that can be employed with pipes or by opening files. Petit works by sifting
  data with standard patterns and allows for custom filters and fingerprints.
  This leaves the analyst with data that is both varied and interesting.
 
FILE can be a Syslog, Apache Access, Apache Error, Snort or Raw log file.
  Petit can also analyze any other type of file as a Raw log file, but since
  the time/date fields are not understood in that case, such files cannot be
  graphed.
OPTIONS
  -h, --help
      Displays a simple usage message.

  -v, --verbose
      Adds verbose output to any function.

  --sample
      Sample any line for which 3 or fewer entries are found.

  --allsample
      Show samples for all lines found.

  --filter
      Force filter files to be used during processing, because some functions
      do not filter by default.

  --nofilter
      Force filter files to be skipped during processing. This works for any
      function.

  --wide
      Make graphs wider for bigger screens.

  --tick="%"
      Change the tick character from the default of "#". This can be any
      single character.

  --fingerprint
      Use fingerprinting to remove certain patterns from analysis. By default
      this is off for most or all functions. This is a safety feature to
      prevent an analyst from removing data without using an explicit switch.

  -V, --version
      Display the version of petit and exit.

  --hash
      This is one of the most basic functions of petit. It tallies the lines
      found: each output line displays the number of similar lines found in the
      log and what the group generally looked like. If filtering is used in
      conjunction with hashing, numbers and patterns which are commonly found
      and not profoundly necessary are removed from the input stream. This
      leaves the analyst with approximate log entries as opposed to actual log
      entries, which is useful for analyzing the large log sets commonly found
      in clusters/pools of servers.

  --wordcount
      Word counting is essentially like hashing except that data is grouped by
      word instead of by line. A custom stopwords list is used to filter out
      common words found in the English language. A common use case for this
      function is word discovery: when used in connection with grep or swatch,
      word counting can enumerate all of the words found in a log file which
      have similar meanings, such as "error", "can't", "fail", "reject", etc.

      This is extremely useful for giving confidence when building white lists
      and black lists. These lists can then be used for daily reporting or
      graphing for anomaly detection.

  --daemon
      Gives a simple report of lines produced, keyed by the daemon that
      produced them.

  --host
      Gives a simple report of lines produced, keyed by the host that produced
      them. This can be useful for analyzing machines in a cluster dedicated to
      the same task: if one machine is producing too much or too little log
      output there is generally a problem.
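To illustrate what --hash does when filters are applied, here is an added example written for this page (not petit's own implementation): it normalizes constructed syslog lines with a hypothetical filter list in the spirit of /var/lib/petit/filters/ and tallies the resulting groups, so that lines differing only in timestamp, host, PID, address or port collapse into one approximate entry.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not from any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:09 web02 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51100 ssh2
Mar  3 10:02:15 web01 sshd[1250]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Mar  3 10:02:17 web01 sshd[1250]: Failed password for invalid user admin from 203.0.113.9 port 40013 ssh2
Mar  3 10:02:19 web03 sshd[3001]: Failed password for invalid user admin from 198.51.100.4 port 40013 ssh2
Mar  3 10:05:01 web02 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Hypothetical filter list (an assumption of this example, not petit's shipped
# filters): each regular expression is replaced by a placeholder, so lines
# that differ only in these volatile details collapse into one group.
FILTERS = [
    (re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "), ""),  # timestamp and host
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "#IP#"),       # IPv4 address
    (re.compile(r"\[\d+\]"), "[#]"),                           # PID in brackets
    (re.compile(r"\b\d+\b"), "#"),                             # any other number
]


def normalize(line):
    """Apply the filters in order, leaving an approximate log entry."""
    for pattern, placeholder in FILTERS:
        line = pattern.sub(placeholder, line)
    return line


def hash_log(text, use_filters=True):
    """Tally similar lines the way --hash does.

    Returns a list of (count, pattern) tuples, most frequent first. With
    use_filters=False every literal line is its own group, as with --nofilter.
    """
    tally = Counter()
    for line in text.splitlines():
        if line.strip():
            tally[normalize(line) if use_filters else line] += 1
    return sorted(((n, p) for p, n in tally.items()), key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for count, pattern in hash_log(SAMPLE_LOG):
        print(f"{count:>6}: {pattern}")
```

With filters the six lines reduce to three groups; without them every line is distinct, which is why hashing large cluster logs is only useful with filtering.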
 
GRAPHS
The following options display a graph of the log file over a chosen time
  scale, to help analyze the log file:

  --sgraph
      Show a graph of the first 60 seconds of the log file.

  --mgraph
      Show a graph of the first 60 minutes of the log file.

  --hgraph
      Show a graph of the first 24 hours of the log file.

  --dgraph
      Show a graph of the first 31 days of the log file.

  --mograph
      Show a graph of the first 12 months of the log file.

  --ygraph
      Show a graph of the first 10 years. 10 years was chosen arbitrarily and
      could be changed in the code if more time is needed.

FILES
  /var/lib/petit/fingerprint_library
      Fingerprint library which can be used to construct custom fingerprint
      files. They are in the same format as petit's output, so it is easy to
      construct new fingerprints.

  /var/lib/petit/fingerprints
      Aggregate fingerprint files which can be used to filter out reboots and
      other events which the administrator does not care to see.

  /var/lib/petit/filters/
      Each function has a separate list of words and patterns which are
      removed. Each list is stored in a designated file and written in
      standard regular expression format.

AUTHOR
Written by Scott McCarty, see the AUTHORS file.
COPYRIGHT
This program is licensed under the GNU General Public License, see the file
  COPYING included in the distribution archive.