Lead Image © bowie15, 123RF

Real-time log inspection

Inspector General

Article from ADMIN 61/2021

By Chris Binnie

Teler is an intrusion detection and threat alert command-line tool that analyzes logs and identifies suspicious activity in real time.

A perennial problem for any system operator is sifting through mountains of logfiles that contain entries of importance. However, when you're presented with half a million lines in a single logfile full of differing content, you have little hope of spotting attack data that may be of concern or, in fact, partially or completely successful.

Numerous tools can help you sort the wheat from the chaff in logfiles, such as the daily reporting provided by the excellent Logwatch [1]. Although these tools are ideal for a small number of entries, few offer analysis in real time with the sophistication of Teler, a "real-time HTTP intrusion detection" tool [2].

Judging by the age of the commits on its GitHub page, it's a relatively new project, but I found its uncomplicated ingenuity exceptionally intriguing. If you visit the GitHub page, you can see multiple command-line screen recordings of Teler in action to whet your appetite. In this article, I look at installation options and use cases for the excellent Teler.

On Your Marks

To begin, I look at how you can install Teler by a very simple route with a precompiled binary; then, I'll look at running it across some web server logs that I have to hand.

The prebuilt binary route can be installed in one of two ways:

by visiting the release page on GitHub [3] and choosing the correct binary for your system, or
with the use of a handy installation script that pulls down the binary and then saves it to your user path (in this case, /usr/local/bin).

If you choose the second method, for prudence, you should download the script first with curl (to scrutinize the script for malicious intent, omit the section after

...

Use Express-Checkout link below to read the full article (PDF).