LOGTEMPLATER(TMPLTR)



HOME

SCRIPTS

PROJECTS

READING

CV

View Ron Dilley's profile on LinkedIn

Please donate if you find Log Templater (tmpltr) useful.

BTC: 1GwYToq2AuUWUfJJ7NeCpksfjMth7bw7Tu
LTC: LKh99yzPeXZ7jQgvGgRhkTGReN4TRK4C6p

Log Templater (logtemplater) can be found on GitHub.

You can clone the repository directly from github:

% git clone https:/github.com/rondilley/tmpltr.git

Or you can download the current distribution tarball: tmpltr v0.7

What is tmpltr?

Templater is a small and fast log processor that provides simple artificial ignorance capabilities. You use the tool to process past log data and store templates that represent normal log line structures. You then run the tool against current or target logs and all normal patterns are automatically ignored. The parser is fast and capable of processing millions of lines per minute. Log Templater runs pretty fast. The following mentrics were generated in a Linux VM running on an i7 @ 3.2GHz.

Log size and type Avg. Line Len Avg. Arg Count Args Stored Avg. Lines per Min
18M Line Cisco FW Log 180 32 0 12,004,023/min
18M Line Cisco FW Log (Clustered) 180 32 24,009 4,093,802/Min
11M Line Apache Access Log 246 44 0 9,453,905/Min
11M Line Apache Access Log (Clustered) 246 44 21,666 5,563,009/Min
17M Line UNIX Auth Log 168 24 0 5,083,004/Min
17M Line UNIX Auth Log (Clustered) 168 24 52,318 5,121,656/Min
4M Line Windows Event Log 793 90 0 2,854,123/Min
4M Line Windows Event Log (Clustered) 881 129 70,361 1,183,226/Min
5M Line Palo Alto FW Log 881 129 0 2,358,226/Min
5M Line Palo Alto FW Log (Clustered) 881 129 612 972,425/Min

The template strategy was originally proposed by a friend of mine in 2003 who later built a tool called never before seen (NBS) which also provides artificial ignorance for arbitrary text data as well as text structures.

Why use it?

I built this tool to solve a log analysis problem that I have suffered through while responding to many security breaches. Invariably, I need to find a needle in a haystack of log data. If you need to find a pattern that has not occurred previously, then this is the tool for you.

More details can be found in the README file which is included in the distribution.

How to use it.

Templater has a simple command lines interface. In it's simplest form, pass a text file as an argument and the output will be list of counts and unique templates with the first full log line separated by a '||'.

Including the first full log line with each unique template allows for quick recognition of the log lines that map to the unique template.

To get a list of all the options, you can execute the command with the -h or --help switch.

$ ./src/tmpltr --help
tmpltr v0.6 [Dec 28 2013 - 15:55:46]

syntax: tmpltr [options] filename [filename ...]
-c|--cluster show invariable fields in output
-d|--debug (0-9) enable debugging info
-g|--greedy ignore quotes
-h|--help this info
-n|--cnum {num} Max cluster args [default: 1]
-t|--templates {file} load templates to ignore
-v|--version display version information
-w|--write {file} save templates to file
filename one or more files to process, use '-' to read from stdin

The debug option is most useful when the tool is compiled with the --ENABLE-DEBUG switch.

A typical run of tmpltr is to pass the target log file as an argument and send the output through 'sort -n' to produce the following sorted list of unique templates and their frequency of occurent from least to most prevalent.

I normally go through the list in this order to speed up catching the anonlylous patterns.

