Script to grep through all servers' logs?

noimad1

I would like to know if anyone has any ideas how I might be able to accomplish this:

I'd like to have a script I can install on all of my servers that I can pass a variable to from a single source (like a secure web page). I would like to create one single website that can invoke this script on all servers to search my messages log.

So it would work like this:

I go to my secure web page and do a search for an IP address. That page goes to each of my servers and greps my messages log for that IP address.

This would be extremely helpful to me to hunt down these iframe type hacks where they are logging in with users' passwords across all servers.

So basically if I find an IP address that is attacking I can quickly look through my other servers to see if it has attacked any of my other servers as well.

Do you think this would be possible?
 

noimad1

You can make a simple script to just run the grep command and output the results to a text file.
What I'm looking to do is do this dynamically. I'd like to be able to create like a form behind a protected location that I can type in something like an IP address, and it will grep through multiple servers' messages logs to find it....

That way when let's say one of my servers gets attacked by like this iframe attack, I can see which IP address it is from, grep through all my servers to see if any other sites were attacked. Right now I have to log into each individual server to grep the logs.
 

Spiral

What you ask is actually fairly simple to do. I'm not sure of your exact configuration,
but if your servers can communicate directly, you can just run an rsync or rcp command
from a script to get the log files from all servers updated in a common location and then
run greps through them all at once. This could even be updated on a cron basis too.

Personally I take things a step beyond that myself and make all the servers
I deal with a bit self-aware and automatically shut down any attack themselves
and report to me when anything significant shows up, so the attacks are
already blocked even before I review all the log files routinely.
 

noimad1

I guess I never thought about rsyncing all the logs to a general location. It's not quite as efficient as what I was originally thinking, but I could probably get that to work.
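
The rsync-then-grep approach Spiral describes, with the search term restricted to a literal IPv4 address because it would arrive from a web form; this is an added example, not code from any poster in the thread. The host names, the `<dest>/<host>/messages` layout and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Hostnames, paths and log lines are constructed assumptions.

# Pull each server's messages log into $1/<host>/messages (run from cron).
# Assumes key-based SSH as a user allowed to read /var/log/messages.
collect_logs() {
    dest=$1; shift
    for host in "$@"; do
        mkdir -p "$dest/$host"
        rsync -az -e ssh "$host:/var/log/messages" "$dest/$host/messages"
    done
}

# Accept only four dot-separated octets 0-255, so a value typed into a web
# form can never reach grep as an option, a pattern or shell syntax.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print file:line for every collected log that mentions the address.
# -F keeps the dots literal; -w stops 203.0.113.7 matching 203.0.113.70.
search_logs() {
    dir=$1; ip=$2
    is_ipv4 "$ip" || { echo "refusing non-IPv4 input" >&2; return 2; }
    grep -Fw -- "$ip" "$dir"/*/messages /dev/null
}

# Constructed sample data standing in for three collected servers.
make_sample_logs() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/web1" "$d/web2" "$d/web3"
    echo 'Jan 10 03:12:01 web1 pure-ftpd: (?@203.0.113.7) [INFO] user1 is now logged in' > "$d/web1/messages"
    echo 'Jan 10 03:15:44 web2 pure-ftpd: (?@203.0.113.70) [INFO] user2 is now logged in' > "$d/web2/messages"
    echo 'Jan 10 03:20:09 web3 pure-ftpd: (?@203.0.113.7) [INFO] user3 is now logged in' > "$d/web3/messages"
    echo "$d"
}

demo_dir=$(make_sample_logs)
search_logs "$demo_dir" 203.0.113.7   # lists web1 and web3, not web2
```

A web front end would call `search_logs` with the form value as a single argument and never build a command string from it; `collect_logs` is the part that runs from cron.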