Snowlog is a webserver access log browser/analyzer. It does not generate
static reports, but lets you browse through the requests in real time.
Filters that accept regular expressions can be applied.
You can apply a filter to the current list of requests by pressing f.
Snowlog will present you a list of all filters it knows. Press the key next
to the filter you want, to apply it. To get an unfiltered list again, just
hit enter here.
The filters are read from the global file in /usr/local/share/snowlog/filters.
You can put any site wide filters into this file. To add your own filters,
put them into ~/.snowlog/filters.
The format of this file is described in the following:
type =match this
type !do not match this
Fields must be separated by a single tab character!
The name in brackets starts a new filter section. This is also the name of the
filter snowlog will show. The following filter types are currently defined:
  httpstatus      server status reply (no regexps!)
  content_length  size of the transferred resource (no regexps!)
  request         the resource requested
  mime_type       MIME type of the transferred resource
  referer         referer of this request
  useragent       useragent string
  vhost           virtual host for this request
  authname        logged user for this request
  loghint         loghint supplied by the server (see installation README)
In front of the string to match you must place an operator that tells snowlog
whether the string has to match or must not match. Of course you can also
just use a regular expression to implement this logic.
= matches/is equal
! does not match/is not
> is greater than (only works for integers)
< is less than (only works for integers)
A filter that shows all requests of MP3 files on a virtual host foo.example.org
that are at least 2MB in size, contain the string "scene" and were successfully
delivered by the server would look like this:
[My legal MP3z]
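The filter described above, written out and evaluated in Python as an added example (not Snowlog's own code and not the README's original filter lines). It assumes content_length is counted in bytes and that all rules of a section must hold; the record keys, sample requests and function names are constructed for illustration.

```python
import re

INT_FIELDS = {"httpstatus", "content_length"}  # README: "no regexps!" for these

# Constructed filter file built from the description above; fields are tab-separated.
FILTERS = (
    "[My legal MP3z]\n"
    "vhost\t=^foo\\.example\\.org$\n"  # escaped dots: a bare '.' matches any character
    "mime_type\t=^audio/mpeg$\n"
    "content_length\t>2097151\n"       # assumption: size in bytes; only > and < exist
    "request\t=scene\n"
    "httpstatus\t=200\n"
)
# Constructed request records; the dict keys mirror the README's filter types.
BASE = {"vhost": "foo.example.org", "mime_type": "audio/mpeg", "httpstatus": 200,
        "content_length": 3145728, "request": "/mp3/scene-live.mp3"}
REQUESTS = [BASE, {**BASE, "content_length": 1048576},
            {**BASE, "vhost": "fooXexample.org"}, {**BASE, "httpstatus": 404}]

def parse_filters(text):
    """Return {section name: [(field, operator, value), ...]}."""
    filters, rules = {}, None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("[") and line.rstrip().endswith("]"):
            rules = filters.setdefault(line.strip()[1:-1], [])
            continue
        parts = line.split("\t")
        if rules is None or len(parts) != 2 or parts[1][:1] not in ("=", "!", ">", "<"):
            raise ValueError(f"line {no}: expected 'type<TAB>operator+value'")
        field, op, value = parts[0], parts[1][0], parts[1][1:]
        numeric = op in "<>" or field in INT_FIELDS  # integer comparison, not regexp
        rules.append((field, op, int(value) if numeric else re.compile(value)))
    return filters

def matches(rules, request):
    """True when the request satisfies every rule (a section's rules are ANDed)."""
    def ok(field, op, value):
        actual = request.get(field, "")
        if isinstance(value, int):
            n = int(actual or 0)
            return {"=": n == value, "!": n != value, ">": n > value, "<": n < value}[op]
        return (value.search(str(actual)) is not None) == (op == "=")
    return all(ok(*rule) for rule in rules)

def select(text, name, requests):
    rules = parse_filters(text)[name]
    return [r for r in requests if matches(rules, r)]
```

Of the four constructed requests only the first passes; the others fail on size, on the escaped-dot vhost pattern and on the status code. A line that uses a space instead of a tab is rejected by the parser.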
User agent and search engine strings
Snowlog tries its best to make user agent strings and search engine queries
look decent. It uses a collection of regular expressions to convert strings
(Linux; de_DE.UTF-8@euro; http://kiza.kcore.de/software/snownews/)" into
"Snownews/1.5.2 (Linux)". It also tries to parse search engine referers and
extract the query, so you can see much more easily what the person looked
for. It will look like "Google: cool access log analyzer" in the program.
Snowlog already knows a lot of search engine and user agent strings. You can
find the global definitions in the files useragents.regexp and
referers.regexp in the directory /usr/local/share/snowlog. If you want to add your
own regular expressions, put them into ~/.snowlog/useragents.regexp and
~/.snowlog/referers.regexp respectively. Do not edit the global definitions
as they get overwritten when you install a new version of snowlog.
If you have a log with so much referer spam that it becomes tedious to browse the requests, you can filter out these requests easily. If you select a host, you can press s to tell Snowlog it is spam. Snowlog will then remove all requests from this IP and all requests that have the same base URL referer.
You have a request
If you select this request and hit s, Snowlog will remove all requests from 18.104.22.168 and all referers that contain free-stuff.com from the display.
Please note that spam filters will only be applied in filtered lists and never in the unfiltered view of all requests. If you select a single request and not a host and hit the despam key (s), only the referer and not the IP will be added to the blacklist.
These filters will not be remembered over a restart. Lists of IPs will get very long and referers will change daily, so it just doesn't make sense. For permanent spam filtering use the normal filters of Snowlog.
Press h to get an overview of all keys that are bound to a function. You
can open the referer in your web browser by pressing o. Unlike all web
based log analyzers this will not send any referer back to the page. You
can open the resource that was requested on your server with O. The
browser that will be used can be customized by editing ~/.snowlog/browswer.
The default that will be used is lynx. See
http://snownews.kcore.de/faq#toc2 for more details on how to set up the