New upstream version 7.5.4
Willi Mann
3 years ago
| 163 | 163 | are declared in the files under these directories. You can change the |
| 164 | 164 | default values to modify how or what is displayed with logwatch. |
| 165 | 165 | |
| 166 | One variable available to all services, and which by default is not | |
| 167 | specified, is the 'Detail' variable (note that it is not preceded by | |
| 168 | a '$' symbol). Specifying a Detail value will override the global | |
| 169 | Detail level, for that service only. | |
| 166 | Two variables are available to all services, and not specified by | |
| 167 | default. They are the 'Detail' variable and the 'Pre_Ignore' | |
| 168 | variables. The use of these two variables are described at the | |
| 169 | end of this section. | |
| 170 | 170 | |
| 171 | 171 | There are two mechanisms for customizing the variables: |
| 172 | 172 | |
| 262 | 262 | |
| 263 | 263 | will cause the messages file to be ignored for those same services, |
| 264 | 264 | and only the syslog file will be used. |
| 265 | ||
| 266 | An earlier reference was made to the two variables available to all | |
| 267 | services: Detail and Pre_Ignore. Note that neither is preceded by | |
| 268 | a '$' symbol when used in the configuration file. | |
| 269 | ||
| 270 | Specifying a Detail value will override the global Detail level, for | |
| 271 | that service only. As with the corresponding command option, 'Detail' | |
| 272 | can be an integer of zero or higher, or the values Low, Medium, or | |
| 273 | High, which correspond to the integers 0, 5, and 10, respectively. | |
| 274 | ||
| 275 | Specifying a Pre_Ignore variable with a regular expression value will | |
| 276 | use that regular expression as the argument to 'egrep' to filter the | |
| 277 | log statements. The filter is applied before the service script is run. | |
| 278 | This is in contrast to the regular expressions in the ignore.conf file | |
| 279 | (described in Section 3.A above), which filter the output after the | |
| 280 | service script is run. Also, the declarations in the ignore.conf file | |
| 281 | are applied to all services. | |
| 265 | 282 | |
| 266 | 283 | |
| 267 | 284 | 5. Customizing the Scripts |
| 295 | 312 | ----------------- |
| 296 | 313 | |
| 297 | 314 | There is only one required line in the logfile group config file. This |
| 298 | command is called 'LogFile'. | |
| 315 | statement is called 'LogFile'. | |
| 299 | 316 | |
| 300 | 317 | # This will be the logfile named 'messages' in the default logfile |
| 301 | 318 | # directory (probably /var/log). |
| 302 | 319 | LogFile = messages |
| 303 | 320 | |
| 304 | # You can also give this command with an absolute path, like this: | |
| 321 | # You can also give this value with an absolute path. For example: | |
| 305 | 322 | LogFile = /var/log/messages |
| 306 | 323 | |
| 307 | 324 | You can have as many LogFile entries as you wish. All the files specified |
| 308 | 325 | will be merged into one input stream for any filters that use this logfile |
| 309 | group. You can also use standard wildcards when you specify the filename. | |
| 310 | ||
| 311 | Another command that is optional is called 'Archive'. You can specify a | |
| 312 | file to also include in the data stream if the '--archives' option is used. | |