% tmpltr /var/log/secure.log | sort -n
Opening [/var/log/secure.log] for read
1 %x %d %s %s %s[%d]: %s : %s=%s ; %s=/%s/%s/%s/%s/%s ; %s=%s ; %s=./%s/%s/%s/%s/%s /||Dec 17 13:05:49 Rons-MacBook-Pro sudo[7974]: root : TTY=unknown ; PWD=/private/tmp/PKInstallSandbox.WSZSYc/Scripts/com.apple.pkg.Safari6.1.1Lion.wqQJEF ; USER=rdilley ; COMMAND=./Tools/AlertAll.app/Contents/MacOS/AlertAll /
1 %x %d %s %s %s[%d]: %s %s %s %s %s %s>%s||Dec 16 16:30:01 Rons-MacBook-Pro newsyslog[5373]: logfile turned over due to size>1000K
1 %x %d %s %s %s[%d]: %s %s %s %s /%s/%s||Dec 16 20:01:32 Rons-MacBook-Pro su[5799]: rdilley to root on /dev/ttys001
1 %x %d %s %s %s[%d]: %s(?:%s) %s %s=-%d||Dec 17 02:02:36 Rons-MacBook-Pro com.apple.SecurityServer[24]: setup(?:obsolete) failed rcode=-2147418111
2 %x %d %s %s %s[%d]: %s %s %s %s '%s' %s %s '%s' [%d] %s %s %s %s '%s' [%d]||Dec 28 15:10:13 Rons-MacBook-Pro com.apple.SecurityServer[24]: Failed to authorize right 'system.install.app-store-software' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [12669] for authorization created by '/System/Library/CoreServices/Software Update.app' [12661]
5 %x %d %s %s %s[%d]: %s %s %s||Dec 17 15:25:21 Rons-MacBook-Pro com.apple.SecurityServer[24]: Killing auth hosts
8 %x %d %s %s %s[%d]: %s %s %s %s %s %s %x %s||Dec 17 17:18:04 Rons-MacBook-Pro loginwindow[58]: resume called when there was already a timer
10 %x %d %s %s %s[%d]: %s %d %s||Dec 17 15:02:23 Rons-MacBook-Pro com.apple.SecurityServer[24]: Session 100012 created
50 %x %d %s %s %s[%d]: %s %s(): %s %d %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Kerberos 5 refuses you
50 %x %d %s %s %s[%d]: %s %s(): %s %s()||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done getpwnam()
50 %x %d %s %s %s[%d]: %s %s(): %s %s, %s: %d %d||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Got euid, egid: 502 20
50 %x %d %s %s %s[%d]: %s %s(): %s: %s %s %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): pam_sm_setcred: krb5 user rdilley doesn't have a principal
51 %x %d %s %s %s[%d]: %s %s(): %s %s %s %s %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
51 %x %d %s %s %s[%d]: %s %s(): %s %s %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_principal_for_user(): No authentication authority returned
53 %x %d %s %s %s[%d]: %s %s(): %s %d %s %s %s:%s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_record_attribute_create_cfstring(): returned 2 attributes for dsAttrTypeStandard:AuthenticationAuthority
53 %x %d %s %s %s[%d]: %s %s(): %s - %s %s %s %s %s %d.||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
100 %x %d %s %s %s[%d]: %s %s(): %s %s() & %s()||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done setegid() & seteuid()
103 %x %d %s %s %s[%d]: %s %s(): %s: %d||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_principal_for_user(): failed: 7
200 %x %d %s %s %s[%d]: %s %s(): %s %s: %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Got user: rdilley
252 %x %d %s %s %s[%d]: %s %s(): %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Done cleanup3
1197 %x %d %s --- %s %s %s %d %s ---||Dec 16 16:31:44: --- last message repeated 1 time ---
3119 %x %d %s %s %s[%d]: %s %s %s '%s' %s %s '%s' [%d] %s %s %s %s '%s' [%d]||Dec 16 16:30:44 Rons-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig' [3274] for authorization created by '/Applications/System Preferences.app' [3268]

If the standard templating mode is obscuring too much information, you can switch to clustering mode (-c). This reduces the parsing speed, but allows the templates to retain all of the non-variable strings. I normally strip off the trailing example line when running in this mode just to keep the line length more managable. Below is an example of the same log processed with the clustering (-c) parsing option.

