Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror

Logfiles Made Interesting with glTail 131

Posted by CmdrTaco
from the because-you-can dept.
Fudgie writes "My boss claimed it was pretty much impossible to create an entertaining way to visualize server traffic and events in a short time frame, so of course I had to prove him wrong. A weekend of neglecting my family produced a small ruby program which connects to your servers via SSH, grabs and parses data from Apaches access log and Ruby on Rails production log, and displays your traffic and statistics in real-time using a simple OpenGL interface (tested under Linux and Mac OS/X). It's a bit hard to explain over text, so please have a look at fudgie.org for an example movie, and more information."
This discussion has been archived. No new comments can be posted.

Logfiles Made Interesting with glTail

Comments Filter:
  • Oh dear... (Score:5, Funny)

    by DamonHD (794830) <d@hd.org> on Sunday October 07, 2007 @09:14AM (#20887681) Homepage
    ...I'm afraid that's the nearest I've seen to a simulated pissing contest ever! B^>

    Rgds

    Damon
  • Oh great... (Score:5, Funny)

    by GodlikeDoglike (600594) on Sunday October 07, 2007 @09:18AM (#20887705)
    ...we just made his log screen look like a bukkake flick.
  • And it looks like lots of things taking a wee. Once the site is slashdotted, it'll be a veritable golden shower...

    Nice work though.
  • by Anonymous Coward on Sunday October 07, 2007 @09:20AM (#20887729)
    tell the engineer it can't be done
    • Re: (Score:3, Funny)

      by H310iSe (249662)
      Just want to give props, very nice you made my morning. Now to convert this to a heads up display for my helmet and I'm 1 step closer to becoming the motorcycle hacker I always dreamed I could be. And 1 step closer to earning a darwin award...

  • Visitorville (Score:4, Interesting)

    by Anonymous Coward on Sunday October 07, 2007 @09:25AM (#20887759)
    The most entertaining way I ever saw to view logs was Visitorville [visitorville.com]-its kind of like SimCity meets web logging.
  • Not "Fudgie", glTail (Score:5, Informative)

    by gumpish (682245) on Sunday October 07, 2007 @09:28AM (#20887779) Journal
    It's pretty obvious that fudgie.org is just the name of the site and glTail is the name of the program.
    • On the main page it says glTail, and when you click the link to read it with comments it says Fudgie, so actually, it seems both are there.
  • Wow ! (Score:5, Interesting)

    by cheros (223479) on Sunday October 07, 2007 @09:29AM (#20887789)
    Obligatory jokes about 'taking the piss' aside, that is brilliant. It's the ultimate 'machine that does ping' (to name an old sketch) to keep management amused, but also provides real data. I bet that screen will go ballistic when you get Slashdotted (also a good way to visualise DDoS, maybe?).

    I was about to say that it's a sort of etherape on steroids, but I've just realised your visualisation could benefit etherape instead (if you don't know etherape, look it up. No tools identifies a virus infection quicker).

    Class, I'm impressed.

    • Re: (Score:3, Insightful)

      by bughunter (10093)

      I bet that screen will go ballistic when you get Slashdotted

      Look closer. It already is ballistic.

    • Man, capitalize names. I got all sorts of things in my mind when I read about your EtheRape program...
  • by molo (94384) on Sunday October 07, 2007 @09:36AM (#20887831) Journal
    Notice in the movie that one of the sites being monitored is fudgie.org, which is what is linked to here. This looks like a ploy to visualize the slashdot effect. :) Wonder what that must look like. Might tax the renderer pretty hard. I guess that is one way to get load testing done!

    -molo
    • by Fudgie (594631) on Sunday October 07, 2007 @09:40AM (#20887863)
      Still running at 30 fps with ~25 requests / second.
      • by Fweeky (41046)
        I just ran it through 10,000 Apache requests. After a minute and a half or so it stopped spewing dots from most of the graphs other than the "Content" ones, which spewed for about 8 minutes. In all those logs (about 60 seconds of activity) took 6 minutes 22 seconds CPU time on a 1.66GHz Core Duo Mac Mini.

