Merge tag 'upstream/7.4.0+svn20130529rev144' Upstream version 7.4.0+svn20130529rev144 Willi Mann 10 years ago
8 changed file(s) with 292 addition(s) and 21 deletion(s). Raw diff Collapse all Expand all
0 ########################################################
1 # Define log file group for mod_security
2 ########################################################
3
4 # Where the log files are - you will need to match this to your configuration
5 # Note that a relative path like this will be expanded automatically to the
6 # standard log path (e.g. /var/log/... )
7 LogFile = modsecurity2/modsec_audit.log
8
9
10 # If the archives are searched, here is one or more line
11 # (optionally containing wildcards) that tell where they are...
12 # Note: if these are gzipped, you need to end with a .gz even if you use wildcards...
13 Archive = modsecurity2/modsec_audit.log.*
14
0 ###########################################################################
1 # $Id: dovecot.conf,v 1.3 2006/08/13 21:05:03 bjorn Exp $
2 ###########################################################################
3 # $Log: dovecot.conf,v $
4 # Revision 1.3 2006/08/13 21:05:03 bjorn
5 # Changed OnlyService to include dovecot for compatibility with Dovecot 1.0
6 # based on patches by Mark Nienberg; modification by Patrick Vande Walle.
7 #
8 # Revision 1.2 2005/12/07 04:31:44 bjorn
9 # Added $dovecot_ignore_host.
10 #
11 # Revision 1.1 2005/09/18 17:01:05 bjorn
12 # Dovecot filters written by Patrick Vande Walle.
13 #
14 ###########################################################################
15
160 # You can put comments anywhere you want to. They are effective for the
171 # rest of the line.
182
2913 LogFile = maillog
3014
3115 *OnlyService = (imap-login|pop3-login|dovecot)
16 *RemoveHeaders = "^\w{3} .\d \d\d:\d\d:\d\d (?:[^\s:]* )?"
3217
3318 # Override the default Detail level. This will only affect dovecot's report.
3419 #$dovecot_detail = 10
0 ###########################################################################
1 # Configuration file for http mod_security2
2 ###########################################################################
3
4 # You can put comments anywhere you want to. They are effective for the
5 # rest of the line.
6
7 # this is in the format of <name> = <value>. Whitespace at the beginning
8 # and end of the lines is removed. Whitespace before and after the = sign
9 # is removed. Everything is case *insensitive*.
10
11 # Yes = True = On = 1
12 # No = False = Off = 0
13
14 Title = "ModSecurity2 (mod_security2)"
15
16 # Which logfile group...
17 LogFile = audit_log
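Review bot: `LogFile = audit_log` on the last line binds this service to a log file group named audit_log, not to the mod_security group that the first file in this commit defines (`LogFile = modsecurity2/modsec_audit.log`). Unless that first file is installed under the basename audit_log, the mod_security2 script will be fed whatever audit_log resolves to — presumably the kernel audit daemon's log, for which logwatch already ships a group — and will report nothing. The group name should be the basename of the new logfiles conf; the filenames are not shown on this page, so confirm against the tree.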
00 .\" Process this file with
11 .\" groff -man -Tascii foo.1
22 .\"
3 .TH LOGWATCH 8 "October 2005" Linux "User Manuals"
3 .TH LOGWATCH 8 "May 2012" Linux "User Manuals"
44 .SH NAME
55 logwatch \- system log analyzer and reporter
66 .SH SYNOPSIS
2020 .I file-name
2121 .B ] [--logdir
2222 .I directory
23 .B ] [--hostlimit
24 .I hosts
2325 .B ] [--hostname
2426 .I hostname
27 .B ] [--html_wrap
28 .I number of characters
2529 .B ] [--hostformat
2630 .I host based options
2731 .B ] [--output
9397 Look in
9498 .I directory
9599 for log subdirectories or log files instead of the default directory.
100 .IP "\fB--hostlimit\fR host1,host2"
101 Limit report to hostname - host1, host2.
96102 .IP "\fB--hostname\fR hostname"
97103 Use
98104 .I hostname
100106 if HostLimit is set in the logwatch.conf configuration file (see
101107 \fBMORE INFORMATION\fR, below),
102108 then only logs from this hostname will be processed (where appropriate).
109 .IP "\fB--html_wrap\fR num-characters"
110 Number of characters that html output should be wrapped to. Default is 80.
103111 .IP "\fB--numeric\fR"
104112 Inhibits additional name lookups, displaying IP addresses numerically.
105113 .IP "\fB--usage\fR"
153161 .RE
154162 http://www.kaybee.org/~kirk
155163 .RE
156 ftp://ftp.kaybee.org/pub/redhat/RPMS
164 http://logwatch.sourceforge.net
3636 ) {
3737 # We don't care about these
3838 }
39 elsif ( ($Login) = ( $ThisLine =~ /login ([^ ]+)/) ) {
39 elsif ( ($Junk,$Login) = ( $ThisLine =~ /(login|Login by) ([^ ]+)$/) ) {
40 chomp($Login);
4041 $UserLogin{$Login}++;
42 }
43 elsif ( $ThisLine =~ /started/ ) {
44 $Starts++;
45 }
46 elsif ( $ThisLine =~ /shutting down/ ) {
47 $Stops++;
48 }
49 elsif ( ($Read,$Write) = ( $ThisLine =~ /statistics: (\d+\.\d+) KB read, (\d+\.\d+) KB/) ) {
50 $TotalRead+=$Read;
51 $TotalWritten+=$Write;
4152 }
4253 else {
4354 # Report any unmatched entries...
4556 }
4657 }
4758
48 if (keys %UserLogin) {
59 if (keys %UserLogin and $Detail) {
4960 print "\nUsers Logged In:\n";
5061 foreach $Line (keys %UserLogin) {
5162 print " $Line : $UserLogin{$Line} Time(s)\n";
5263 }
64 }
65
66 if ($Starts and $Detail) {
67 print "\nNumber of server startups: $Starts\n";
68 }
69
70 if ($Stops and $Detail) {
71 print "\nNumber of server shutdowns: $Stops\n";
72 }
73
74 if (($TotalRead or $TotalWritten) and $Detail >= 5) {
75 print "\nTransfer Statistics: $TotalRead KB read, $TotalWritten KB written\n";
5376 }
5477
5578 if (($#OtherList >= 0) and (not $IgnoreUnmatched)) {
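Review bot: The `(login|Login by)` group on the new line 39 captures into `$Junk` only to discard it; a non-capturing group keeps the list assignment to the single variable that is used: `elsif ( ($Login) = ( $ThisLine =~ /(?:login|Login by) ([^ ]+)$/) ) {`. The `chomp($Login)` on line 40 is still needed afterwards, because `[^ ]+` can swallow the trailing newline before `$` matches at end of string. The `Transfer Statistics` line sums the two `\d+\.\d+` captures as floats and prints the totals raw, so sums such as 0.1+0.2 can render with long binary-fraction tails; `sprintf("%.2f", $TotalRead)` and the same for `$TotalWritten` would keep the output tidy. The while loop enclosing this code starts above the hunk.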
121121 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): audit_enabled=[0-9]* old=[0-9]* auid=[0-9]* ses=[0-9]* subj=system_u:system_r:.*:s0 res=[0-9]*/) or
122122 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): auid=[0-9]* ses=[0-9]* subj=system_u:system_r:.*:s0 op=.* key=.* list=[0-9]* res=[0-9]*/) or
123123 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=0 uid=0 auid=[0-9]* ses=[0-9]* subj=system_u:system_r:.*:s0 .* res=success/) or
124 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=1 uid=0 auid=[0-9]* ses=[0-9]* subj=system_u:system_r:init_t:s0 .* res=success/) or
125 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]*$/) or
124126 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): cwd=".*"/) or
125127 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): user/) or
126128 ( $ThisLine =~ /audit_printk_skb: [0-9]* callbacks suppressed/) or
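Review bot: The two added patterns (new lines 124 and 125) are broad: the `type=[0-9]+` prefix admits any record type, and line 125's `pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]*$` drops every root-owned record whose fields end at `ses=`, regardless of type or of what the record reports. If these are meant to match specific known-benign record types (the commit does not say which), pin the type number or add a comment above the list naming the record each line suppresses, e.g. `# type=NNNN: <record description> — benign, ignored`, so a later reader can tell filtered noise from a hidden event. The `or` chain this hunk sits in begins and ends outside the hunk.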
134134 while (defined($ThisLine = <STDIN>)) {
135135 # remove timestamp. We can't use *RemoveHeaders because we need the
136136 # service name
137 $ThisLine =~ s/^\w{3} .\d \d\d:\d\d:\d\d (?:[^\s:]* |)//;
137 #$ThisLine =~ s/^\w{3} .\d \d\d:\d\d:\d\d (?:[^\s:]* |)//;
138138 if ( ($ThisLine =~ /(?:ssl-build-param|ssl-params): SSL parameters regeneration completed/) or
139139 ($ThisLine =~ /ssl-params: Generating SSL parameters/) or
140140 ($ThisLine =~ /auth-worker/) or
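Review bot: The comment on lines 135-136 (`# remove timestamp. We can't use *RemoveHeaders because we need the service name`) now describes a substitution that line 137 comments out, so it misleads: the script no longer strips anything itself. If the header is now removed before the line reaches this script — presumably by the `*OnlyService` filter, given that `*RemoveHeaders` was also dropped from dovecot.conf in this commit; confirm — delete the dead line and its comment, or replace the comment with `# Syslog timestamp/host prefix is already stripped upstream; the service name is kept` so the next maintainer does not reinstate the substitution. The while loop holding this code continues past the end of the hunk.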
0 #!/usr/bin/perl -w
1 ##########################################################################
2 # $Id: mod_security2, v 1.0.1 2013/01/11
3 ##########################################################################
4 #
5 # Revision 1.0.1 2013/01/11
6 # fixed problem with uninitialized values #6
7 #
8 ##########################################################################
9 # This script is written an maintained by:
10 # Torben Hansen <derhansen@gmail.com>
11 #
12 # To send comments, suggestions, bugreports, etc, please use:
13 # https://github.com/derhansen/logwatch-modsec2
14 ##########################################################################
15
16 ##########################################################################
17 # Copyright © 2013 Torben Hansen <derhansen@gmail.com>
18 #
19 # Permission is hereby granted, free of charge, to any person obtaining a
20 # copy of this software and associated documentation files (the
21 # “Software”), to deal in the Software without restriction, including
22 # without limitation the rights to use, copy, modify, merge, publish,
23 # distribute, sublicense, and/or sell copies of the Software, and to
24 # permit persons to whom the Software is furnished to do so, subject to
25 # the following conditions:
26 #
27 # The above copyright notice and this permission notice shall be included
28 # in all copies or substantial portions of the Software.
29 #
30 # THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
31 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANT-
32 # ABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
33 # EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
34 # DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
35 # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
36 # THE USE OR OTHER DEALINGS IN THE SOFTWARE.
37 #
38 ##########################################################################
39
40 use Logwatch ':dates';
41
42 # Disable warnings about unused variables
43 no warnings qw(once);
44
45 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
46 my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
47 my $SearchDate = TimeFilter('%d/%b/%Y:%H:%M:%S');
48 my $within_range = 0;
49
50 my %tmpEntry = ();
51 my $count = 0;
52
53 my %messages = ();
54 my %topips = ();
55 my %toprules = ();
56
57 my $check = 0;
58 my $option = '';
59
60 if ( $Debug >= 5 ) {
61 print STDERR "\n\nDEBUG MODE \n\n";
62 }
63
64 # Initialize array
65 $tmpEntry{$count}{"action"} = "";
66 $tmpEntry{$count}{"hostname"} = "";
67 $tmpEntry{$count}{"message"} = "";
68 $tmpEntry{$count}{"ruleid"} = "";
69
70 while (defined($ThisLine = <STDIN>)) {
71 chomp($ThisLine);
72
73 # Reset $check if line starts with two dashes
74 if ( $ThisLine =~ /-[A-Z]--/ ) {
75 $check = 0;
76 $option = "";
77 }
78
79 if ($check == 1) {
80 if ($option eq "audit-log-header") {
81 ($timestamp, $transactionID, $sourceIP, $sourcePort, $destIP, $destPort ) = ($ThisLine =~ /\[(.*?)\] (.*?) (.*?) (.*?) (.*?) (.*?)$/ );
82
83 $tmpEntry{$count}{"timestamp"} = $timestamp;
84 $tmpEntry{$count}{"sourceIp"} = $sourceIP;
85 $tmpEntry{$count}{"sourcePort"} = $sourcePort;
86 $tmpEntry{$count}{"destIp"} = $destIP;
87 $tmpEntry{$count}{"destPort"} = $destPort;
88
89 if ( $Debug >= 5 ) {
90 print STDERR "\n";
91 print STDERR "DATE: " . $timestamp . "\n";
92 print STDERR "FROM: ". $sourceIP . ":" . $sourcePort . "\n";
93 print STDERR "TO: ". $destIP . ":" . $destPort . "\n";
94 }
95 }
96
97 if ($option eq "request-header") {
98 if ( ($method, $requestUri) = ($ThisLine =~ /^(POST|GET) (.*?)$/) ) {
99 $tmpEntry{$count}{"method"} = $method;
100 $tmpEntry{$count}{"uri"} = $requestUri;
101
102 if ( $Debug >= 5 ) {
103 print STDERR "METHOD: " . $method . "\n";
104 print STDERR "URI: " . $requestUri . "\n";
105 }
106 }
107 elsif ( ($hostname) = ($ThisLine =~ /^Host: (.*?)$/) ) {
108 $tmpEntry{$count}{"hostname"} = $hostname;
109
110 if ( $Debug >= 5 ) {
111 print STDERR "HOST: " . $hostname . "\n";
112 }
113 }
114 }
115 if ($option eq "audit-log-trailer") {
116 if ( $ThisLine =~ /^Message:/ ) {
117 if ( ($ruleId) = ($ThisLine =~ /\[id \"(.*?)\"\]/) ) {
118 if ( $Debug >= 5 ) {
119 print STDERR "Rule ID: " . $ruleId. "\n";
120 }
121 }
122 if ( ($msg) = ($ThisLine =~ /\[msg \"(.*?)\"\]/) ) {
123 if ( $Debug >= 5 ) {
124 print STDERR "Message: " . $msg. "\n";
125 }
126 }
127 $tmpEntry{$count}{"ruleid"} = $ruleId;
128 $tmpEntry{$count}{"message"} = $msg;
129 }
130
131 if ( ($action) = ($ThisLine =~ /^Action: (.*?)$/) ) {
132 $tmpEntry{$count}{"action"} = $action;
133 if ( $Debug >= 5 ) {
134 print STDERR "Action: " . $action. "\n";
135 }
136 }
137 if ( ($engineMode) = ($ThisLine =~ /^Engine-Mode: (.*?)$/) ) {
138 $tmpEntry{$count}{"engine"} = $engineMode;
139 if ( $Debug >= 5 ) {
140 print STDERR "Engine mode: " . $engineMode. "\n";
141 }
142 }
143 }
144 }
145
146 if ( $ThisLine =~ /-A--/ ) {
147 $check = 1;
148 $option = "audit-log-header";
149 }
150 elsif ( $ThisLine =~ /-B--/ ) {
151 $check = 1;
152 $option = "request-header";
153 }
154 elsif ( $ThisLine =~ /-H--/ ) {
155 $check = 1;
156 $option = "audit-log-trailer";
157 }
158 elsif ( $ThisLine =~ /-Z--/ ) {
159 $check = 0;
160 $option = "";
161
162 # Create new summary entry if date matches searchdate
163 if ( $tmpEntry{$count}{"timestamp"} =~ /$SearchDate/ ) {
164 if ( $tmpEntry{$count}{"action"} ne "" && $tmpEntry{$count}{"hostname"} ne "" && $tmpEntry{$count}{"message"} ne "" && $tmpEntry{$count}{"ruleid"} ne "" ) {
165 $messages{$tmpEntry{$count}{"hostname"}}{"numAttacks"}++;
166 $messages{$tmpEntry{$count}{"hostname"}}{"attack"}{$tmpEntry{$count}{"sourceIp"}}{$tmpEntry{$count}{"ruleid"}} = $tmpEntry{$count}{"message"};
167 $messages{$tmpEntry{$count}{"hostname"}}{$tmpEntry{$count}{"sourceIp"}}{$tmpEntry{$count}{"ruleid"}}++;
168
169 $topips{$tmpEntry{$count}{"sourceIp"}}++;
170 $toprules{$tmpEntry{$count}{"ruleid"}}++;
171 }
172 }
173
174 # Increase counter
175 $count++;
176
177 # Reset values
178 $tmpEntry = ();
179 $tmpEntry{$count}{"action"} = "";
180 $tmpEntry{$count}{"hostname"} = "";
181 $tmpEntry{$count}{"message"} = "";
182 $tmpEntry{$count}{"ruleid"} = "";
183
184 if ( $Debug >= 5 ) {
185 print STDERR "---------------------------------------\n";
186 }
187 }
188 }
189
190 # Start summary
191 if (keys %messages) {
192 print "\nATTACKS BLOCKED ON VHOSTS:\n";
193 foreach my $vhost ( sort {$a cmp $b} keys %messages ) {
194 print "\n" . $vhost . " - " . $messages{$vhost}{"numAttacks"} . " time(s)\n";
195
196 foreach my $fromip (sort {$a cmp $b} keys %{$messages{$vhost}{"attack"}}) {
197 foreach my $ruleid (sort {$a cmp $b} keys %{$messages{$vhost}{"attack"}{$fromip}}) {
198 print " [ip: " . sprintf("%-15s", $fromip) . "] ";
199 print "[id: " . $ruleid . " ] [msg: " . $messages{$vhost}{"attack"}{$fromip}{$ruleid} . "] ";
200 print " - " . $messages{$vhost}{$fromip}{$ruleid} . " time(s)\n";
201 }
202 }
203
204 }
205 }
206
207 # Top 10 blocked IPs
208 if (keys %topips) {
209 print "\nTOP 10 BLOCKED IPS:\n";
210 my $cnt = 0;
211 foreach my $ip ( sort {$topips{$b} <=> $topips{$a}} keys %topips ) {
212 print "\n " . sprintf("%2s", ($cnt + 1)) . ". " . $ip . " - " . $topips{$ip} . " time(s)";
213 $cnt++;
214 if($cnt == 10) { last(); }
215 }
216 print "\n";
217 }
218
219 exit(0)
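Review bot: `$tmpEntry = ();` on line 178 assigns the empty list to a scalar `$tmpEntry`, a different variable from the `%tmpEntry` hash declared on line 50, so the hash is never cleared and every parsed transaction stays in memory for the life of the run; the line should read `%tmpEntry = ();` (the four lines after it then re-initialise the new slot as intended). The file runs with `-w` but no `use strict`, which is why this slip compiles: `$ThisLine`, `$timestamp`, `$ruleId`, `$msg` and the other capture targets are unlocked package globals, and because `$ruleId` and `$msg` are never reset, a `Message:` line lacking an `[id ...]` or `[msg ...]` tag inherits the previous transaction's values on lines 127-128. Adding `use strict;` with `my` declarations and a `my ($ruleId, $msg);` at the top of the `Message:` branch closes both problems. Note also that the vhost key comes from the request's `Host:` header (line 107) and is printed verbatim on line 194, so any control character in a request reaches the mailed report unchanged; stripping non-printables before storing it, e.g. `$hostname =~ tr/\x00-\x1f\x7f//d;`, keeps the output clean.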