| 313 | If these files do not exist it is okay. For example: | |
| 326 | group. | |
| 327 | ||
| 328 | The 'Archive' statement is optional. Specifying it will include the | |
| 329 | corresponding files in the data stream if the '--archives' option is | |
| 330 | used. For example: | |
| 314 | 331 | |
| 315 | 332 | # These 2 'Archive' entries will allow users of most Red Hat Linux |
| 316 | 333 | # systems to access their archives of the 'messages' logfile: |
| 320 | 337 | # It is best just to include both of these so that the logfile group |
| 321 | 338 | # will work for most systems. |
| 322 | 339 | |
| 340 | When specifying filenames for either the LogFile or Archive statements, | |
| 341 | you can use standard regexps (for example, *, ?, or [0-9]). In addition, | |
| 342 | filenames with spaces are possible by enclosing them in single quotes. | |
| 343 | ||
| 344 | For either the LogFile or Archive statements, the corresponding files | |
| 345 | need not exist. In that case, the statement is ignored. Because of this, | |
| 346 | many Logfile groups have multiple LogFile or Archive statements for many | |
| 347 | different OS implementations; only those that exist will be used. | |
| 348 | ||
| 323 | 349 | Now, the general theory is that the LogFile Group should apply the date |
| 324 | 350 | range requested. If the logfile is in the standard syslog format, you can |
| 325 | 351 | use the shared script 'ApplyStdDate' to filter out only the appropriate log |
| 350 | 376 | You should probably copy an existing config for another service to create |
| 351 | 377 | a new one. |
| 352 | 378 | |
| 353 | There is only one required line. This is the command 'LogFile'. The | |
| 354 | LogFile command allows you to specify one or more *LogFile Groups* (as | |
| 379 | There is only one required line. This is the statement 'LogFile'. The | |
| 380 | LogFile statement allows you to specify one or more *LogFile Groups* (as | |
| 355 | 381 | described above) that this filter will process. Remember, any filter can |
| 356 | 382 | process any number of LogFile Groups, and any LogFile Group may contain the |
| 357 | 383 | data from any number of logfiles (and archives). |
| 567 | 593 | ======================= |
| 568 | 594 | |
| 569 | 595 | The introduction of this document listed additional sources of information. |
| 570 | In addition, the website http://www.logwatch.org contains: | |
| 596 | In addition, the website https://sourceforge.net/projects/logwatch/ contains: | |
| 571 | 597 | - the current (and some archived) distributions of Logwatch |
| 572 | - access to mailing lists where comments, suggestions, bug reports, | |
| 573 | etc., are welcome. | |
| 574 | - access to the svn repository, for the very latest code. | |
| 598 | - access to a ticket database for bugs, patches, and requests | |
| 599 | - access to the git repository, for the very latest code. | |
| 575 | 600 | |
| 576 | 601 | If you do create new services or enhancements that you feel would be useful |
| 577 | to other people, please send them to the mailing list 'logwatch-devel at | |
| 578 | lists.sourceforge.net'. | |
| 602 | to other people, please post them under: | |
| 603 | https://sourceforge.net/p/logwatch/patches/ | |
| 579 | 604 | |
