SNOWLOG(1) Snowlog 1.1.1 SNOWLOG(1)
NAME
snowlog - web server access log browser and analyzer
SYNOPSIS
snowlog [-hfV] [--help|--logfile|--version]
DESCRIPTION
Snowlog is a web server access log browser/analyzer. It does not
generate static reports, but lets you browse through the requests in
real time. Filters that accept regular expressions can be applied.
Filters
You can apply a filter to the current list of requests by pressing 'f'.
Snowlog will present you a list of all filters it knows. Press the key
next to the filter you want, to apply it. To get an unfiltered list
again, just hit 'enter' here.
The filters are read from the global file in
/usr/local/share/snowlog/filters. You can put any site-wide filters
into this file. To add your own filters, put them into
~/.snowlog/filters.
The format of this file is described in the following:
[filter name]
type =match this
type !do not match this
type >200
Fields must be separated by a single tab character! The name in
brackets starts a new filter section. This is also the name of the
filter snowlog will show. The following filter types are currently
defined:
httpstatus      server status reply (no regexps!)
content_length  size of the transferred resource (no regexps!)
method          GET/POST/etc.
request         the resource requested
mime_type       MIME type of the transferred resource
referer         referer of this request
useragent       useragent string
vhost           virtual host for this request
authname        logged user for this request
loghint         loghint supplied by the server (see installation README)
In front of the string to match you must place an operator that tells
snowlog whether you want this string to match or not to match. Of
course you can also just use a regular expression to implement this
logic.
= matches/is equal
! does not match/is not
> is greater than (only works for integers)
< is less than (only works for integers)
Example:
A filter that shows all requests of MP3 files on a virtual host
foo.example.org that are at least 2MB in size, contain the string
"scene" and were successfully delivered by the server would look like
this:
[My legal MP3z]
mime_type =audio/mpeg
vhost =foo.example.org
content_length >2097152
request =scene
httpstatus <300
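The filter file format above, as an added Python example (not Snowlog's own code) that parses a filter file and evaluates one section against request records. Assumptions: all rules in a section must hold, '=' and '!' are regular expression searches, httpstatus and content_length compare as integers, and a request is a dict keyed by the filter type names; the sample requests are constructed.

```python
import re

INT_FIELDS = {"httpstatus", "content_length"}  # documented as "no regexps!"

def parse_filters(text):
    """Parse filter-file text into {name: [(field, op, value), ...]}."""
    filters, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current = filters.setdefault(line[1:-1], [])
            continue
        field, tab, rest = line.partition("\t")  # exactly one tab separates fields
        if current is None or not tab or rest[:1] not in ("=", "!", ">", "<"):
            raise ValueError(f"line {lineno}: expected type<TAB><operator>value")
        op, value = rest[0], rest[1:]
        if op in "<>" or field in INT_FIELDS:
            value = int(value)  # integer-only comparison; ValueError if not a number
        current.append((field, op, value))
    return filters

def matches(rules, request):
    """Assumption: a request passes only if every rule in the section holds."""
    for field, op, value in rules:
        have = request.get(field, "")
        if isinstance(value, int):
            if not str(have).isdigit():  # e.g. "-" logged for a missing size
                return False
            have = int(have)
            ok = {"=": have == value, "!": have != value,
                  ">": have > value, "<": have < value}[op]
        else:
            found = re.search(value, str(have)) is not None
            ok = found if op == "=" else not found
        if not ok:
            return False
    return True

# The man page's example filter (tab-separated) and constructed sample requests.
SAMPLE = ("[My legal MP3z]\nmime_type\t=audio/mpeg\nvhost\t=foo.example.org\n"
          "content_length\t>2097152\nrequest\t=scene\nhttpstatus\t<300\n")
BASE = {"mime_type": "audio/mpeg", "vhost": "foo.example.org",
        "content_length": "3145728", "request": "/mp3/scene-01.mp3", "httpstatus": "200"}
REQUESTS = [BASE, {**BASE, "request": "/mp3/scene-02.mp3", "httpstatus": "404"},
            {**BASE, "request": "/mp3/scene-03.mp3", "content_length": "1024"}]

def run_sample():
    rules = parse_filters(SAMPLE)["My legal MP3z"]
    return [r["request"] for r in REQUESTS if matches(rules, r)]
```

A line whose fields are separated by spaces instead of a tab is rejected with ValueError, which is the most common way a hand-edited filter file silently fails to do what its author intended.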
User agent and search engine strings
Snowlog tries its best to make user agent strings and search engine
queries look decent. It uses a collection of regular expressions to
convert strings like "Snownews/1.5.2 (Linux; de_DE.UTF-8@euro;
http://kiza.kcore.de/software/snownews/)" into "Snownews/1.5.2
(Linux)". It also tries to parse search engine referers and extracts
the query so you can more easily see what the person looked for. It
will look like "Google: cool access log analyzer" in the program.
Snowlog already knows a lot of search engine and user agent strings.
You can find the global definitions in the files useragents.regexp and
referers.regexp in the directory /usr/local/share/snowlog. If you want
to add your own regular expressions, put them into
~/.snowlog/useragents.regexp and ~/.snowlog/referers.regexp
respectively. Do not edit the global definitions as they get
overwritten when you install a new version of snowlog.
Referer Spam
If you have a log with so much referer spam that it becomes tedious to
browse the requests, you can filter out these requests easily. If you
select a host, you can press 's' to tell Snowlog it is spam. Snowlog
will then remove all requests from this IP and all requests that have
the same base URL referer.
Example:
You have a request
12.34.56.78 http://free-stuff.com/buy-junk-online.html
If you select this request and hit 's' Snowlog will remove all requests
from 12.34.56.78 and all referers that contain free-stuff.com from the
display.
Please note that Spam filters will only be applied in filtered lists
and never in the unfiltered view of all requests. If you select a
single request and not a host and hit the despam key ('s') only the
referer and not the IP will be added to the blacklist.
These filters will not be remembered over a restart. Lists of IPs will
get very long and referers will change daily so it just doesn't make
sense. For permanent spam filtering use the normal filters of Snowlog.
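The despam behaviour described above, as an added Python sketch (not Snowlog's own code). Assumptions: the "base URL" of a referer is taken to be its hostname, a request is a dict with "ip" and "referer" keys, and the log entries other than the man page's own example are constructed.

```python
from urllib.parse import urlsplit

class Despam:
    """Session-only blacklist; nothing is written to disk."""
    def __init__(self):
        self.ips, self.referer_hosts = set(), set()

    def mark(self, request, host_selected):
        """Blacklist the referer; blacklist the IP too only if a host was selected."""
        host = urlsplit(request["referer"]).hostname  # None for "-" or empty
        if host:
            self.referer_hosts.add(host)
        if host_selected:
            self.ips.add(request["ip"])

    def is_spam(self, request):
        return (request["ip"] in self.ips or
                any(h in request["referer"] for h in self.referer_hosts))

    def view(self, requests, filtered):
        """Spam rules apply to filtered lists only, never to the unfiltered view."""
        if not filtered:
            return list(requests)
        return [r for r in requests if not self.is_spam(r)]

LOG = [  # first entry is the man page's example; the rest are constructed
    {"ip": "12.34.56.78", "referer": "http://free-stuff.com/buy-junk-online.html"},
    {"ip": "203.0.113.5", "referer": "http://free-stuff.com/cheap.html"},
    {"ip": "12.34.56.78", "referer": "-"},
    {"ip": "198.51.100.7", "referer": "https://www.example.org/links.html"},
]

def demo(host_selected):
    """Mark the first entry as spam and return the IPs left in a filtered list."""
    d = Despam()
    d.mark(LOG[0], host_selected)
    return [r["ip"] for r in d.view(LOG, filtered=True)]
```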
More functions
Press 'h' to get an overview of all keys that are bound to a function.
You can open the referer in your web browser by pressing 'o'. Unlike
all web-based log analyzers this will not send any referer back to the
page. You can open the resource that was requested on your server with
'O'. The browser that will be used can be customized by editing
~/.snowlog/browswer. The default that will be used is lynx. See
http://snownews.kcore.de/faq#toc2 for more details on how to set up the
browser.
OPTIONS
--logfile or -f file
Load the logfile "file" instead of the default. The system default
logfile can be set by creating a symlink
/usr/local/share/snowlog/default.log which points to the logfile to
load. A user can set her or his own default by creating a similar
symlink ~/.snowlog/default.log which overrides the system default.
Finally this command line option overrides every default setting.
--help or -h
Display short summary.
--version or -V
Display program version.
FILES
/usr/local/bin/snowlog
/usr/local/share/snowlog/referers.regexp
/usr/local/share/snowlog/useragents.regexp
BUGS
If you think you've hit a bug, please report it. You can do so in
English or German.
AUTHOR
Oliver Feiler <kiza@kcore.de>
Programs 03 June 2005 SNOWLOG(1)