krb5kdc log analysis tool/script

Russ Allbery rra at stanford.edu
Fri Jan 7 16:35:27 EST 2011


Kevin Longfellow <klongfel at yahoo.com> writes:

> We are using MIT Kerberos 1.7.1 on a linux server and have a lot of kdc
> log entries (100k+ in a 9 hour span) in the kdc logfile krb5kdc.log.  I
> figured it can't hurt to ask but does anyone have or know of a
> tool/script to parse the log and summarize the activity?

git clone git://git.eyrie.org/system/metrics.git will give you the stuff
that we use.  This is not even remotely a distributed or polished bit of
software; it's a box full of loose pieces that you have to assemble
yourself.  But it may be helpful as pointers in the right direction.

This software was originally written for MIT Kerberos but we now use
Heimdal, so recent changes haven't been tested with MIT Kerberos.  I think
it should still work, but some tweaks may be required.

A sample monthly report:

Kerberos authentications from 2010-12-01 to 2010-12-31 

Initial authentications: 138,017,218
        Service tickets:  29,423,229
   Total tickets issued: 167,440,447

   Unique users in 2010-12: 45,237
Unique services in 2010-12:  2,302
 Unique servers in 2010-12:  1,247

where a user is a human user, a service is an initial authentication for a
non-human principal, and a server is something to which a Kerberos
principal authenticated (a service ticket request).

Breakdown of initial authentications:

Type            Count  Percent
--------  -----------  -------
Users     110,497,742    80.1%
CGI        14,910,569    10.8%
Services   12,608,907     9.1%
--------  -----------  -------
TOTAL:    138,017,218         

Breakdown of service tickets:

Type           Count  Percent
--------  ----------  -------
Users      7,849,867    26.7%
CGI       14,919,865    50.7%
Services   6,653,497    22.6%
--------  ----------  -------
TOTAL:    29,423,229         

Top five service tickets:

Service Principal                               Count
-----------------------------------------  ----------
afs/ir.stanford.edu at stanford.edu        15,656,734
ldap/ldap-lb.stanford.edu at stanford.edu   5,371,003
krbtgt/stanford.edu at stanford.edu         3,771,356
service/webkdc at stanford.edu              1,500,145
host/pobox00.stanford.edu at stanford.edu     577,766

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
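
An added example, not part of the original message and not code from the metrics repository: a minimal Python summarizer for MIT-style krb5kdc.log request lines that produces the same kinds of counts as the sample report, plus a tally of refused requests by status and client address. The log lines are constructed, the line layout in the regex is an assumed MIT format that may need tweaks for other versions or for Heimdal, and the rules that users and services are counted from initial authentications and that any principal with an instance ("/") is non-human are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the MIT krb5kdc.log style; not real log data.
SAMPLE_LOG = """\
Jan 07 09:00:01 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Jan 07 09:00:01 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1294390801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 07 09:00:02 kdc1 krb5kdc[812](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1294390801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for afs/example.org@EXAMPLE.ORG
Jan 07 09:00:05 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1294390805, etypes {rep=18 tkt=18 ses=18}, host/web1.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 07 09:00:06 kdc1 krb5kdc[812](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1294390805, etypes {rep=18 tkt=18 ses=18}, host/web1.example.org@EXAMPLE.ORG for ldap/ldap1.example.org@EXAMPLE.ORG
Jan 07 09:00:07 kdc1 krb5kdc[812](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1294390700, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.ORG for afs/example.org@EXAMPLE.ORG
Jan 07 09:00:09 kdc1 krb5kdc[812](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: CLIENT_NOT_FOUND: mallory@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database
Jan 07 09:00:10 kdc1 krb5kdc[812](info): closing down fd 12
"""

# Assumed layout: REQ (etypes) addr: STATUS: [authtime N, etypes {..}, ]client for server
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, +etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)")

def summarize(lines):
    """Count issued tickets as the sample report does; tally refusals by status."""
    s = {"initial": 0, "service": 0, "users": set(), "services": set(),
         "servers": Counter(), "refused": Counter(), "skipped": 0}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            s["skipped"] += 1  # non-request chatter or an unrecognized layout
        elif m["status"] != "ISSUE":
            s["refused"][m["status"], m["addr"]] += 1  # keyed by (status, client address)
        elif m["req"] == "AS_REQ":
            s["initial"] += 1
            # Assumption: an instance part ("/") marks a non-human principal.
            kind = "services" if "/" in m["client"].split("@")[0] else "users"
            s[kind].add(m["client"])
        else:
            s["service"] += 1
            s["servers"][m["server"]] += 1
    return s

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG.splitlines())
    print(f"Initial authentications: {r['initial']:,}\nService tickets: {r['service']:,}")
    print("Unique users:", len(r["users"]), "Unique services:", len(r["services"]))
    print("Top servers:", r["servers"].most_common(5), "Refused:", dict(r["refused"]))
```

A rising `skipped` count on a real log is the signal that the assumed line layout does not match the KDC version in use.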


