Introduction: Reporting a Problem

Reporting a Problem

In a typical configuration, PIKT is primarily used to report problems.  For any given problem, the normal procedure is:

  • You write a Pikt script to identify and report the problem.
  • You install and schedule the script(s) to run periodically.
  • If it happens, the problem is reported, usually via e-mail.
  • You read the problem report, and possibly respond to it.

WtmpShrinkage is a simple Pikt script to report if the system wtmp file shrinks.  Ordinarily, wtmp (the login accounting record) should only grow in size, never shrink.  If it were to shrink unexpectedly (i.e., not due to a normal logfile rotation), you would want to know that, because the unexpected shrinkage might signal hacker activity: an intruder who wants to hide logins has an interest in truncating that file.

Following is the WtmpShrinkage script, more or less as it would appear on the piktmaster system, in the central configuration alarms.cfg file, and on the slave systems, in their Critical.alt files:

	WtmpShrinkage

	        init
	                status active
	                level critical
	                task "Report if wtmp shrinks"
	                input "/var/log/wtmp"

	        rule    // file not found
	                if ! -e $inlin
	                        output mail "$inlin not found!"
	                        quit
	                fi

	        rule    // file found, test for shrinkage
	                set #size = #filesize("$inlin")
	                if    #defined(%size)
	                   && #size < %size
	                        output mail "$inlin has shrunk in size,
	                                     was $text(%size) bytes,
	                                     is now $text(#size) bytes!"
	                fi
	
Pikt scripts, much like Awk scripts, come in sections:  init, begin, rule, and/or end.  Syntax combines elements of Awk, Perl, and Bourne shell (Bash).  Comments are denoted by '//' and '/* */'.  When done right, Pikt scripts should be clear, straightforward, and easy to read.

In this script's init section, we indicate the script's status (active, i.e., it should not be bypassed), its level (of critical importance), its task description, and its input.  Normally, input is a file or the output of some process, but in this example the input is simply the character string "/var/log/wtmp".

After the init section (and an optional begin section), we enter an implicit input loop (again, much like Awk).  For each line of input, we consider a series of rules--things to check, actions to take, etc.  The current input line is assigned to the built-in variable $inlin (aka $inline, $inputline) by default.

In the first rule, we check to see if the file exists.  If it doesn't, the script sends e-mail reporting that, then quits.

Otherwise, in the next rule, we check the file size, comparing it to the size of /var/log/wtmp the last time the script was run.  PIKT will automatically remember values (indicated by the '%' prefix) from one program run to the next.  If the current size is less than the previously recorded size, e-mail is sent reporting that the file has shrunk.  The problem alert e-mail might look like the following:

	                                PIKT ALERT
	                         Sun Sep 14 14:21:28 2003
	                                 calgary

	CRITICAL:
	    WtmpShrinkage
	        Report if wtmp shrinks

	        /var/log/wtmp has shrunk in size, was 257664 bytes,
	        is now 1500 bytes!
	
We might also check for other things in this script, by adding rules to see if the wtmp ownerships and permissions have changed, but we have another more general script to do that (i.e., it does those checks for a comprehensive list of system files).
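The two rules above, persisting the "remembered" size between runs the way PIKT does with %size, can be expressed in a few lines of ordinary Python.  The following is an added example, not PIKT code and not a PIKT API: the file and state paths, the check_shrinkage() helper and the JSON state file are all assumptions.  It goes one step beyond the Pikt script in that it records the file's inode as well, so a rename-style log rotation (old file moved aside, new file created) is reported as "rotated" rather than as shrinkage; a copy-and-truncate rotation keeps the inode and is still reported as shrinkage, which is the conservative choice.

```python
"""Added example: a stand-alone port of the WtmpShrinkage check.

Hypothetical names: check_shrinkage(), load_state(), save_state(), demo().
The JSON state file plays the role of PIKT's remembered '%size' value.
"""
import json
import os
import tempfile


def load_state(state_path):
    """Return the previously recorded {'size': ..., 'inode': ...}, or None."""
    try:
        with open(state_path) as fh:
            return json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return None


def save_state(state_path, size, inode):
    """Record the current size and inode for the next run."""
    with open(state_path, "w") as fh:
        json.dump({"size": size, "inode": inode}, fh)


def check_shrinkage(path, state_path):
    """Mirror the two Pikt rules and return (status, message).

      'missing' - file not found (first rule: report and quit)
      'shrunk'  - size fell below the remembered size (second rule)
      'rotated' - inode changed since last run: treated as a normal rotation
      'ok'      - nothing to report
    The remembered values are always refreshed, as PIKT does with %size.
    """
    if not os.path.exists(path):
        return "missing", f"{path} not found!"
    st = os.stat(path)
    prev = load_state(state_path)
    save_state(state_path, st.st_size, st.st_ino)
    if prev is None:
        return "ok", f"{path}: first run, size {st.st_size} recorded"
    if prev["inode"] != st.st_ino:
        return "rotated", f"{path} was replaced (inode changed), size reset"
    if st.st_size < prev["size"]:
        return "shrunk", (f"{path} has shrunk in size, was {prev['size']} bytes, "
                          f"is now {st.st_size} bytes!")
    return "ok", f"{path} is {st.st_size} bytes"


def demo():
    """Constructed scenario in a temp dir: first run, growth, truncation,
    rename-style rotation, then removal.  Returns the list of results."""
    d = tempfile.mkdtemp()
    wtmp = os.path.join(d, "wtmp")
    state = os.path.join(d, "wtmp.state")
    results = []
    with open(wtmp, "wb") as fh:            # constructed 257664-byte "wtmp"
        fh.write(b"x" * 257664)
    results.append(check_shrinkage(wtmp, state))   # ok: first run
    with open(wtmp, "ab") as fh:            # normal growth
        fh.write(b"y" * 100)
    results.append(check_shrinkage(wtmp, state))   # ok: grew
    with open(wtmp, "wb") as fh:            # truncated in place, same inode
        fh.write(b"z" * 1500)
    results.append(check_shrinkage(wtmp, state))   # shrunk
    os.rename(wtmp, wtmp + ".1")            # rename-style rotation
    with open(wtmp, "wb") as fh:
        fh.write(b"")
    results.append(check_shrinkage(wtmp, state))   # rotated
    os.remove(wtmp)
    results.append(check_shrinkage(wtmp, state))   # missing
    return results


if __name__ == "__main__":
    for status, message in demo():
        print(f"{status:8s} {message}")
```

Run periodically from cron (or, in PIKT's case, from piktd) and route anything other than "ok" to mail; the state file should live somewhere the monitored process cannot write, or the remembered size is only as trustworthy as the file it guards.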

Suppose we want to check for wtmp file shrinkage several times daily.  We could add the WtmpShrinkage script to the Critical alerts group, defined (in the piktmaster's alerts.cfg file) as:

	Critical

	        timing          30 6-22/2 * * *

	        mailcmd         "mailx -s 'PIKT Alert on =pikthostname: Critical'
	                                  =sysadmins"

	        alarms

	                        ChecksumDifferenceCritical
	                        DiskCapCritical
	                        TmpFullCritical
	                        ...
	                        WtmpShrinkage
	                        ...
	
Timings are similar to cron's.  Here we have scheduled the "Critical" scripts, including the WtmpShrinkage script, to run every two hours, at half past the hour, from 6:30 AM to 10:30 PM.
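To make the timing line concrete, here is an added Python example (not part of PIKT, and not how piktd itself parses schedules) that expands a five-field cron-style spec such as "30 6-22/2 * * *" into the minutes and hours it fires on.  The helper names expand_field(), expand_timing() and daily_run_times() are assumptions; it handles the usual '*', single values, ranges, ranges with a step, and comma lists, and rejects out-of-range values rather than silently scheduling nothing.

```python
"""Added example: expand a cron-style timing line into concrete run times.
Hypothetical helpers; PIKT's own scheduler is not involved."""

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(field, lo, hi):
    """Expand one field ('*', 'a', 'a-b', 'a-b/n', '*/n', 'x,y,...') into a
    sorted list of integers within [lo, hi]."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad cron field {field!r}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def expand_timing(spec):
    """Expand all five fields; returns [minutes, hours, days, months, weekdays]."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {spec!r}")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def daily_run_times(spec):
    """Return 'HH:MM' strings for a day on which the date fields match
    (the day, month and weekday fields are not evaluated here)."""
    minutes, hours, _days, _months, _weekdays = expand_timing(spec)
    return [f"{h:02d}:{m:02d}" for h in hours for m in minutes]


if __name__ == "__main__":
    # The Critical group's timing from alerts.cfg above
    print(daily_run_times("30 6-22/2 * * *"))
```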

On the central piktmaster system, we would install and schedule the Critical scripts, including the WtmpShrinkage script, on all host systems using the command:

	# piktc -iv +A Critical +H all

	processing vienna...
	installing file(s)...
	Critical.alt installed

	processing madrid...
	installing file(s)...
	Critical.alt installed

	...
	
piktc is the central command-and-control and preprocessor program.  Other PIKT programs include:  pikt, the Pikt script interpreter; piktd, the daemon that runs the alert scripts periodically; piktc_svc, the piktc service daemon; and still others.

Reporting wtmp file shrinkage is just one among many different problems you might have PIKT monitor and report.  For other examples, continue reading the Introduction and/or visit the Samples pages.


Page last updated 2005-01-09.
PIKT® is a registered trademark of the University of Chicago.
Copyright © 1998-2005 Robert Osterlund.  All rights reserved.