diff --git a/LICENSE b/LICENSE index 4bf954c..6a8ba94 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2011 Kirk Bauer +Copyright (c) 2002-2018 Kirk Bauer Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in diff --git a/conf/logfiles/autorpm.conf b/conf/logfiles/autorpm.conf index 5834581..31e0c80 100644 --- a/conf/logfiles/autorpm.conf +++ b/conf/logfiles/autorpm.conf @@ -11,6 +11,6 @@ ######################################################## # What actual file? Defaults to LogPath if not absolute path.... -LogFile = /var/spool/autorpm/install.log +LogFile = ../spool/autorpm/install.log # vi: shiftwidth=3 tabstop=3 et diff --git a/conf/logfiles/bfd.conf b/conf/logfiles/bfd.conf index 017a2f0..38fb80b 100644 --- a/conf/logfiles/bfd.conf +++ b/conf/logfiles/bfd.conf @@ -8,8 +8,8 @@ ########################################################################## # Which logfile group... -LogFile = /var/log/bfd_log -Archive = /var/log/bfd_log.* -Archive = /var/log/bfd_log-* +LogFile = bfd_log +Archive = bfd_log.* +Archive = bfd_log-* diff --git a/conf/logfiles/cron.conf b/conf/logfiles/cron.conf index 1edddf8..de1b809 100644 --- a/conf/logfiles/cron.conf +++ b/conf/logfiles/cron.conf @@ -12,7 +12,7 @@ # What actual file? Defaults to LogPath if not absolute path.... #Solaris is /var/cron/log -mgt -LogFile = /var/cron/log +LogFile = ../cron/log LogFile = cron # If the archives are searched, here is one or more line diff --git a/conf/logfiles/mysql.conf b/conf/logfiles/mysql.conf index 6c9d7eb..6e92f41 100644 --- a/conf/logfiles/mysql.conf +++ b/conf/logfiles/mysql.conf 
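Review bot: `LogFile = ../spool/autorpm/install.log` relies on the rule stated two lines above it — a non-absolute value is resolved against LogPath — so the `..` now assumes LogPath points at the directory that holds `spool`'s sibling (presumably /var/log) and silently resolves somewhere else if a site overrides LogPath in its logwatch.conf. The same applies to the relative `bfd_log`, `../cron/log` and `mysql/mysqld.err` values in the bfd, cron and mysql hunks of this commit. If the intent is to follow a relocated log directory, a comment above each changed line such as `# relative to LogPath; the old absolute path assumed /var/log` makes the dependency explicit.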
@@ -5,11 +5,11 @@ ######################################################## # What actual file? Defaults to LogPath if not absolute path.... -LogFile = /var/log/mysql/mysqld.err.1 -LogFile = /var/log/mysql/mysqld.err +LogFile = mysql/mysqld.err.1 +LogFile = mysql/mysqld.err -Archive = /var/log/mysql/mysqld.err.*.gz -Archive = /var/log/mysql/mysqld.err-*.gz +Archive = mysql/mysqld.err.*.gz +Archive = mysql/mysqld.err-*.gz # Expand the repeats (actually just removes them now) *ExpandRepeats diff --git a/conf/services/mdadm.conf b/conf/services/mdadm.conf index a0e688e..1cc87aa 100644 --- a/conf/services/mdadm.conf +++ b/conf/services/mdadm.conf @@ -13,7 +13,12 @@ # Logwatch will try to find md devices in /etc/mdadm.conf or # /etc/mdadm/mdadm.conf. If none of these files exist it can scan actively # for md devices. Set to 'Yes' to enable active scanning: -$MDADM_ENABLE_SCAN = No +$mdadm_enable_scan = No + +# Logwatch will emit an error for md devices listed in /etc/mdadm.conf +# that are not present. If you do not want this (e.g. raid devices may come +# and go) then uncomment this +# $mdadm_ignore_missing = Yes # Which logfile group... LogFile = NONE diff --git a/conf/services/sssd.conf b/conf/services/sssd.conf index 9b6332f..65097b8 100644 --- a/conf/services/sssd.conf +++ b/conf/services/sssd.conf @@ -16,4 +16,10 @@ # OnlyService doesn't work with sssd services *RemoveHeaders = "^... .. ..:..:.. [^ ]* " +# To completey ignore backend status messages, enable this +ignore_backed_status = No + +# To ignore "Enumeration requested but not enabled" messages +ignore_enumeration_requested = No + # vi: shiftwidth=3 tabstop=3 et diff --git a/conf/services/zz-fortune.conf b/conf/services/zz-fortune.conf deleted file mode 100644 index b14b668..0000000 --- a/conf/services/zz-fortune.conf +++ /dev/null 
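Review bot: The two new keys `ignore_backed_status` and `ignore_enumeration_requested` are written without the leading `$` that the mdadm.conf hunk in this same commit uses for script variables (`$mdadm_enable_scan`, `$mdadm_ignore_missing`); if only `$name = value` entries are exported into the filter's environment, these settings never reach the sssd script, so confirm the form against how that script reads them (its code is not in this diff). Independently, `backed` in `ignore_backed_status` looks like a typo for `backend`, but renaming it requires the script's lookup to change in step, and `completey` in the comment should read `completely`.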
@@ -1,30 +0,0 @@ -########################################################################### -# $Id$ -########################################################################### - -# This just displays a fortune at the end of the report... - -# You can put comments anywhere you want to. They are effective for the -# rest of the line. - -# this is in the format of = . Whitespace at the beginning -# and end of the lines is removed. Whitespace before and after the = sign -# is removed. Everything is case *insensitive*. - -# Yes = True = On = 1 -# No = False = Off = 0 - -Title = "Fortune" - -# Which logfile group... -LogFile = NONE - -######################################################## -# This was written and is maintained by: -# Kirk Bauer -# -# Please send all comments, suggestions, bug reports, -# etc, to kirk@kaybee.org. -######################################################## - -# vi: shiftwidth=3 tabstop=3 et diff --git a/install_logwatch.sh b/install_logwatch.sh index 579c242..983a4af 100644 --- a/install_logwatch.sh +++ b/install_logwatch.sh @@ -275,8 +275,8 @@ if [ -d $MANDIR/man5 ] && [ -d $MANDIR/man8 ] && [ -d $MANDIR/man1 ] && [ $HAVE_MAKEWHATIS ]; then install -m 0644 logwatch.8 $MANDIR/man8 install -m 0644 logwatch.conf.5 $MANDIR/man5 - install -m 0644 override.conf.5 $MANDIR/man5 - install -m 0644 ignore.conf.5 $MANDIR/man5 + ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5 + ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5 install -m 0644 postfix-logwatch.1 $MANDIR/man1 install -m 0644 amavis-logwatch.1 $MANDIR/man1 #OpenBSD no -s 
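Review bot: The new symlinks embed an absolute install-time target, `ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5`, so the link breaks if the tree is staged into a package root or relocated; a relative target within the same directory, `ln -sf logwatch.conf.5 $MANDIR/man5/ignore.conf.5`, keeps working in both cases. The same pattern is repeated in the `@@ -298` and `@@ -314` hunks of this file. `$MANDIR` is also unquoted on every new line, which the surrounding `install` lines share, so that is pre-existing rather than introduced here. The enclosing `if` chain starts on the first line of the hunk and its `fi` lies outside it.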
@@ -298,12 +298,12 @@ fi else if [ $OS = "SunOS" ]; then - #Go for the safe install rather then editing man.cf + #Go for the safe install rather than editing man.cf mkdir -p $MANDIR/man1m > /dev/null 2>&1 install -m 0644 logwatch.8 $MANDIR/man1m install -m 0644 logwatch.conf.5 $MANDIR/man1m - install -m 0644 override.conf.5 $MANDIR/man1m - install -m 0644 ignore.conf.5 $MANDIR/man1m + ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/ignore.conf.5 + ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/override.conf.5 install -m 0644 postfix-logwatch.1 $MANDIR/man1 install -m 0644 amavis-logwatch.1 $MANDIR/man1 catman -w -M $MANDIR/man1m @@ -314,8 +314,8 @@ install -m 0755 -d $MANDIR/man5 install -m 0644 logwatch.conf.5 $MANDIR/man5 - install -m 0644 override.conf.5 $MANDIR/man5 - install -m 0644 ignore.conf.5 $MANDIR/man5 + ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5 + ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5 install -m 0755 -d $MANDIR/man8 install -m 0644 logwatch.8 $MANDIR/man8 @@ -336,7 +336,7 @@ if [ ! -e /lib/systemd/system/multi-user.target.wants ]; then install -m 0755 -d /lib/systemd/system/multi-user.target.wants fi - ln -s ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer + ln -sf ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer printf "Created and enabled systemd logwatch.timer" elif [ -d /etc/cron.daily ]; then rm -f /etc/cron.daily/0logwatch diff --git a/logwatch.conf.5 b/logwatch.conf.5 index 68dd949..24f534d 100644 --- a/logwatch.conf.5 +++ b/logwatch.conf.5 @@ -29,8 +29,8 @@ .SH FILES .I /etc/logwatch/conf/logwatch.conf -.I /etc/logwatch/conf/logwatch.conf -.I /etc/logwatch/conf/logwatch.conf +.I /etc/logwatch/conf/ignore.conf +.I /etc/logwatch/conf/override.conf .I /usr/share/logwatch/default.conf/logwatch.conf .SH "SEE ALSO" diff --git a/scheduler/logwatch.cron b/scheduler/logwatch.cron index 9a9b529..4613b45 100644 --- a/scheduler/logwatch.cron 
+++ b/scheduler/logwatch.cron @@ -1,10 +1,13 @@ #!/bin/sh -#Set logwatch location +#Set logwatch executable location LOGWATCH_SCRIPT="/usr/sbin/logwatch" -#Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf, -#but some are only for the nightly cronrun such as --output mail and should be set here. -#Other options to consider might be "--format html" or "--encode base64", man logwatch for more details. + +# Add options to the OPTIONS variable. Most options should be defined in +# the file /etc/logwatch/conf/logwatch.conf, but some are only for the +# nightly cron run such as "--output mail" and should be set here. +# Other options to consider might be "--format html" or "--encode base64". +# See 'man logwatch' for more details. OPTIONS="--output mail" #Call logwatch diff --git a/scripts/logfiles/samba/applydate b/scripts/logfiles/samba/applydate index 63aeb0a..d5be863 100755 --- a/scripts/logfiles/samba/applydate +++ b/scripts/logfiles/samba/applydate @@ -46,6 +46,7 @@ mainloop: while ($ThisLine) { if ($ThisLine =~ m/^$SearchDate /o) { print $ThisLine; + $ThisLine = ; } elsif ($ThisLine =~ m/^\[$SearchDate2/o) { chomp($ThisLine); diff --git a/scripts/services/audit b/scripts/services/audit index c1b65f5..dcdc98e 100644 --- a/scripts/services/audit +++ b/scripts/services/audit 
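Review bot: As rendered, the added line reads `$ThisLine = ;`, which is not valid Perl; the right-hand side was presumably a filehandle read (`<...>`) that this page dropped, so confirm the committed line. If it reads the same handle the rest of the loop consumes, the assignment is what stops the matched-date branch from re-printing the same line forever, because the `while ($ThisLine)` condition itself does not read, and that deserves a short comment, e.g. `# advance; the loop condition does not read the next line`. The `mainloop:` body continues outside the hunk.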
@@ -129,6 +129,9 @@ ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]* subj=.*res=success/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 old auid=[0-9]* new auid=[0-9]+ old ses=[0-9]* new ses=[0-9]+ res=1$/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 subj=.* old-auid=[0-9]* auid=[0-9]+ old-ses=[0-9]* ses=[0-9]+ res=1$/) or + # This will generate a journal entry for the service failure, success, or start/stop + ( $ThisLine =~ /type=113[01] audit\([0-9.]*:[0-9]*\): pid=1 uid=0 auid=[0-9]+ ses=[0-9]+ (?:subj=system_u:system_r:init_t:s0 )?msg='unit.* comm="systemd" .* res=.*'$/) or + ( $ThisLine =~ /SERVICE_(?:START|STOP) pid=1/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): cwd=".*"/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): user/) or ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): proctitle=/) or @@ -307,7 +310,7 @@ } } -if (keys %OtherList) { +if (keys %OtherList and $Detail) { print "\n**Unmatched Entries**\n"; foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; diff --git a/scripts/services/cisco b/scripts/services/cisco old file mode 100755 new file mode 100644 index 10d6825..0c57e87 100644 --- a/scripts/services/cisco +++ b/scripts/services/cisco @@ -226,9 +226,6 @@ elsif ( ($unmatched) = ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/) ) { $ConfigChange{$host}++; } - elsif ( ($HASH) = ($ThisLine =~ /%AUDIT-5-STARTUP_CONFIG: Startup Configuration changed. Hash:\s(^\s)/) ) { - $StartConfigChange{host}++; - } elsif ( ($interface,$errortype,$withwho) = ($ThisLine =~ /duplex mismatch discovered on (.+) \(.*\), with (.*)/) ) { $DuplexMismatched{$host}{$interface." with ".$errortype}++; } 
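Review bot: The new `type=113[01]` pattern ends in `res=.*'`, and the `SERVICE_(?:START|STOP) pid=1` line has no result qualifier at all, so unit-start failures (`res=failed`) are dropped along with successes — the comment above says this covers "failure, success, or start/stop", but silently discarding failed service starts is a loss of signal for a security report. Consider narrowing the first pattern to `res=success'` and requiring the same on the second so failed starts still fall through to the unmatched list. The `or` chain starts and ends outside the hunk.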
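Review bot: `if (keys %OtherList and $Detail)` hides the **Unmatched Entries** section at the default detail level, and unmatched audit records are precisely the events no pattern above has vetted; combined with the two new ignore patterns in the `@@ -129` hunk this makes it easier for unexpected audit types to go unnoticed. If the aim is only to quiet noisy sites, say so on the line, e.g. `# unmatched audit records are listed only above detail level 0`, or use an explicit threshold such as `$Detail >= 5` so the trade-off is visible to whoever tunes the report.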
@@ -298,6 +295,9 @@ elsif ( ($interface) = ($ThisLine =~ /UNDERFLO: (.*)/) ) { $Underflow{$host}{$interface}++; } + elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) { + $SYSWarn{$host}{$interface}++; + } elsif ( ($interface) = ($ThisLine =~ /P2_WARN: (.*)/) ) { $InvalidMulticast{$host}{$interface}++; } @@ -361,9 +361,6 @@ elsif ( ($interface) = ($ThisLine =~ /MLS-5-FLOWMASKCHANGE: (.*)/) ) { $MLSFlowmaskChanged{$host}{$interface}++; } - elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) { - $SYSWarn{$host}{$interface}++; - } elsif ( ($interface) = ($ThisLine =~ /SYS-3-CPUHOG: (.*)/) ) { $SYSCpuHog{$host}{$interface}++; } @@ -410,9 +407,6 @@ $CountersMsg{$host}{$interface}++; } elsif ( ($interface) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) { - $Dot11Retrys{$host}{$interface}++; - } - elsif ( ($interface,$msg) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) { $Dot11Retrys{$host}{$interface}++; } elsif ( ($radio,$interface) = ($ThisLine =~ /DOT11-6-ASSOC: Interface (.*), Station +(.*)/) ) { @@ -574,11 +568,11 @@ } } -if (keys %$DuplicateAddress) { +if (keys %DuplicateAddress) { print "\nPort/Interface duplicate address :\n"; - foreach $ThisOne (sort keys %$DuplicateAddress) { - print " " . $ThisOne . ":\n"; - foreach $ThatOne (sort keys %{$$DuplicateAddress{$ThisOne}}) { + foreach $ThisOne (sort keys %DuplicateAddress) { + print " " . $ThisOne . ":\n"; + foreach $ThatOne (sort keys %{$DuplicateAddress{$ThisOne}}) { print "\t " .$ThatOne . "\t: " . $DuplicateAddress{$ThisOne}{$ThatOne} . " Time(s)\n"; } } diff --git a/scripts/services/clamav b/scripts/services/clamav index 5f0b1a0..0fe7fc0 100755 --- a/scripts/services/clamav +++ b/scripts/services/clamav 
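Review bot: The diff header for this file also flips its mode from 100755 to 100644 while the sibling filters touched in this commit (clamav, cron, dovecot, http) stay 100755; if logwatch executes service scripts directly rather than through the interpreter, dropping the execute bit would break this filter, so confirm the mode change is intentional and not an artefact of how the file was edited. The reorder placing `SYS-4-P2_WARN: (.*)` ahead of the bare `P2_WARN: (.*)` branch is correct — the looser pattern previously shadowed it — and deserves a one-line comment such as `# must precede the generic P2_WARN branch below` so the ordering is not undone later. The `elsif` chain starts and ends outside these hunks.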
@@ -50,16 +50,13 @@
 ( $ThisLine =~ /^Protecting against \d+ viruses\./ ) or
 ( $ThisLine =~ /^Reading databases from/ ) or
 ( $ThisLine =~ /file removed\./ ) or
- ( $ThisLine =~ /support enabled\./ ) or
- ( $ThisLine =~ /support disabled\./ ) or
+ ( $ThisLine =~ / (?:dis|en)abled\.$/ ) or
 ( $ThisLine =~ /^Archive/ ) or
 ( $ThisLine =~ /^Running as user/ ) or
 ( $ThisLine =~ /^Log file size limit/ ) or
 ( $ThisLine =~ /^Bound to.*port \d*/ ) or
- ( $ThisLine =~ /^Detection of broken executables enabled./ ) or
 ( $ThisLine =~ /^SIGHUP caught: re-opening log file./ ) or
 ( $ThisLine =~ /^Loaded \d+ signatures/ ) or
- ( $ThisLine =~ /^Algorithmic detection enabled/ ) or
 ( $ThisLine =~ /^Mail: Recursion level limit set to \d+/ ) or
 ( $ThisLine =~ /clamd shutdown\s+succeeded/ ) or
 ( $ThisLine =~ /clamd startup\s+succeeded/ ) or
@@ -71,7 +68,6 @@
 ( $ThisLine =~ /Bytecode: Security mode set to /) or
 ( $ThisLine =~ /^No stats for Database check/ ) or
 ( $ThisLine =~ /^Received \d+ file descriptor\(s\) from systemd\.$/) or
- ( $ThisLine =~ /^BlockMax heuristic detection (?:en|dis)abled\./) or
 0 # This line prevents blame shifting as lines are added above
 ) {
 # We do not care about these.
diff --git a/scripts/services/cron b/scripts/services/cron
index ec21c5e..fc7c752 100755
--- a/scripts/services/cron
+++ b/scripts/services/cron
@@ -40,7 +40,8 @@
 ($ThisLine =~ /loading table .*/) or
 ($ThisLine =~ /void Inotify::Remove\(InotifyWatch\*\): removing watch failed/) or
 ($ThisLine =~ /error: \(22\) Invalid argument/) or
- ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/)
+ ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/) or
+ ($ThisLine =~ /PAM pam_end: NULL pam handle passed/)
 ) {
 # Ignore
 } elsif (
diff --git a/scripts/services/dirsrv b/scripts/services/dirsrv
index ac81a4a..1952b03 100644
--- a/scripts/services/dirsrv
+++ b/scripts/services/dirsrv
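Review bot: `/ (?:dis|en)abled\.$/` replaces three specific ignore patterns with one that matches any line ending in ` enabled.` or ` disabled.`, which is wider than the messages it stands in for and will also swallow future feature-toggle notices an operator may want to see (the `BlockMax heuristic detection` line removed in the `@@ -71` hunk shows the family being generalised). A comment on the line, e.g. `# startup feature on/off notices`, would record that this is deliberate; if only startup toggles are meant, keeping the known prefixes anchored leaves the ignore list reviewable. The `or` chain starts and ends outside the hunk.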
@@ -16,6 +16,14 @@ use strict; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; +my %ErrorThreshold; +if (defined($ENV{'error_threshold'})) { + foreach my $entry (split(',',$ENV{'error_threshold'})) { + my ($regex,$limit) = split(';',$entry); + $ErrorThreshold{$regex} = $limit; + } +} + my %Errors; my %Warnings; my %Startup; @@ -49,6 +57,9 @@ } elsif ($ThisLine =~ /^ERR - / or $ThisLine =~ /error/i or $ThisLine =~ /^Detected Disorderly Shutdown/) { + # Remove some items that prevent de-duplication + $ThisLine =~ s/:\s+\d+\s+\d+//; + $ThisLine =~ s/change record \d+/change record/; $Errors{$ThisLine}++; } elsif ($ThisLine =~ /^WARN - / or $ThisLine =~ /warning/i @@ -84,6 +95,17 @@ $OtherList{$ThisLine}++; } $PreviousLine = $ThisLine; +} + +if (keys %Errors and keys %ErrorThreshold) { + LINE: foreach my $line (sort {$a cmp $b} keys %Errors) { + foreach my $regex (keys %ErrorThreshold) { + if ($line =~ /$regex/i and $Errors{$line} <= $ErrorThreshold{$regex}) { + delete $Errors{$line}; + next LINE; + } + } + } } if (keys %Errors) { diff --git a/scripts/services/dnf-rpm b/scripts/services/dnf-rpm index 627a559..ae604ab 100644 --- a/scripts/services/dnf-rpm +++ b/scripts/services/dnf-rpm @@ -32,8 +32,12 @@ $PackageUpdated{$ThisLine}++; } elsif ( $ThisLine =~ s/^.* INFO Installed: ([^ ]+)/$1/ ) { $PackageInstalled{$ThisLine}++; + } elsif ( $ThisLine =~ s/^.* INFO Reinstalled: ([^ ]+)/$1/ ) { + $PackageReinstalled{$ThisLine}++; } elsif ( $ThisLine =~ s/^.* INFO Erased: ([^ ]+)/$1/ ) { $PackageErased{$ThisLine}++; + } elsif ( $ThisLine =~ s/^.* INFO Obsoleted: ([^ ]+)/$1/ ) { + $PackageObsoleted{$ThisLine}++; } elsif ( $ThisLine =~ m/INFO --- logging initialized ---/ ) { $ignoredlines++; } elsif ( $ThisLine =~ m/INFO Cleanup: / ) { 
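Review bot: The `error_threshold` parser does no validation: `split(';',$entry)` leaves `$limit` undefined when an entry has no `;`, and each key is later interpolated unchecked as `/$regex/i` in the `@@ -84` hunk, so a malformed entry (an unbalanced parenthesis, say) aborts the whole filter at the first comparison instead of producing a clear message, and the value is compared numerically without being checked. Reject bad entries up front and compile each pattern once; a stringified `qr//` object interpolates cleanly in the later `/$regex/i` match, so that loop needs no change.
```perl
my %ErrorThreshold;
if (defined($ENV{'error_threshold'})) {
    foreach my $entry (split(',',$ENV{'error_threshold'})) {
        my ($regex,$limit) = split(';',$entry);
        # Each entry is "regex;count"; skip anything else rather than die later.
        if (!defined($limit) or $limit !~ /^\d+$/) {
            warn "error_threshold: ignoring entry '$entry' (expected 'regex;count')\n";
            next;
        }
        my $re = eval { qr/$regex/i };
        if (!defined($re)) {
            warn "error_threshold: ignoring invalid regex '$regex': $@";
            next;
        }
        $ErrorThreshold{$re} = $limit;
    }
}
```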
@@ -50,6 +54,12 @@ print " " . $ThisOne; } } +if (keys %PackageReinstalled) { + print "\nPackages Reinstalled:\n"; + foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageReinstalled) { + print " ". $ThisOne; + } +} if (keys %PackageUpdated) { print "\nPackages Updated:\n"; foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdated) { @@ -59,6 +69,12 @@ if (keys %PackageErased) { print "\nPackages Erased:\n"; foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageErased) { + print " ". $ThisOne; + } +} +if (keys %PackageObsoleted) { + print "\nPackages Obsoleted:\n"; + foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageObsoleted) { print " ". $ThisOne; } } diff --git a/scripts/services/dovecot b/scripts/services/dovecot index f3f2b2f..a91ef3c 100755 --- a/scripts/services/dovecot +++ b/scripts/services/dovecot 
@@ -228,17 +228,34 @@ $Deliver{$User}{$Mailbox}++; # LMTP-based delivery - } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): [^:]+:(?:\d+:)? msgid=.*: saved mail to (.*)/ ) ) { + } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*msgid=.*: saved mail to (.*)/ ) ) { # dovecot: [ID 583609 mail.info] lmtp(12782, cloyce@headgear.org): jBt1EfjCMk3uMQAAm9eMBA: msgid=<4D32DB1F.3080707@c-dot.co.uk>: saved mail to INBOX + $Deliver{$User}{$Mailbox}++; + +# LMTP-based delivery Dovecot 2.2.33 + } elsif ( ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): msgid=.*: saved mail to (.*)/ ) ) { + # dovecot: lmtp(user@domain.com): msgid=<0.0.B.B83.1D385668207AF06.0@b12.mta01.sendsmaily.info>: saved mail to INBOX $Deliver{$User}{$Mailbox}++; # LMTP-based Sieve delivery } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*: sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) { $Deliver{$User}{$Mailbox}++; +# LMTP-based Sieve delivery Dovecot 2.3 + } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) { + $Deliver{$User}{$Mailbox}++; + # sieve forward } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*?)\):(?: [^:]+:)? 
sieve: msgid=.* forwarded to \<(.*)\>/)) { $Forwarded{$User}{$Recip}++; + +# sieve pipe + } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?pipe action: piped message to program `.*'/) or + my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?left message in mailbox '.*'/) ) { + # dovecot: imap(user@domain.com): sieve: pipe action: piped message to program `sa-learn-sieve.sh' + # dovecot: imap(user@domain.com): sieve: left message in mailbox 'INBOX.Spam' + # dovecot: lmtp(spam@domain.com): sieve: msgid=<6e3eb3f436fdca54@host.domain.com>: pipe action: piped message to program `sa-learn-sieve.sh' + # IGNORE # sieve vacation } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*)\):(?: .*:)? sieve: msgid=.* sent vacation response to \<(.*)\>/)) { @@ -299,7 +316,7 @@ $Aborted{$Host}++; } elsif (my ($Reason) = ($ThisLine =~ /Aborted login \((.*)\):/)) { $Aborted{$Reason}++; - } elsif (my ($User,$IP) = ($ThisLine =~ /auth: LOGIN\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) { + } elsif (my ($User,$IP) = ($ThisLine =~ /auth: (?:LOGIN|login)\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) { $AuthTimedOut{$User}{$IP}++; } elsif (my ($Reason) = ($ThisLine =~ /auth: Warning: auth client \d+ disconnected with \d+ pending requests: (.*)/) ) { $AuthDisconnectedWithPending{$Reason}++; diff --git a/scripts/services/fail2ban b/scripts/services/fail2ban index d130975..4399f88 100644 --- a/scripts/services/fail2ban +++ b/scripts/services/fail2ban 
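Review bot: The new `# sieve pipe` branch captures `($User, $Recip)` from patterns that each have only one group, so `$Recip` is always undef, and the body is just `# IGNORE`; a sieve `pipe action` means a message was handed to an external program on the user's behalf, which a mail report should count rather than drop. Consider recording it the way the forward branch does, e.g. `$Piped{$User}{$Program}++` with the program name captured from the `` `.*' `` part (plus a matching report block outside this hunk), and leave only the `left message in mailbox` alternative ignored. The `elsif` chain starts and ends outside the hunk.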
@@ -115,9 +115,9 @@
 $ReInitializations++;
 } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) {
 # just ignore - this will be fixed within fail2ban and is harmless warning
- } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (.*)/)) {
+ } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (\S+)/)) {
 $ServicesFound{$Service}{$Host}++;
- } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (.*)/)) {
+ } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (\S+)/)) {
 $ServicesIgnored{$Service}{$Host}++;
 # Generic messages
 } elsif ( my ($Message) = ($ThisLine =~ / ERROR (.*)$/)) {
diff --git a/scripts/services/http b/scripts/services/http
index c545067..95a0a00 100755
--- a/scripts/services/http
+++ b/scripts/services/http
@@ -198,7 +198,6 @@
 # what to look for as an attack USE LOWER CASE!!!!!!
 #
 my @exploits = (
- '^null$',
 '/\.\./\.\./\.\./',
 '\.\./\.\./config\.sys',
 '/\.\./\.\./\.\./autoexec\.bat',
@@ -315,7 +314,7 @@
 } elsif ($logformat =~ /\G%\{User-Agent}i/gci) {
 $parse_string[$parse_index] .= "(.*)";
 $parse_field[$parse_index][$parse_subindex++] = "agent";
- } elsif ($logformat =~ /\G%({.*?})?./gc) {
+ } elsif ($logformat =~ /\G%(\{.*?\})?./gc) {
 $parse_string[$parse_index] .= "(.*?)";
 $parse_field[$parse_index][$parse_subindex++] = "not_used";
 } elsif ($logformat =~ /\G\|/gc) {
@@ -576,8 +575,6 @@
 foreach my $j ( keys %{$hacks{$i}} ) {
 print " $j $hacks{$i}{$j} Time(s) \n";
 }
- } else {
- print "\n";
 }
 }
 }
diff --git a/scripts/services/kernel b/scripts/services/kernel
index 9803c14..fe65a4b 100755
--- a/scripts/services/kernel
+++ b/scripts/services/kernel
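Review bot: Dropping `'^null$'` from `@exploits` removes a detection entry with no rationale in the diff; if it was producing false positives (a literal `null` request path from some client), a comment at the head of the list saying so would stop it being re-added, and if it was a real signature the removal should be called out in the commit message. The `\G%(\{.*?\})?.` fix in the `@@ -315` hunk is right — newer perls warn about, and in some positions reject, an unescaped `{` in a pattern — and is worth a short comment since the escaped form is easy to "simplify" back. The `@exploits` list continues outside the hunk.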
@@ -105,9 +105,7 @@ $UnalignedErrors{$1}++; } elsif ($ThisLine =~ /([^(]*)\(\d+\): floating-point assist fault at ip/) { $FPAssists{$1}++; - } elsif ($ThisLine =~ /Out of memory: (?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) { - $OOM{$1}++; - } elsif ($ThisLine =~ /(\S+) invoked oom-killer/) { + } elsif ($ThisLine =~ /(?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) { $OOM{$1}++; } elsif ($ThisLine =~ /(EDAC (MC|PCI)\d:.*)/) { # Standard boot messages @@ -249,7 +247,7 @@ } if (keys %OOM) { - print "\nWARNING: Out of memory killer killed these executables or their children\n"; + print "\nWARNING: Out of memory killer killed these executables\n"; foreach my $Thisone ( sort {$a cmp $b} keys %OOM ) { print " $Thisone : $OOM{$Thisone} Time(s)\n"; } diff --git a/scripts/services/mdadm b/scripts/services/mdadm index f09a682..a7a618a 100644 --- a/scripts/services/mdadm +++ b/scripts/services/mdadm @@ -26,6 +26,7 @@ my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my $enable_scan = $ENV{'mdadm_enable_scan'} || 0; +my $ignore_missing = $ENV{'mdadm_ignore_missing'} || 0; my @devices = (); if ( -f "/etc/mdadm.conf" ) { @@ -45,10 +46,14 @@ DEV: foreach my $dev (@devices) { my %mdhash; + if ($dev =~ //) { + next; + } + open(MDADM,"mdadm --misc --detail $dev 2>&1 |"); while () { if ($_ =~ /cannot open .*: No such file or directory/) { - print $_; + print $_ unless $ignore_missing; close(MDADM); next DEV; } diff --git a/scripts/services/named b/scripts/services/named index 57c89b4..14f092b 100755 --- a/scripts/services/named +++ b/scripts/services/named @@ -89,7 +89,7 @@ ($ThisLine =~ /stopping command channel on \S+/) or ($ThisLine =~ /Malformed response from/) or ($ThisLine =~ /client .* response from Internet for .*/) or - ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or +# ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or ($ThisLine =~ /client .+(?: \([^)]+\))?: query:/) or # Do we really want to ignore these? #($ThisLine =~ /unknown logging category/) or 
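Review bot: The merged pattern keeps the `[KK]illed` class carried over from the removed line, which matches only `Killed`; the lowercase form that the `[Kk]ill` alternative already allows is presumably intended, i.e. `/[Kk]ill(?:ed)? process \d+ \((.*)\)/`. The pattern also drops the `Out of memory:` prefix and the separate `invoked oom-killer` branch, so any kernel line carrying `Killed process N (name)` is now attributed to the OOM killer and the process that triggered it is no longer reported; a comment naming the message variants this is meant to cover would help the next reader judge that. The `elsif` chain starts and ends outside the hunk.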
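Review bot: The new `if ($dev =~ //)` guard (as rendered; the pattern between the slashes appears to have been lost on this page, and a genuinely empty pattern reuses Perl's last successful match) is the right place to validate `$dev` before it reaches the unchanged `open(MDADM,"mdadm --misc --detail $dev 2>&1 |")` on the next line, which still passes the device name from /etc/mdadm.conf through a shell via a two-argument pipe open. Since that file is presumably root-owned configuration this is a robustness rather than an injection concern, but an anchored check such as `next DEV unless $dev =~ m{\A/dev/[\w/.-]+\z};` keeps odd entries from producing shell errors, and the list form `open(MDADM, '-|', 'mdadm', '--misc', '--detail', $dev)` avoids the shell entirely — note it drops the `2>&1` that the `cannot open` check below depends on, so stderr would need separate handling. The `foreach` body continues outside the hunk.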
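Review bot: Commenting out the `query \(cache\) '.*' denied` ignore line (and `reading built-in trusted keys from file` in the `@@ -164` hunk) leaves dead alternatives in the `or` chain; since these denials are now counted by the `DeniedQuery` branch in the `@@ -246` hunk, delete the lines outright and let history carry them. If they are kept as documentation, a note such as `# now counted under DeniedQuery below` says why. The `or` chain starts and ends outside the hunk.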
@@ -147,8 +147,12 @@ ($ThisLine =~ /refresh: NODATA response from master/) or ($ThisLine =~ /update with no effect/) or ($ThisLine =~ /reading built-in trusted keys from file/) or + ($ThisLine =~ /reading built-in trust anchors from file/) or ($ThisLine =~ /using built-in trusted-keys/) or ($ThisLine =~ /set up managed keys zone/) or + ($ThisLine =~ /managed-keys-zone.*key now trusted/) or + ($ThisLine =~ /dhcpupdate: forwarding update for zone/) or + ($ThisLine =~ /forwarded dynamic update: master [^ ]* returned: (NXRRSET|YXDOMAIN)/) or ($ThisLine =~ /using .* as GeoIP directory/) or ($ThisLine =~ /GEO-.* Build/) or ($ThisLine =~ /initializing GeoIP /) or @@ -164,8 +168,9 @@ ($ThisLine =~ /next key event: /) or ($ThisLine =~ /reconfiguring zone keys/) or ($ThisLine =~ /using built-in DLV key/) or - ($ThisLine =~ /reading built-in trusted keys from file/) or +# ($ThisLine =~ /reading built-in trusted keys from file/) or ($ThisLine =~ /all zones loaded/) or + ($ThisLine =~ /resolver priming query complete/) or ($ThisLine =~ /client .* signer .* approved/) or ($ThisLine =~ /stop limiting/) or # ignore this line because the following line describes the error @@ -238,6 +243,9 @@ } elsif ( ($Way,$Host) = ( $ThisLine =~ /([^ ]+): sendto\(\[([^ ]+)\].+\): Network is unreachable/ ) ) { $FullHost = LookupIP ($Host); $NetworkUnreachable{$Way}{$FullHost}++; + } elsif ( ($Host,$Way) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?error ([^ ]+) response: network unreachable/ ) ) { + $FullHost = LookupIP ($Host); + $NetworkUnreachable{$Way}{$FullHost}++; } elsif ( ($Zone,$Message) = ( $ThisLine =~ /client [^\#]+#[^\:]+: (?:view \w+: )?updating zone '([^\:]+)': (.*)$/ ) ) { $ZoneUpdates{$Zone}{$Message}++; } elsif ( ($Host,$Zone) = ( $ThisLine =~ /approved AXFR from \[(.+)\]\..+ for \"(.+)\"/ ) ) { 
@@ -246,13 +254,13 @@ } elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) { $FullClient = LookupIP ($Client); $DeniedTCPClient{$FullClient}++; - } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: (?:view \w+: )?query \(cache\) denied/ ) ) { + } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?query \(cache\) (?:'.*' )?denied/ ) ) { $FullClient = LookupIP ($Client); $DeniedQuery{$FullClient}++; - } elsif ( ($Client) = ( $ThisLine =~ /client (.*)(#\d+)?: query '.*' denied/ ) ) { + } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([^#]*)(#\d+)?(?: \(.*\))?: query '.*' denied/ ) ) { $FullClient = LookupIP ($Client); $DeniedQueryNoCache{$FullClient}++; - } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: (?:view \w+: )?update '(.*)' denied/)) { + } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([\.0-9a-fA-F:]+)#\d+: (?:view (\w+): )?update '(.*)' denied/)) { $ViewName = ($ViewName ? "/$ViewName" : ""); $UpdateDenied{"$Rhost ($Ldom$ViewName)"}++; } elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) { diff --git a/scripts/services/postfix b/scripts/services/postfix index 86e9faa..a41d136 100755 --- a/scripts/services/postfix +++ b/scripts/services/postfix 
@@ -1887,7 +1887,7 @@ # Pass; identity=helo; client-ip=192.168.0.2; helo=example.com; envelope-from=<>; receiver=bogus@example.net # Permerror; identity=helo; client-ip=192.168.0.4; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net # Softfail; identity=mailfrom; client-ip=192.168.0.6; helo=example.com; envelope-from=f@example.com; receiver=yahl@example.org - if ($line =~ /^(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror); (.*)$/) { + if ($line =~ /^(?:prepend Received-SPF: )?(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror);? (.*)$/) { my $result = $1; my %params = $2 =~ /([-\w]+)=([^;]+)/g; #$params{'s'} = '*unknown' unless $params{'s'}; diff --git a/scripts/services/samba b/scripts/services/samba index 08aec31..8c377dc 100755 --- a/scripts/services/samba +++ b/scripts/services/samba @@ -141,7 +141,7 @@ ($ThisLine =~ /smbd\/reply\.c:reply_special\(\d+\) netbios connect: name1=.+ /) or ($ThisLine =~ /nmbd\/nmbd_browsesync\.c:announce_local_master_browser_to_domain_master_browser\(\d+\) announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup .+ /) or ($ThisLine =~ /auth\/auth\.c:check_ntlm_password\(\d+\) check_ntlm_password: authentication for user \[.+\] -> \[.+\] -> \[.+\] succeeded/) or - ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or + ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(\d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or ($ThisLine =~ /===============================================================/) ) { #Don't care about these... diff --git a/scripts/services/secure b/scripts/services/secure index d220afc..6de031e 100755 --- a/scripts/services/secure +++ b/scripts/services/secure 
@@ -190,7 +190,7 @@ $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //; my $temp = $ThisLine; $temp =~ s/^([^[:]+).*/$1/; - if ($Ignore =~ /\b\Q$temp\E\b/i) { next; } + if ($Ignore =~ /(\s|^)\Q$temp\E(\s|$)/i) { next; } #current sarge if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; } @@ -205,7 +205,6 @@ ( $ThisLine =~ /pam_unix\(.*:.*\)/) or ( $ThisLine =~ /pam_sss\(.*:.*\)/) or ( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or - ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or ( $ThisLine =~ /^halt:/) or ( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or ( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or @@ -213,7 +212,7 @@ ( $ThisLine =~ /^passwd\[\d+\]:/) or ( $ThisLine =~ /^passwd: gkr-pam: .*/) or ( $ThisLine =~ /^reboot:/) or - ( $ThisLine =~ /^sudo:/) or + ( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/) or ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or ( $ThisLine =~ /warning: can.t get client address: Connection refused/) or @@ -277,7 +276,7 @@ ( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or # Details in other messages ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or ( $ThisLine =~ /pkexec: pam_systemd(.*): /) or - ( $ThisLine =~ /pkexec: \S+: Executing command /) or + ( $ThisLine =~ /pkexec(?:\[\d+\])?: \S+: Executing command /) or ( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or ( $ThisLine =~ /pam_systemd\(su:session\): Cannot create session: Already (running in|occupied by) a session/) or ( $ThisLine =~ /systemd-logind\[\d+\]: Removed session/) or 
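Review bot: Together with the two removed `SudoList` branches in the `@@ -428` hunk and the report block removed in the `@@ -842` hunk, widening the ignore to `^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:` in the `@@ -213` hunk means `secure` no longer reports sudo `command not allowed` attempts at all; if that is because a dedicated sudo filter now covers them, say so on the line, e.g. `# sudo lines are reported by the sudo service filter`, otherwise this is a silent loss of coverage for a privilege-escalation signal. The `(\s|^)\Q$temp\E(\s|$)` change in the `@@ -190` hunk is sound: `\b` failed on service names that start or end with a non-word character. The `or` chain starts and ends outside the hunk.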
@@ -286,6 +285,7 @@
 ( $ThisLine =~ /systemd-logind\[\d+\]: Failed to start session scope (\S+): Transaction is destructive\./) or
 ( $ThisLine =~ /DIGEST-MD5 common mech free/) or
 ( $ThisLine =~ /sshguard\[\d+\]: Reloading rotated file /) or
+ ( $ThisLine =~ /sshguard\[\d+\]: Session \d+ logged out/) or
 ( $ThisLine =~ /sshguard\[\d+\]: Exiting on signal/) or
 ( $ThisLine =~ /sshguard\[\d+\]: Monitoring attacks from /) or
 ( $ThisLine =~ /sshguard\[\d+\]: (?:message repeated \d+ times: \[ )?\S+: not blocking /) or
@@ -428,12 +428,6 @@
 push @RemoveFromGroup, " user $1 from group $3\n";
 # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
 # I don't think these are important to log at this time
- } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
- # sudo unauthorized commands
- push @SudoList, "$1: $3\n" unless ($2 eq "");
- } elsif ( $ThisLine =~ /^\/usr\/bin\/sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
- # sudo unauthorized commands
- push @SudoList, "$1: $3\n" unless ($2 eq "");
 } elsif ( ($service, $from) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) {
 if ($Ignore =~ /\b\Q$service\E\b/i) { next; }
 $Refused->{$service}->{$from}++;
@@ -459,11 +453,11 @@ $GroupChanged{"$ThisLine"}++; } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) { $HomeChange{$User}{"$Home -> $NewHome"}++; - } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) { + } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) { $UidChange{"$User: $From -> $To"}++; - } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) { + } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) { $GidChange{"$User: $From -> $To"}++; - } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) { + } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) { $AccountExpiry{"$User: $From -> $To"}++; # checkpassword-pam } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) { @@ -842,11 +836,6 @@ print "spop3d connection errors:\t".$spop3d_errors."\n"; } -if ($#SudoList >= 0) { - print "\nUnauthorized sudo commands attempted (" . ($#SudoList + 1) . "):\n"; - print @SudoList; -} - if (keys %ChkPasswdPam) { print "\ncheckpassword-pam (SUID root PAM client):\n"; foreach $PID (sort {$a cmp $b} keys %ChkPasswdPam) { diff --git a/scripts/services/sendmail b/scripts/services/sendmail index d97e7a2..289742d 100644 --- a/scripts/services/sendmail +++ b/scripts/services/sendmail 
@@ -387,7 +387,8 @@ } # QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6} -my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)"; +# Also, PID can now be up to seven digits in 64-bit systems +my $QueueIDFormat = "(?:\\w{7,9}\\d{5,7}|NOQUEUE)"; # ENOENT refers to "no such file or directory" my $ENOENT = Errno::ENOENT(); diff --git a/scripts/services/sonicwall b/scripts/services/sonicwall index f8d3e59..a7e7702 100755 --- a/scripts/services/sonicwall +++ b/scripts/services/sonicwall @@ -325,10 +325,10 @@ $IllegalUsers{$host_ip}{$Temp}++; } + elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) { + $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ + } elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(.*)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?(S+)?(.*)?/) ) { - $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ - } - elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) { $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ } diff --git a/scripts/services/sshd b/scripts/services/sshd index 6ae85f8..47d32a2 100644 --- a/scripts/services/sshd +++ b/scripts/services/sshd 
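Review bot: The catch-all pattern on the new `} elsif` line in the sonicwall hunk ends in `(S+)?(.*)?`, where `S+` is a literal letter S rather than `\S+`; being optional it never breaks the match, but it also never does what it reads as, and the pattern has twelve captures assigned to eleven variables so the last group is silently discarded. Either write `\S+` or delete both trailing groups, since nothing reads `$pad` beyond the assignment. Moving the Ping-of-death/Smurf branch ahead of the `msg="(.*)"` catch-all is what makes it reachable at all, so that reorder should stay. The surrounding elsif chain starts and ends outside the hunk, and the hunk as shown here appears to have lost some context lines, so the exact placement should be checked against the file.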
@@ -315,7 +315,12 @@
 ($ThisLine =~ /Found matching \w+ key:/ ) or
 ($ThisLine =~ /User child is on pid \d/ ) or
 ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
- ($ThisLine =~ /Disconnected from (?:user \S+ |)[\da-fA-F.:]* port \d*/ ) or
+ ($ThisLine =~ /Exiting on signal / ) or
+ ($ThisLine =~ /Disconnected from [\da-fA-F.:]* port \d*/ ) or
+ ($ThisLine =~ /Disconnected from user \S+ [\da-fA-F.:]* port \d*/ ) or
+ ($ThisLine =~ /Disconnected from (authenticating|invalid) user \S+ [\da-fA-F.:]* port \d*/ ) or
+ ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Too many authentication failures \[preauth\]/ ) or
+ ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Change of username or service not allowed: .* \[preauth\]/ ) or
 ($ThisLine =~ /Failed to release session: Interrupted system call/) or
 ($ThisLine =~ /Close session: user /) or
 0 # This line prevents blame shifting as lines are added above
@@ -340,9 +345,9 @@
 $TooManyFailures{$User}++;
 } elsif ( my ($User) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for ([^ ]+) from [^ ]+ port \d+ ssh2 \[preauth\]/)) {
 $TooManyFailures{$User}++;
- } elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures \[preauth\]/ ) {
- # Ignore these - should be covered by other messages
- } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
+ } elsif ( my ($User,$Host) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for invalid user ([^ ]+) from ([^ ]+) port \d+ ssh2 \[preauth\]/)) {
+ $IllegalUsers{$Host}{$User}++;
+ } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (\S+)/ ) { # ssh/openssh
 my $name = LookupIP($3);
 $NoIdent{$name}++;
 } elsif ( my ($Host) = ($ThisLine =~ /Could not write ident string to ([^ ]+)$/ )) {
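Review bot: The new ignore entry for `Disconnecting ... Change of username or service not allowed: ... [preauth]` silently drops a message sshd emits when a client changes the user name mid-connection, a common signature of brute-force tooling, and nothing in this hunk counts it; `%TooManyFailures` only fires once the MaxAuthTries limit is reached, which such a client need not hit. Unless suppressing it is deliberate, count it next to the new invalid-user branch in the second hunk, e.g. `} elsif ( my ($User,$Host) = ($ThisLine =~ /Disconnecting (?:authenticating|invalid) user (\S+) (\S+) port \d+: Change of username or service not allowed/)) { $IllegalUsers{$Host}{$User}++;` (a dedicated hash may be a better home when the user name is valid). If it is meant to be ignored, record why in a comment, as the removed `Disconnecting: Too many authentication failures` branch did. The `or` chain of ignored patterns begins outside this hunk.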
@@ -407,7 +412,7 @@
 $NoRevMap{"$Address($IP)"}++;
 } elsif ( my (undef,$Address) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: can't verify hostname: getaddrinfo\(([^ ]*), AF_INET\) failed$/)) {
 $NoRevMap{$Address}++;
- } elsif ( (undef, my $Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) {
+ } elsif ( my (undef,$Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) {
 $MisMatch{$Addresses}++;
 } elsif ( $ThisLine =~ m/subsystem request for sftp/ ) {
 $sftpRequests++;
@@ -421,14 +426,18 @@
 $NegotiationFailed{$Reason}{$Host}{$Offer}++;
 } elsif ( my ($Prio,$Host,$Port,$Code,$Reason) = ($ThisLine =~ /^(error: )?Received disconnect from ([^ ]*)( port \d+)?: ?(\d+): (.*)$/)) {
 # Reason 11 ({SSH,SSH2}_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO
- if (($Code != 11) || ($Detail >= 30)) {
+ if (($Reason =~ /preauth/) || ($Code != 11) || ($Detail >= 30)) {
 $DisconnectReceived{$Reason}{$Host}++;
 }
 } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
 $RootLogin{$Host}++;
 } elsif ( my ($Error) = ($ThisLine =~ /^Cannot release PAM authentication\[\d\]: (.*)$/)) {
 $PamReleaseFail{$Error}++;
+ } elsif ( my ($Error) = ($ThisLine =~ /^pam_systemd\(sshd:session\): Failed to release session: (.*)$/)) {
+ $PamReleaseFail{$Error}++;
 } elsif ( my ($Error) = ( $ThisLine =~ m/^error: PAM: (.*)$/)) {
+ $PamError{$Error}++;
+ } elsif ( my ($Error) = ( $ThisLine =~ m/pam_systemd\(sshd:session\): (Failed to create session: .*)$/)) {
 $PamError{$Error}++;
 } elsif ( my ($Reason) = ( $ThisLine =~ m/pam_chroot\(.+\):\s+([^:])/)) {
 $PamChroot{$Reason}++;
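Review bot: The two new pam_systemd branches in the second hunk are anchored differently: `Failed to release session` is pinned with `^pam_systemd\(sshd:session\):` while `Failed to create session` is unanchored, so the latter also fires on any line that merely contains that text somewhere. The neighbouring `^Cannot release PAM` and `^error: PAM:` patterns are anchored, so for consistency use `m/^pam_systemd\(sshd:session\): (Failed to create session: .*)$/`. Reporting every `[preauth]` disconnect regardless of `$Detail`, as the changed `if` now does, is a sound choice for a security summary since those connections never authenticated. The elsif chain continues outside the hunk.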
@@ -453,11 +462,11 @@
 $DenyGroups{$User}++;
 } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) from ([^ ]*) not allowed because none of user's groups are listed in AllowGroups/)) {
 $AllowGroups{$User}++;
- } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) {
+ } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) {
 $NoShellUsers{$User}++;
- } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) {
+ } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) {
 $ShellNotExecutableUsers{$User}++;
- } elsif ( ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) {
+ } elsif ( my ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) {
 $PamDeny{$User}++;
 } elsif ( my ($IP) = ($ThisLine =~ /^scanned from ([^ ]*)/) ) {
 push @Scanned, $IP;
@@ -616,6 +625,9 @@
 foreach my $Reason (sort {$a cmp $b} keys %NegotiationFailed) {
 my $Total = 0;
 print " $Reason";
+ if ( $Detail > 0 ) {
+ print "\n";
+ }
 foreach my $Host (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}}) {
 my $HostTotal = 0;
 foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) {
@@ -623,18 +635,16 @@
 }
 $Total += $HostTotal;
 if ( $Detail > 0 ) {
- print "\n $Host: " . timesplural($HostTotal);
+ print " $Host: " . timesplural($HostTotal);
 }
 if ( $Detail > 5 ) {
 foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) {
 my $tot = $NegotiationFailed{$Reason}{$Host}{$Offer};
- print "\n $Offer: " . timesplural($tot);
+ print " $Offer: " . timesplural($tot);
 }
 }
 }
- if( $Detail > 0 ) {
- print "\n";
- } else {
+ if ( $Detail == 0 ) {
 print ": " . timesplural($Total);
 }
 }
diff --git a/scripts/services/sssd b/scripts/services/sssd
index 96f1248..f578a3d 100644
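Review bot: With the leading `\n` removed from the per-host and per-offer `print`s in the last hunk, the `$Detail > 0` output only stays one entry per line if `timesplural()` terminates its result with a newline; `timesplural` is defined outside this hunk, and the trailing `print "\n"` that the hunk deletes suggests it previously did not. Confirm that, and if it does not, restore the `"\n $Host: "` form or add a `print "\n"` after each call so hosts and offers do not run together. The three `my ($User)` additions in the first hunk are a good cleanup: they stop those branches writing to whichever `$User` happens to be in scope from an earlier elsif. The enclosing foreach loop starts outside the hunk.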
--- a/scripts/services/sssd +++ b/scripts/services/sssd @@ -16,11 +16,17 @@ use strict; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; +my $IgnoreBackendStatus = $ENV{'ignore_backend_status'} || 0; +my $IgnoreEnumerationRequested = $ENV{'ignore_enumeration_requested'} || 0; my %Errors; my $Service; my %Starts; my %Stops; my %OtherList; +my $BackendStatus; +my $BackendOffline = 0; +my $EnumerationRequested = 0; +my $ignore_p11_child_error = 0; # Lines are of the form: # sssd[service]: @@ -29,7 +35,10 @@ chomp($ThisLine); # Strip off leading sssd: - $ThisLine =~ s/^sssd: //; + $ThisLine =~ s/^sssd(?:\[\d+\])?: //; + + # Strip off duplicate timestamp if present + $ThisLine =~ s/^\(... ... .\d \d\d:\d\d:\d\d \d\d\d\d\) //; # Remove []s from debug messages if any $ThisLine =~ s/^\[(\S+)\] /$1 /; 
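Review bot: `my $IgnoreBackendStatus = $ENV{'ignore_backend_status'} || 0;` treats any non-empty value as true, so if Logwatch exports the configured value verbatim (for instance the literal string `No`) the backend-offline report is switched off by default; `$IgnoreEnumerationRequested` has the same shape. Unless Logwatch is known to normalise yes/no to 1/0 before exporting, parse it explicitly, e.g. `my $IgnoreBackendStatus = (($ENV{'ignore_backend_status'} || '') =~ /^(?:1|y(?:es)?|true|on)$/i) ? 1 : 0;`. The environment key must also match the option name in conf/services/sssd.conf character for character, which deserves a glance because a misspelt key is silently read as 0 and never reported. These declarations are the file header, above the line loop that the second hunk edits.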
@@ -46,12 +55,27 @@
 $Service = $1;
 }
 
- if ($ThisLine =~ /^Starting up/) {
+ # Ignore debug messages
+ my ($debuglevel) = ($ThisLine =~ /\s\((0x[0-9a-f]{4})\):\s/);
+
+ next if defined($debuglevel) && hex($debuglevel) > 16;
+ if ($ThisLine =~ /Starting up/) {
 $Starts{$Service}++;
 } elsif ($ThisLine =~ /^Shutting down/) {
 $Stops{$Service}++;
 } elsif ($ThisLine =~ /error/i) {
 $Errors{$Service}->{$ThisLine}++;
+ } elsif (my ($status) = ($ThisLine =~ /Backend is (.*)/)) {
+ $BackendStatus = $status;
+ $BackendOffline++ if $BackendStatus eq "offline";
+ } elsif ($ThisLine =~ /^Enumeration requested but not enabled/) {
+ $EnumerationRequested++ unless $IgnoreEnumerationRequested;
+ } elsif ($Service eq "p11_child" && $ThisLine =~ /Certificate .* not valid .*Certificate key usage inadequate for attempted operation/) {
+ # sssd ssh does not ignore certificates of different types - ignore the errors generated by it
+ $ignore_p11_child_error = 1;
+ } elsif ($Service eq "p11_child" && $ThisLine =~ /do_work failed/ && $ignore_p11_child_error) {
+ } elsif ($Service eq "p11_child" && $ThisLine =~ /p11_child failed/ && $ignore_p11_child_error) {
+ $ignore_p11_child_error = 0;
 } else {
 $OtherList{"$Service: $ThisLine"}++;
 }
@@ -67,6 +91,12 @@
 }
 }
 
+# sssd will generally start in offline mode, so don't alert if we've just started up
+if ($BackendOffline and (($Starts{"Daemon"} != $BackendOffline) or ($BackendStatus ne "online")) and not $IgnoreBackendStatus) {
+ print "\nSSSD Backend went offline $BackendOffline Time(s),";
+ print " last status was $BackendStatus\n";
+}
+
 if (keys %Starts and $Detail) {
 print "\nSSSD Services Started:\n";
 foreach my $Service (sort {$a cmp $b} keys %Starts) {
@@ -79,6 +109,10 @@
 foreach my $Service (sort {$a cmp $b} keys %Stops) {
 print " $Service: " . $Stops{$Service} . " Time(s)\n";
 }
+}
+
+if ($EnumerationRequested) {
+ print "\nEnumeration requested but not enabled: $EnumerationRequested Time(s)\n";
 }
 
 if (keys %OtherList) {
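Review bot: `next if defined($debuglevel) && hex($debuglevel) > 16;` is commented as "Ignore debug messages" but keeps only level 0x0010; if the sssd level map is the usual one (0x0010 fatal, 0x0020 critical, 0x0040 operation failure, 0x0080 minor failure, 0x0100 and above configuration/function/trace), that discards critical and operation failures such as failed LDAP or TLS binds, and because the `next` runs before the `/error/i` branch they never reach `%Errors` or `%OtherList`. Name the cut-off and put it at the first informational level, e.g. `my $MaxDebugLevel = 0x0080; # keep fatal..minor failures, drop conf/func/trace` with `next if defined($debuglevel) && hex($debuglevel) > $MaxDebugLevel;`, or expose it as a config option like the two added at the top of the file. The p11_child suppression also only resets on `p11_child failed`, so a later unrelated `do_work failed` stays hidden if that line never arrives; hedged, since the exact message sequence is not visible here. The line loop enclosing this hunk starts outside it.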
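Review bot: In the new summary `if`, `$Starts{"Daemon"} != $BackendOffline` reads a hash entry that does not exist when the daemon never started inside the reporting window, which under `use warnings` emits an uninitialized-value warning into the report; use `(($Starts{"Daemon"} || 0) != $BackendOffline)`. The filter also hides a genuine outage whenever the number of offline transitions happens to equal the number of daemon starts, so the comment should present it as a heuristic, e.g. `# heuristic: one 'offline' per daemon start is assumed to be the normal start-in-offline-mode transition`. Whether the service label is really "Daemon" depends on how `$Service` is derived earlier in the file, outside this hunk.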
diff --git a/scripts/services/sudo b/scripts/services/sudo
index 763dcdf..e790a25 100755
--- a/scripts/services/sudo
+++ b/scripts/services/sudo
@@ -80,7 +80,9 @@
 # handled in pam_unix
 } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) {
 # handled in pam_unix
- } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) {
+ } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/
+ or $ThisLine =~ /pam_systemd\(sudo:session\): Cannot create session: Already (running in|occupied by) a session/
+ ) {
 # Ignore
 } elsif ($ThisLine =~ /(.+): conversation failed/) {
 $ConFailed{$1}++;
diff --git a/scripts/services/systemd b/scripts/services/systemd
index 53849d5..6692902 100755
--- a/scripts/services/systemd
+++ b/scripts/services/systemd
@@ -47,10 +47,13 @@
 $ThisLine =~ / failed\.$/ or
 $ThisLine =~ /([Cc]ontrol|[Mm]ain|[Mm]ount) process exited, code=(exited|killed|dumped),? status=/ or
 # Informational
- $ThisLine =~ /^Closed .* [Ss]ockets?\.$/ or
+ $ThisLine =~ /^Closed .*[\. ][Ss]ockets?\.$/ or
 $ThisLine =~ /^Closed .* [Ss]cheduler\.$/ or
 $ThisLine =~ /^Closed .* [Ww]atch\.$/ or
+ $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or
 $ThisLine =~ /^Closed udev / or
+ # crond will never restart process when it is restarted
+ $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or
 $ThisLine =~ /^Received SIGINT\./ or
 $ThisLine =~ /^Deactivated / or
 $ThisLine =~ /^Detected (architecture|virtualization) / or
@@ -64,6 +67,7 @@
 $ThisLine =~ /^RTC configured in / or
 $ThisLine =~ /^Running in initial RAM disk\.$/ or
 $ThisLine =~ /^Set hostname to / or
+ $ThisLine =~ /^Set up automount Arbitrary Executable File Formats File System Automount Point\.$/ or
 $ThisLine =~ /^Shutting down\.$/ or
 $ThisLine =~ /^Startup finished in / or
 $ThisLine =~ /^Stopped / or
@@ -73,6 +77,8 @@
 $ThisLine =~ /: Got notification message from PID \d+, but reception is disabled\./ or
 $ThisLine =~ /: Got notification message from PID \d+, but reception only permitted for main PID \d+/ or
 $ThisLine =~ /^systemd (\d+) running in system mode/ or
+ # This is preceeded by a more descriptive message
+ $ThisLine =~ /^This usually indicates unclean termination of a previous run, or service implementation deficiencies\.$/ or
 $ThisLine =~ /Transaction is destructive\./ or
 $ThisLine =~ /^Unit .* is bound to inactive unit .*\. Stopping, too\./ or
 $ThisLine =~ /Unit (.* is )?not needed anymore\. Stopping\./ or
@@ -93,9 +99,9 @@
 $ThisLine =~ /^[^ ]*\.mount: Directory \/[^ ]* to mount over is not empty, mounting anyway\.$/ or
 # A known issue - reported by multiple distributions
 $ThisLine =~ /^user\@\d+\.service: Failed at step CGROUP spawning \/usr\/lib\/systemd\/systemd: No such file or directory$/ or
- $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or
+ $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or
 # https://bugzilla.redhat.com/show_bug.cgi?id=1072368
- $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or
+ $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \((?:kill|n\/a)\)\.$/ or
 $ThisLine =~ /^Removed slice / or
 $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or
 $ThisLine =~ /Adding .* random time\.$/ or
diff --git a/scripts/services/zz-disk_space b/scripts/services/zz-disk_space
index e298628..21682d0 100755
--- a/scripts/services/zz-disk_space
+++ b/scripts/services/zz-disk_space
@@ -127,20 +127,19 @@
 }
 
 sub DiskFull {
- my $o = `$disk_cmd`;
- my @rows = split('\n', $o);
- foreach my $row (@rows) {
- my @fields = split(' ', $row);
- my $use = $fields[4];
- $use =~ s/%//;
- if (($use > $diskfull_threshold) &&
- ($fields[0] !~ /\/dev\/scd/ ) &&
- ($fields[0] !~ /\/dev\/sr/ ) &&
- ($fields[0] !~ /\/dev\/loop./) &&
- ($fields[5] !~ /^$diskfull_exclude_dirs/i)) {
- print "$fields[5] ($fields[0]) => $fields[4] Used. Warning. Disk Filling up.\n";
- }
- }
+ my @rows = split('\n', `$disk_cmd`);
+ # Remove header
+ shift @rows;
+ foreach my $row (@rows) {
+ my ($source,$used,$target) = ($row =~ /^(.*?)(?:\s+\d+[KMGTP]?){3}\s+(\d+)%\s+(.*)$/);
+ if (($used > $diskfull_threshold) &&
+ ($source !~ /\/dev\/scd/ ) &&
+ ($source !~ /\/dev\/sr/ ) &&
+ ($source !~ /\/dev\/loop./) &&
+ ($target !~ /^$diskfull_exclude_dirs/)) {
+ print "$target ($source) => $used% Used. Warning: Disk Filling up.\n";
+ }
+ }
 }
 
 #####################
@@ -156,9 +155,6 @@
 if ( ($release eq "5.10") || ($release eq "5.9") || ($release eq "5.11") ) {
 $df_options = "-h";
 }
- if ($local_disks_only) { $df_options .= " -l"; }
-} elsif ($OSname eq "HP-UX") {
- $df_options = "";
 if ($local_disks_only) { $df_options .= " -l"; }
 } elsif ($OSname eq "AIX") {
 $df_options = "";
@@ -175,11 +171,7 @@
 $df_options = $ENV{'df_options'};
 };
 
-if ($OSname eq "Linux") {
- $disk_cmd = "df $df_options";
-} elsif ($OSname eq "Darwin") {
- $disk_cmd = "df $df_options";
-} elsif ($OSname eq "SunOS") {
+if ($OSname eq "SunOS") {
 $disk_cmd = "/usr/xpg4/bin/df $df_options";
 } elsif ($OSname eq "HP-UX") {
 $disk_cmd = "bdf $df_options";
diff --git a/scripts/services/zz-fortune b/scripts/services/zz-fortune
deleted file mode 100755
index a7cd325..0000000
--- a/scripts/services/zz-fortune
+++ /dev/null
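Review bot: The new row regex `(?:\s+\d+[KMGTP]?){3}` in DiskFull accepts only integer sizes, yet the Solaris branch in the second hunk sets `$df_options = "-h"`, under which df prints values like `1.5G`, and on Darwin (a platform the third hunk shows is still routed through plain df) `df -h` prints suffixes like `466Gi`; on such rows nothing captures, `$used` is undef, the `>` test is silently false (with an uninitialized warning under `use warnings`) and a full disk is never reported, where the old `split(' ')` version coped. Accept fractional and suffixed sizes and skip rows that do not parse: `my ($source,$used,$target) = ($row =~ /^(.*?)(?:\s+[\d.]+[KMGTPE]?i?){3}\s+(\d+)%\s+(.*)$/);` followed by `next unless defined $used;`. The rewrite also drops the `/i` from the `$diskfull_exclude_dirs` match, and an empty `$diskfull_exclude_dirs` still turns `/^/` into "exclude every mount point", both of which deserve a comment. Because the backticks hand `$disk_cmd` to a shell, the `df_options` value read from `$ENV` in the third hunk must remain trusted configuration.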
@@ -1,41 +0,0 @@ -########################################################################## -# $Id$ -########################################################################## -# Named 'zz-fortune' so that it will be the last to execute... - -####################################################### -## Copyright (c) 2008 Kirk Bauer -## Covered under the included MIT/X-Consortium License: -## http://www.opensource.org/licenses/mit-license.php -## All modifications and contributions by other persons to -## this script are assumed to have been donated to the -## Logwatch project and thus assume the above copyright -## and licensing terms. If you want to make contributions -## under your own copyright or a different license this -## must be explicitly stated in the contribution an the -## Logwatch project reserves the right to not accept such -## contributions. If you have made significant -## contributions to this script and want to claim -## copyright please contact logwatch-devel@lists.sourceforge.net. -######################################################### - -my $env = ( $ENV{'REAL_LANG'} ? "LANG=".$ENV{'REAL_LANG'}." " : "" ). - ( $ENV{'REAL_LC_ALL'} ? "LC_ALL=".$ENV{'REAL_LC_ALL'}." " : "" ); - -if (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/games/fortune")) { - #print "\n\n------------------ Fortune --------------------\n\n"; - system("$env /usr/games/fortune"); - print "\n"; -} -elsif (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/bin/fortune")) { - #print "\n\n------------------ Fortune --------------------\n\n"; - system("$env /usr/bin/fortune"); - print "\n"; -} - -# vi: shiftwidth=3 tabstop=3 syntax=perl et -# Local Variables: -# mode: perl -# perl-indent-level: 3 -# indent-tabs-mode: nil -# End: diff --git a/scripts/services/zz-zfs b/scripts/services/zz-zfs index 2e59c7e..74a8291 100644 --- a/scripts/services/zz-zfs +++ b/scripts/services/zz-zfs 
@@ -84,7 +84,7 @@
 my $unit_re = '['.join('', keys %units).']';
 
 # Discover the pools
-open POOLS, '-|', $pathto_zpool, qw(list -H -o name,size,allocated,free,dedupratio,capacity,health) or die "Error running 'zpool list': $!\n";
+open POOLS, "$pathto_zpool list -H -o name,size,allocated,free,dedupratio,capacity,health 2>/dev/null |" or die "Error running 'zpool list': $!\n";
 while() {
 chomp;
 my ($name, $size, $used, $avail, $dedup, $cap, $health) = split(/\s+/);
diff --git a/scripts/shared/applytaidate b/scripts/shared/applytaidate
index 4f7def7..e34567a 100755
--- a/scripts/shared/applytaidate
+++ b/scripts/shared/applytaidate
@@ -56,6 +56,16 @@
 if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; }
 }
 }
+ elsif ($ThisLine =~ s/^\@40{6}([0-9a-f]{9})[0-9a-f]{8}\s// ) {
+ if ( $Debug > 10 ) {
+ print STDERR "DEBUG: potential Y2038 bug $1 is greater than 2038 and your perl version is $] see http://perldoc.perl.org/5.14.1/perl5120delta.html#Y2038-compliance\n";
+ }
+ my $NewTimeStamp = scalar(localtime(hex($1)));
+ if ($NewTimeStamp =~ /^$SearchDate$/) {
+ print $ThisLine;
+ if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; }
+ }
+ }
 }
 
 # vi: shiftwidth=3 syntax=perl tabstop=3 et
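Review bot: Replacing the list-form pipe open with the two-argument `open POOLS, "$pathto_zpool list ... 2>/dev/null |"` routes `$pathto_zpool` through /bin/sh, so a path containing spaces or shell metacharacters (it looks configurable, but where it comes from is above this hunk) is now word-split and interpreted where before it was passed intact as argv[0]; the only thing gained is the stderr redirect. Keep the list form and silence stderr around the fork instead, as below; the `while() {` loop that follows is unchanged. The bareword `POOLS` handle predates this commit and can stay.

```perl
# Discover the pools; silence zpool's stderr without handing the path to a shell
open my $devnull, '>', '/dev/null' or die "Cannot open /dev/null: $!\n";
open my $saved_stderr, '>&', \*STDERR or die "Cannot dup STDERR: $!\n";
open STDERR, '>&', $devnull or die "Cannot redirect STDERR: $!\n";
open POOLS, '-|', $pathto_zpool, qw(list -H -o name,size,allocated,free,dedupratio,capacity,health) or die "Error running 'zpool list': $!\n";
open STDERR, '>&', $saved_stderr or die "Cannot restore STDERR: $!\n";
# … unchanged: while loop reading POOLS …
```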