PHPLog - Log Monitoring The Way It Should Be


Quick Info

PHPLog is a flexible log monitoring solution written in PHP and released under GPL.


February 27th, 2013
PHPLog now on github.
February 27th, 2013
Released version 0.4.6 beta which is a historical update of v0.4 – i.e. no new features, just removed the necessity for short tags in PHP: PHPLog 0.4.6
May 31st, 2008
Released version 0.4.5 alpha which is a historical update of v0.4 – i.e. no new features, just updated the libraries for more modern Linux incarnations: PHPLog 0.4.5
January 23rd, 2003
Released version 0.4 alpha with groups, service startup support and plain text mode for the console monitor: PHPLog 0.4
December 19th, 2002
Released another alpha version with bug fixes, global defaults, plugin support and the mail and exec reactions implemented: PHPLog 0.3
December 17th, 2002
Released the first usable alpha version with the console monitor: PHPLog 0.2
December 11th, 2002
Released the first pre-alpha version: PHPLog 0.1


Project Status
development | alpha

This project is actually in beta stage with the parts which are implemented. Which means that it has been tested as thoroughly as possible by one user on one computer, and it has been proven to get better results than other packages. The official status is alpha because not all functionality is in place.

The bottom line is I need feedback! Please check out the contact e-mail at the bottom of this page, and do take a couple of minutes to let me know if it works, what doesn't, if you get warnings, what features you would like to see implemented etc.

Completed Phases
  • Reactions (mail and exec); plugin support (Dec 2002)
  • Console Monitor (Dec 2002)
  • Configuration parser (Nov 2002)
  • Log file parser (Nov 2002)
To Do
Action monitor
A monitor for the rest of the actions - log and beep
The documentation for this project - both for users and for developers
GTK monitor
A monitor to show the entries tagged "echo" in graphical mode
Light DoS monitor
The parser itself can use a global/local (per file) configuration directive to limit the speed of log file growth and generate log entries or perform actions in case it's exceeded
Web interface
This is the last foreseeable phase of this project: a web interface for reporting and easy configuration, including a basic regexp wizard for newbies.
All "other" functionality, such as connecting to remote machines to deliver log entries will be handled by "plugins". The plugins will be in effect other monitors.


PHPLog is intended to become a lightweight log monitoring solution for home users, as well as a candidate for being distributed on larger networks and report to a central console.

PHPLog is not intended to become a full-blown IDS - it's only a log monitor, and it's up to you to interpret the data, log it, escalate problems etc. If you're a larger organization and need a real IDS, here's an interesting commercial application, developed by one of our partners: Event Horizon.

Major Features

PHPLog is inspired by many of the other available log monitoring tools for Linux, but it draws mostly from wots (which in turn is inspired by swatch). The final functionality intended is exactly the one in wots, but with added flexibility. Here's a list of PHPLog's most important features:

As absurd as this may sound, it's relatively difficult to ensure all matching log entries are always going to be retrieved and acted upon. Many available log monitoring packages miss some entries from time to time. PHPLog's parser uses a proprietary file monitoring method to ensure no entries are missed. Along with the modular structure described below, this means you'll never miss any interesting log entry.
Modular structure
PHPLog's parser stores matching entries in temporary files. The temporary files are in turn read by the actual monitor which renders them or performs the associated actions. This has several major advantages, and only few minor disadvantages.

The main advantage is that you can start the parser at startup, and review the juicy entries at any future time. Another advantage is flexibility: once you have the interesting entries somewhere, you can write your own plugins to check for data in there and perform specific actions. Yet another advantage is speed: the file parser doesn't have to take care of displaying the data or performing any actions - it only parses the logs, so its cyles take very short to complete. The monitors in turn are somewhat "off-line", so they may take arbitrary amounts of time to process the data resulted from parsing.

The only disadvantage is that you might theoretically have twice the delay between the event occurence and the actual action taking place. But that's the high limit - statistically you probably end up with some 150% delay, and even in the worst case we're talking four seconds instead of two (with the default settings.)

Removes duplicates
If you've used multiple file log monitors before, you know how frustrating it is to receive duplicate entries from multiple logs. PHPLog takes care of this for you, if you allow it (by default it does).

The way it does it is by ignoring NOT matching log entries which would fall in the "default" category until it finishes all log files, and storing them in a temporary stack. If an identical entry in some other log file is found, and it matches a non-default action, it removes the respective item from the stack. If no other non-default is found by the end of parsing, it falls back to the first place it encountered it in, and uses that default to perform the associated reactions.

This has the unwanted side effect of sometimes switching entries because the entries falling in the default category are acted upon after all the non-default ones. Will be fixed, but it's a minor inconvenient - please note this happens per-cycle, which is typically two seconds, so it doesn't happen very often and time discrepancies can be of two seconds at most.

Multiple reactions per match
PHPLog supports multiple reactions per each line matched - you can for instance both echo a line with a specific style and email it.
Written in PHP
This is a subjective feature - if you know PHP, you can easily tweak PHPLog to perform whatever customized functionality you wish. The PHP community is growing and there's a clear trend towards console PHP scripts within the PHP community, so I'm sure there are going to be quite a few PHP developers out there happy to be able to tweak their log monitor in their programming language of choice.


I started working on a PHPLog tutorial, but it only contains very basic instructions for now. Please check back in a few days for a more complete tutorial. This message has been added on January 19th, 2003.


Please see our download section for the most current version of PHPLog.


Please drop me a note with feedback if you have a little time to. I'd like to hear what you like/love about this package, but even more so I'd love to hear what you dislike/hate about it, what didn't work, as well as what you would like to see. If you want to tell me it's useless, no, that I wouldn't like - but any kind of constructive criticism is welcome.

Thank you!

bogdan-at-moongate-dot-ro (Bogdan Stancescu)

A product by Moongate

Valid HTML 4.01! Valid CSS!
This page was last edited Wed, 27 Feb 2013 15:33:00 +0100; local time is now Mon, 13 Jul 2020 09:02:56 +0200