$ tmpltr -c /var/log/secure.log | sort -n
Opening [/var/log/secure.log] for read
1 Dec 16 16:30:01 Rons-MacBook-Pro newsyslog[5373]: logfile turned over due to size>1000K
1 Dec 16 20:01:32 Rons-MacBook-Pro su[5799]: rdilley to root on /dev/ttys001
1 Dec 17 02:02:36 Rons-MacBook-Pro com.apple.SecurityServer[24]: setup(?:obsolete) failed rcode=-2147418111
1 Dec 17 13:05:49 Rons-MacBook-Pro sudo[7974]: root : TTY=unknown ; PWD=/private/tmp/PKInstallSandbox.WSZSYc/Scripts/com.apple.pkg.Safari6.1.1Lion.wqQJEF ; USER=rdilley ; COMMAND=./Tools/AlertAll.app/Contents/MacOS/AlertAll /
2 Dec 28 15:10:13 Rons-MacBook-Pro com.apple.SecurityServer[24]: Failed to authorize right '%s' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [12669] for authorization created by '/System/Library/CoreServices/Software Update.app' [12661]||Dec 28 15:10:13 Rons-MacBook-Pro com.apple.SecurityServer[24]: Failed to authorize right 'system.install.app-store-software' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [12669] for authorization created by '/System/Library/CoreServices/Software Update.app' [12661]
5 Dec %d %s Rons-MacBook-Pro com.apple.SecurityServer[24]: Killing auth hosts||Dec 17 15:25:21 Rons-MacBook-Pro com.apple.SecurityServer[24]: Killing auth hosts
8 Dec %d %s Rons-MacBook-Pro loginwindow[58]: resume called when there was already a timer||Dec 17 17:18:04 Rons-MacBook-Pro loginwindow[58]: resume called when there was already a timer
10 Dec %d %s Rons-MacBook-Pro com.apple.SecurityServer[24]: Session %d %s||Dec 17 15:02:23 Rons-MacBook-Pro com.apple.SecurityServer[24]: Session 100012 created
50 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Kerberos 5 refuses you||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Kerberos 5 refuses you
50 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done getpwnam()||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done getpwnam()
50 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Got euid, egid: 502 20||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Got euid, egid: 502 20
50 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): pam_sm_setcred: krb5 user rdilley doesn't have a principal||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): pam_sm_setcred: krb5 user rdilley doesn't have a principal
51 Dec %d %s Rons-MacBook-Pro %s[%d]: in %s(): %s %s %s %s %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
51 Dec %d %s Rons-MacBook-Pro %s[%d]: in %s(): %s %s %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_principal_for_user(): No authentication authority returned
53 Dec %d %s Rons-MacBook-Pro %s[%d]: in od_record_attribute_create_cfstring(): returned 2 attributes for dsAttrTypeStandard:AuthenticationAuthority||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_record_attribute_create_cfstring(): returned 2 attributes for dsAttrTypeStandard:AuthenticationAuthority
53 Dec %d %s Rons-MacBook-Pro %s[%d]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.
100 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done %s() & %s()||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_setcred(): Done setegid() & seteuid()
103 Dec %d %s Rons-MacBook-Pro %s[%d]: in %s(): %s: %d||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in od_principal_for_user(): failed: 7
200 Dec %d %s Rons-MacBook-Pro loginwindow[58]: in %s(): Got %s: %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Got user: rdilley
252 Dec %d %s Rons-MacBook-Pro %s[%d]: in %s(): %s %s||Dec 16 16:35:18 Rons-MacBook-Pro loginwindow[58]: in pam_sm_authenticate(): Done cleanup3
1197 Dec %d %s --- last message repeated %d %s ---||Dec 16 16:31:44: --- last message repeated 1 time ---
3119 Dec %d %s Rons-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d]||Dec 16 16:30:44 Rons-MacBook-Pro com.apple.SecurityServer[24]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig' [3274] for authorization created by '/Applications/System Preferences.app' [3268]

You can use the same syntax but also store copies of all of the unique templates by using the '-w {fname}' switch. When you do this, the file referenced with the switch is over written with a delimited list of the templates.

The currently supported field types are as follows:
%c = character
%d = number
%x = hex number
%s = string
%i = IPv4 address (number-dot syntax)
%I = IPv6
%m = MAC address (IEEE 802 syntax)

The template file can be used with the '-t {fname}' switch to provide artificial ignorance capabilities.

% tmpltr -w ignore.templates /var/log/system.log | sort -n

After the above run of the tool, a file named ignore.templates is created in the current directory as shown below:

