Monday, January 14, 2013

Poor Man's Splunk

There are many commercial products for scanning log files and reporting, but I just needed something simple and low cost. This is a very basic script that periodically scans a log file for a set of patterns and e-mails an alert when one of them is found. I run it every 15 minutes on my syslog server.

#--------------------------------------------------
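#!/bin/bash
#
# Poor man's Splunk - grep syslog for patterns and send e-mail alert
#
# Scans $LOGFILE once per pattern in STRING[] and mails the matching lines
# to $MAILTO.  Alerts are rate-limited globally (not per pattern): at most
# one alert is sent per $WAIT seconds, and the epoch time of the last alert
# is kept in $LASTALERTFILE.  Meant to be run from cron.
#
# Exit status: 0 on a completed scan (alert sent or not), 1 when the log
# file cannot be read, the state file cannot be created, or grep fails.

# number of seconds to wait between alerts
WAIT=3600

# Set the path to a file where we'll keep track of the last time we alerted
LASTALERTFILE=/path/LogMonLast.txt

LOGFILE=/var/log/syslog
GREP=/bin/egrep
# recipient of the alert mail; note the matching log lines are sent in the
# body, so choose a mailbox that may see raw log content
MAILTO=your.email@address.ok
#
# Add strings to search for (extended regular expressions, passed to $GREP)
#

STRING[0]="Source: CiscoUnity_UMR|ID: 137"

STRING[1]="VLAN mismatch discovered"
STRING[2]="Duplicate address"
STRING[3]="Failover"

# Print the epoch time of the last alert, or 0 when the state file is
# missing, empty or does not hold a plain integer (e.g. truncated by a
# crash or edited by hand).  Guarantees the arithmetic below always has a
# numeric operand; the original fed the raw file content to expr.
last_alert_time() {
  local stamp
  stamp=$(cat -- "$LASTALERTFILE" 2>/dev/null)
  if [[ "$stamp" =~ ^[0-9]+$ ]]; then
    printf '%s\n' "$stamp"
  else
    printf '0\n'
  fi
}

# Record the alert time and mail the matches.
# Arguments: $1 - the pattern that matched
#            $2 - the matching log lines
# The here-doc expands $pattern/$matches once; the text inside $matches is
# not expanded again, so log content cannot inject further expansions.
# NOTE(review): "-t" is kept from the original invocation; its meaning
# differs between mail implementations (mailx vs. mailutils) - confirm it
# addresses the recipient on the host this runs on.
send_alert() {
  local pattern=$1 matches=$2
  date +%s > "$LASTALERTFILE"
  mail -s "LogMon: ${pattern}" -t "$MAILTO" <<EOF
The search string

${pattern}

was found in $LOGFILE

the search result was

${matches}

EOF
}

# Without a writable state file every run would alert (no suppression)
# and nobody would notice, so fail loudly instead.
if [ -f "$LASTALERTFILE" ]; then
  echo "Alert file found"
else
  echo 0 > "$LASTALERTFILE" || { echo "Cannot create $LASTALERTFILE" >&2; exit 1; }
fi

if [ ! -r "$LOGFILE" ]; then
  echo "Cannot read $LOGFILE" >&2
  exit 1
fi

for pattern in "${STRING[@]}"; do
  echo "$pattern"

  # grep exit status: 0 = match, 1 = no match, >1 = error (unreadable file,
  # bad pattern).  The original tested only for 1, so an error looked like a
  # match and produced an alert with an empty result; errors now stop the run
  # so the failure shows up in the cron output.  "--" keeps a pattern that
  # starts with "-" from being parsed as an option.
  grepResult=$("$GREP" -- "$pattern" "$LOGFILE")
  rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "No match for $pattern in current $LOGFILE"
    continue
  elif [ "$rc" -ne 0 ]; then
    echo "$GREP failed (exit $rc) for pattern: $pattern" >&2
    exit 1
  fi

  LASTALERT=$(last_alert_time)
  CURTIME=$(date +%s)
  TIMEDIF=$(( CURTIME - LASTALERT ))
  if [ "$TIMEDIF" -lt "$WAIT" ]; then
    echo "Warning suppressed - not enough time elapsed since last warning"
  else
    send_alert "$pattern" "$grepResult"
  fi
done

exit 0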

#--------------------------------------------------------------------