        Most of that time seems to have been spent drawing dots at maximum speed spewing out of the "Content" lines; maybe they need to increase speed in response to higher request rates so it's not waiting for t
        • Re: (Score:2, Informative)

          by Fudgie (594631)
          Not sure why it stopped for you, I've had it running throughout a slashdotting without any problems at all. Peaked at 3500 req/min and still spewed dots from all the correct places at 30 fps.
          • by Fweeky (41046)
            Well, each stream seems to have a maximum rate it can spew out dots; if you exceed that, they back up. If you can spew out 1,000 dots from each stream in a minute but you've got 10,000 to actually spew through it, it's going to take 10 minutes doing it.
            • Re: (Score:2, Informative)

              by Fudgie (594631)
              You're correct, and I will be adressing this in the next version. It's currently limited to 1000/FPS per second.
    • by Fudgie (594631) on Sunday October 07, 2007 @09:55AM (#20887965)
      http://www.fudgie.org/slashdotted.jpg [fudgie.org] for how that looks.
      • Serious prostrate problems at Fundie.org, it appears... I'm looking forward to plugging this in to sysstat for some over-utilized servers I manage....
      • by foobsr (693224)
        Great work (How I love that I may contribute a positive remark ;)

        CC.
      • http://chip.cuccio.us/gl_tail.png [cuccio.us]

        Perhaps the parser doesn't like my Apache logs?

        2437 frames in 5.000 seconds = 487.400 FPS
        Elements[0], Activities[0]
        2550 frames in 5.001 seconds = 509.898 FPS
        Elements[0], Activities[0]
        1182 frames in 5.002 seconds = 236.305 FPS
        Elements[0], Activities[0]
        987 frames in 5.001 seconds = 397.321 FPS
        Elements[0], Activities[0]
        2534 frames in 5.003 seconds = 506.496 FPS
        Elements[0], Activities[0]
        2506 frames in 5.000 seconds = 501.200 FPS
        Elements[0], Activities[0]
        2505 frames in 5.0

        • by chipster (661352)
          I figured it out.

          My apache config has the "HostNameLookup" feature enabled for the logs.

          The ruby script's apache log regex parser only allowed for IP's in the logs. I changed it from [\d.] to [a-z0-9.] (line 87).

          Bingo.

          PS: THis is a pretty neat script.
          • by Fudgie (594631)
            Ah. I turned that off in '00 and forgot all about it. Sorry. :-)
            • by chipster (661352)
              No worries! Ideally, hostname lookups introduce extra load and traffic anyway :) The a-z0-9 should capture IP's and hostnames.

              Nice work.
      • by eclectro (227083)
        Wow, it's like slashdot hurls chunks.
        • by o2sd (1002888)
          Wow, it's like slashdot hurls chunks.

          I say hurl. If slashdot blows chunks and fudgie comes back, shes yours. If it spews and fudgie runs, it was never meant to be.
      • Re: (Score:3, Interesting)

        by nacturation (646836)
        Very nice. One suggestion: rather than have each side's dots fall off at the bottom of the opposite side, how about matching up serving requests with the originating referral so that the dots go to the corresponding spot on the right? Also, if you're not familiar with Flight Patterns [ucla.edu] it's along the same lines. Borrowing from that, it'd be quite interesting to show a 2D map arranged in a hub and spoke model with the center being the site(s) and the spokes representing the top 10 (or 20... configurable) re
        • Re: (Score:2, Interesting)

          by Fudgie (594631)
          Interesting idea. Shouldn't be too hard to try something like that, I already have some code in there doing something similar meant for incoming emails, uploads and other data going into the servers/sites. Try adding :type => 5 to the URL activities for an example. -- Erlend
  • didn't someone once do a version of doom that displayed network activity?

    I recall seeing screenshots, but that was years ago.
  • by avirrey (972127) on Sunday October 07, 2007 @09:41AM (#20887873)
    You gotta add an 'Asteroids' ship on the screen that lets you shoot down connections!

    "Oh, look! Bob just logged on... let's get 'em!"

    ...

    "IT support. How can I help you?"

    "Hi, this is Bob..."