% cat ignore.templates
%x %d %s %s %s[%d]: %s(%s) == %d
%x %d %s %s %s[%d]: %s %d, %s %d, %s %d, %s %d, %s %d, %s %d, %s %d, %s %s %s %d %s %d %s %d %s %d
%x %d %s %s %s[%d]: %s
%x %d %s %s %s[%d]: %s %s %s %s %s %s %s
%x %d %s %s %s[%d]: %s [%s]: %s %s %s %s (%s %s, %s %d)
%x %d %s %s %s[%d]: %s: %s %s %s %s %s %d (%s %s %s %s).
%x %d %s %s %s[%d]: %s: %s %s %d %s %s %s %s(%c)
%x %d %s %s %s[%d]: %s: %d.%x %s %s %s %s '%s'.
%x %d %s %s %s[%d]: %s %x
%x %d %s %s %s[%d]: %s: %s %s %s %s %s = %d
%x %d %s %s %s[%d]: %s::%s - %s, %s %s, %x %s, %s %s %s
%x %d %s %s %s[%d]: [%s](%d)/(%d) %s %s %s
%x %d %s %s %s[%d]: %s %s %s: /%s/%s/%s
%x %d %s %s %s[%d]: [%s %s]
%x %d %s %s %s[%d]: %s: %s %s %s %s %s
%x %d %s %s %s[%d]: %s %s %s %s
%x %d %s %s %s[%d]: %s, %s %d
%x %d %s %s %s[%d]: %s %s %s %s %s %s>%s
%x %d %s %s %s[%d]: %s %d, %s %d, %s %d
%x %d %s %s %s[%d]: %s: %s %s %x:%s
%x %d %s %s %s[%d]:
%x %d %s %s %s[%d]: %s: %s %s %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d %d
%x %d %s %s %s[%d]: %s %s %s %s %s (%d)
%x %d %s %s %s[%d]: %s: %s %s %s %m
%x %d %s %s %s[%d]: %s /%s/%s %s/.%s/%s/%x-%x-%x-%x-%x/%s] [%s %d] [%s %s]
%x %d %s %s %s[%d]: %s %s %s %s %s: %m %s %s %s
%x %d %s %s %s[%d]: %s: %s: %s: %s %s %s %s %s!
%x %d %s %s %s[%d]: %s: %s %d %s %s %s (%x %d [%s %d] [%s %d] [%s %s] [ [%s %d] [%s %s]
%x %d %s %s %s[%d]: %s: %s %s %s %s, %s #%d, %s %m
%x %d %s %s %s[%d]: %s %x %s %d
%x %d %s %s %s[%d]: %s %s(%d): %d []
%x %d %s %s %s[%d]: %s: %s %s
%x %d %s %s %s[%d]: [ %s %s %s, %s %d %s %d ]
%x %d %s %s %s[%d]: %s: %s %d %s %s %s (%s %s)
%x %d %s %s %s[%d]: %s %s %s (%s=%d %s=%d %s=%d)
%x %d %s %s %s[%d]: %s: %s %s=%d
%x %d %s %s %s[%d]: %s %d, %s %d (%d), %s %d (%d%c), %s %x, %s %x
%x %d %s %s %s[%d]: %s %s %s %d
%x %d %s %s %s[%d]: %s %s %s, %s
%x %d %s %s %s[%d]: %s %s, %s %s, %s %s
%x %d %s %s %s[%d]: %s: %s %s %s
%x %d %s %s %s[%d]: %s %d
%x %d %s %s %s[%d]: %s %s %s %d, %s %d, %s %d, %s %d
%x %d %s %s %s[%d]: %s: %s %s %s %s
%x %d %s %s %s[%d]: %s %s] [%s /%s/%s] [%s /%s/%s] [%s %d] [%s %s]
%x %d %s %s %s[%d]: %s %s(%d): %d [%c]
%x %d %s %s %s[%d]: %s: %s %s %s %d %s
%x %d %s %s %s[%d]: [ %s %s %s ]
%x %d %s %s %s[%d]: %s: %s: %s: %s %s %s
%x %d %s %s %s[%d]: %s %s %s %s (%s %d %s %s %s %s) %s %s %s %x %s %s %s %x %s %s (%d)
%x %d %s %s %s[%d]: %s %s %s %s %s %s / %s (%s %d %s %s %s %s) %s %s %s %x %s %s %s %x %s %s (%d)
%x %d %s %s %s[%d]: %s::%s - %s
%x %d %s %s %s[%d]: %s %s %d, %s %d %s
%x %d %s %s %s[%d]: %s: %s %d %s %s %s (%s)
%x %d %s %s %s[%d]: %s: %s %d %s / %s %s %s %d %s
%x %d %s %s %s[%d]: %s %s: %s(%s): %c=%d[%s] %s %s
%x %d %s %s %s[%d]: %s %s: ?
%x %d %s %s %s[%d]: %s %s %s %s %s: %m %s %s
%x %d %s --- %s %s %s %d %s ---
%x %d %s %s %s[%d]: %s %d %s
%x %d %s %s %s[%d]: %s (%s) %s %s %d %s %s %s, %s %x; %s %s %s
%x %d %s %s %s[%d]: %s %s: %x.%s (%s)
%x %d %s %s %s[%d]: %s %s %s %s %s: %m %s %s %s
%x %d %s %s %s[%d]: %s: %s: %s: %s: %d %s: %d (%s %s)
%x %d %s %s %s[%d]: %s: %s: %s: %s %s, %s %s %s %s %s
%x %d %s %s %s[%d]: %s [%s]: %s %s %s %s, %d-%s, %s, %s %s, %s [%x,%d,%x,%d,%x,%d]
