Merge tag 'upstream/7.5.0'
Upstream version 7.5.0
Willi Mann
5 years ago
0 | Copyright (c) 2011 Kirk Bauer | |
0 | Copyright (c) 2002-2018 Kirk Bauer | |
1 | 1 | |
2 | 2 | Permission is hereby granted, free of charge, to any person obtaining a copy of |
3 | 3 | this software and associated documentation files (the "Software"), to deal in |
10 | 10 | ######################################################## |
11 | 11 | |
12 | 12 | # What actual file? Defaults to LogPath if not absolute path.... |
13 | LogFile = /var/spool/autorpm/install.log | |
13 | LogFile = ../spool/autorpm/install.log | |
14 | 14 | |
15 | 15 | # vi: shiftwidth=3 tabstop=3 et |
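Review bot: The value `LogFile = ../spool/autorpm/install.log` only resolves to the former `/var/spool/autorpm/install.log` while the log directory is `/var/log`, because the comment above it says a non-absolute name is taken relative to LogPath. With a different log directory the service would read a different file, or none at all. A comment such as `# relative to the log directory; assumes the spool directory is its sibling` would make that dependency visible. The `../cron/log` entry in the section carrying the Solaris note has the same property.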
7 | 7 | ########################################################################## |
8 | 8 | |
9 | 9 | # Which logfile group... |
10 | LogFile = /var/log/bfd_log | |
11 | Archive = /var/log/bfd_log.* | |
12 | Archive = /var/log/bfd_log-* | |
10 | LogFile = bfd_log | |
11 | Archive = bfd_log.* | |
12 | Archive = bfd_log-* | |
13 | 13 | |
14 | 14 |
11 | 11 | |
12 | 12 | # What actual file? Defaults to LogPath if not absolute path.... |
13 | 13 | #Solaris is /var/cron/log -mgt |
14 | LogFile = /var/cron/log | |
14 | LogFile = ../cron/log | |
15 | 15 | LogFile = cron |
16 | 16 | |
17 | 17 | # If the archives are searched, here is one or more line |
4 | 4 | ######################################################## |
5 | 5 | |
6 | 6 | # What actual file? Defaults to LogPath if not absolute path.... |
7 | LogFile = /var/log/mysql/mysqld.err.1 | |
8 | LogFile = /var/log/mysql/mysqld.err | |
7 | LogFile = mysql/mysqld.err.1 | |
8 | LogFile = mysql/mysqld.err | |
9 | 9 | |
10 | Archive = /var/log/mysql/mysqld.err.*.gz | |
11 | Archive = /var/log/mysql/mysqld.err-*.gz | |
10 | Archive = mysql/mysqld.err.*.gz | |
11 | Archive = mysql/mysqld.err-*.gz | |
12 | 12 | |
13 | 13 | # Expand the repeats (actually just removes them now) |
14 | 14 | *ExpandRepeats |
12 | 12 | # Logwatch will try to find md devices in /etc/mdadm.conf or |
13 | 13 | # /etc/mdadm/mdadm.conf. If none of these files exist it can scan actively |
14 | 14 | # for md devices. Set to 'Yes' to enable active scanning: |
15 | $MDADM_ENABLE_SCAN = No | |
15 | $mdadm_enable_scan = No | |
16 | ||
17 | # Logwatch will emit an error for md devices listed in /etc/mdadm.conf | |
18 | # that are not present. If you do not want this (e.g. raid devices may come | |
19 | # and go) then uncomment this | |
20 | # $mdadm_ignore_missing = Yes | |
16 | 21 | |
17 | 22 | # Which logfile group... |
18 | 23 | LogFile = NONE |
15 | 15 | # OnlyService doesn't work with sssd services |
16 | 16 | *RemoveHeaders = "^... .. ..:..:.. [^ ]* " |
17 | 17 | |
18 | # To completey ignore backend status messages, enable this | |
19 | ignore_backed_status = No | |
20 | ||
21 | # To ignore "Enumeration requested but not enabled" messages | |
22 | ignore_enumeration_requested = No | |
23 | ||
18 | 24 | # vi: shiftwidth=3 tabstop=3 et |
0 | ########################################################################### | |
1 | # $Id$ | |
2 | ########################################################################### | |
3 | ||
4 | # This just displays a fortune at the end of the report... | |
5 | ||
6 | # You can put comments anywhere you want to. They are effective for the | |
7 | # rest of the line. | |
8 | ||
9 | # this is in the format of <name> = <value>. Whitespace at the beginning | |
10 | # and end of the lines is removed. Whitespace before and after the = sign | |
11 | # is removed. Everything is case *insensitive*. | |
12 | ||
13 | # Yes = True = On = 1 | |
14 | # No = False = Off = 0 | |
15 | ||
16 | Title = "Fortune" | |
17 | ||
18 | # Which logfile group... | |
19 | LogFile = NONE | |
20 | ||
21 | ######################################################## | |
22 | # This was written and is maintained by: | |
23 | # Kirk Bauer <kirk@kaybee.org> | |
24 | # | |
25 | # Please send all comments, suggestions, bug reports, | |
26 | # etc, to kirk@kaybee.org. | |
27 | ######################################################## | |
28 | ||
29 | # vi: shiftwidth=3 tabstop=3 et |
274 | 274 | if [ -d $MANDIR/man5 ] && [ -d $MANDIR/man8 ] && [ -d $MANDIR/man1 ] && [ $HAVE_MAKEWHATIS ]; then |
275 | 275 | install -m 0644 logwatch.8 $MANDIR/man8 |
276 | 276 | install -m 0644 logwatch.conf.5 $MANDIR/man5 |
277 | install -m 0644 override.conf.5 $MANDIR/man5 | |
278 | install -m 0644 ignore.conf.5 $MANDIR/man5 | |
277 | ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5 | |
278 | ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5 | |
279 | 279 | install -m 0644 postfix-logwatch.1 $MANDIR/man1 |
280 | 280 | install -m 0644 amavis-logwatch.1 $MANDIR/man1 |
281 | 281 | #OpenBSD no -s |
297 | 297 | fi |
298 | 298 | else |
299 | 299 | if [ $OS = "SunOS" ]; then |
300 | #Go for the safe install rather then editing man.cf | |
300 | #Go for the safe install rather than editing man.cf | |
301 | 301 | mkdir -p $MANDIR/man1m > /dev/null 2>&1 |
302 | 302 | install -m 0644 logwatch.8 $MANDIR/man1m |
303 | 303 | install -m 0644 logwatch.conf.5 $MANDIR/man1m |
304 | install -m 0644 override.conf.5 $MANDIR/man1m | |
305 | install -m 0644 ignore.conf.5 $MANDIR/man1m | |
304 | ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/ignore.conf.5 | |
305 | ln -sf $MANDIR/man1m/logwatch.conf.5 $MANDIR/man1m/override.conf.5 | |
306 | 306 | install -m 0644 postfix-logwatch.1 $MANDIR/man1 |
307 | 307 | install -m 0644 amavis-logwatch.1 $MANDIR/man1 |
308 | 308 | catman -w -M $MANDIR/man1m |
313 | 313 | |
314 | 314 | install -m 0755 -d $MANDIR/man5 |
315 | 315 | install -m 0644 logwatch.conf.5 $MANDIR/man5 |
316 | install -m 0644 override.conf.5 $MANDIR/man5 | |
317 | install -m 0644 ignore.conf.5 $MANDIR/man5 | |
316 | ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5 | |
317 | ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/override.conf.5 | |
318 | 318 | |
319 | 319 | install -m 0755 -d $MANDIR/man8 |
320 | 320 | install -m 0644 logwatch.8 $MANDIR/man8 |
335 | 335 | if [ ! -e /lib/systemd/system/multi-user.target.wants ]; then |
336 | 336 | install -m 0755 -d /lib/systemd/system/multi-user.target.wants |
337 | 337 | fi |
338 | ln -s ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer | |
338 | ln -sf ../logwatch.timer /lib/systemd/system/multi-user.target.wants/logwatch.timer | |
339 | 339 | printf "Created and enabled systemd logwatch.timer" |
340 | 340 | elif [ -d /etc/cron.daily ]; then |
341 | 341 | rm -f /etc/cron.daily/0logwatch |
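Review bot: The `ln -sf $MANDIR/man5/logwatch.conf.5 $MANDIR/man5/ignore.conf.5` lines, which appear to be the new side, store the full `$MANDIR` path as the link target, so when `$MANDIR` points into a staging or package build root the links presumably dangle once the tree is moved. A relative target avoids that: `ln -sf logwatch.conf.5 $MANDIR/man5/ignore.conf.5`, and likewise for `override.conf.5` and the `man1m` branch. `$MANDIR` is also unquoted in every one of these lines, so a path containing whitespace splits into separate arguments in a script that writes to system directories; `"$MANDIR/man5/ignore.conf.5"` is the safer spelling. The enclosing if/else blocks start and end outside the visible hunks.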
28 | 28 | |
29 | 29 | .SH FILES |
30 | 30 | .I /etc/logwatch/conf/logwatch.conf |
31 | .I /etc/logwatch/conf/logwatch.conf | |
32 | .I /etc/logwatch/conf/logwatch.conf | |
31 | .I /etc/logwatch/conf/ignore.conf | |
32 | .I /etc/logwatch/conf/override.conf | |
33 | 33 | .I /usr/share/logwatch/default.conf/logwatch.conf |
34 | 34 | |
35 | 35 | .SH "SEE ALSO" |
0 | 0 | #!/bin/sh |
1 | 1 | |
2 | #Set logwatch location | |
2 | #Set logwatch executable location | |
3 | 3 | LOGWATCH_SCRIPT="/usr/sbin/logwatch" |
4 | #Add options to this line. Most options should be defined in /etc/logwatch/conf/logwatch.conf, | |
5 | #but some are only for the nightly cronrun such as --output mail and should be set here. | |
6 | #Other options to consider might be "--format html" or "--encode base64", man logwatch for more details. | |
4 | ||
5 | # Add options to the OPTIONS variable. Most options should be defined in | |
6 | # the file /etc/logwatch/conf/logwatch.conf, but some are only for the | |
7 | # nightly cron run such as "--output mail" and should be set here. | |
8 | # Other options to consider might be "--format html" or "--encode base64". | |
9 | # See 'man logwatch' for more details. | |
7 | 10 | OPTIONS="--output mail" |
8 | 11 | |
9 | 12 | #Call logwatch |
45 | 45 | mainloop: while ($ThisLine) { |
46 | 46 | if ($ThisLine =~ m/^$SearchDate /o) { |
47 | 47 | print $ThisLine; |
48 | $ThisLine = <STDIN>; | |
48 | 49 | } |
49 | 50 | elsif ($ThisLine =~ m/^\[$SearchDate2/o) { |
50 | 51 | chomp($ThisLine); |
128 | 128 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 auid=[0-9]* ses=[0-9]* subj=.*res=success/) or |
129 | 129 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 old auid=[0-9]* new auid=[0-9]+ old ses=[0-9]* new ses=[0-9]+ res=1$/) or |
130 | 130 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): pid=[0-9]* uid=0 subj=.* old-auid=[0-9]* auid=[0-9]+ old-ses=[0-9]* ses=[0-9]+ res=1$/) or |
131 | # This will generate a journal entry for the service failure, success, or start/stop | |
132 | ( $ThisLine =~ /type=113[01] audit\([0-9.]*:[0-9]*\): pid=1 uid=0 auid=[0-9]+ ses=[0-9]+ (?:subj=system_u:system_r:init_t:s0 )?msg='unit.* comm="systemd" .* res=.*'$/) or | |
133 | ( $ThisLine =~ /SERVICE_(?:START|STOP) pid=1/) or | |
131 | 134 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): cwd=".*"/) or |
132 | 135 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): user/) or |
133 | 136 | ( $ThisLine =~ /type=[0-9]+ audit\([0-9.]*:[0-9]*\): proctitle=/) or |
306 | 309 | } |
307 | 310 | } |
308 | 311 | |
309 | if (keys %OtherList) { | |
312 | if (keys %OtherList and $Detail) { | |
310 | 313 | print "\n**Unmatched Entries**\n"; |
311 | 314 | foreach my $line (sort {$OtherList{$b}<=>$OtherList{$a} } keys %OtherList) { |
312 | 315 | print " $line: $OtherList{$line} Time(s)\n"; |
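Review bot: The added ignore pattern `/SERVICE_(?:START|STOP) pid=1/` has nothing after the `1`, so it also matches `pid=10`, `pid=1234` and every other PID that starts with 1, and those records are dropped from the report. `/SERVICE_(?:START|STOP) pid=1\b/` restricts it to PID 1. The changed condition `if (keys %OtherList and $Detail)` additionally hides every unmatched audit entry when the detail level is 0; printing a one-line count of unmatched entries at that level would keep the signal without the full listing. The ignore list and the surrounding loop start outside the hunk.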
225 | 225 | elsif ( ($unmatched) = ($ThisLine =~ /%AUDIT-5-RUN_CONFIG/) ) { |
226 | 226 | $ConfigChange{$host}++; |
227 | 227 | } |
228 | elsif ( ($HASH) = ($ThisLine =~ /%AUDIT-5-STARTUP_CONFIG: Startup Configuration changed. Hash:\s(^\s)/) ) { | |
229 | $StartConfigChange{host}++; | |
230 | } | |
231 | 228 | elsif ( ($interface,$errortype,$withwho) = ($ThisLine =~ /duplex mismatch discovered on (.+) \(.*\), with (.*)/) ) { |
232 | 229 | $DuplexMismatched{$host}{$interface." with ".$errortype}++; |
233 | 230 | } |
297 | 294 | elsif ( ($interface) = ($ThisLine =~ /UNDERFLO: (.*)/) ) { |
298 | 295 | $Underflow{$host}{$interface}++; |
299 | 296 | } |
297 | elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) { | |
298 | $SYSWarn{$host}{$interface}++; | |
299 | } | |
300 | 300 | elsif ( ($interface) = ($ThisLine =~ /P2_WARN: (.*)/) ) { |
301 | 301 | $InvalidMulticast{$host}{$interface}++; |
302 | 302 | } |
360 | 360 | elsif ( ($interface) = ($ThisLine =~ /MLS-5-FLOWMASKCHANGE: (.*)/) ) { |
361 | 361 | $MLSFlowmaskChanged{$host}{$interface}++; |
362 | 362 | } |
363 | elsif ( ($interface) = ($ThisLine =~ /SYS-4-P2_WARN: (.*)/) ) { | |
364 | $SYSWarn{$host}{$interface}++; | |
365 | } | |
366 | 363 | elsif ( ($interface) = ($ThisLine =~ /SYS-3-CPUHOG: (.*)/) ) { |
367 | 364 | $SYSCpuHog{$host}{$interface}++; |
368 | 365 | } |
409 | 406 | $CountersMsg{$host}{$interface}++; |
410 | 407 | } |
411 | 408 | elsif ( ($interface) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) { |
412 | $Dot11Retrys{$host}{$interface}++; | |
413 | } | |
414 | elsif ( ($interface,$msg) = ($ThisLine =~ /DOT11-4-MAXRETRIES: Packet to client ....\.....\..... reached(.*)/) ) { | |
415 | 409 | $Dot11Retrys{$host}{$interface}++; |
416 | 410 | } |
417 | 411 | elsif ( ($radio,$interface) = ($ThisLine =~ /DOT11-6-ASSOC: Interface (.*), Station +(.*)/) ) { |
573 | 567 | } |
574 | 568 | } |
575 | 569 | |
576 | if (keys %$DuplicateAddress) { | |
570 | if (keys %DuplicateAddress) { | |
577 | 571 | print "\nPort/Interface duplicate address :\n"; |
578 | foreach $ThisOne (sort keys %$DuplicateAddress) { | |
579 | print " " . $ThisOne . ":\n"; | |
580 | foreach $ThatOne (sort keys %{$$DuplicateAddress{$ThisOne}}) { | |
572 | foreach $ThisOne (sort keys %DuplicateAddress) { | |
573 | print " " . $ThisOne . ":\n"; | |
574 | foreach $ThatOne (sort keys %{$DuplicateAddress{$ThisOne}}) { | |
581 | 575 | print "\t " .$ThatOne . "\t: " . $DuplicateAddress{$ThisOne}{$ThatOne} . " Time(s)\n"; |
582 | 576 | } |
583 | 577 | } |
49 | 49 | ( $ThisLine =~ /^Protecting against \d+ viruses\./ ) or |
50 | 50 | ( $ThisLine =~ /^Reading databases from/ ) or |
51 | 51 | ( $ThisLine =~ /file removed\./ ) or |
52 | ( $ThisLine =~ /support enabled\./ ) or | |
53 | ( $ThisLine =~ /support disabled\./ ) or | |
52 | ( $ThisLine =~ / (?:dis|en)abled\.$/ ) or | |
54 | 53 | ( $ThisLine =~ /^Archive/ ) or |
55 | 54 | ( $ThisLine =~ /^Running as user/ ) or |
56 | 55 | ( $ThisLine =~ /^Log file size limit/ ) or |
57 | 56 | ( $ThisLine =~ /^Bound to.*port \d*/ ) or |
58 | ( $ThisLine =~ /^Detection of broken executables enabled./ ) or | |
59 | 57 | ( $ThisLine =~ /^SIGHUP caught: re-opening log file./ ) or |
60 | 58 | ( $ThisLine =~ /^Loaded \d+ signatures/ ) or |
61 | ( $ThisLine =~ /^Algorithmic detection enabled/ ) or | |
62 | 59 | ( $ThisLine =~ /^Mail: Recursion level limit set to \d+/ ) or |
63 | 60 | ( $ThisLine =~ /clamd shutdown\s+succeeded/ ) or |
64 | 61 | ( $ThisLine =~ /clamd startup\s+succeeded/ ) or |
70 | 67 | ( $ThisLine =~ /Bytecode: Security mode set to /) or |
71 | 68 | ( $ThisLine =~ /^No stats for Database check/ ) or |
72 | 69 | ( $ThisLine =~ /^Received \d+ file descriptor\(s\) from systemd\.$/) or |
73 | ( $ThisLine =~ /^BlockMax heuristic detection (?:en|dis)abled\./) or | |
74 | 70 | 0 # This line prevents blame shifting as lines are added above |
75 | 71 | ) { |
76 | 72 | # We do not care about these. |
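Review bot: The catch-all ` (?:dis|en)abled\.$` in the ignore list discards every line ending in " enabled." or " disabled.", not only the specific startup banners it replaces (`support enabled`, `Detection of broken executables enabled`, `Algorithmic detection enabled`, `BlockMax heuristic detection`). For a scanner log, a line reporting that a detection feature is disabled is something the report reader may want to see. Consider ignoring only the enabled form broadly, `( $ThisLine =~ / enabled\.$/ ) or`, and listing the disabled messages that are known to be noise individually. If suppressing both states is intended, a comment saying so would record the decision. The condition starts outside the hunk.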
39 | 39 | ($ThisLine =~ /loading table .*/) or |
40 | 40 | ($ThisLine =~ /void Inotify::Remove\(InotifyWatch\*\): removing watch failed/) or |
41 | 41 | ($ThisLine =~ /error: \(22\) Invalid argument/) or |
42 | ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/) | |
42 | ($ThisLine =~ /pam_unix\(crond:session\): session (?:opened|closed) for user/) or | |
43 | ($ThisLine =~ /PAM pam_end: NULL pam handle passed/) | |
43 | 44 | ) { |
44 | 45 | # Ignore |
45 | 46 | } elsif ( |
15 | 15 | |
16 | 16 | use strict; |
17 | 17 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
18 | my %ErrorThreshold; | |
19 | if (defined($ENV{'error_threshold'})) { | |
20 | foreach my $entry (split(',',$ENV{'error_threshold'})) { | |
21 | my ($regex,$limit) = split(';',$entry); | |
22 | $ErrorThreshold{$regex} = $limit; | |
23 | } | |
24 | } | |
25 | ||
18 | 26 | my %Errors; |
19 | 27 | my %Warnings; |
20 | 28 | my %Startup; |
48 | 56 | } elsif ($ThisLine =~ /^ERR - / |
49 | 57 | or $ThisLine =~ /error/i |
50 | 58 | or $ThisLine =~ /^Detected Disorderly Shutdown/) { |
59 | # Remove some items that prevent de-duplication | |
60 | $ThisLine =~ s/:\s+\d+\s+\d+//; | |
61 | $ThisLine =~ s/change record \d+/change record/; | |
51 | 62 | $Errors{$ThisLine}++; |
52 | 63 | } elsif ($ThisLine =~ /^WARN - / |
53 | 64 | or $ThisLine =~ /warning/i |
83 | 94 | $OtherList{$ThisLine}++; |
84 | 95 | } |
85 | 96 | $PreviousLine = $ThisLine; |
97 | } | |
98 | ||
99 | if (keys %Errors and keys %ErrorThreshold) { | |
100 | LINE: foreach my $line (sort {$a cmp $b} keys %Errors) { | |
101 | foreach my $regex (keys %ErrorThreshold) { | |
102 | if ($line =~ /$regex/i and $Errors{$line} <= $ErrorThreshold{$regex}) { | |
103 | delete $Errors{$line}; | |
104 | next LINE; | |
105 | } | |
106 | } | |
107 | } | |
86 | 108 | } |
87 | 109 | |
88 | 110 | if (keys %Errors) { |
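Review bot: The `error_threshold` parsing added near the top stores each `regex;limit` pair without checking either half, and the later `$line =~ /$regex/i` compiles the pattern inside the report loop. An entry with no `;` leaves `$limit` undefined, so the `<=` comparison runs against undef, and a pattern that does not compile aborts the script at that match. Patterns containing `,` or `;` cannot be expressed at all because those characters are the separators, which deserves a line in the option's documentation. Validating at parse time and skipping bad entries with a message keeps one bad setting from suppressing the whole report.

```perl
foreach my $entry (split(',',$ENV{'error_threshold'})) {
   my ($regex,$limit) = split(';',$entry);
   # Reject entries with a missing or non-numeric limit
   unless (defined($regex) and defined($limit) and $limit =~ /^\s*\d+\s*$/) {
      print STDERR "error_threshold: ignoring malformed entry '$entry'\n";
      next;
   }
   # Compile once here so a bad pattern is reported instead of aborting the report
   unless (defined(eval { qr/$regex/i })) {
      print STDERR "error_threshold: ignoring invalid pattern '$regex'\n";
      next;
   }
   $ErrorThreshold{$regex} = $limit;
}
# … unchanged: threshold filtering of %Errors after the main loop …
```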
31 | 31 | $PackageUpdated{$ThisLine}++; |
32 | 32 | } elsif ( $ThisLine =~ s/^.* INFO Installed: ([^ ]+)/$1/ ) { |
33 | 33 | $PackageInstalled{$ThisLine}++; |
34 | } elsif ( $ThisLine =~ s/^.* INFO Reinstalled: ([^ ]+)/$1/ ) { | |
35 | $PackageReinstalled{$ThisLine}++; | |
34 | 36 | } elsif ( $ThisLine =~ s/^.* INFO Erased: ([^ ]+)/$1/ ) { |
35 | 37 | $PackageErased{$ThisLine}++; |
38 | } elsif ( $ThisLine =~ s/^.* INFO Obsoleted: ([^ ]+)/$1/ ) { | |
39 | $PackageObsoleted{$ThisLine}++; | |
36 | 40 | } elsif ( $ThisLine =~ m/INFO --- logging initialized ---/ ) { |
37 | 41 | $ignoredlines++; |
38 | 42 | } elsif ( $ThisLine =~ m/INFO Cleanup: / ) { |
49 | 53 | print " " . $ThisOne; |
50 | 54 | } |
51 | 55 | } |
56 | if (keys %PackageReinstalled) { | |
57 | print "\nPackages Reinstalled:\n"; | |
58 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageReinstalled) { | |
59 | print " ". $ThisOne; | |
60 | } | |
61 | } | |
52 | 62 | if (keys %PackageUpdated) { |
53 | 63 | print "\nPackages Updated:\n"; |
54 | 64 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdated) { |
58 | 68 | if (keys %PackageErased) { |
59 | 69 | print "\nPackages Erased:\n"; |
60 | 70 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageErased) { |
71 | print " ". $ThisOne; | |
72 | } | |
73 | } | |
74 | if (keys %PackageObsoleted) { | |
75 | print "\nPackages Obsoleted:\n"; | |
76 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageObsoleted) { | |
61 | 77 | print " ". $ThisOne; |
62 | 78 | } |
63 | 79 | } |
227 | 227 | $Deliver{$User}{$Mailbox}++; |
228 | 228 | |
229 | 229 | # LMTP-based delivery |
230 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): [^:]+:(?:\d+:)? msgid=.*: saved mail to (.*)/ ) ) { | |
230 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*msgid=.*: saved mail to (.*)/ ) ) { | |
231 | 231 | # dovecot: [ID 583609 mail.info] lmtp(12782, cloyce@headgear.org): jBt1EfjCMk3uMQAAm9eMBA: msgid=<4D32DB1F.3080707@c-dot.co.uk>: saved mail to INBOX |
232 | $Deliver{$User}{$Mailbox}++; | |
233 | ||
234 | # LMTP-based delivery Dovecot 2.2.33 | |
235 | } elsif ( ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): msgid=.*: saved mail to (.*)/ ) ) { | |
236 | # dovecot: lmtp(user@domain.com): msgid=<0.0.B.B83.1D385668207AF06.0@b12.mta01.sendsmaily.info>: saved mail to INBOX | |
232 | 237 | $Deliver{$User}{$Mailbox}++; |
233 | 238 | |
234 | 239 | # LMTP-based Sieve delivery |
235 | 240 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((?:\d+, )?(.*?)\): .*: sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) { |
236 | 241 | $Deliver{$User}{$Mailbox}++; |
237 | 242 | |
243 | # LMTP-based Sieve delivery Dovecot 2.3 | |
244 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\): sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) { | |
245 | $Deliver{$User}{$Mailbox}++; | |
246 | ||
238 | 247 | # sieve forward |
239 | 248 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*?)\):(?: [^:]+:)? sieve: msgid=.* forwarded to \<(.*)\>/)) { |
240 | 249 | $Forwarded{$User}{$Recip}++; |
250 | ||
251 | # sieve pipe | |
252 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?pipe action: piped message to program `.*'/) or | |
253 | my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?left message in mailbox '.*'/) ) { | |
254 | # dovecot: imap(user@domain.com): sieve: pipe action: piped message to program `sa-learn-sieve.sh' | |
255 | # dovecot: imap(user@domain.com): sieve: left message in mailbox 'INBOX.Spam' | |
256 | # dovecot: lmtp(spam@domain.com): sieve: msgid=<6e3eb3f436fdca54@host.domain.com>: pipe action: piped message to program `sa-learn-sieve.sh' | |
257 | # IGNORE | |
241 | 258 | |
242 | 259 | # sieve vacation |
243 | 260 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*)\):(?: .*:)? sieve: msgid=.* sent vacation response to \<(.*)\>/)) { |
298 | 315 | $Aborted{$Host}++; |
299 | 316 | } elsif (my ($Reason) = ($ThisLine =~ /Aborted login \((.*)\):/)) { |
300 | 317 | $Aborted{$Reason}++; |
301 | } elsif (my ($User,$IP) = ($ThisLine =~ /auth: LOGIN\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) { | |
318 | } elsif (my ($User,$IP) = ($ThisLine =~ /auth: (?:LOGIN|login)\((.*),(\d+\.\d+\.\d+\.\d+)\): Request timed out waiting for client to continue authentication/) ) { | |
302 | 319 | $AuthTimedOut{$User}{$IP}++; |
303 | 320 | } elsif (my ($Reason) = ($ThisLine =~ /auth: Warning: auth client \d+ disconnected with \d+ pending requests: (.*)/) ) { |
304 | 321 | $AuthDisconnectedWithPending{$Reason}++; |
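Review bot: The new "sieve pipe" branch assigns `my ($User, $Recip)` from two patterns that each have a single capture group and then uses neither variable, so `$Recip` is always undefined and the `my` redeclares names already declared earlier in the same elsif chain. Since the branch only ignores the line, a bare `$ThisLine =~ /.../` test with the two message alternatives joined by `|` and no captures would read more clearly. The added "Dovecot 2.2.33" branch writes `($User, $Mailbox) =` without `my` while its neighbours use `my`; one form throughout the chain would be consistent. The chain starts and ends outside the visible hunks.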
114 | 114 | $ReInitializations++; |
115 | 115 | } elsif ($ThisLine =~ /..,... WARNING: is not a valid IP address/) { |
116 | 116 | # just ignore - this will be fixed within fail2ban and is harmless warning |
117 | } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (.*)/)) { | |
117 | } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Found (\S+)/)) { | |
118 | 118 | $ServicesFound{$Service}{$Host}++; |
119 | } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (.*)/)) { | |
119 | } elsif ( my ($Service,$Host) = ($ThisLine =~ /INFO\s+\[(.*)\] Ignore (\S+)/)) { | |
120 | 120 | $ServicesIgnored{$Service}{$Host}++; |
121 | 121 | # Generic messages |
122 | 122 | } elsif ( my ($Message) = ($ThisLine =~ / ERROR (.*)$/)) { |
197 | 197 | # what to look for as an attack USE LOWER CASE!!!!!! |
198 | 198 | # |
199 | 199 | my @exploits = ( |
200 | '^null$', | |
201 | 200 | '/\.\./\.\./\.\./', |
202 | 201 | '\.\./\.\./config\.sys', |
203 | 202 | '/\.\./\.\./\.\./autoexec\.bat', |
314 | 313 | } elsif ($logformat =~ /\G%\{User-Agent}i/gci) { |
315 | 314 | $parse_string[$parse_index] .= "(.*)"; |
316 | 315 | $parse_field[$parse_index][$parse_subindex++] = "agent"; |
317 | } elsif ($logformat =~ /\G%({.*?})?./gc) { | |
316 | } elsif ($logformat =~ /\G%(\{.*?\})?./gc) { | |
318 | 317 | $parse_string[$parse_index] .= "(.*?)"; |
319 | 318 | $parse_field[$parse_index][$parse_subindex++] = "not_used"; |
320 | 319 | } elsif ($logformat =~ /\G\|/gc) { |
575 | 574 | foreach my $j ( keys %{$hacks{$i}} ) { |
576 | 575 | print " $j $hacks{$i}{$j} Time(s) \n"; |
577 | 576 | } |
578 | } else { | |
579 | print "\n"; | |
580 | 577 | } |
581 | 578 | } |
582 | 579 | } |
104 | 104 | $UnalignedErrors{$1}++; |
105 | 105 | } elsif ($ThisLine =~ /([^(]*)\(\d+\): floating-point assist fault at ip/) { |
106 | 106 | $FPAssists{$1}++; |
107 | } elsif ($ThisLine =~ /Out of memory: (?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) { | |
108 | $OOM{$1}++; | |
109 | } elsif ($ThisLine =~ /(\S+) invoked oom-killer/) { | |
107 | } elsif ($ThisLine =~ /(?:[KK]illed|[Kk]ill) process \d+ \((.*)\)/) { | |
110 | 108 | $OOM{$1}++; |
111 | 109 | } elsif ($ThisLine =~ /(EDAC (MC|PCI)\d:.*)/) { |
112 | 110 | # Standard boot messages |
248 | 246 | } |
249 | 247 | |
250 | 248 | if (keys %OOM) { |
251 | print "\nWARNING: Out of memory killer killed these executables or their children\n"; | |
249 | print "\nWARNING: Out of memory killer killed these executables\n"; | |
252 | 250 | foreach my $Thisone ( sort {$a cmp $b} keys %OOM ) { |
253 | 251 | print " $Thisone : $OOM{$Thisone} Time(s)\n"; |
254 | 252 | } |
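Review bot: The character class `[KK]illed` in the new OOM pattern lists the same letter twice, so a lowercase "killed process" line is not counted although the second alternative `[Kk]ill` accepts both cases. Presumably `(?:[Kk]illed|[Kk]ill) process \d+ \((.*)\)` was intended. Dropping the `Out of memory: ` prefix also means that any kernel line containing "Kill process N (name)" now lands in `%OOM` and is printed under the out-of-memory warning. A short comment naming the message formats this branch is meant to cover would help. The elsif chain continues outside the hunk.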
25 | 25 | |
26 | 26 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
27 | 27 | my $enable_scan = $ENV{'mdadm_enable_scan'} || 0; |
28 | my $ignore_missing = $ENV{'mdadm_ignore_missing'} || 0; | |
28 | 29 | |
29 | 30 | my @devices = (); |
30 | 31 | if ( -f "/etc/mdadm.conf" ) { |
44 | 45 | DEV: foreach my $dev (@devices) { |
45 | 46 | my %mdhash; |
46 | 47 | |
48 | if ($dev =~ /<ignore>/) { | |
49 | next; | |
50 | } | |
51 | ||
47 | 52 | open(MDADM,"mdadm --misc --detail $dev 2>&1 |"); |
48 | 53 | while (<MDADM>) { |
49 | 54 | if ($_ =~ /cannot open .*: No such file or directory/) { |
50 | print $_; | |
55 | print $_ unless $ignore_missing; | |
51 | 56 | close(MDADM); |
52 | 57 | next DEV; |
53 | 58 | } |
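Review bot: The added `<ignore>` check shows that entries in `@devices` are not always device paths, yet the next statement still interpolates `$dev` into a shell command string in `open(MDADM,"mdadm --misc --detail $dev 2>&1 |")`, and the result of the open is not checked. Any entry carrying shell metacharacters would be interpreted by the shell, in a script that presumably runs with elevated privileges. A stricter guard in place of the single special case would cover this, for example `next unless $dev =~ m{^/dev/[\w./-]+$};`, together with `or next DEV` on the open. `@devices` is filled outside the hunk, so the accepted path form should be confirmed against how the list is built.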
88 | 88 | ($ThisLine =~ /stopping command channel on \S+/) or |
89 | 89 | ($ThisLine =~ /Malformed response from/) or |
90 | 90 | ($ThisLine =~ /client .* response from Internet for .*/) or |
91 | ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or | |
91 | # ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or | |
92 | 92 | ($ThisLine =~ /client .+(?: \([^)]+\))?: query:/) or |
93 | 93 | # Do we really want to ignore these? |
94 | 94 | #($ThisLine =~ /unknown logging category/) or |
146 | 146 | ($ThisLine =~ /refresh: NODATA response from master/) or |
147 | 147 | ($ThisLine =~ /update with no effect/) or |
148 | 148 | ($ThisLine =~ /reading built-in trusted keys from file/) or |
149 | ($ThisLine =~ /reading built-in trust anchors from file/) or | |
149 | 150 | ($ThisLine =~ /using built-in trusted-keys/) or |
150 | 151 | ($ThisLine =~ /set up managed keys zone/) or |
152 | ($ThisLine =~ /managed-keys-zone.*key now trusted/) or | |
153 | ($ThisLine =~ /dhcpupdate: forwarding update for zone/) or | |
154 | ($ThisLine =~ /forwarded dynamic update: master [^ ]* returned: (NXRRSET|YXDOMAIN)/) or | |
151 | 155 | ($ThisLine =~ /using .* as GeoIP directory/) or |
152 | 156 | ($ThisLine =~ /GEO-.* Build/) or |
153 | 157 | ($ThisLine =~ /initializing GeoIP /) or |
163 | 167 | ($ThisLine =~ /next key event: /) or |
164 | 168 | ($ThisLine =~ /reconfiguring zone keys/) or |
165 | 169 | ($ThisLine =~ /using built-in DLV key/) or |
166 | ($ThisLine =~ /reading built-in trusted keys from file/) or | |
170 | # ($ThisLine =~ /reading built-in trusted keys from file/) or | |
167 | 171 | ($ThisLine =~ /all zones loaded/) or |
172 | ($ThisLine =~ /resolver priming query complete/) or | |
168 | 173 | ($ThisLine =~ /client .* signer .* approved/) or |
169 | 174 | ($ThisLine =~ /stop limiting/) or |
170 | 175 | # ignore this line because the following line describes the error |
237 | 242 | } elsif ( ($Way,$Host) = ( $ThisLine =~ /([^ ]+): sendto\(\[([^ ]+)\].+\): Network is unreachable/ ) ) { |
238 | 243 | $FullHost = LookupIP ($Host); |
239 | 244 | $NetworkUnreachable{$Way}{$FullHost}++; |
245 | } elsif ( ($Host,$Way) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?error ([^ ]+) response: network unreachable/ ) ) { | |
246 | $FullHost = LookupIP ($Host); | |
247 | $NetworkUnreachable{$Way}{$FullHost}++; | |
240 | 248 | } elsif ( ($Zone,$Message) = ( $ThisLine =~ /client [^\#]+#[^\:]+: (?:view \w+: )?updating zone '([^\:]+)': (.*)$/ ) ) { |
241 | 249 | $ZoneUpdates{$Zone}{$Message}++; |
242 | 250 | } elsif ( ($Host,$Zone) = ( $ThisLine =~ /approved AXFR from \[(.+)\]\..+ for \"(.+)\"/ ) ) { |
245 | 253 | } elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) { |
246 | 254 | $FullClient = LookupIP ($Client); |
247 | 255 | $DeniedTCPClient{$FullClient}++; |
248 | } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: (?:view \w+: )?query \(cache\) denied/ ) ) { | |
256 | } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?(.*)#\d+(?: \(.*\))?: (?:view \w+: )?query \(cache\) (?:'.*' )?denied/ ) ) { | |
249 | 257 | $FullClient = LookupIP ($Client); |
250 | 258 | $DeniedQuery{$FullClient}++; |
251 | } elsif ( ($Client) = ( $ThisLine =~ /client (.*)(#\d+)?: query '.*' denied/ ) ) { | |
259 | } elsif ( ($Client) = ( $ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([^#]*)(#\d+)?(?: \(.*\))?: query '.*' denied/ ) ) { | |
252 | 260 | $FullClient = LookupIP ($Client); |
253 | 261 | $DeniedQueryNoCache{$FullClient}++; |
254 | } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: (?:view \w+: )?update '(.*)' denied/)) { | |
262 | } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client (?:\@0x[0-9a-fA-F]+ )?([\.0-9a-fA-F:]+)#\d+: (?:view (\w+): )?update '(.*)' denied/)) { | |
255 | 263 | $ViewName = ($ViewName ? "/$ViewName" : ""); |
256 | 264 | $UpdateDenied{"$Rhost ($Ldom$ViewName)"}++; |
257 | 265 | } elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) { |
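Review bot: Two ignore patterns are disabled by commenting them out, `# ($ThisLine =~ /client .+ query \(cache\) '.*' denied/) or` and the second `reading built-in trusted keys from file`, with no note on why. The first presumably had to go so that the widened `query \(cache\) (?:'.*' )?denied` branch further down can count these lines in `%DeniedQuery`. Either delete the lines or leave the reason, e.g. `# counted as DeniedQuery below, must not be ignored here`. The new `(.*)` host captures after `client (?:\@0x[0-9a-fA-F]+ )?` are greedy up to the last `#\d+` on the line. `([^#]*)`, as already used in the `query '.*' denied` branch, would be tighter.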
1886 | 1886 | # Pass; identity=helo; client-ip=192.168.0.2; helo=example.com; envelope-from=<>; receiver=bogus@example.net |
1887 | 1887 | # Permerror; identity=helo; client-ip=192.168.0.4; helo=example.com; envelope-from=f@example.com; receiver=bogus2@example.net |
1888 | 1888 | # Softfail; identity=mailfrom; client-ip=192.168.0.6; helo=example.com; envelope-from=f@example.com; receiver=yahl@example.org |
1889 | if ($line =~ /^(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror); (.*)$/) { | |
1889 | if ($line =~ /^(?:prepend Received-SPF: )?(Pass|Fail|None|Neutral|Permerror|Softfail|Temperror);? (.*)$/) { | |
1890 | 1890 | my $result = $1; |
1891 | 1891 | my %params = $2 =~ /([-\w]+)=([^;]+)/g; |
1892 | 1892 | #$params{'s'} = '*unknown' unless $params{'s'}; |
140 | 140 | ($ThisLine =~ /smbd\/reply\.c:reply_special\(\d+\) netbios connect: name1=.+ /) or |
141 | 141 | ($ThisLine =~ /nmbd\/nmbd_browsesync\.c:announce_local_master_browser_to_domain_master_browser\(\d+\) announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup .+ /) or |
142 | 142 | ($ThisLine =~ /auth\/auth\.c:check_ntlm_password\(\d+\) check_ntlm_password: authentication for user \[.+\] -> \[.+\] -> \[.+\] succeeded/) or |
143 | ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or | |
143 | ($ThisLine =~ /rpc_server\/srv_samr_nt\.c:_samr_lookup_domain\(\d+\) Returning domain sid for domain ([^ ]) -> ([^ ])/) or | |
144 | 144 | ($ThisLine =~ /===============================================================/) |
145 | 145 | ) { |
146 | 146 | #Don't care about these... |
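Review bot: The corrected `\(\d+\)` is still followed by `domain ([^ ]) -> ([^ ])`, where each group matches exactly one non-space character, so the pattern only ignores lines whose domain name is a single character. Presumably `+` quantifiers were intended: `Returning domain sid for domain ([^ ]+) -> ([^ ]+)`. The captures are not used in this ignore list, so `[^ ]+` without parentheses would do as well. The condition starts outside the hunk.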
189 | 189 | $ThisLine =~ s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //; |
190 | 190 | my $temp = $ThisLine; |
191 | 191 | $temp =~ s/^([^[:]+).*/$1/; |
192 | if ($Ignore =~ /\b\Q$temp\E\b/i) { next; } | |
192 | if ($Ignore =~ /(\s|^)\Q$temp\E(\s|$)/i) { next; } | |
193 | 193 | |
194 | 194 | #current sarge |
195 | 195 | if ($ThisLine =~ /^[^ :]*:( [0-9:\[\]\.]+|) \(pam_(unix|securetty)\)/i ) {next; } |
204 | 204 | ( $ThisLine =~ /pam_unix\(.*:.*\)/) or |
205 | 205 | ( $ThisLine =~ /pam_sss\(.*:.*\)/) or |
206 | 206 | ( $ThisLine =~ m/^[^ ]+\[\d+\]: connect from localhost$/ ) or |
207 | ( $ThisLine =~ /^\/usr\/bin\/sudo:/) or | |
208 | 207 | ( $ThisLine =~ /^halt:/) or |
209 | 208 | ( $ThisLine =~ /^com.apple.SecurityServer: Succeeded authorizing right system.(preferences|login.console|login.tty|login.done|privilege.admin) by process/) or |
210 | 209 | ( $ThisLine =~ /^pam_xauth\[\d+\]: call_xauth: child returned \d/) or |
212 | 211 | ( $ThisLine =~ /^passwd\[\d+\]:/) or |
213 | 212 | ( $ThisLine =~ /^passwd: gkr-pam: .*/) or |
214 | 213 | ( $ThisLine =~ /^reboot:/) or |
215 | ( $ThisLine =~ /^sudo:/) or | |
214 | ( $ThisLine =~ /^(?:\/usr\/bin\/)?sudo(?:\[\d+\])?:/) or | |
216 | 215 | ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or |
217 | 216 | ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or |
218 | 217 | ( $ThisLine =~ /warning: can.t get client address: Connection refused/) or |
276 | 275 | ( $ThisLine =~ /groupmod\[\d+\]: group changed in \/etc\/gshadow /) or # Details in other messages |
277 | 276 | ( $ThisLine =~ /gdm-session-worker\[\d+\]: pam_namespace\(gdm:session\): Unmount of [^ ]* failed, Device or resource busy/) or |
278 | 277 | ( $ThisLine =~ /pkexec: pam_systemd(.*): /) or |
279 | ( $ThisLine =~ /pkexec: \S+: Executing command /) or | |
278 | ( $ThisLine =~ /pkexec(?:\[\d+\])?: \S+: Executing command /) or | |
280 | 279 | ( $ThisLine =~ /su: pam_systemd(.*): Failed to parse message: /) or |
281 | 280 | ( $ThisLine =~ /pam_systemd\(su:session\): Cannot create session: Already (running in|occupied by) a session/) or |
282 | 281 | ( $ThisLine =~ /systemd-logind\[\d+\]: Removed session/) or |
285 | 284 | ( $ThisLine =~ /systemd-logind\[\d+\]: Failed to start session scope (\S+): Transaction is destructive\./) or |
286 | 285 | ( $ThisLine =~ /DIGEST-MD5 common mech free/) or |
287 | 286 | ( $ThisLine =~ /sshguard\[\d+\]: Reloading rotated file /) or |
287 | ( $ThisLine =~ /sshguard\[\d+\]: Session \d+ logged out/) or | |
288 | 288 | ( $ThisLine =~ /sshguard\[\d+\]: Exiting on signal/) or |
289 | 289 | ( $ThisLine =~ /sshguard\[\d+\]: Monitoring attacks from /) or |
290 | 290 | ( $ThisLine =~ /sshguard\[\d+\]: (?:message repeated \d+ times: \[ )?\S+: not blocking /) or |
427 | 427 | push @RemoveFromGroup, " user $1 from group $3\n"; |
428 | 428 | # This is an inetd lookup... $1 is the service (i.e. ftp), $2 is the response |
429 | 429 | # I don't think these are important to log at this time |
430 | } elsif ( $ThisLine =~ /^sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) { | |
431 | # sudo unauthorized commands | |
432 | push @SudoList, "$1: $3\n" unless ($2 eq ""); | |
433 | } elsif ( $ThisLine =~ /^\/usr\/bin\/sudo: ([^\s]+) : (command not allowed)?.+ ; COMMAND=(.*)$/ ) { | |
434 | # sudo unauthorized commands | |
435 | push @SudoList, "$1: $3\n" unless ($2 eq ""); | |
436 | 430 | } elsif ( ($service, $from) = ($ThisLine =~ /^xinetd\[\d+\]: FAIL: (.+) (?:address|libwrap|service_limit|connections per second) from=([\d.]+)/)) { |
437 | 431 | if ($Ignore =~ /\b\Q$service\E\b/i) { next; } |
438 | 432 | $Refused->{$service}->{$from}++; |
458 | 452 | $GroupChanged{"$ThisLine"}++; |
459 | 453 | } elsif ( ($Pid,$User,$Home,$NewHome) = ($ThisLine =~ /^usermod(\[\d+\])?: change user [`'](.*)' home from [`'](.*)' to [`'](.*)'/)) { |
460 | 454 | $HomeChange{$User}{"$Home -> $NewHome"}++; |
461 | } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) { | |
455 | } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' UID from [`'](.*)' to [`'](.*)'/)) { | |
462 | 456 | $UidChange{"$User: $From -> $To"}++; |
463 | } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) { | |
457 | } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' GID from [`'](.*)' to [`'](.*)'/)) { | |
464 | 458 | $GidChange{"$User: $From -> $To"}++; |
465 | } elsif ( ($User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) { | |
459 | } elsif ( ($Pid,$User,$From,$To) = ($ThisLine =~ /^usermod(\[\d+\])?: ?change user [`'](.*)' expiration from [`'](.*)' to [`'](.*)'/)) { | |
466 | 460 | $AccountExpiry{"$User: $From -> $To"}++; |
467 | 461 | # checkpassword-pam |
468 | 462 | } elsif ( ($PID) = ($ThisLine =~ /^checkpassword-pam\[(\d+)\]: Reading username and password/)) { |
841 | 835 | print "spop3d connection errors:\t".$spop3d_errors."\n"; |
842 | 836 | } |
843 | 837 | |
844 | if ($#SudoList >= 0) { | |
845 | print "\nUnauthorized sudo commands attempted (" . ($#SudoList + 1) . "):\n"; | |
846 | print @SudoList; | |
847 | } | |
848 | ||
849 | 838 | if (keys %ChkPasswdPam) { |
850 | 839 | print "\ncheckpassword-pam (SUID root PAM client):\n"; |
851 | 840 | foreach $PID (sort {$a cmp $b} keys %ChkPasswdPam) { |
386 | 386 | } |
387 | 387 | |
388 | 388 | # QueueID formats: in 8.11 it was \w{7}\d{5}, in 8.12+ it is \w{8}\d{6} |
389 | my $QueueIDFormat = "(?:\\w{7,9}\\d{5}|NOQUEUE)"; | |
389 | # Also, PID can now be up to seven digits in 64-bit systems | |
390 | my $QueueIDFormat = "(?:\\w{7,9}\\d{5,7}|NOQUEUE)"; | |
390 | 391 | |
391 | 392 | # ENOENT refers to "no such file or directory" |
392 | 393 | my $ENOENT = Errno::ENOENT(); |
324 | 324 | $IllegalUsers{$host_ip}{$Temp}++; |
325 | 325 | } |
326 | 326 | |
327 | elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) { | |
328 | $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ | |
329 | } | |
327 | 330 | elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(.*)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?(S+)?(.*)?/) ) { |
328 | $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ | |
329 | } | |
330 | elsif ( ($Msg,$number,$src_ip,$port_src,$interface_src,$src_name,$dst_ip,$port_dst,$interface_dst,$dst_name,$pad) = ($ThisLine =~ /msg="(Ping of death dropped|Smurf Amplification attack dropped)" n=(\d+) src=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)? dst=(\d+\.\d+\.\d+\.\d+):(\d+):(WAN|LAN|DMZ):?(.*)?/) ) { | |
331 | 331 | $Msg{$host_ip}{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}++ |
332 | 332 | } |
333 | 333 |
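Review bot: The `elsif` added at new lines 327-329 for `Ping of death dropped|Smurf Amplification attack dropped` has the same body as the generic `msg="(.*)"` branch that follows it, so moving it ahead appears to change nothing unless the greedy generic pattern captures a different `$Msg` on these lines. Both bodies build the hash key from a comma list, `{$Msg," for ",LookupIP($src_ip)," to ",LookupIP($dst_ip)}`, which Perl joins with `$;` (the `\034` subscript separator) rather than concatenating, so the attack messages are counted under a key containing control characters. If a readable key is intended, `$Msg{$host_ip}{"$Msg for " . LookupIP($src_ip) . " to " . LookupIP($dst_ip)}++;` says it directly. The code that prints `%Msg` is outside this section, so check how it handles the key before changing it.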
314 | 314 | ($ThisLine =~ /Found matching \w+ key:/ ) or |
315 | 315 | ($ThisLine =~ /User child is on pid \d/ ) or |
316 | 316 | ($ThisLine =~ /Nasty PTR record .* is set up for [\da-fA-F.:]+, ignoring/) or |
317 | ($ThisLine =~ /Disconnected from (?:user \S+ |)[\da-fA-F.:]* port \d*/ ) or | |
317 | ($ThisLine =~ /Exiting on signal / ) or | |
318 | ($ThisLine =~ /Disconnected from [\da-fA-F.:]* port \d*/ ) or | |
319 | ($ThisLine =~ /Disconnected from user \S+ [\da-fA-F.:]* port \d*/ ) or | |
320 | ($ThisLine =~ /Disconnected from (authenticating|invalid) user \S+ [\da-fA-F.:]* port \d*/ ) or | |
321 | ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Too many authentication failures \[preauth\]/ ) or | |
322 | ($ThisLine =~ /Disconnecting( (authenticating|invalid) user .* port \d+)?: Change of username or service not allowed: .* \[preauth\]/ ) or | |
318 | 323 | ($ThisLine =~ /Failed to release session: Interrupted system call/) or |
319 | 324 | ($ThisLine =~ /Close session: user /) or |
320 | 325 | 0 # This line prevents blame shifting as lines are added above |
339 | 344 | $TooManyFailures{$User}++; |
340 | 345 | } elsif ( my ($User) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for ([^ ]+) from [^ ]+ port \d+ ssh2 \[preauth\]/)) { |
341 | 346 | $TooManyFailures{$User}++; |
342 | } elsif ( $ThisLine =~ /Disconnecting: Too many authentication failures \[preauth\]/ ) { | |
343 | # Ignore these - should be covered by other messages | |
344 | } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (.+)/ ) { # ssh/openssh | |
347 | } elsif ( my ($User,$Host) = ( $ThisLine =~ /error: maximum authentication attempts exceeded for invalid user ([^ ]+) from ([^ ]+) port \d+ ssh2 \[preauth\]/)) { | |
348 | $IllegalUsers{$Host}{$User}++; | |
349 | } elsif ( $ThisLine =~ m/^(fatal: )?Did not receive ident(ification)? string from (\S+)/ ) { # ssh/openssh | |
345 | 350 | my $name = LookupIP($3); |
346 | 351 | $NoIdent{$name}++; |
347 | 352 | } elsif ( my ($Host) = ($ThisLine =~ /Could not write ident string to ([^ ]+)$/ )) { |
406 | 411 | $NoRevMap{"$Address($IP)"}++; |
407 | 412 | } elsif ( my (undef,$Address) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: can't verify hostname: getaddrinfo\(([^ ]*), AF_INET\) failed$/)) { |
408 | 413 | $NoRevMap{$Address}++; |
409 | } elsif ( (undef, my $Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) { | |
414 | } elsif ( my (undef,$Addresses) = ($ThisLine =~ /^warning: ([^ ]*), line \d+: host [^ ]* mismatch: (.*)$/)) { | |
410 | 415 | $MisMatch{$Addresses}++; |
411 | 416 | } elsif ( $ThisLine =~ m/subsystem request for sftp/ ) { |
412 | 417 | $sftpRequests++; |
420 | 425 | $NegotiationFailed{$Reason}{$Host}{$Offer}++; |
421 | 426 | } elsif ( my ($Prio,$Host,$Port,$Code,$Reason) = ($ThisLine =~ /^(error: )?Received disconnect from ([^ ]*)( port \d+)?: ?(\d+): (.*)$/)) { |
422 | 427 | # Reason 11 ({SSH,SSH2}_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO |
423 | if (($Code != 11) || ($Detail >= 30)) { | |
428 | if (($Reason =~ /preauth/) || ($Code != 11) || ($Detail >= 30)) { | |
424 | 429 | $DisconnectReceived{$Reason}{$Host}++; |
425 | 430 | } |
426 | 431 | } elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) { |
427 | 432 | $RootLogin{$Host}++; |
428 | 433 | } elsif ( my ($Error) = ($ThisLine =~ /^Cannot release PAM authentication\[\d\]: (.*)$/)) { |
429 | 434 | $PamReleaseFail{$Error}++; |
435 | } elsif ( my ($Error) = ($ThisLine =~ /^pam_systemd\(sshd:session\): Failed to release session: (.*)$/)) { | |
436 | $PamReleaseFail{$Error}++; | |
430 | 437 | } elsif ( my ($Error) = ( $ThisLine =~ m/^error: PAM: (.*)$/)) { |
438 | $PamError{$Error}++; | |
439 | } elsif ( my ($Error) = ( $ThisLine =~ m/pam_systemd\(sshd:session\): (Failed to create session: .*)$/)) { | |
431 | 440 | $PamError{$Error}++; |
432 | 441 | } elsif ( my ($Reason) = ( $ThisLine =~ m/pam_chroot\(.+\):\s+([^:])/)) { |
433 | 442 | $PamChroot{$Reason}++; |
452 | 461 | $DenyGroups{$User}++; |
453 | 462 | } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) from ([^ ]*) not allowed because none of user's groups are listed in AllowGroups/)) { |
454 | 463 | $AllowGroups{$User}++; |
455 | } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) { | |
464 | } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) does not exist/)) { | |
456 | 465 | $NoShellUsers{$User}++; |
457 | } elsif ( ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) { | |
466 | } elsif ( my ($User) = ($ThisLine =~ /^User ([^ ]*) not allowed because shell (\S+) is not executable/)) { | |
458 | 467 | $ShellNotExecutableUsers{$User}++; |
459 | } elsif ( ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) { | |
468 | } elsif ( my ($User) = ($ThisLine =~ /^fatal: Access denied for user ([^ ]+) by PAM account configuration \[preauth\]/)) { | |
460 | 469 | $PamDeny{$User}++; |
461 | 470 | } elsif ( my ($IP) = ($ThisLine =~ /^scanned from ([^ ]*)/) ) { |
462 | 471 | push @Scanned, $IP; |
615 | 624 | foreach my $Reason (sort {$a cmp $b} keys %NegotiationFailed) { |
616 | 625 | my $Total = 0; |
617 | 626 | print " $Reason"; |
627 | if ( $Detail > 0 ) { | |
628 | print "\n"; | |
629 | } | |
618 | 630 | foreach my $Host (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}}) { |
619 | 631 | my $HostTotal = 0; |
620 | 632 | foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) { |
622 | 634 | } |
623 | 635 | $Total += $HostTotal; |
624 | 636 | if ( $Detail > 0 ) { |
625 | print "\n $Host: " . timesplural($HostTotal); | |
637 | print " $Host: " . timesplural($HostTotal); | |
626 | 638 | } |
627 | 639 | if ( $Detail > 5 ) { |
628 | 640 | foreach my $Offer (sort {$a cmp $b} keys %{$NegotiationFailed{$Reason}{$Host}}) { |
629 | 641 | my $tot = $NegotiationFailed{$Reason}{$Host}{$Offer}; |
630 | print "\n $Offer: " . timesplural($tot); | |
642 | print " $Offer: " . timesplural($tot); | |
631 | 643 | } |
632 | 644 | } |
633 | 645 | } |
634 | if( $Detail > 0 ) { | |
635 | print "\n"; | |
636 | } else { | |
646 | if ( $Detail == 0 ) { | |
637 | 647 | print ": " . timesplural($Total); |
638 | 648 | } |
639 | 649 | } |
15 | 15 | |
16 | 16 | use strict; |
17 | 17 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
18 | my $IgnoreBackendStatus = $ENV{'ignore_backend_status'} || 0; | |
19 | my $IgnoreEnumerationRequested = $ENV{'ignore_enumeration_requested'} || 0; | |
18 | 20 | my %Errors; |
19 | 21 | my $Service; |
20 | 22 | my %Starts; |
21 | 23 | my %Stops; |
22 | 24 | my %OtherList; |
25 | my $BackendStatus; | |
26 | my $BackendOffline = 0; | |
27 | my $EnumerationRequested = 0; | |
28 | my $ignore_p11_child_error = 0; | |
23 | 29 | |
24 | 30 | # Lines are of the form: |
25 | 31 | # sssd[service]: |
28 | 34 | chomp($ThisLine); |
29 | 35 | |
30 | 36 | # Strip off leading sssd: |
31 | $ThisLine =~ s/^sssd: //; | |
37 | $ThisLine =~ s/^sssd(?:\[\d+\])?: //; | |
38 | ||
39 | # Strip off duplicate timestamp if present | |
40 | $ThisLine =~ s/^\(... ... .\d \d\d:\d\d:\d\d \d\d\d\d\) //; | |
32 | 41 | |
33 | 42 | # Remove []s from debug messages if any |
34 | 43 | $ThisLine =~ s/^\[(\S+)\] /$1 /; |
45 | 54 | $Service = $1; |
46 | 55 | } |
47 | 56 | |
48 | if ($ThisLine =~ /^Starting up/) { | |
57 | # Ignore debug messages | |
58 | my ($debuglevel) = ($ThisLine =~ /\s\((0x[0-9a-f]{4})\):\s/); | |
59 | ||
60 | next if defined($debuglevel) && hex($debuglevel) > 16; | |
61 | if ($ThisLine =~ /Starting up/) { | |
49 | 62 | $Starts{$Service}++; |
50 | 63 | } elsif ($ThisLine =~ /^Shutting down/) { |
51 | 64 | $Stops{$Service}++; |
52 | 65 | } elsif ($ThisLine =~ /error/i) { |
53 | 66 | $Errors{$Service}->{$ThisLine}++; |
67 | } elsif (my ($status) = ($ThisLine =~ /Backend is (.*)/)) { | |
68 | $BackendStatus = $status; | |
69 | $BackendOffline++ if $BackendStatus eq "offline"; | |
70 | } elsif ($ThisLine =~ /^Enumeration requested but not enabled/) { | |
71 | $EnumerationRequested++ unless $IgnoreEnumerationRequested; | |
72 | } elsif ($Service eq "p11_child" && $ThisLine =~ /Certificate .* not valid .*Certificate key usage inadequate for attempted operation/) { | |
73 | # sssd ssh does not ignore certificates of different types - ignore the errors generated by it | |
74 | $ignore_p11_child_error = 1; | |
75 | } elsif ($Service eq "p11_child" && $ThisLine =~ /do_work failed/ && $ignore_p11_child_error) { | |
76 | } elsif ($Service eq "p11_child" && $ThisLine =~ /p11_child failed/ && $ignore_p11_child_error) { | |
77 | $ignore_p11_child_error = 0; | |
54 | 78 | } else { |
55 | 79 | $OtherList{"$Service: $ThisLine"}++; |
56 | 80 | } |
66 | 90 | } |
67 | 91 | } |
68 | 92 | |
93 | # sssd will generally start in offline mode, so don't alert if we've just started up | |
94 | if ($BackendOffline and (($Starts{"Daemon"} != $BackendOffline) or ($BackendStatus ne "online")) and not $IgnoreBackendStatus) { | |
95 | print "\nSSSD Backend went offline $BackendOffline Time(s),"; | |
96 | print " last status was $BackendStatus\n"; | |
97 | } | |
98 | ||
69 | 99 | if (keys %Starts and $Detail) { |
70 | 100 | print "\nSSSD Services Started:\n"; |
71 | 101 | foreach my $Service (sort {$a cmp $b} keys %Starts) { |
78 | 108 | foreach my $Service (sort {$a cmp $b} keys %Stops) { |
79 | 109 | print " $Service: " . $Stops{$Service} . " Time(s)\n"; |
80 | 110 | } |
111 | } | |
112 | ||
113 | if ($EnumerationRequested) { | |
114 | print "\nEnumeration requested but not enabled: $EnumerationRequested Time(s)\n"; | |
81 | 115 | } |
82 | 116 | |
83 | 117 | if (keys %OtherList) { |
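Review bot: The filter at new line 60, `next if defined($debuglevel) && hex($debuglevel) > 16;`, is commented as ignoring debug messages but drops every line whose level is above 0x0010. In SSSD's documented debug-level bitmask 0x0020 and 0x0040 are critical and serious failures, so those lines would never reach the `/error/i` branch or `%OtherList`. If only trace and configuration output is meant to be skipped, a threshold written in hex, e.g. `hex($debuglevel) > 0x0040`, with a comment naming the levels that are kept, would make the cut-off explicit. Confirm the level values against the SSSD version whose logs are parsed. The loop this check sits in starts outside the hunk.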
79 | 79 | # handled in pam_unix |
80 | 80 | } elsif ($ThisLine =~ /pam_unix\(sudo:auth\): auth could not identify password for/) { |
81 | 81 | # handled in pam_unix |
82 | } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/) { | |
82 | } elsif ($ThisLine =~ /pam_sss\(sudo:auth\): authentication success/ | |
83 | or $ThisLine =~ /pam_systemd\(sudo:session\): Cannot create session: Already (running in|occupied by) a session/ | |
84 | ) { | |
83 | 85 | # Ignore |
84 | 86 | } elsif ($ThisLine =~ /(.+): conversation failed/) { |
85 | 87 | $ConFailed{$1}++; |
46 | 46 | $ThisLine =~ / failed\.$/ or |
47 | 47 | $ThisLine =~ /([Cc]ontrol|[Mm]ain|[Mm]ount) process exited, code=(exited|killed|dumped),? status=/ or |
48 | 48 | # Informational |
49 | $ThisLine =~ /^Closed .* [Ss]ockets?\.$/ or | |
49 | $ThisLine =~ /^Closed .*[\. ][Ss]ockets?\.$/ or | |
50 | 50 | $ThisLine =~ /^Closed .* [Ss]cheduler\.$/ or |
51 | 51 | $ThisLine =~ /^Closed .* [Ww]atch\.$/ or |
52 | $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or | |
52 | 53 | $ThisLine =~ /^Closed udev / or |
54 | # crond will never restart process when it is restarted | |
55 | $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or | |
53 | 56 | $ThisLine =~ /^Received SIGINT\./ or |
54 | 57 | $ThisLine =~ /^Deactivated / or |
55 | 58 | $ThisLine =~ /^Detected (architecture|virtualization) / or |
63 | 66 | $ThisLine =~ /^RTC configured in / or |
64 | 67 | $ThisLine =~ /^Running in initial RAM disk\.$/ or |
65 | 68 | $ThisLine =~ /^Set hostname to / or |
69 | $ThisLine =~ /^Set up automount Arbitrary Executable File Formats File System Automount Point\.$/ or | |
66 | 70 | $ThisLine =~ /^Shutting down\.$/ or |
67 | 71 | $ThisLine =~ /^Startup finished in / or |
68 | 72 | $ThisLine =~ /^Stopped / or |
72 | 76 | $ThisLine =~ /: Got notification message from PID \d+, but reception is disabled\./ or |
73 | 77 | $ThisLine =~ /: Got notification message from PID \d+, but reception only permitted for main PID \d+/ or |
74 | 78 | $ThisLine =~ /^systemd (\d+) running in system mode/ or |
79 | # This is preceeded by a more descriptive message | |
80 | $ThisLine =~ /^This usually indicates unclean termination of a previous run, or service implementation deficiencies\.$/ or | |
75 | 81 | $ThisLine =~ /Transaction is destructive\./ or |
76 | 82 | $ThisLine =~ /^Unit .* is bound to inactive unit .*\. Stopping, too\./ or |
77 | 83 | $ThisLine =~ /Unit (.* is )?not needed anymore\. Stopping\./ or |
92 | 98 | $ThisLine =~ /^[^ ]*\.mount: Directory \/[^ ]* to mount over is not empty, mounting anyway\.$/ or |
93 | 99 | # A known issue - reported by multiple distributions |
94 | 100 | $ThisLine =~ /^user\@\d+\.service: Failed at step CGROUP spawning \/usr\/lib\/systemd\/systemd: No such file or directory$/ or |
95 | $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \(plymouthd\)\.$/ or | |
101 | $ThisLine =~ /^Received SIGRTMIN\+2[01] from PID \d+ \((?:plymouthd|n\/a)\)\.$/ or | |
96 | 102 | # https://bugzilla.redhat.com/show_bug.cgi?id=1072368 |
97 | $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \(kill\)\.$/ or | |
103 | $ThisLine =~ /^Received SIGRTMIN\+24 from PID \d+ \((?:kill|n\/a)\)\.$/ or | |
98 | 104 | $ThisLine =~ /^Removed slice / or |
99 | 105 | $ThisLine =~ /^pam_unix\(systemd-user:session\): session (?:opened|closed) for user/ or |
100 | 106 | $ThisLine =~ /Adding .* random time\.$/ or |
126 | 126 | } |
127 | 127 | |
128 | 128 | sub DiskFull { |
129 | my $o = `$disk_cmd`; | |
130 | my @rows = split('\n', $o); | |
131 | foreach my $row (@rows) { | |
132 | my @fields = split(' ', $row); | |
133 | my $use = $fields[4]; | |
134 | $use =~ s/%//; | |
135 | if (($use > $diskfull_threshold) && | |
136 | ($fields[0] !~ /\/dev\/scd/ ) && | |
137 | ($fields[0] !~ /\/dev\/sr/ ) && | |
138 | ($fields[0] !~ /\/dev\/loop./) && | |
139 | ($fields[5] !~ /^$diskfull_exclude_dirs/i)) { | |
140 | print "$fields[5] ($fields[0]) => $fields[4] Used. Warning. Disk Filling up.\n"; | |
141 | } | |
142 | } | |
129 | my @rows = split('\n', `$disk_cmd`); | |
130 | # Remove header | |
131 | shift @rows; | |
132 | foreach my $row (@rows) { | |
133 | my ($source,$used,$target) = ($row =~ /^(.*?)(?:\s+\d+[KMGTP]?){3}\s+(\d+)%\s+(.*)$/); | |
134 | if (($used > $diskfull_threshold) && | |
135 | ($source !~ /\/dev\/scd/ ) && | |
136 | ($source !~ /\/dev\/sr/ ) && | |
137 | ($source !~ /\/dev\/loop./) && | |
138 | ($target !~ /^$diskfull_exclude_dirs/)) { | |
139 | print "$target ($source) => $used% Used. Warning: Disk Filling up.\n"; | |
140 | } | |
141 | } | |
143 | 142 | } |
144 | 143 | |
145 | 144 | ##################### |
155 | 154 | if ( ($release eq "5.10") || ($release eq "5.9") || ($release eq "5.11") ) { |
156 | 155 | $df_options = "-h"; |
157 | 156 | } |
158 | if ($local_disks_only) { $df_options .= " -l"; } | |
159 | } elsif ($OSname eq "HP-UX") { | |
160 | $df_options = ""; | |
161 | 157 | if ($local_disks_only) { $df_options .= " -l"; } |
162 | 158 | } elsif ($OSname eq "AIX") { |
163 | 159 | $df_options = ""; |
174 | 170 | $df_options = $ENV{'df_options'}; |
175 | 171 | }; |
176 | 172 | |
177 | if ($OSname eq "Linux") { | |
178 | $disk_cmd = "df $df_options"; | |
179 | } elsif ($OSname eq "Darwin") { | |
180 | $disk_cmd = "df $df_options"; | |
181 | } elsif ($OSname eq "SunOS") { | |
173 | if ($OSname eq "SunOS") { | |
182 | 174 | $disk_cmd = "/usr/xpg4/bin/df $df_options"; |
183 | 175 | } elsif ($OSname eq "HP-UX") { |
184 | 176 | $disk_cmd = "bdf $df_options"; |
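Review bot: In the rewritten `DiskFull` (new lines 129-141) a row that does not match the pattern leaves `$source`, `$used` and `$target` undefined, and `$used > $diskfull_threshold` is then false, so that filesystem is skipped without any message. The size columns are matched by `(?:\s+\d+[KMGTP]?){3}`, which does not accept decimal values such as `9.8G`; `$df_options` is set to `-h` on at least one branch in this section, and human-readable df output commonly contains them. I would widen the size token to `[\d.]+[KMGTPE]?i?` and add `next unless defined $used;` with a debug message, so an unparsed row is visible instead of being read as "not full". Rows that df wraps over two lines for long device names would fail the match in the same way.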
0 | ########################################################################## | |
1 | # $Id$ | |
2 | ########################################################################## | |
3 | # Named 'zz-fortune' so that it will be the last to execute... | |
4 | ||
5 | ####################################################### | |
6 | ## Copyright (c) 2008 Kirk Bauer | |
7 | ## Covered under the included MIT/X-Consortium License: | |
8 | ## http://www.opensource.org/licenses/mit-license.php | |
9 | ## All modifications and contributions by other persons to | |
10 | ## this script are assumed to have been donated to the | |
11 | ## Logwatch project and thus assume the above copyright | |
12 | ## and licensing terms. If you want to make contributions | |
13 | ## under your own copyright or a different license this | |
14 | ## must be explicitly stated in the contribution an the | |
15 | ## Logwatch project reserves the right to not accept such | |
16 | ## contributions. If you have made significant | |
17 | ## contributions to this script and want to claim | |
18 | ## copyright please contact logwatch-devel@lists.sourceforge.net. | |
19 | ######################################################### | |
20 | ||
21 | my $env = ( $ENV{'REAL_LANG'} ? "LANG=".$ENV{'REAL_LANG'}." " : "" ). | |
22 | ( $ENV{'REAL_LC_ALL'} ? "LC_ALL=".$ENV{'REAL_LC_ALL'}." " : "" ); | |
23 | ||
24 | if (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/games/fortune")) { | |
25 | #print "\n\n------------------ Fortune --------------------\n\n"; | |
26 | system("$env /usr/games/fortune"); | |
27 | print "\n"; | |
28 | } | |
29 | elsif (($ENV{'PRINTING'} eq "y" ) && (-f "/usr/bin/fortune")) { | |
30 | #print "\n\n------------------ Fortune --------------------\n\n"; | |
31 | system("$env /usr/bin/fortune"); | |
32 | print "\n"; | |
33 | } | |
34 | ||
35 | # vi: shiftwidth=3 tabstop=3 syntax=perl et | |
36 | # Local Variables: | |
37 | # mode: perl | |
38 | # perl-indent-level: 3 | |
39 | # indent-tabs-mode: nil | |
40 | # End: |
83 | 83 | my $unit_re = '['.join('', keys %units).']'; |
84 | 84 | |
85 | 85 | # Discover the pools |
86 | open POOLS, '-|', $pathto_zpool, qw(list -H -o name,size,allocated,free,dedupratio,capacity,health) or die "Error running 'zpool list': $!\n"; | |
86 | open POOLS, "$pathto_zpool list -H -o name,size,allocated,free,dedupratio,capacity,health 2>/dev/null |" or die "Error running 'zpool list': $!\n"; | |
87 | 87 | while(<POOLS>) { |
88 | 88 | chomp; |
89 | 89 | my ($name, $size, $used, $avail, $dedup, $cap, $health) = split(/\s+/); |
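Review bot: Assuming the second line 86 is the new side (the page prints old before new in its other hunks), `open` now passes `$pathto_zpool` through the shell instead of using the list form `open POOLS, '-|', $pathto_zpool, qw(list ...)`. With a shell in between, the value of `$pathto_zpool` is parsed for metacharacters, and `open` succeeds whenever the shell itself starts, so `or die` no longer reports a missing or failing zpool and `2>/dev/null` hides its message. Where `$pathto_zpool` is set is not visible here; if it can come from configuration or the environment, keep the list form and silence stderr by redirecting `STDERR` around the call. Either way, check `close POOLS` and `$?` after the `while` loop, which continues outside this hunk.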
55 | 55 | if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; } |
56 | 56 | } |
57 | 57 | } |
58 | elsif ($ThisLine =~ s/^\@40{6}([0-9a-f]{9})[0-9a-f]{8}\s// ) { | |
59 | if ( $Debug > 10 ) { | |
60 | print STDERR "DEBUG: potential Y2038 bug $1 is greater than 2038 and your perl version is $] see http://perldoc.perl.org/5.14.1/perl5120delta.html#Y2038-compliance\n"; | |
61 | } | |
62 | my $NewTimeStamp = scalar(localtime(hex($1))); | |
63 | if ($NewTimeStamp =~ /^$SearchDate$/) { | |
64 | print $ThisLine; | |
65 | if ( $Debug > 5 ) { print STDERR "DEBUG: NewTimeStamp: " . $NewTimeStamp . " ($ThisLine)\n"; } | |
66 | } | |
67 | } | |
58 | 68 | } |
59 | 69 | |
60 | 70 | # vi: shiftwidth=3 syntax=perl tabstop=3 et |