    --
    X's and O's for all my foes.
    • Re: (Score:2, Funny)

      by NFN_NLN (633283)
      We're finally catching up to movies now... you know the cheesy and disconnected from reality sequence where some hackers enters a system by navigating a 3D maze... and the firewall is a monster you have to literally kill. The movie Masterminds comes to mind.
    • by quanticle (843097)

      And maybe after that you can add a tool to allow you to kill "rabbits" with "flu shots" ;-)

  • Man this is cool. Very cool.
    • by Volatar (1099775)
      I highly agree, I am definatly going to check this out.
    • by symbolic (11752)
      Agreed. I saw something similar a few years ago, but this seems a bit more refined. I think there's actually a lot you can do when combining a graphics rendering engine with something like network activity. All it takes is a little creativity, a little time, and a boss who says it can't be done.
  • by udippel (562132) on Sunday October 07, 2007 @09:53AM (#20887961)
    Luckily, I saw the movie before the meltdown of the server. It always pays to be on time. ;)

    For those unlucky and late, actually, you missed a competition of peeing coloured snowflakes from the right versus doing the same from the left.
    Only, the sources on the left are much better at aiming.
    Plus, you have some 'Login ...' scrolling top to bottom; like the cast of a movie.

    Heads up, Fudgie, it is truely the most amazing display of log files ever creeping across my eyes.
    Keep the good work up, and please post again when you have something actually useful for the sysadmin.

    I declare you 'King of Log Candy' !
  • Ob quote (Score:4, Funny)

    by Provocateur (133110) on Sunday October 07, 2007 @09:53AM (#20887963) Homepage
    All I see now is blonde, brunette, redhead.
  • I'd enjoy a postfix version
    • Re: (Score:3, Interesting)

      by Fudgie (594631)
      Shouldn't be too hard. I'll cook one up this evening.
      • Any idea on how many servers it can connect to before performance issues come up?
        • by Fudgie (594631)
          At work I show about 30 logfiles, divided across 10 different servers running at 50+ FPS on an old Centrino laptop with a GeForce 5xxx mobile.
        • by MarkRose (820682)
          I have it monitoring Apache. At around 1000 requests per minute, I get about 10 fps on my 1750 MHz Duron. It's CPU bound, not GPU bound.
      • by JShadow21 (871404)
        Awesome, thank you sir
        • by Fudgie (594631)
          A basic Postfix parser cooked up and introduced in v0.02. Also includes a simple IIS parser. More refined parsing of postfix will come. :-)
  • GNU GPL (Score:2, Informative)

    by wikinerd (809585)

    #!/usr/bin/env ruby # gl_tail.rb v0.01 - OpenGL visualization of your server traffic # Copyright 2007 Erlend Simonsen # # Licensed under the GPLv2

    Hey, this is not the correct way to apply the GNU GPL licence. I don't know whether you had very little time available or just don't care, but the correct way is to explain exactly what licence (full title) the program is under and enable the user to find the licence (provide a copy of it and explain that the author of the licence is FSF, giving their address). We nerds of course understand completely what you mean, but other people may have no idea what you are talking about. To learn how to apply GPL

    • by makomk (752139)
      I wonder if the author has spent time doing Linux kernel development? Variants of that statement are quite common on files in it, for some reason.
  • by nurb432 (527695) on Sunday October 07, 2007 @10:45AM (#20888315) Homepage Journal
    its still NOT entertaining.. Its more bizzare then anything else.
    • by aftk2 (556992)
      I'm afraid I'd have to agree. The first thing I thought was: "Hmm..how about trying to make logfiles more readable/understandable instead?" I'm impressed by the technical acuity though.
      • by Fudgie (594631)
        It's both harder for me to track a scrolling display of text moving in erratic bursts, and processing the information in each line than it is to take a quick glance at a screen and see if there are many small dots or few large ones.
  • by allenw (33234) on Sunday October 07, 2007 @10:59AM (#20888431) Homepage Journal
    Why use ssh + tail -f when one can send the output to a centralized syslog server? There isn't any need to setup an account, keys, etc. when you can have the individual servers consolidate the data for you.
    • seconded (Score:4, Insightful)

      by Cheesey (70139) on Sunday October 07, 2007 @11:59AM (#20888873)
      Remote syslog also means that your servers are more secure: (a) because it is harder for crackers to falsify remote logs as they need to compromise two machines, not just one; and (b) because your visualisation program doesn't need access to SSH keys for all of the machines it monitors, so a compromise on the visualisation computer doesn't automatically mean that all of the servers can also be compromised. However, you could presumably adapt this tool to use syslog quite easily.
      • I'm sorry; I know your comment is old, but: no. No, no. No no no no no.