| 580 | 605 | If you send patches, please make sure that you have the latest version |
| 581 | of the file from svn, and send the patch file in unified format | |
| 582 | (using 'svn diff' or 'diff -u') as an attachment. | |
| 606 | of the file from git, and send the patch file in unified format. | |
| 607 | Alternatively, create a git merge request. | |
| 583 | 608 | |
| 584 | 609 | Enhancement suggestions are more likely to be implemented if patch files |
| 585 | 610 | implementing the change are sent. |
| 21 | 21 | Archive = cron-* |
| 22 | 22 | Archive = archiv/cron-* |
| 23 | 23 | |
| 24 | *RemoveService = anacron | |
| 24 | *RemoveService = anacron,atd | |
| 25 | 25 | |
| 26 | 26 | # vi: shiftwidth=3 tabstop=3 et |
| 0 | 0 | LogFile = dovecot |
| 1 | Archive = dovecot* | |
| 1 | Archive = dovecot?* | |
| 2 | 2 | *ApplyStdDate = "%b %d %H:%M:%S " |
| 5 | 5 | # New php service, by Jeremias Reith. |
| 6 | 6 | # |
| 7 | 7 | ############################################################################### |
| 8 | # This was written and is maintained by: | |
| 8 | # This was written by: | |
| 9 | 9 | # Jeremias Reith <jr@terragate.net> |
| 10 | # | |
| 11 | 10 | # Please send all comments, suggestions, bug reports, |
| 12 | # etc, to jr@terragate.net and logwatch-devel@logwatch.org | |
| 13 | # | |
| 11 | # etc, to logwatch-devel@lists.sourceforge.net. | |
| 14 | 12 | ############################################################################### |
| 15 | 13 | |
| 16 | 14 | # What actual file? Defaults to LogPath if not absolute path.... |
| 20 | 20 | |
| 21 | 21 | # Yes = True = On = 1 |
| 22 | 22 | # No = False = Off = 0 |
| 23 | ||
| 24 | # Default Log Directory | |
| 25 | # All log-files are assumed to be given relative to this directory. | |
| 26 | LogDir = /var/log | |
| 27 | 23 | |
| 28 | 24 | # You can override the default temp directory (/tmp) here |
| 29 | 25 | TmpDir = /var/cache/logwatch |
| 135 | 131 | # |
| 136 | 132 | #HostLimit = myhost |
| 137 | 133 | |
| 134 | # Default Log Directory | |
| 135 | # All log-files are assumed to be given relative to the LogDir directory. | |
| 136 | # Multiple LogDir statements are possible. Additional configuration variables | |
| 137 | # to set particular directories follow, so LogDir need not be set. | |
| 138 | #LogDir = /var/log | |
| 138 | 139 | # |
| 139 | 140 | # By default /var/adm is searched after LogDir. |
| 140 | 141 | #AppendVarAdmToLogDirs = 1 |
| 141 | ||
| 142 | 142 | # |
| 143 | 143 | # By default /var/log is to be searched after LogDir and /var/adm/ . |
| 144 | 144 | #AppendVarLogToLogDirs = 1 |
| 145 | ||
| 146 | 145 | # |
| 147 | # By default the current working directory is searched last after LogDir, /var/adm/, and /var/log/ . | |
| 148 | #AppendCWDToLogDirs = 1 | |
| 146 | # The current working directory can be searched after the above. Not set by | |
| 147 | # default. | |
| 148 | #AppendCWDToLogDirs = 0 | |
| 149 | 149 | |
| 150 | 150 | # vi: shiftwidth=3 tabstop=3 et |
| 45 | 45 | # Which logfile group... |
| 46 | 46 | LogFile = clam-update |
| 47 | 47 | |
| 48 | # Set to true to ignore messages about outdated clamav versions | |
| 49 | # Ignore_Outdated = 1 | |
| 50 | ||
| 48 | 51 | # vi: shiftwidth=3 tabstop=3 et |
| 26 | 26 | *EventLogOnlyService = Application |
