Merge tag 'upstream/7.5.0' Upstream version 7.5.0 Willi Mann 5 years ago
37 changed file(s) with 246 addition(s) and 201 deletion(s). Raw diff Collapse all Expand all
0 Copyright (c) 2011 Kirk Bauer
0 Copyright (c) 2002-2018 Kirk Bauer
11
22 Permission is hereby granted, free of charge, to any person obtaining a copy of
33 this software and associated documentation files (the "Software"), to deal in
1010 ########################################################
1111
1212 # What actual file? Defaults to LogPath if not absolute path....
13 LogFile = /var/spool/autorpm/install.log
13 LogFile = ../spool/autorpm/install.log
1414
1515 # vi: shiftwidth=3 tabstop=3 et
77 ##########################################################################
88
99 # Which logfile group...
10 LogFile = /var/log/bfd_log
11 Archive = /var/log/bfd_log.*
12 Archive = /var/log/bfd_log-*
10 LogFile = bfd_log
11 Archive = bfd_log.*
12 Archive = bfd_log-*
1313
1414
1111
1212 # What actual file? Defaults to LogPath if not absolute path....
1313 #Solaris is /var/cron/log -mgt
14 LogFile = /var/cron/log
14 LogFile = ../cron/log
1515 LogFile = cron
1616
1717 # If the archives are searched, here is one or more line
44 ########################################################
55
66 # What actual file? Defaults to LogPath if not absolute path....
7 LogFile = /var/log/mysql/mysqld.err.1
8 LogFile = /var/log/mysql/mysqld.err
7 LogFile = mysql/mysqld.err.1
8 LogFile = mysql/mysqld.err
99
10 Archive = /var/log/mysql/mysqld.err.*.gz
11 Archive = /var/log/mysql/mysqld.err-*.gz
10 Archive = mysql/mysqld.err.*.gz
11 Archive = mysql/mysqld.err-*.gz
1212
1313 # Expand the repeats (actually just removes them now)
1414 *ExpandRepeats
1212 # Logwatch will try to find md devices in /etc/mdadm.conf or
1313 # /etc/mdadm/mdadm.conf. If none of these files exist it can scan actively
1414 # for md devices. Set to 'Yes' to enable active scanning:
15 $MDADM_ENABLE_SCAN = No
15 $mdadm_enable_scan = No
16
17 # Logwatch will emit an error for md devices listed in /etc/mdadm.conf
18 # that are not present. If you do not want this (e.g. raid devices may come
19 # and go) then uncomment this
20 # $mdadm_ignore_missing = Yes
1621
1722 # Which logfile group...
1823 LogFile = NONE
1515 # OnlyService doesn't work with sssd services
1616 *RemoveHeaders = "^... .. ..:..:.. [^ ]* "
1717
18 # To completey ignore backend status messages, enable this
19 ignore_backed_status = No
20
21 # To ignore "Enumeration requested but not enabled" messages
22 ignore_enumeration_requested = No
23
1824 # vi: shiftwidth=3 tabstop=3 et
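Review bot: The new key `ignore_backed_status` reads like a typo for `ignore_backend_status`, given the comment directly above speaks of "backend status messages"; if the sssd service script looks the setting up under the other spelling, the option is silently ignored (the script is not in this view, so this is inferred). Whichever spelling is kept, the conf key and the script's `$ENV{...}` lookup must agree, and a quick grep for both spellings would settle it. The comment also misspells "completely": `# To completely ignore backend status messages, enable this`.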
+0
-30
conf/services/zz-fortune.conf less more
0 ###########################################################################
1 # $Id$
2 ###########################################################################
3
4 # This just displays a fortune at the end of the report...
5
6 # You can put comments anywhere you want to. They are effective for the
7 # rest of the line.
8
9 # this is in the format of <name> = <value>. Whitespace at the beginning
10 # and end of the lines is removed. Whitespace before and after the = sign
11 # is removed. Everything is case *insensitive*.
12
13 # Yes = True = On = 1
14 # No = False = Off = 0
15
16 Title = "Fortune"
17
18 # Which logfile group...
19 LogFile = NONE
20
21 ########################################################
22 # This was written and is maintained by:
23 # Kirk Bauer <kirk@kaybee.org>
24 #
25 # Please send all comments, suggestions, bug reports,
26 # etc, to kirk@kaybee.org.
27 ########################################################
28
29 # vi: shiftwidth=3 tabstop=3 et
274274 if [ -d $MANDIR/man5 ] && [ -d $MANDIR/man8 ] && [ -d $MANDIR/man1 ] && [ $HAVE_MAKEWHATIS ]; then
275275 install -m 0644 logwatch.8 $MANDIR/man8
276276 install -m 0644 logwatch.conf.5 $MANDIR/man5
277 install -m 0644 override.conf.5 $MANDIR/man5
278 install -m 0644 ignore.conf.5 $MANDIR/man5
277 ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5
278 ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5
279279 install -m 0644 postfix-logwatch.1 $MANDIR/man1
280280 install -m 0644 amavis-logwatch.1 $MANDIR/man1
281281 #OpenBSD no -s
297297 fi
298298 else
299299 if [ $OS = "SunOS" ]; then
300 #Go for the safe install rather then editing man.cf
300 #Go for the safe install rather than editing man.cf
301301 mkdir -p $MANDIR/man1m > /dev/null 2>&1
302302 install -m 0644 logwatch.8 $MANDIR/man1m
303303 install -m 0644 logwatch.conf.5 $MANDIR/man1m
304 install -m 0644 override.conf.5 $MANDIR/man1m
305 install -m 0644 ignore.conf.5 $MANDIR/man1m
304 ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/ignore.conf.5
305 ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/override.conf.5
306306 install -m 0644 postfix-logwatch.1 $MANDIR/man1
307307 install -m 0644 amavis-logwatch.1 $MANDIR/man1
308308 catman -w -M $MANDIR/man1m
313313
314314 install -m 0755 -d $MANDIR/man5
315315 install -m 0644 logwatch.conf.5 $MANDIR/man5
316 install -m 0644 override.conf.5 $MANDIR/man5
317 install -m 0644 ignore.conf.5 $MANDIR/man5
316 ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5
317 ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5
318318
319319 install -m 0755 -d $MANDIR/man8
320320 install -m 0644 logwatch.8 $MANDIR/man8
335335 if [ ! -e /lib/systemd/system/multi-user.target.wants ]; then
336336 install -m 0755 -d /lib/systemd/system/multi-user.target.wants
337337 fi
338 ln -s ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer
338 ln -sf ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer
339339 printf "Created and enabled systemd logwatch.timer"
340340 elif [ -d /etc/cron.daily ]; then
341341 rm -f /etc/cron.daily/0logwatch
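Review bot: The `ln -sf` lines that replace the separate `override.conf.5`/`ignore.conf.5` installs use absolute targets built from `$MANDIR`, so each link records the install-time prefix and breaks if the tree is later copied or packaged under a different root; since link and target sit in the same directory a relative target is sufficient, `ln -sf logwatch.conf.5 $MANDIR/man5/ignore.conf.5` (and the same for `override.conf.5`, the SunOS `man1m` block and the plain `man5` block below). `$MANDIR` is still unquoted on every new line, as in the surrounding script, so a prefix containing whitespace will split; quoting it on the lines this commit touches would be a cheap start. The `-s` to `-sf` change on the systemd timer link correctly makes a re-install idempotent.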
2828
2929 .SH FILES
3030 .I /etc/logwatch/conf/logwatch.conf
31 .I /etc/logwatch/conf/logwatch.conf
32 .I /etc/logwatch/conf/logwatch.conf
31 .I /etc/logwatch/conf/ignore.conf
32 .I /etc/logwatch/conf/override.conf
3333 .I /usr/share/logwatch/default.conf/logwatch.conf
3434
3535 .SH "SEE ALSO"
00 #!/bin/sh
11
2 #Set logwatch location
2 #Set logwatch executable location
33 LOGWATCH_SCRIPT="/usr/sbin/logwatch"
4 #Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf,
5 #but some are only for the nightly cronrun such as --output mail and should be set here.
6 #Other options to consider might be "--format html" or "--encode base64", man logwatch for more details.
4
5 # Add options to the OPTIONS variable. Most options should be defined in
6 # the file /etc/logwatch/conf/logwatch.conf, but some are only for the
7 # nightly cron run such as "--output mail" and should be set here.
8 # Other options to consider might be "--format html" or "--encode base64".
9 # See 'man logwatch' for more details.
710 OPTIONS="--output mail"
811
912 #Call logwatch
4545 mainloop: while ($ThisLine) {
4646 if ($ThisLine =~ m/^$SearchDate /o) {
4747 print $ThisLine;
48 $ThisLine = <STDIN>;
4849 }
4950 elsif ($ThisLine =~ m/^\[$SearchDate2/o) {
5051 chomp($ThisLine);
128128 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]* subj=.*res=success/) or
129129 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 old auid=[0-9]* new auid=[0-9]+ old ses=[0-9]* new ses=[0-9]+ res=1$/) or
130130 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 subj=.* old-auid=[0-9]* auid=[0-9]+ old-ses=[0-9]* ses=[0-9]+ res=1$/) or
131 # This will generate a journal entry for the service failure, success, or start/stop
132 ( $ThisLine =~ /type=113[01] audit\([0-9.]*:[0-9]*\): pid=1 uid=0 auid=[0-9]+ ses=[0-9]+ (?:subj=system_u:system_r:init_t:s0 )?msg='unit.* comm="systemd" .* res=.*'$/) or
133 ( $ThisLine =~ /SERVICE_(?:START|STOP) pid=1/) or
131134 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): cwd=".*"/) or
132135 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): user/) or
133136 ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): proctitle=/) or
306309 }
307310 }
308311
309 if (keys %OtherList) {
312 if (keys %OtherList and $Detail) {
310313 print "\n**Unmatched Entries**\n";
311314 foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) {
312315 print " $line: $OtherList{$line} Time(s)\n";
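Review bot: Gating the Unmatched Entries section on `$Detail` (`if (keys %OtherList and $Detail)`) means a default-detail run silently drops every audit record the patterns above do not recognise, and on an audit log the unrecognised records are usually the ones worth seeing. If the goal is only to shorten the report, keep a count at detail 0 and list the lines only at higher detail: `print "\n**Unmatched Entries**: " . scalar(keys %OtherList) . " (raise Detail to list)\n" unless $Detail;` before the existing block. The `SERVICE_(?:START|STOP) pid=1` ignore added further up likewise discards all systemd unit start/stop audit events unconditionally; if those should remain visible at higher detail the ignore needs the same `$Detail` condition (inferred — the head of that ignore block is outside the hunk).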
225225 elsif ( ($unmatched) = ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/) ) {
226226 $ConfigChange{$host}++;
227227 }
228 elsif ( ($HASH) = ($ThisLine =~ /%AUDIT-5-STARTUP_CONFIG: Startup Configuration changed. Hash:\s(^\s)/) ) {
229 $StartConfigChange{host}++;
230 }
231228 elsif ( ($interface,$errortype,$withwho) = ($ThisLine =~ /duplex mismatch discovered on (.+) \(.*\), with (.*)/) ) {
232229 $DuplexMismatched{$host}{$interface." with ".$errortype}++;
233230 }
297294 elsif ( ($interface) = ($ThisLine =~ /UNDERFLO: (.*)/) ) {
298295 $Underflow{$host}{$interface}++;
299296 }
297 elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) {
298 $SYSWarn{$host}{$interface}++;
299 }
300300 elsif ( ($interface) = ($ThisLine =~ /P2_WARN: (.*)/) ) {
301301 $InvalidMulticast{$host}{$interface}++;
302302 }
360360 elsif ( ($interface) = ($ThisLine =~ /MLS-5-FLOWMASKCHANGE: (.*)/) ) {
361361 $MLSFlowmaskChanged{$host}{$interface}++;
362362 }
363 elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) {
364 $SYSWarn{$host}{$interface}++;
365 }
366363 elsif ( ($interface) = ($ThisLine =~ /SYS-3-CPUHOG: (.*)/) ) {
367364 $SYSCpuHog{$host}{$interface}++;
368365 }
409406 $CountersMsg{$host}{$interface}++;
410407 }
411408 elsif ( ($interface) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) {
412 $Dot11Retrys{$host}{$interface}++;
413 }
414 elsif ( ($interface,$msg) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) {
415409 $Dot11Retrys{$host}{$interface}++;
416410 }
417411 elsif ( ($radio,$interface) = ($ThisLine =~ /DOT11-6-ASSOC: Interface (.*), Station +(.*)/) ) {
573567 }
574568 }
575569
576 if (keys %$DuplicateAddress) {
570 if (keys %DuplicateAddress) {
577571 print "\nPort/Interface duplicate address :\n";
578 foreach $ThisOne (sort keys %$DuplicateAddress) {
579 print " " . $ThisOne . ":\n";
580 foreach $ThatOne (sort keys %{$$DuplicateAddress{$ThisOne}}) {
572 foreach $ThisOne (sort keys %DuplicateAddress) {
573 print " " . $ThisOne . ":\n";
574 foreach $ThatOne (sort keys %{$DuplicateAddress{$ThisOne}}) {
581575 print "\t " .$ThatOne . "\t: " . $DuplicateAddress{$ThisOne}{$ThatOne} . " Time(s)\n";
582576 }
583577 }
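Review bot: Deleting the `%AUDIT-5-STARTUP_CONFIG` branch removes startup-config change detection instead of repairing it: the old regex `Hash:\s(^\s)` could never match and `$StartConfigChange{host}` keyed on the literal string `host`, so the branch was dead, but a two-line fix — `elsif ( ($HASH) = ($ThisLine =~ /%AUDIT-5-STARTUP_CONFIG: Startup Configuration changed\. Hash:\s(\S+)/) ) { $StartConfigChange{$host}++; }` — would keep those events reported next to `%ConfigChange`; whether `%StartConfigChange` is printed anywhere is outside this view. The other changes (moving `SYS-4-P2_WARN` ahead of the broader `P2_WARN` match, dropping the duplicated `DOT11-4-MAXRETRIES` branch, and iterating `%DuplicateAddress` as a plain hash) look correct. The `elsif` chain begins and ends outside the hunks.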
4949 ( $ThisLine =~ /^Protecting against \d+ viruses\./ ) or
5050 ( $ThisLine =~ /^Reading databases from/ ) or
5151 ( $ThisLine =~ /file removed\./ ) or
52 ( $ThisLine =~ /support enabled\./ ) or
53 ( $ThisLine =~ /support disabled\./ ) or
52 ( $ThisLine =~ / (?:dis|en)abled\.$/ ) or
5453 ( $ThisLine =~ /^Archive/ ) or
5554 ( $ThisLine =~ /^Running as user/ ) or
5655 ( $ThisLine =~ /^Log file size limit/ ) or
5756 ( $ThisLine =~ /^Bound to.*port \d*/ ) or
58 ( $ThisLine =~ /^Detection of broken executables enabled./ ) or
5957 ( $ThisLine =~ /^SIGHUP caught: re-opening log file./ ) or
6058 ( $ThisLine =~ /^Loaded \d+ signatures/ ) or
61 ( $ThisLine =~ /^Algorithmic detection enabled/ ) or
6259 ( $ThisLine =~ /^Mail: Recursion level limit set to \d+/ ) or
6360 ( $ThisLine =~ /clamd shutdown\s+succeeded/ ) or
6461 ( $ThisLine =~ /clamd startup\s+succeeded/ ) or
7067 ( $ThisLine =~ /Bytecode: Security mode set to /) or
7168 ( $ThisLine =~ /^No stats for Database check/ ) or
7269 ( $ThisLine =~ /^Received \d+ file descriptor\(s\) from systemd\.$/) or
73 ( $ThisLine =~ /^BlockMax heuristic detection (?:en|dis)abled\./) or
7470 0 # This line prevents blame shifting as lines are added above
7571 ) {
7672 # We do not care about these.
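Review bot: The consolidated `/ (?:dis|en)abled\.$/` test is far broader than the `support`, `detection` and `heuristic detection` lines it replaces: any clamd message ending in "enabled." or "disabled." is now dropped, so an unexpected "... disabled." line — exactly the kind that signals a scanning feature being switched off — can never reach the unmatched list. Anchoring on the subjects that actually occur in the removed lines keeps the merge without the blanket ignore: `( $ThisLine =~ / (?:support|executables|detection) (?:dis|en)abled\.?$/ ) or`. The enclosing `if (` condition starts above the hunk.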
3939 ($ThisLine =~ /loading table .*/) or
4040 ($ThisLine =~ /void Inotify::Remove\(InotifyWatch\*\): removing watch failed/) or
4141 ($ThisLine =~ /error: \(22\) Invalid argument/) or
42 ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/)
42 ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/) or
43 ($ThisLine =~ /PAM pam_end: NULL pam handle passed/)
4344 ) {
4445 # Ignore
4546 } elsif (
1515
1616 use strict;
1717 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
18 my %ErrorThreshold;
19 if (defined($ENV{'error_threshold'})) {
20 foreach my $entry (split(',',$ENV{'error_threshold'})) {
21 my ($regex,$limit) = split(';',$entry);
22 $ErrorThreshold{$regex} = $limit;
23 }
24 }
25
1826 my %Errors;
1927 my %Warnings;
2028 my %Startup;
4856 } elsif ($ThisLine =~ /^ERR - /
4957 or $ThisLine =~ /error/i
5058 or $ThisLine =~ /^Detected Disorderly Shutdown/) {
59 # Remove some items that prevent de-duplication
60 $ThisLine =~ s/:\s+\d+\s+\d+//;
61 $ThisLine =~ s/change record \d+/change record/;
5162 $Errors{$ThisLine}++;
5263 } elsif ($ThisLine =~ /^WARN - /
5364 or $ThisLine =~ /warning/i
8394 $OtherList{$ThisLine}++;
8495 }
8596 $PreviousLine = $ThisLine;
97 }
98
99 if (keys %Errors and keys %ErrorThreshold) {
100 LINE: foreach my $line (sort {$a cmp $b} keys %Errors) {
101 foreach my $regex (keys %ErrorThreshold) {
102 if ($line =~ /$regex/i and $Errors{$line} <= $ErrorThreshold{$regex}) {
103 delete $Errors{$line};
104 next LINE;
105 }
106 }
107 }
86108 }
87109
88110 if (keys %Errors) {
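Review bot: The `error_threshold` parsing trusts both halves of each `regex;limit` entry: an entry with no `;` leaves `$limit` undef, so `$Errors{$line} <= $ErrorThreshold{$regex}` compares against 0 under a warning and never suppresses anything, and a malformed pattern makes `$line =~ /$regex/i` die when the report runs. A guard inside the parsing loop avoids both, `next unless defined $limit and $limit =~ /^\d+$/;` followed by `eval { qr/$regex/i; 1 } or next;` before the assignment. The value arrives from the service conf through `%ENV`, so this is robustness against admin typos rather than untrusted input, but a dying report is still a lost report.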
3131 $PackageUpdated{$ThisLine}++;
3232 } elsif ( $ThisLine =~ s/^.* INFO Installed: ([^ ]+)/$1/ ) {
3333 $PackageInstalled{$ThisLine}++;
34 } elsif ( $ThisLine =~ s/^.* INFO Reinstalled: ([^ ]+)/$1/ ) {
35 $PackageReinstalled{$ThisLine}++;
3436 } elsif ( $ThisLine =~ s/^.* INFO Erased: ([^ ]+)/$1/ ) {
3537 $PackageErased{$ThisLine}++;
38 } elsif ( $ThisLine =~ s/^.* INFO Obsoleted: ([^ ]+)/$1/ ) {
39 $PackageObsoleted{$ThisLine}++;
3640 } elsif ( $ThisLine =~ m/INFO --- logging initialized ---/ ) {
3741 $ignoredlines++;
3842 } elsif ( $ThisLine =~ m/INFO Cleanup: / ) {
4953 print " " . $ThisOne;
5054 }
5155 }
56 if (keys %PackageReinstalled) {
57 print "\nPackages Reinstalled:\n";
58 foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageReinstalled) {
59 print " ". $ThisOne;
60 }
61 }
5262 if (keys %PackageUpdated) {
5363 print "\nPackages Updated:\n";
5464 foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdated) {
5868 if (keys %PackageErased) {
5969 print "\nPackages Erased:\n";
6070 foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageErased) {
71 print " ". $ThisOne;
72 }
73 }
74 if (keys %PackageObsoleted) {
75 print "\nPackages Obsoleted:\n";
76 foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageObsoleted) {
6177 print " ". $ThisOne;
6278 }
6379 }
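Review bot: The report section now repeats the same `if (keys %X) { print title; foreach sorted keys … }` block for every package category, and the two new blocks are copy-pastes of the existing ones; a list of `[ "Packages Reinstalled:", \%PackageReinstalled ]` pairs iterated once would make the next category a one-line addition and keep the sort and indentation consistent (style only — behaviour is unchanged). Matching on `Reinstalled:` and `Obsoleted:` before the existing `Erased:` test is fine since the prefixes are distinct. The surrounding report code begins and ends outside the hunk.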
227227 $Deliver{$User}{$Mailbox}++;
228228
229229 # LMTP-based delivery
230 } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): [^:]+:(?:\d+:)? msgid=.*: saved mail to (.*)/ ) ) {
230 } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*msgid=.*: saved mail to (.*)/ ) ) {
231231 # dovecot: [ID 583609 mail.info] lmtp(12782, cloyce@headgear.org): jBt1EfjCMk3uMQAAm9eMBA: msgid=<4D32DB1F.3080707@c-dot.co.uk>: saved mail to INBOX
232 $Deliver{$User}{$Mailbox}++;
233
234 # LMTP-based delivery Dovecot 2.2.33
235 } elsif ( ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): msgid=.*: saved mail to (.*)/ ) ) {
236 # dovecot: lmtp(user@domain.com): msgid=<0.0.B.B83.1D385668207AF06.0@b12.mta01.sendsmaily.info>: saved mail to INBOX
232237 $Deliver{$User}{$Mailbox}++;
233238
234239 # LMTP-based Sieve delivery
235240 } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*: sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) {
236241 $Deliver{$User}{$Mailbox}++;
237242
243 # LMTP-based Sieve delivery Dovecot 2.3
244 } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) {
245 $Deliver{$User}{$Mailbox}++;
246
238247 # sieve forward
239248 } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*?)\):(?: [^:]+:)? sieve: msgid=.* forwarded to \<(.*)\>/)) {
240249 $Forwarded{$User}{$Recip}++;
250
251 # sieve pipe
252 } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?pipe action: piped message to program `.*'/) or
253 my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?left message in mailbox '.*'/) ) {
254 # dovecot: imap(user@domain.com): sieve: pipe action: piped message to program `sa-learn-sieve.sh'
255 # dovecot: imap(user@domain.com): sieve: left message in mailbox 'INBOX.Spam'
256 # dovecot: lmtp(spam@domain.com): sieve: msgid=<6e3eb3f436fdca54@host.domain.com>: pipe action: piped message to program `sa-learn-sieve.sh'
257 # IGNORE
241258
242259 # sieve vacation
243260 } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*)\):(?: .*:)? sieve: msgid=.* sent vacation response to \<(.*)\>/)) {
298315 $Aborted{$Host}++;
299316 } elsif (my ($Reason) = ($ThisLine =~ /Aborted login \((.*)\):/)) {
300317 $Aborted{$Reason}++;
301 } elsif (my ($User,$IP) = ($ThisLine =~ /auth: LOGIN\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) {
318 } elsif (my ($User,$IP) = ($ThisLine =~ /auth: (?:LOGIN|login)\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) {
302319 $AuthTimedOut{$User}{$IP}++;
303320 } elsif (my ($Reason) = ($ThisLine =~ /auth: Warning: auth client \d+ disconnected with \d+ pending requests: (.*)/) ) {
304321 $AuthDisconnectedWithPending{$Reason}++;
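Review bot: The new sieve-pipe branch declares `my ($User, $Recip)` twice in one `elsif` condition joined by `or`; the second `my` redeclares the same lexicals in the same scope (a "masks earlier declaration" warning), and neither capture is used because the branch body is `# IGNORE`. A single match with the two messages as one non-capturing `(?:pipe action: piped message to program …|left message in mailbox '.*')` alternative and no capture groups expresses the intent and drops the double declaration. The `elsif` chain's head and tail lie outside the hunk.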
114114 $ReInitializations++;
115115 } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) {
116116 # just ignore - this will be fixed within fail2ban and is harmless warning
117 } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (.*)/)) {
117 } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (\S+)/)) {
118118 $ServicesFound{$Service}{$Host}++;
119 } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (.*)/)) {
119 } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (\S+)/)) {
120120 $ServicesIgnored{$Service}{$Host}++;
121121 # Generic messages
122122 } elsif ( my ($Message) = ($ThisLine =~ / ERROR (.*)$/)) {
197197 # what to look for as an attack USE LOWER CASE!!!!!!
198198 #
199199 my @exploits = (
200 '^null$',
201200 '/\.\./\.\./\.\./',
202201 '\.\./\.\./config\.sys',
203202 '/\.\./\.\./\.\./autoexec\.bat',
314313 } elsif ($logformat =~ /\G%\{User-Agent}i/gci) {
315314 $parse_string[$parse_index] .= "(.*)";
316315 $parse_field[$parse_index][$parse_subindex++] = "agent";
317 } elsif ($logformat =~ /\G%({.*?})?./gc) {
316 } elsif ($logformat =~ /\G%(\{.*?\})?./gc) {
318317 $parse_string[$parse_index] .= "(.*?)";
319318 $parse_field[$parse_index][$parse_subindex++] = "not_used";
320319 } elsif ($logformat =~ /\G\|/gc) {
575574 foreach my $j ( keys %{$hacks{$i}} ) {
576575 print " $j $hacks{$i}{$j} Time(s) \n";
577576 }
578 } else {
579 print "\n";
580577 }
581578 }
582579 }
104104 $UnalignedErrors{$1}++;
105105 } elsif ($ThisLine =~ /([^(]*)\(\d+\): floating-point assist fault at ip/) {
106106 $FPAssists{$1}++;
107 } elsif ($ThisLine =~ /Out of memory: (?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) {
108 $OOM{$1}++;
109 } elsif ($ThisLine =~ /(\S+) invoked oom-killer/) {
107 } elsif ($ThisLine =~ /(?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) {
110108 $OOM{$1}++;
111109 } elsif ($ThisLine =~ /(EDAC (MC|PCI)\d:.*)/) {
112110 # Standard boot messages
248246 }
249247
250248 if (keys %OOM) {
251 print "\nWARNING: Out of memory killer killed these executables or their children\n";
249 print "\nWARNING: Out of memory killer killed these executables\n";
252250 foreach my $Thisone ( sort {$a cmp $b} keys %OOM ) {
253251 print " $Thisone : $OOM{$Thisone} Time(s)\n";
254252 }
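Review bot: The merged OOM pattern keeps the `[KK]illed` character class from the old line, which is just `K`, so a lowercase `killed process` line falls through to whatever handles unmatched output; `(?:[Kk]illed|[Kk]ill) process \d+ \((.*)\)` is presumably what was meant. Dropping the `Out of memory:` prefix also lets any kernel line of the shape `Killed process N (name)` land in `%OOM` (hedged — it depends on what else the kernel emits in that form), which the revised heading now presents as OOM kills. The `elsif` chain continues outside the hunk.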
2525
2626 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
2727 my $enable_scan = $ENV{'mdadm_enable_scan'} || 0;
28 my $ignore_missing = $ENV{'mdadm_ignore_missing'} || 0;
2829
2930 my @devices = ();
3031 if ( -f "/etc/mdadm.conf" ) {
4445 DEV: foreach my $dev (@devices) {
4546 my %mdhash;
4647
48 if ($dev =~ /<ignore>/) {
49 next;
50 }
51
4752 open(MDADM,"mdadm --misc --detail $dev 2>&1 |");
4853 while (<MDADM>) {
4954 if ($_ =~ /cannot open .*: No such file or directory/) {
50 print $_;
55 print $_ unless $ignore_missing;
5156 close(MDADM);
5257 next DEV;
5358 }
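Review bot: The new `<ignore>` skip uses a bare `next` inside the labelled `DEV:` loop while the sibling skip a few lines below uses `next DEV`; using `next DEV` for both keeps the target explicit, particularly with `while (<MDADM>)` nested right after. The context line `open(MDADM,"mdadm --misc --detail $dev 2>&1 |")` still passes `$dev` — populated from `/etc/mdadm.conf` per the lines above — through the shell in a two-argument pipe open with no return check; the list form `open(my $md, '-|', 'mdadm', '--misc', '--detail', $dev) or next DEV;` avoids the shell, though merging stderr would then need a separate step, so weigh it rather than drop it in. The `DEV:` loop body continues past the hunk.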
8888 ($ThisLine =~ /stopping command channel on \S+/) or
8989 ($ThisLine =~ /Malformed response from/) or
9090 ($ThisLine =~ /client .* response from Internet for .*/) or
91 ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or
91 # ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or
9292 ($ThisLine =~ /client .+(?: \([^)]+\))?: query:/) or
9393 # Do we really want to ignore these?
9494 #($ThisLine =~ /unknown logging category/) or
146146 ($ThisLine =~ /refresh: NODATA response from master/) or
147147 ($ThisLine =~ /update with no effect/) or
148148 ($ThisLine =~ /reading built-in trusted keys from file/) or
149 ($ThisLine =~ /reading built-in trust anchors from file/) or
149150 ($ThisLine =~ /using built-in trusted-keys/) or
150151 ($ThisLine =~ /set up managed keys zone/) or
152 ($ThisLine =~ /managed-keys-zone.*key now trusted/) or
153 ($ThisLine =~ /dhcpupdate: forwarding update for zone/) or
154 ($ThisLine =~ /forwarded dynamic update: master [^ ]* returned: (NXRRSET|YXDOMAIN)/) or
151155 ($ThisLine =~ /using .* as GeoIP directory/) or
152156 ($ThisLine =~ /GEO-.* Build/) or
153157 ($ThisLine =~ /initializing GeoIP /) or
163167 ($ThisLine =~ /next key event: /) or
164168 ($ThisLine =~ /reconfiguring zone keys/) or
165169 ($ThisLine =~ /using built-in DLV key/) or
166 ($ThisLine =~ /reading built-in trusted keys from file/) or
170 # ($ThisLine =~ /reading built-in trusted keys from file/) or
167171 ($ThisLine =~ /all zones loaded/) or
172 ($ThisLine =~ /resolver priming query complete/) or
168173 ($ThisLine =~ /client .* signer .* approved/) or
169174 ($ThisLine =~ /stop limiting/) or
170175 # ignore this line because the following line describes the error
237242 } elsif ( ($Way,$Host) = ( $ThisLine =~ /([^ ]+): sendto\(\[([^ ]+)\].+\): Network is unreachable/ ) ) {
238243 $FullHost = LookupIP ($Host);
239244 $NetworkUnreachable{$Way}{$FullHost}++;
245 } elsif ( ($Host,$Way) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?error ([^ ]+) response: network unreachable/ ) ) {
246 $FullHost = LookupIP ($Host);
247 $NetworkUnreachable{$Way}{$FullHost}++;
240248 } elsif ( ($Zone,$Message) = ( $ThisLine =~ /client [^\#]+#[^\:]+: (?:view \w+: )?updating zone '([^\:]+)': (.*)$/ ) ) {
241249 $ZoneUpdates{$Zone}{$Message}++;
242250 } elsif ( ($Host,$Zone) = ( $ThisLine =~ /approved AXFR from \[(.+)\]\..+ for \"(.+)\"/ ) ) {
245253 } elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) {
246254 $FullClient = LookupIP ($Client);
247255 $DeniedTCPClient{$FullClient}++;
248 } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: (?:view \w+: )?query \(cache\) denied/ ) ) {
256 } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?query \(cache\) (?:'.*' )?denied/ ) ) {
249257 $FullClient = LookupIP ($Client);
250258 $DeniedQuery{$FullClient}++;
251 } elsif ( ($Client) = ( $ThisLine =~ /client (.*)(#\d+)?: query '.*' denied/ ) ) {
259 } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([^#]*)(#\d+)?(?: \(.*\))?: query '.*' denied/ ) ) {
252260 $FullClient = LookupIP ($Client);
253261 $DeniedQueryNoCache{$FullClient}++;
254 } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: (?:view \w+: )?update '(.*)' denied/)) {
262 } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([\.0-9a-fA-F:]+)#\d+: (?:view (\w+): )?update '(.*)' denied/)) {
255263 $ViewName = ($ViewName ? "/$ViewName" : "");
256264 $UpdateDenied{"$Rhost ($Ldom$ViewName)"}++;
257265 } elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) {
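Review bot: Two ignore lines are commented out rather than deleted (the `query \(cache\) '.*' denied` one and the duplicated `reading built-in trusted keys` one); the first now intentionally routes cache denials to the `%DeniedQuery` branch further down, a visibility gain, so the dead lines should go and the branch should carry the reason, `# cache denials are counted here, not ignored above`. Style: the new `(NXRRSET|YXDOMAIN)` group in a pure ignore test can be non-capturing `(?:NXRRSET|YXDOMAIN)`. The `if (` and `elsif` chains begin and end outside the hunks.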
18861886 # Pass; identity=helo; client-ip=192.168.0.2; helo=example.com; envelope-from=<>; receiver=bogus@example.net
18871887 # Permerror; identity=helo; client-ip=192.168.0.4; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net
18881888 # Softfail; identity=mailfrom; client-ip=192.168.0.6; helo=example.com; envelope-from=f@example.com; receiver=yahl@example.org
1889 if ($line =~ /^(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror); (.*)$/) {
1889 if ($line =~ /^(?:prepend Received-SPF: )?(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror);? (.*)$/) {
18901890 my $result = $1;
18911891 my %params = $2 =~ /([-\w]+)=([^;]+)/g;
18921892 #$params{'s'} = '*unknown' unless $params{'s'};
140140 ($ThisLine =~ /smbd\/reply\.c:reply_special\(\d+\) netbios connect: name1=.+ /) or
141141 ($ThisLine =~ /nmbd\/nmbd_browsesync\.c:announce_local_master_browser_to_domain_master_browser\(\d+\) announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup .+ /) or
142142 ($ThisLine =~ /auth\/auth\.c:check_ntlm_password\(\d+\) check_ntlm_password: authentication for user \[.+\] -> \[.+\] -> \[.+\] succeeded/) or
143 ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or
143 ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(\d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or
144144 ($ThisLine =~ /===============================================================/)
145145 ) {
146146 #Don't care about these...
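Review bot: The corrected `\(\d+\)` line still captures the domain names with `([^ ]) -> ([^ ])`, one character each, so the ignore only fires when both names are a single character and real `Returning domain sid for domain X -> Y` lines keep falling through to the unmatched list; `\S+ -> \S+` (nothing reads the captures) is presumably intended. The enclosing `if (` condition begins above the hunk.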
189189 $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //;
190190 my $temp = $ThisLine;
191191 $temp =~ s/^([^[:]+).*/$1/;
192 if ($Ignore =~ /\b\Q$temp\E\b/i) { next; }
192 if ($Ignore =~ /(\s|^)\Q$temp\E(\s|$)/i) { next; }
193193
194194 #current sarge
195195 if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; }
204204 ( $ThisLine =~ /pam_unix\(.*:.*\)/) or
205205 ( $ThisLine =~ /pam_sss\(.*:.*\)/) or
206206 ( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or
207 ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or
208207 ( $ThisLine =~ /^halt:/) or
209208 ( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or
210209 ( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or
212211 ( $ThisLine =~ /^passwd\[\d+\]:/) or
213212 ( $ThisLine =~ /^passwd: gkr-pam: .*/) or
214213 ( $ThisLine =~ /^reboot:/) or
215 ( $ThisLine =~ /^sudo:/) or
214 ( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/) or
216215 ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or
217216 ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or
218217 ( $ThisLine =~ /warning: can.t get client address: Connection refused/) or
276275 ( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or # Details in other messages
277276 ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or
278277 ( $ThisLine =~ /pkexec: pam_systemd(.*): /) or
279 ( $ThisLine =~ /pkexec: \S+: Executing command /) or
278 ( $ThisLine =~ /pkexec(?:\[\d+\])?: \S+: Executing command /) or
280279 ( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or
281280 ( $ThisLine =~ /pam_systemd\(su:session\): Cannot create session: Already (running in|occupied by) a session/) or
282281 ( $ThisLine =~ /systemd-logind\[\d+\]: Removed session/) or
285284 ( $ThisLine =~ /systemd-logind\[\d+\]: Failed to start session scope (\S+): Transaction is destructive\./) or
286285 ( $ThisLine =~ /DIGEST-MD5 common mech free/) or
287286 ( $ThisLine =~ /sshguard\[\d+\]: Reloading rotated file /) or
287 ( $ThisLine =~ /sshguard\[\d+\]: Session \d+ logged out/) or
288288 ( $ThisLine =~ /sshguard\[\d+\]: Exiting on signal/) or
289289 ( $ThisLine =~ /sshguard\[\d+\]: Monitoring attacks from /) or
290290 ( $ThisLine =~ /sshguard\[\d+\]: (?:message repeated \d+ times: \[ )?\S+: not blocking /) or
427427 push @RemoveFromGroup, " user $1 from group $3\n";
428428 # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response
429429 # I don't think these are important to log at this time
430 } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
431 # sudo unauthorized commands
432 push @SudoList, "$1: $3\n" unless ($2 eq "");
433 } elsif ( $ThisLine =~ /^\/usr\/bin\/sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) {
434 # sudo unauthorized commands
435 push @SudoList, "$1: $3\n" unless ($2 eq "");
436430 } elsif ( ($service, $from) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) {
437431 if ($Ignore =~ /\b\Q$service\E\b/i) { next; }
438432 $Refused->{$service}->{$from}++;
458452 $GroupChanged{"$ThisLine"}++;
459453 } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) {
460454 $HomeChange{$User}{"$Home -> $NewHome"}++;
461 } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) {
455 } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) {
462456 $UidChange{"$User: $From -> $To"}++;
463 } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) {
457 } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) {
464458 $GidChange{"$User: $From -> $To"}++;
465 } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) {
459 } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) {
466460 $AccountExpiry{"$User: $From -> $To"}++;
467461 # checkpassword-pam
468462 } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) {
841835 print "spop3d connection errors:\t".$spop3d_errors."\n";
842836 }
843837
844 if ($#SudoList >= 0) {
845 print "\nUnauthorized sudo commands attempted (" . ($#SudoList + 1) . "):\n";
846 print @SudoList;
847 }
848
849838 if (keys %ChkPasswdPam) {
850839 print "\ncheckpassword-pam (SUID root PAM client):\n";
851840 foreach $PID (sort {$a cmp $b} keys %ChkPasswdPam) {
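Review bot: Removing the two `COMMAND=` branches and the `Unauthorized sudo commands attempted` report while adding every `sudo:`, `/usr/bin/sudo:` and `sudo[pid]:` line to the ignore list means this script no longer surfaces `command not allowed` sudo attempts at all. If that is deliberate because the dedicated sudo service script now covers them, a comment on the new ignore line would save the next reader the same question, `# sudo lines are reported by the sudo service script`; if not, the ignore should exclude denials, e.g. `( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/ and $ThisLine !~ /command not allowed/) or`. The `(\s|^)…(\s|$)` change to the ignore-list test near the top of the section only alters what counts as a word boundary and looks fine. The `elsif` chain and the report section both extend beyond the hunks.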
386386 }
387387
388388 # QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6}
389 my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)";
389 # Also, PID can now be up to seven digits in 64-bit systems
390 my $QueueIDFormat = "(?:\\w{7,9}\\d{5,7}|NOQUEUE)";
390391
391392 # ENOENT refers to "no such file or directory"
392393 my $ENOENT = Errno::ENOENT();
324324 $IllegalUsers{$host_ip}{$Temp}++;
325325 }
326326
327 elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) {
328 $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++
329 }
327330 elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(.*)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?(S+)?(.*)?/) ) {
328 $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++
329 }
330 elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) {
331331 $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++
332332 }
333333
314314 ($ThisLine =~ /Found matching \w+ key:/ ) or
315315 ($ThisLine =~ /User child is on pid \d/ ) or
316316 ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or
317 ($ThisLine =~ /Disconnected from (?:user \S+ |)[\da-fA-F.:]* port \d*/ ) or
317 ($ThisLine =~ /Exiting on signal / ) or
318 ($ThisLine =~ /Disconnected from [\da-fA-F.:]* port \d*/ ) or
319 ($ThisLine =~ /Disconnected from user \S+ [\da-fA-F.:]* port \d*/ ) or
320 ($ThisLine =~ /Disconnected from (authenticating|invalid) user \S+ [\da-fA-F.:]* port \d*/ ) or
321 ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Too many authentication failures \[preauth\]/ ) or
322 ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Change of username or service not allowed: .* \[preauth\]/ ) or
318323 ($ThisLine =~ /Failed to release session: Interrupted system call/) or
319324 ($ThisLine =~ /Close session: user /) or
320325 0 # This line prevents blame shifting as lines are added above
339344 $TooManyFailures{$User}++;
340345 } elsif ( my ($User) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for ([^ ]+) from [^ ]+ port \d+ ssh2 \[preauth\]/)) {
341346 $TooManyFailures{$User}++;
342 } elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures \[preauth\]/ ) {
343 # Ignore these - should be covered by other messages
344 } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh
347 } elsif ( my ($User,$Host) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for invalid user ([^ ]+) from ([^ ]+) port \d+ ssh2 \[preauth\]/)) {
348 $IllegalUsers{$Host}{$User}++;
349 } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (\S+)/ ) { # ssh/openssh
345350 my $name = LookupIP($3);
346351 $NoIdent{$name}++;
347352 } elsif ( my ($Host) = ($ThisLine =~ /Could not write ident string to ([^ ]+)$/ )) {
406411 $NoRevMap{"$Address($IP)"}++;
407412 } elsif ( my (undef,$Address) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: can't verify hostname: getaddrinfo\(([^ ]*), AF_INET\) failed$/)) {
408413 $NoRevMap{$Address}++;
409 } elsif ( (undef, my $Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) {
414 } elsif ( my (undef,$Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) {
410415 $MisMatch{$Addresses}++;
411416 } elsif ( $ThisLine =~ m/subsystem request for sftp/ ) {
412417 $sftpRequests++;
420425 $NegotiationFailed{$Reason}{$Host}{$Offer}++;
421426 } elsif ( my ($Prio,$Host,$Port,$Code,$Reason) = ($ThisLine =~ /^(error: )?Received disconnect from ([^ ]*)( port \d+)?: ?(\d+): (.*)$/)) {
422427 # Reason 11 ({SSH,SSH2}_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO
423 if (($Code != 11) || ($Detail >= 30)) {
428 if (($Reason =~ /preauth/) || ($Code != 11) || ($Detail >= 30)) {
424429 $DisconnectReceived{$Reason}{$Host}++;
425430 }
426431 } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
427432 $RootLogin{$Host}++;
428433 } elsif ( my ($Error) = ($ThisLine =~ /^Cannot release PAM authentication\[\d\]: (.*)$/)) {
429434 $PamReleaseFail{$Error}++;
435 } elsif ( my ($Error) = ($ThisLine =~ /^pam_systemd\(sshd:session\): Failed to release session: (.*)$/)) {
436 $PamReleaseFail{$Error}++;
430437 } elsif ( my ($Error) = ( $ThisLine =~ m/^error: PAM: (.*)$/)) {
438 $PamError{$Error}++;
439 } elsif ( my ($Error) = ( $ThisLine =~ m/pam_systemd\(sshd:session\): (Failed to create session: .*)$/)) {
431440 $PamError{$Error}++;
432441 } elsif ( my ($Reason) = ( $ThisLine =~ m/pam_chroot\(.+\):\s+([^:])/)) {
433442 $PamChroot{$Reason}++;
452461 $DenyGroups{$User}++;
453462 } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) from ([^ ]*) not allowed because none of user's groups are listed in AllowGroups/)) {
454463 $AllowGroups{$User}++;
455 } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) {
464 } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) {
456465 $NoShellUsers{$User}++;
457 } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) {
466 } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) {
458467 $ShellNotExecutableUsers{$User}++;
459 } elsif ( ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) {
468 } elsif ( my ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) {
460469 $PamDeny{$User}++;
461470 } elsif ( my ($IP) = ($ThisLine =~ /^scanned from ([^ ]*)/) ) {
462471 push @Scanned, $IP;
615624 foreach my $Reason (sort {$a cmp $b} keys %NegotiationFailed) {
616625 my $Total = 0;
617626 print " $Reason";
627 if ( $Detail > 0 ) {
628 print "\n";
629 }
618630 foreach my $Host (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}}) {
619631 my $HostTotal = 0;
620632 foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) {
622634 }
623635 $Total += $HostTotal;
624636 if ( $Detail > 0 ) {
625 print "\n $Host: " . timesplural($HostTotal);
637 print " $Host: " . timesplural($HostTotal);
626638 }
627639 if ( $Detail > 5 ) {
628640 foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) {
629641 my $tot = $NegotiationFailed{$Reason}{$Host}{$Offer};
630 print "\n $Offer: " . timesplural($tot);
642 print " $Offer: " . timesplural($tot);
631643 }
632644 }
633645 }
634 if( $Detail > 0 ) {
635 print "\n";
636 } else {
646 if ( $Detail == 0 ) {
637647 print ": " . timesplural($Total);
638648 }
639649 }
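Review bot: The `pam_chroot` branch at new line 441, `m/pam_chroot\(.+\):\s+([^:])/`, captures a single character because the class has no quantifier, so `%PamChroot` ends up keyed by the first letter of the reason; it should be `([^:]+)` (optionally followed by `\s*$`). The new condition at line 428, `($Reason =~ /preauth/) || ($Code != 11) || ($Detail >= 30)`, contradicts the comment above it ("Reason 11 is expected") without saying why, so a line such as `# Code-11 disconnects tagged [preauth] never completed authentication, so report them even at low detail` would document the intent if that is it. The reformatted NegotiationFailed output (new lines 624–649) now depends on `timesplural()` terminating its string with a newline; that helper is outside the hunk, and a short note where it is defined would stop a later edit from reintroducing the run-on lines. The surrounding elsif chain and print block both start outside these hunks.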
1515
1616 use strict;
1717 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
18 my $IgnoreBackendStatus = $ENV{'ignore_backend_status'} || 0;
19 my $IgnoreEnumerationRequested = $ENV{'ignore_enumeration_requested'} || 0;
1820 my %Errors;
1921 my $Service;
2022 my %Starts;
2123 my %Stops;
2224 my %OtherList;
25 my $BackendStatus;
26 my $BackendOffline = 0;
27 my $EnumerationRequested = 0;
28 my $ignore_p11_child_error = 0;
2329
2430 # Lines are of the form:
2531 # sssd[service]:
2834 chomp($ThisLine);
2935
3036 # Strip off leading sssd:
31 $ThisLine =~ s/^sssd: //;
37 $ThisLine =~ s/^sssd(?:\[\d+\])?: //;
38
39 # Strip off duplicate timestamp if present
40 $ThisLine =~ s/^\(... ... .\d \d\d:\d\d:\d\d \d\d\d\d\) //;
3241
3342 # Remove []s from debug messages if any
3443 $ThisLine =~ s/^\[(\S+)\] /$1 /;
4554 $Service = $1;
4655 }
4756
48 if ($ThisLine =~ /^Starting up/) {
57 # Ignore debug messages
58 my ($debuglevel) = ($ThisLine =~ /\s\((0x[0-9a-f]{4})\):\s/);
59
60 next if defined($debuglevel) && hex($debuglevel) > 16;
61 if ($ThisLine =~ /Starting up/) {
4962 $Starts{$Service}++;
5063 } elsif ($ThisLine =~ /^Shutting down/) {
5164 $Stops{$Service}++;
5265 } elsif ($ThisLine =~ /error/i) {
5366 $Errors{$Service}->{$ThisLine}++;
67 } elsif (my ($status) = ($ThisLine =~ /Backend is (.*)/)) {
68 $BackendStatus = $status;
69 $BackendOffline++ if $BackendStatus eq "offline";
70 } elsif ($ThisLine =~ /^Enumeration requested but not enabled/) {
71 $EnumerationRequested++ unless $IgnoreEnumerationRequested;
72 } elsif ($Service eq "p11_child" && $ThisLine =~ /Certificate .* not valid .*Certificate key usage inadequate for attempted operation/) {
73 # sssd ssh does not ignore certificates of different types - ignore the errors generated by it
74 $ignore_p11_child_error = 1;
75 } elsif ($Service eq "p11_child" && $ThisLine =~ /do_work failed/ && $ignore_p11_child_error) {
76 } elsif ($Service eq "p11_child" && $ThisLine =~ /p11_child failed/ && $ignore_p11_child_error) {
77 $ignore_p11_child_error = 0;
5478 } else {
5579 $OtherList{"$Service: $ThisLine"}++;
5680 }
6690 }
6791 }
6892
93 # sssd will generally start in offline mode, so don't alert if we've just started up
94 if ($BackendOffline and (($Starts{"Daemon"} != $BackendOffline) or ($BackendStatus ne "online")) and not $IgnoreBackendStatus) {
95 print "\nSSSD Backend went offline $BackendOffline Time(s),";
96 print " last status was $BackendStatus\n";
97 }
98
6999 if (keys %Starts and $Detail) {
70100 print "\nSSSD Services Started:\n";
71101 foreach my $Service (sort {$a cmp $b} keys %Starts) {
78108 foreach my $Service (sort {$a cmp $b} keys %Stops) {
79109 print " $Service: " . $Stops{$Service} . " Time(s)\n";
80110 }
111 }
112
113 if ($EnumerationRequested) {
114 print "\nEnumeration requested but not enabled: $EnumerationRequested Time(s)\n";
81115 }
82116
83117 if (keys %OtherList) {
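Review bot: The new filter at lines 58–60, `next if defined($debuglevel) && hex($debuglevel) > 16`, discards more than the "Ignore debug messages" comment suggests: if the tag follows sssd's debug_level bitmask (0x0010 fatal, 0x0020 critical, 0x0040 serious, 0x0080 minor, then configuration and trace levels), only fatal lines survive and critical or serious failures never reach the `/error/i` branch or `%OtherList`. If that is intended, state it, e.g. `# Keep only fatal (0x0010) messages; use > 0x40 to also report critical/serious failures`; otherwise compare against `0x40`. The capture `(0x[0-9a-f]{4})` also misses the five-digit level 0x10000, so those trace lines bypass the filter and land in `%OtherList`; `[0-9a-f]{4,5}` closes that gap. The `$ignore_p11_child_error` flag set at line 74 is only cleared by a later `p11_child failed` line, so if that line never arrives every subsequent p11_child `do_work failed` stays hidden. The enclosing while loop starts and ends outside the hunk.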
7979 # handled in pam_unix
8080 } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) {
8181 # handled in pam_unix
82 } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) {
82 } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/
83 or $ThisLine =~ /pam_systemd\(sudo:session\): Cannot create session: Already (running in|occupied by) a session/
84 ) {
8385 # Ignore
8486 } elsif ($ThisLine =~ /(.+): conversation failed/) {
8587 $ConFailed{$1}++;
4646 $ThisLine =~ / failed\.$/ or
4747 $ThisLine =~ /([Cc]ontrol|[Mm]ain|[Mm]ount) process exited, code=(exited|killed|dumped),? status=/ or
4848 # Informational
49 $ThisLine =~ /^Closed .* [Ss]ockets?\.$/ or
49 $ThisLine =~ /^Closed .*[\. ][Ss]ockets?\.$/ or
5050 $ThisLine =~ /^Closed .* [Ss]cheduler\.$/ or
5151 $ThisLine =~ /^Closed .* [Ww]atch\.$/ or
52 $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or
5253 $ThisLine =~ /^Closed udev / or
54 # crond will never restart process when it is restarted
55 $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or
5356 $ThisLine =~ /^Received SIGINT\./ or
5457 $ThisLine =~ /^Deactivated / or
5558 $ThisLine =~ /^Detected (architecture|virtualization) / or
6366 $ThisLine =~ /^RTC configured in / or
6467 $ThisLine =~ /^Running in initial RAM disk\.$/ or
6568 $ThisLine =~ /^Set hostname to / or
69 $ThisLine =~ /^Set up automount Arbitrary Executable File Formats File System Automount Point\.$/ or
6670 $ThisLine =~ /^Shutting down\.$/ or
6771 $ThisLine =~ /^Startup finished in / or
6872 $ThisLine =~ /^Stopped / or
7276 $ThisLine =~ /: Got notification message from PID \d+, but reception is disabled\./ or
7377 $ThisLine =~ /: Got notification message from PID \d+, but reception only permitted for main PID \d+/ or
7478 $ThisLine =~ /^systemd (\d+) running in system mode/ or
79 # This is preceeded by a more descriptive message
80 $ThisLine =~ /^This usually indicates unclean termination of a previous run, or service implementation deficiencies\.$/ or
7581 $ThisLine =~ /Transaction is destructive\./ or
7682 $ThisLine =~ /^Unit .* is bound to inactive unit .*\. Stopping, too\./ or
7783 $ThisLine =~ /Unit (.* is )?not needed anymore\. Stopping\./ or
9298 $ThisLine =~ /^[^ ]*\.mount: Directory \/[^ ]* to mount over is not empty, mounting anyway\.$/ or
9399 # A known issue - reported by multiple distributions
94100 $ThisLine =~ /^user\@\d+\.service: Failed at step CGROUP spawning \/usr\/lib\/systemd\/systemd: No such file or directory$/ or
95 $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or
101 $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or
96102 # https://bugzilla.redhat.com/show_bug.cgi?id=1072368
97 $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or
103 $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \((?:kill|n\/a)\)\.$/ or
98104 $ThisLine =~ /^Removed slice / or
99105 $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or
100106 $ThisLine =~ /Adding .* random time\.$/ or
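Review bot: The comment introduced at new line 54, `# crond will never restart process when it is restarted`, does not explain why the left-over-process message is safe to drop; if the reason is that crond leaves already-running jobs in its control group across a restart, `# crond leaves running jobs in its cgroup across a restart, so this message is expected rather than a fault` says that directly. The comment at line 79 has a typo (`preceeded` → `preceded`). Both sit inside the ignore-list expression, which starts and ends outside these hunks.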
126126 }
127127
128128 sub DiskFull {
129 my $o = `$disk_cmd`;
130 my @rows = split('\n', $o);
131 foreach my $row (@rows) {
132 my @fields = split(' ', $row);
133 my $use = $fields[4];
134 $use =~ s/%//;
135 if (($use > $diskfull_threshold) &&
136 ($fields[0] !~ /\/dev\/scd/ ) &&
137 ($fields[0] !~ /\/dev\/sr/ ) &&
138 ($fields[0] !~ /\/dev\/loop./) &&
139 ($fields[5] !~ /^$diskfull_exclude_dirs/i)) {
140 print "$fields[5] ($fields[0]) => $fields[4] Used. Warning. Disk Filling up.\n";
141 }
142 }
129 my @rows = split('\n', `$disk_cmd`);
130 # Remove header
131 shift @rows;
132 foreach my $row (@rows) {
133 my ($source,$used,$target) = ($row =~ /^(.*?)(?:\s+\d+[KMGTP]?){3}\s+(\d+)%\s+(.*)$/);
134 if (($used > $diskfull_threshold) &&
135 ($source !~ /\/dev\/scd/ ) &&
136 ($source !~ /\/dev\/sr/ ) &&
137 ($source !~ /\/dev\/loop./) &&
138 ($target !~ /^$diskfull_exclude_dirs/)) {
139 print "$target ($source) => $used% Used. Warning: Disk Filling up.\n";
140 }
141 }
143142 }
144143
145144 #####################
155154 if ( ($release eq "5.10") || ($release eq "5.9") || ($release eq "5.11") ) {
156155 $df_options = "-h";
157156 }
158 if ($local_disks_only) { $df_options .= " -l"; }
159 } elsif ($OSname eq "HP-UX") {
160 $df_options = "";
161157 if ($local_disks_only) { $df_options .= " -l"; }
162158 } elsif ($OSname eq "AIX") {
163159 $df_options = "";
174170 $df_options = $ENV{'df_options'};
175171 };
176172
177 if ($OSname eq "Linux") {
178 $disk_cmd = "df $df_options";
179 } elsif ($OSname eq "Darwin") {
180 $disk_cmd = "df $df_options";
181 } elsif ($OSname eq "SunOS") {
173 if ($OSname eq "SunOS") {
182174 $disk_cmd = "/usr/xpg4/bin/df $df_options";
183175 } elsif ($OSname eq "HP-UX") {
184176 $disk_cmd = "bdf $df_options";
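Review bot: The new row parser in `DiskFull` (line 133), `/^(.*?)(?:\s+\d+[KMGTP]?){3}\s+(\d+)%\s+(.*)$/`, leaves `$used` undef for any row whose size columns are not plain integers — exactly what `df -h` prints (`1.5G`, or `1,5G` under a comma-decimal locale), and `-h` is what the SunOS branch at lines 154–155 selects — so those rows fail the `$used > $diskfull_threshold` test with an uninitialized-value warning and are silently skipped. Allowing a fraction, `(?:\s+\d+(?:[.,]\d+)?[KMGTP]?){3}`, and adding `next unless defined $used;` right after the match would make both the accepted format and the skip explicit. If `df` prints columns after the percentage (Darwin's iused/ifree, for instance), the lazy leading group still stops at the first three numbers and `$target` captures the trailing columns instead of the mount point, so the `$diskfull_exclude_dirs` test cannot match; a comment stating which `df` layout the regex assumes (`-P`-style, mount point last) would help. Dropping the `/i` from the exclude-dir match is a behaviour change worth a word in the commit message. The command is still interpolated into backticks from `$df_options`, which line 170 reads from the environment, as before this change.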
+0
-41
scripts/services/zz-fortune
0 ##########################################################################
1 # $Id$
2 ##########################################################################
3 # Named 'zz-fortune' so that it will be the last to execute...
4
5 #######################################################
6 ## Copyright (c) 2008 Kirk Bauer
7 ## Covered under the included MIT/X-Consortium License:
8 ## http://www.opensource.org/licenses/mit-license.php
9 ## All modifications and contributions by other persons to
10 ## this script are assumed to have been donated to the
11 ## Logwatch project and thus assume the above copyright
12 ## and licensing terms. If you want to make contributions
13 ## under your own copyright or a different license this
14 ## must be explicitly stated in the contribution an the
15 ## Logwatch project reserves the right to not accept such
16 ## contributions. If you have made significant
17 ## contributions to this script and want to claim
18 ## copyright please contact logwatch-devel@lists.sourceforge.net.
19 #########################################################
20
21 my $env = ( $ENV{'REAL_LANG'} ? "LANG=".$ENV{'REAL_LANG'}." " : "" ).
22 ( $ENV{'REAL_LC_ALL'} ? "LC_ALL=".$ENV{'REAL_LC_ALL'}." " : "" );
23
24 if (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/games/fortune")) {
25 #print "\n\n------------------ Fortune --------------------\n\n";
26 system("$env /usr/games/fortune");
27 print "\n";
28 }
29 elsif (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/bin/fortune")) {
30 #print "\n\n------------------ Fortune --------------------\n\n";
31 system("$env /usr/bin/fortune");
32 print "\n";
33 }
34
35 # vi: shiftwidth=3 tabstop=3 syntax=perl et
36 # Local Variables:
37 # mode: perl
38 # perl-indent-level: 3
39 # indent-tabs-mode: nil
40 # End:
8383 my $unit_re = '['.join('', keys %units).']';
8484
8585 # Discover the pools
86 open POOLS, '-|', $pathto_zpool, qw(list -H -o name,size,allocated,free,dedupratio,capacity,health) or die "Error running 'zpool list': $!\n";
86 open POOLS, "$pathto_zpool list -H -o name,size,allocated,free,dedupratio,capacity,health 2>/dev/null |" or die "Error running 'zpool list': $!\n";
8787 while(<POOLS>) {
8888 chomp;
8989 my ($name, $size, $used, $avail, $dedup, $cap, $health) = split(/\s+/);
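Review bot: Replacing the list-form pipe open at line 86 with `open POOLS, "$pathto_zpool list ... 2>/dev/null |"` hands `$pathto_zpool` to a shell, so whitespace or shell metacharacters in that configured path are interpreted instead of being passed as the program name, and it also makes the `or die` effectively dead: with the shell form `open` succeeds as soon as the shell forks, and a missing or failing zpool binary is only visible through `close POOLS` / `$?`, which the loop below never checks. The list form can keep stderr quiet by redirecting our own STDERR around the fork, as below, and the exit status should be checked with `close POOLS or warn "zpool list exited with status " . ($? >> 8) . "\n";` after the loop. Where `$pathto_zpool` is set is outside the hunk; the bareword handle `POOLS` predates this change.
```perl
# Keep the list form so $pathto_zpool is never parsed by a shell; silence the
# child's stderr by redirecting ours around the fork instead of "2>/dev/null".
open my $saved_stderr, '>&', \*STDERR or die "Cannot dup STDERR: $!\n";
open STDERR, '>', '/dev/null' or die "Cannot redirect STDERR: $!\n";
open POOLS, '-|', $pathto_zpool, qw(list -H -o name,size,allocated,free,dedupratio,capacity,health)
   or die "Error running 'zpool list': $!\n";
open STDERR, '>&', $saved_stderr or die "Cannot restore STDERR: $!\n";
# … unchanged: while(<POOLS>) loop …
```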
5555 if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; }
5656 }
5757 }
58 elsif ($ThisLine =~ s/^\@40{6}([0-9a-f]{9})[0-9a-f]{8}\s// ) {
59 if ( $Debug > 10 ) {
60 print STDERR "DEBUG: potential Y2038 bug $1 is greater than 2038 and your perl version is $] see http://perldoc.perl.org/5.14.1/perl5120delta.html#Y2038-compliance\n";
61 }
62 my $NewTimeStamp = scalar(localtime(hex($1)));
63 if ($NewTimeStamp =~ /^$SearchDate$/) {
64 print $ThisLine;
65 if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; }
66 }
67 }
5868 }
5969
6070 # vi: shiftwidth=3 syntax=perl tabstop=3 et
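Review bot: The new `elsif` at lines 58–67 duplicates the body of the branch above it (debug output, `localtime`, `$SearchDate` match, print) and differs only in the timestamp pattern; widening the existing pattern to accept both widths, or moving the shared body into a small helper that takes the hex string, would leave one copy to maintain. The debug text at line 60 talks about 2038, but a label that needs a ninth hex digit after `@4000000` carries more than 32 bits of seconds, which is 2106 rather than 2038, so the message is likely misleading; if the preceding branch (outside the hunk) already consumes the 8-digit form, a comment such as `# TAI64N labels whose seconds field no longer fits in 8 hex digits` on the `elsif` would make the intent clear. The enclosing loop starts outside the hunk.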