        syslog is insecure; messages are unauthenticated. Don't believe me? Use the logger(1) utility to forge a message from any daemon on your system, as an unprivileged user. Send a UDP packet to an open syslog daemon to forge a message to look as if it came from any daemon on the originating host. Forge that UDP packet as if it came from any system in the world; there's no two-way handshake to verify the path to the sender is legitim

    • by MarkRose (820682)
      You could, like me, be using a shared host where you have access to the server logs, but not to the server configuration files. This is a fantastic way to monitor performance remotely.
      • by allenw (33234)
        That is a very good point. I'm used to dealing with scales beyond a single node ;) where you have access to such things.

        In any case, I'm considering borrowing the idea and using it to 'watch' blocks on HDFS [apache.org]. I think it would be interesting to have a visual of blocks/files getting read/written/replicated. It might show patterns that we're otherwise not seeing.

  • by Mazin07 (999269) on Sunday October 07, 2007 @02:43PM (#20890169) Homepage
    If you want to run glTail on Windows:

    1. Use the One-click Ruby installer from rubyforge (not Cygwin ruby)
    2. Make sure to `gem install net-ssh`
    3. Change "require 'glut'" to "require 'glut_prev'" to enable legacy GLUT ruby bindings

    Took me a while to figure this out.
    • by 0racle (667029)
      Thank you.
    • by 0racle (667029)
      Actually, now it runs but I get nothing but a blank screen on both Windows and OS X.
      • by Fudgie (594631)
        Probably one of these:
        • The parser you've chosen is unable to parse the log due to a wrong logfile format
        • You've failed to enter the path to the logfile correctly
        • net-ssh is failing to let you know about some problem with logging in
        Enable session_options[:verbose] = :debug and see what that prints out.
  • fastfinge> I used to have a program that would play a musical note every time someone hit a port. so for each port it would have a different note
    fastfinge> i put it in the dmz
    fastfinge> much musical entertainment
    fastfinge> I should find the source for that thing again. i could change midi intruments depending on the type of packet.
    fastfinge> or maybe create length and timbre data from the source IP?
    2006-09-20
  • We did something similar like 10 years ago, hooking the log-file to the sound server where each port hat its individual sound and the frequency of connects directly related to the respective sound's volume.

    Was rather interesting as you actually could *hear* all those Windows trojans and worms trying to dig their way into your (Linux) system.
  • by Anonymous Coward
    They heard about your cool project and want to subject you to a series of tedious interviews, ultimately not offering you a job because you didn't go to stanford.
  • Not impressed (Score:1, Insightful)

    by Anonymous Coward

    A weekend

    It *really* shows that this was hacked together over a weekend. I've spent 15 minutes trying to get it to run, and all I see are Ruby warnings about about obsolete code, and failed dependencies. I've installed about a dozen packages to try to satisfy this beast's dependency hunger, but to no avail. Behold:

    $ ls /usr/lib/ruby/1.8/net/ssh
    connection lenient-host-key-verifier.rb service userauth
    errors.rb null-host-key-verifier.rb session.rb util
    host-key-verifier.rb proxy transp

    • Re: (Score:2, Informative)

      by Fudgie (594631)
      Try and install the gem version of net-ssh or change the require_gem to plain old require so you use the packaged net-ssh instead? I've got net/ssh in

      /usr/lib/ruby/gems/1.8/gems/net-ssh-1.0.10/lib/net/ssh
      and

      /var/lib/gems/1.8/gems/net-ssh-1.1.2/lib/net/ssh
      depending on which Ubuntu version I'm running.

      It's not hard, and quite a few have been able to get it running on Linux, OS X and Windows. FreeBSD is still a no-go.

  • Movie OS
  • Is available at the site.

If you're not careful, you're going to catch something.

Working...