| 27 | 27 | *RemoveHeaders |
| 28 | 28 | |
| 29 | # Ignore messages matching the given regex | |
| 30 | # $ignore_messages = Security policies were propagated with warning. 0x57 | |
| 31 | ||
| 32 | # Ignore messages about certain programs holding profile registry | |
| 33 | # entries open. This is a regular expression. | |
| 34 | # $ignore_profile_program = ^lsass\.exe$ | |
| 35 | ||
| 36 | # Ignore messages for these machines that can happen when they are off the | |
| 37 | # company netowrk (e.g. laptops). This is a regular expression. | |
| 38 | # $laptopsa = | |
| 39 | ||
| 29 | 40 | # vi: shiftwidth=3 tabstop=3 et |
| 26 | 26 | *EventLogOnlyService = security |
| 27 | 27 | *RemoveHeaders |
| 28 | 28 | |
| 29 | # Ignore messages matching the given regex | |
| 30 | # $ignore_messages = | |
| 31 | ||
| 29 | 32 | # vi: shiftwidth=3 tabstop=3 et |
| 26 | 26 | *EventLogOnlyService = system |
| 27 | 27 | *RemoveHeaders |
| 28 | 28 | |
| 29 | # Ignore messages matching the given regex | |
| 30 | # $ignore_messages = | |
| 31 | ||
| 29 | 32 | # vi: shiftwidth=3 tabstop=3 et |
| 16 | 16 | *OnlyService = Server_Administrator |
| 17 | 17 | *RemoveHeaders |
| 18 | 18 | |
| 19 | # Set this if you do not care about using non-certified drives | |
| 20 | # $omsa_ignore_non_certified_drives = 1 | |
| 21 | ||
| 19 | 22 | # vi: shiftwidth=3 tabstop=3 et |
| 10 | 10 | # If you want to ignore messagges about certain actions or modules, list |
| 11 | 11 | # them here, separated by ;'s. |
| 12 | 12 | # For example, machines with intermittent network connectivity might |
| 13 | # want to ignroe issues with forwarded messages. | |
| 13 | # want to ignore issues with forwarded messages. | |
| 14 | 14 | # rsyslogd_ignore_action = action 0 |
| 15 | 15 | # rsyslogd_ignore_modules = buildtin:omfwd |
| 16 | 16 |
| 37 | 37 | # This has no effect if the $Detail variable is greater than 5. |
| 38 | 38 | #$refused_connections_threshold = 10 |
| 39 | 39 | |
| 40 | # Setting the $illegal_users_threshold variable limits the listing of | |
| 41 | # "Illegal Users" from those IP addresses that have more than the | |
| 42 | # specified threshold | |
| 43 | #$illegal_users_threshold = 4 | |
| 44 | ||
| 45 | ||
| 40 | 46 | ######################################################## |
| 41 | 47 | # This was written and is maintained by: |
| 42 | 48 | # Kirk Bauer <kirk@kaybee.org> |
| 24 | 24 | |
| 25 | 25 | ######################################################## |
| 26 | 26 | # Please send all comments, suggestions, bug reports, |
| 27 | # etc, to logwatch-devel@logwatch.org | |
| 27 | # etc, to logwatch-devel@lists.sourceforge.net. | |
| 28 | 28 | ######################################################## |
| 29 | 29 | |
| 30 | 30 | # vi: shiftwidth=3 tabstop=3 et |
| 23 | 23 | |
| 24 | 24 | ######################################################## |
| 25 | 25 | # Please send all comments, suggestions, bug reports, |
| 26 | # etc, to logwatch-devel@logwatch.org | |
| 26 | # etc, to logwatch-devel@lists.sourceforge.net. | |
| 27 | 27 | ######################################################## |
| 28 | 28 | |
| 29 | 29 | # vi: shiftwidth=3 tabstop=3 et |
| 332 | 332 | if [ $systemd -eq 1 ]; then |
| 333 | 333 | install -m 0644 scheduler/logwatch.service /lib/systemd/system/logwatch.service |