%x %d %s %s %s[%d]: %s::%s - %s %s %s, %s %d: %s %s %s
%x %d %s %s %s[%d]: %s(%d)
%x %d %s %s %s[%d]: %s %s %s: %d
%x %d %s %s %s[%d]: %s(%d) %s %d %s
%x %d %s %s %s[%d]: %s %s /%s/%s/%s, %s %d, %s %s %s, %s %d %s %d
%x %d %s %s %s[%d]: %s [%s]: %s %s %s %s, %d-%s, %s, %s %s, %s [%x,%d,%d,%d,%x,%d]
%x %d %s %s %s[%d]: %s %s: %d %s
%x %d %s %s %s[%d]: %s: %s/%s %s %s %s
%x %d %s %s %s[%d]: %s(%s)::%s - %s %s %s %s %s = %s %s = %d %s = %d
%x %d %s %s %s[%d]: %s %d, %s %d (%d), %s %d (%d%c), %s %x, %s %d
%x %d %s %s %s[%d]: %s %s(%d)
%x %d %s %s %s[%d]: %s [%s]: %s %s %s %s (%s)
%x %d %s %s %s[%d]: %s %s %d %s
%x %d %s %s %s[%d]: %s %s: %d %s, %s %s: %d %s: %d %s %d %s/%c, %s %s: %d %s: %d %s %d %s/%c,
%x %d %s %s %s[%d]: %s %s %s %s %s (%s %d %s %s %s %s) %s %s %s %x %s %s %s %x %s %s (%d)
%x %d %s %s %s[%d]: %s::_%s - %s %s %s %s %s %s %s %s - %s
%x %d %s %s %s[%d]: %s [%s]: %s %s %s %s
%x %d %s %s %s[%d]: %d [%s %d] [%s %d] [%s %s] [%s /%s/%s] [%s /%s/%s %s] [%s /%s/%s %s/.%s/%s/%x-%x-%x-%x-%x/%s] [%s %d] [%s %s]
%x %d %s %s %s[%d]: %s::%s %s %s=%s (%s %s %s) %s=%s
%x %d %s %s %s[%d]: %s (%s: %s) %s %s %s %s %s %s %s: %s, %s %s>%s %s %s %s %s %s, %s %s %s %s %s %s %s %s %s
%x %d %s %s %s[%d]: %s %s (%s): %x %s %s %s
%x %d %s %s %s[%d]: %s: %s: %s %s %s
%x %d %s %s %s[%d]: %s %s %s %s %s (%x) %d %s %s
%x %d %s %s %s[%d]: %s %s: %x.%s %s (%s)

You can now pass this file back into tmplptr and all log lines that match an existing template pattern will be ignored. This is the real utility of the tool. Using this teqnique, you can train tmpltr to ignore all log patterns that have been seen before and only show log templates for new patterns.

This is how I use to tool during incident repsonse. I push all the log data that I have for the period of my choice before the detected event into tmpltr and save the pattern file, then run tmpltr against the log data for the period around when the detected event happened.

% ./tmpltr -t ignore.templates /var/log/system.log

A couple of things to note about the '-w' and '-t' switches:

If you use the '-w' switch in conjunction with the '-t', you should not read from and write to the same file. This version of tmpltr would allow you to do it without an issue if you pass the read '-t {fname}' arguments before the write '-w {fname}' arguments but future versions may not work as expected.

Additionally, when you load templates using the '-t' switch then write all the templates using the '-w' switch, then new file will contain all of the templates loaded from the template file as well as any new unique templates discovered in the processing of the log files. In this way, you can have your most recent saved template file always contain all of the templates that have been discovered.

What is in the works?

In addition to porting this tool to more platforms, I will be adding several new features to make finding anomolous patterns faster and simpler.


Please report issues to webmaster@uberadmin.com

Last updated: 2015-12-30 @ 2:55pm