PETIT(1)                         User Commands                        PETIT(1)

NAME

       petit - log analysis tool for systems administrators

SYNOPSIS

       petit [OPTION] [FILE]

DESCRIPTION

       petit was developed to quickly analyze syslog and Apache log files in
       large environments. It can also be used for word discovery within log
       data. It is a general purpose tool that can do hashing, word counts,
       and command line graphing of Apache and syslog files. It is designed to
       be a standard Unix tool that can be employed with pipes or by opening
       files. Petit works by sifting data with standard patterns and allows
       for custom filters and fingerprints. This leaves the analyst with data
       that is both varied and interesting.

       FILE can be Syslog, Apache Access, Apache Error, Snort or Raw log
       files. Petit can also be used to analyze any type of file as a Raw log
       file, but since time/date is not understood, they cannot be graphed.


OPTIONS

       -h, --help
              Displays simple usage message

       -v, --verbose
              Adds verbose output to any function

       --sample
              Sample any line for which there are 3 or fewer entries found

       --allsample
              Show samples for all lines found

       --filter
              Force filter files to be used during processing because some
              functions do not filter by default.

       --nofilter
              Force filter files to be skipped during processing. This will
              work for any function.

       --wide Make graphing wider for bigger screens

       --tick="%"
              Change tick character from default of "#". This can be any
              single character.

       --fingerprint
              Use fingerprinting to remove certain patterns from analysis. By
              default this is off for most or all functions. This is a safety
              feature to prevent an analyst from removing data without using
              an explicit switch.

       -V, --version
              Display the version of petit and exit

       --hash This is one of the most basic functions of petit. This function
              tallies lines found. Each output line displays the number of
              similar lines found in the log and what the group generally
              looked like. If filtering is used in conjunction with hashing
              then numbers and patterns which are commonly found and not
              profoundly necessary are removed from the input stream. This
              leaves the analyst with approximate log entries as opposed to
              actual log entries. This is useful for analyzing large log sets
              commonly found in clusters/pools of servers.

       --wordcount
              Word counting is essentially like hashing except that data is
              grouped by word instead of line. A custom stopwords list is used
              to filter out common words found in the English language. A
              common use case for this function would be word discovery. When
              used in connection with grep or swatch, word counting can be
              used to enumerate all of the words found in a log file which
              have similar meanings, such as "error, can't, fail, reject",
              etc.

              This is extremely useful for giving confidence when building
              white lists and black lists. These lists can then be used for
              daily reporting or graphing for anomaly detection.

       --daemon
              Gives a simple report of lines produced, keyed by the daemon
              that produced them

       --host Gives a simple report of lines produced, keyed by the host that
              produced them. This can be useful for analyzing machines in a
              cluster dedicated to the same task. If one machine is producing
              too much or too little log output there is generally a problem.


GRAPHS

       Graphs are displayed with the following information to help analyze the
       log file.

       --sgraph
              Show a graph of first 60 seconds of the log file

       --mgraph
              Show a graph of first 60 minutes of the log file

       --hgraph
              Show a graph of first 24 hours of the log file

       --dgraph
              Show a graph of first 31 days of the log file

       --mograph
              Show a graph of first 12 months of the log file

       --ygraph
              Show a graph of first 10 years. 10 years was chosen arbitrarily
              and could be changed in the code if more time is needed.


FILES

       /usr/share/petit/fingerprint_library
              Fingerprint library which can be used to construct custom
              fingerprint files. They are in the same format as petit's output
              so it is easy to construct new fingerprints.

       /usr/share/petit/fingerprints
              Aggregate fingerprint files which can be used to filter out
              reboots and other events which the administrator does not care
              to see

       /usr/share/petit/filters/
              Each function has a separate list of words and patterns which
              are removed. Each list is stored in a designated file and
              specified with standard regular expression format.

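       The following is an added illustration of how --hash, --filter and
       --fingerprint (OPTIONS) fit together with the filter and fingerprint
       files described above. It is not petit's own code; the filter regexes,
       the fingerprint entry, the sample syslog lines and the "count: pattern"
       output form are all constructed for this example.

```python
import re
from collections import Counter

# Constructed filter rules: (regex, replacement) applied in order, the role
# played by the files under /usr/share/petit/filters/ (contents assumed).
FILTERS = [
    (r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+", ""),   # syslog timestamp + host
    (r"\[\d+\]", "#"),                                  # pid in brackets
    (r"\b\d+\.\d+\.\d+\.\d+\b", "#"),                   # IPv4 address
    (r"\b\d+\b", "#"),                                  # any remaining number
]

# Constructed fingerprint: a normalized line the administrator does not care
# to see, written in the same form as the hashed output (like a reboot entry).
FINGERPRINTS = {"kernel: Linux version #.#.# (build)"}

# Constructed sample syslog; not taken from any real system.
SAMPLE_LOG = [
    "Jan  5 10:01:22 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Jan  5 10:01:23 web02 sshd[3310]: Accepted publickey for deploy from 10.0.0.5 port 51023 ssh2",
    "Jan  5 10:02:01 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  5 10:02:01 web02 CRON[3360]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  5 10:03:44 web01 kernel: Linux version 2.6.32 (build)",
    "Jan  5 10:05:10 web01 sshd[2290]: Failed password for invalid user admin from 192.0.2.9 port 4410 ssh2",
]

def normalize(line, filters=FILTERS):
    """Replace volatile fields so that 'similar' lines hash to one key."""
    for pattern, repl in filters:
        line = re.sub(pattern, repl, line)
    return line.strip()

def hash_lines(lines, use_filter=True, use_fingerprint=False):
    """Tally lines; returns [(pattern, count)] sorted by count desc, then pattern."""
    counts = Counter()
    for line in lines:
        key = normalize(line) if use_filter else line.rstrip("\n")
        if use_fingerprint and key in FINGERPRINTS:
            continue  # known noise is dropped only when explicitly requested
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def report(groups):
    """Render one 'count: pattern' line per group."""
    return "\n".join(f"{count}: {pattern}" for pattern, count in groups)

if __name__ == "__main__":
    print(report(hash_lines(SAMPLE_LOG, use_fingerprint=True)))
```

       Without filtering every line is its own group (hosts and pids differ);
       with filtering the two hosts collapse into shared patterns, and the
       fingerprint removes the kernel line from the report.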

AUTHOR

       Written by Scott McCarty, see the AUTHORS file

       This program is licensed under the GNU General Public License, see the
       file COPYING included in the distribution archive.



Petit                            February 2010                        PETIT(1)