| 334 | 334 | install -m 0644 scheduler/logwatch.timer /lib/systemd/system/logwatch.timer |
| 335 | install -m 0644 scheduler/systemd.conf $BASEDIR/default.conf/systemd.conf | |
| 335 | 336 | if [ ! -e /lib/systemd/system/multi-user.target.wants ]; then |
| 336 | 337 | install -m 0755 -d /lib/systemd/system/multi-user.target.wants |
| 337 | 338 | fi |
| 0 | 0 | Summary: Analyzes and Reports on system logs |
| 1 | 1 | Name: logwatch |
| 2 | Version: 7.5.2 | |
| 2 | Version: 7.5.4 | |
| 3 | 3 | Release: 1 |
| 4 | 4 | License: MIT |
| 5 | 5 | Group: Applications/System |
| 111 | 111 | |
| 112 | 112 | |
| 113 | 113 | %changelog |
| 114 | * Wed Jul 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.4-1 | |
| 115 | ||
| 116 | * Wed Jan 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.3-1 | |
| 117 | ||
| 114 | 118 | * Mon Jul 22 2019 Bjorn <bjorn1@users.sourceforge.net> 7.5.2-1 |
| 115 | 119 | - Copying LICENSE to doc dir again |
| 116 | 120 | |
| 4 | 4 | |
| 5 | 5 | [Service] |
| 6 | 6 | Type=oneshot |
| 7 | ExecStart=/usr/sbin/logwatch | |
| 7 | # This first EnvironmentFile has the Logwatch default variables | |
| 8 | EnvironmentFile=-/usr/share/logwatch/default.conf/systemd.conf | |
| 9 | # This second EnvironmentFile is meant for system-specific | |
| 10 | # customization of variables, including overriding the defaults | |
| 11 | EnvironmentFile=-/etc/logwatch/conf/systemd.conf | |
| 12 | ExecStart=/usr/sbin/logwatch $LOGWATCH_OPTIONS |
| 0 | # This file contains the environment variables file for systemd. | |
| 1 | # They show the default values. | |
| 2 | ||
| 3 | # You can override them by declaring the same variable in the | |
| 4 | # systemd.conf file in the local configuration directory. By | |
| 5 | # default, this local configuration file is: | |
| 6 | # /etc/logwatch/conf/systemd.conf | |
| 7 | ||
| 8 | # Currently, the only defined variable is $LOGWATCH_OPTIONS, | |
| 9 | # which specifies the default options passed to the logwatch | |
| 10 | # executable when invoked with systemd. | |
| 11 | ||
| 12 | LOGWATCH_OPTIONS="--output mail" |
| 9 | 9 | |
| 10 | 10 | ######################################################## |
| 11 | 11 | # Specify version and build-date: |
| 12 | my $Version = '7.5.2'; | |
| 13 | my $VDate = '07/22/19'; | |
| 12 | my $Version = '7.5.4'; | |
| 13 | my $VDate = '07/22/20'; | |
| 14 | 14 | |
| 15 | 15 | ####################################################### |
| 16 | 16 | # Logwatch was originally written by: |
| 61 | 61 | use Getopt::Long; |
| 62 | 62 | use POSIX qw(uname); |
| 63 | 63 | use File::Temp qw/ tempdir /; |
| 64 | use Cwd; | |
| 64 | 65 | |
| 65 | 66 | eval "use lib \"$BaseDir/lib\";"; |
| 66 | 67 | eval "use Logwatch \':dates\'"; |
| 67 | 68 | |
| 68 | 69 | my (%Config, @ServiceList, @LogFileList, %ServiceData, %LogFileData); |
| 70 | my (@TempLogDirs, @LogDirs); | |
| 69 | 71 | my (@AllShared, @AllLogFiles, @FileList); |
| 70 | 72 | # These need to not be global variables one day |
| 71 | 73 | my (@ReadConfigNames, @ReadConfigValues); |
| 100 | 102 | $Config{'hostlimit'} = ""; |
| 101 | 103 | $Config{'appendvaradmtologdirs'} = 1; |
| 102 | 104 | $Config{'appendvarlogtologdirs'} = 1; |
| 103 | $Config{'appendcwdtologdirs'} = 1; | |
| 105 | $Config{'appendcwdtologdirs'} = 0; | |
| 104 | 106 | |
| 105 | 107 | if (-e "$ConfigDir/conf/html/header.html") { |
| 106 | 108 | $Config{'html_header'} = "$ConfigDir/conf/html/header.html"; |
| 118 | 120 | $Config{'html_footer'} = "$BaseDir/default.conf/html/footer.html"; |
| 119 | 121 | } |
| 120 | 122 | |
| 121 | # Logwatch now does some basic searching for logs | |
| 122 | # So if the log file is not in the log path it will check /var/adm | |
| 123 | # and then /var/log -mgt | |
| 124 | $Config{'logdir'} = "/var/log"; | |
| 125 | ||
| 126 | 123 | #Added to create switches for different os options -mgt |
| 127 | 124 | #Changed to POSIX to remove calls to uname and hostname |
| 128 | 125 | my ($OSname, $hostname, $release, $version, $machine) = POSIX::uname(); |
| 177 | 174 | } elsif (! grep(/^$ReadConfigValues[$i]$/, @ServiceList)) { |
| 178 | 175 | push @ServiceList, $ReadConfigValues[$i]; |
| 179 | 176 | } |
| 177 | } elsif ($ReadConfigNames[$i] eq "logdir") { | |
| 178 | push @TempLogDirs, $ReadConfigValues[$i]; | |
| 180 | 179 | } else { |
| 181 | 180 | $Config{$ReadConfigNames[$i]} = $ReadConfigValues[$i]; |
| 182 | 181 | } |
| 183 | 182 | } |
| 184 | ||
| 185 | my @LogDirs=("$Config{'logdir'}/"); | |
| 186 | push @LogDirs, "/var/adm/" if $Config{'appendvaradmtologdirs'}; | |
| 187 | push @LogDirs, "/var/log/" if $Config{'appendvarlogtologdirs'}; | |
| 188 | push @LogDirs, "" if $Config{'appendcwdtologdirs'}; | |
| 189 | 183 | |
| 190 | 184 | &CleanVars(); |
| 191 | 185 | |
| 204 | 198 | |
| 205 | 199 | &GetOptions ("d|detail=s" => \$Config{'detail'}, |
| 206 | 200 | "l|logfile=s@" => \@TempLogFileList, |
| 207 | "logdir=s" => \$Config{'logdir'}, | |
| 201 | "logdir=s@" => \@TempLogDirs, | |
| 208 | 202 | "s|service=s@" => \@TempServiceList, |
| 209 | 203 | "m|mailto=s" => \$tmp_mailto, |
| 210 | 204 | "filename=s" => \$tmp_savefile, |
| 227 | 221 | |
| 228 | 222 | $Help and &Usage(); |
| 229 | 223 | |
| 224 | push @TempLogDirs, "/var/adm/" if $Config{'appendvaradmtologdirs'}; | |
| 225 | push @TempLogDirs, "/var/log/" if $Config{'appendvarlogtologdirs'}; | |
| 226 | # Empty string for LogDirs entry interpreted as `cwd`, but set | |
| 227 | # explicitly here for more readable debug output | |
| 228 | push @TempLogDirs, getcwd() if $Config{'appendcwdtologdirs'}; | |
| 229 | ||
| 230 | my %logdirs_seen; | |
| 231 | for my $logdir (@TempLogDirs) { | |
| 232 | # add trainling slash to directory if not there | |
| 233 | unless ($logdir =~ m=/$=) { | |
| 234 | $logdir .= "/"; | |
| 235 | } | |
| 236 | # remove duplicates | |
| 237 | if (! $logdirs_seen{$logdir}++) { | |
| 238 | push (@LogDirs, $logdir); | |
| 239 | } else { | |
| 240 | if ($Config{'debug'} > 2) { | |
| 241 | print "Removing duplicate LogDir declaration $logdir\n"; | |
| 242 | } | |
| 243 | } | |
| 244 | } | |
| 245 | ||
| 230 | 246 | #Catch option exceptions and extra logic here -mgt |
| 231 | 247 | |
| 232 | 248 | if ($Config{'range'} =~ /help/i) { |
| 435 | 451 | |
| 436 | 452 | @{$LogFileData{$ThisLogFile}{'logfiles'}} = (); |
| 437 | 453 | @{$LogFileData{$ThisLogFile}{'archives'}} = (); |
| 454 | # We use hashes to keep track of duplicates | |
| 455 | my (%logfile_seen, %archive_seen); | |
| 438 | 456 | for (my $i = 0; $i <= $#ReadConfigNames; $i++) { |
| 439 | 457 | if (grep(/^$i$/, @Separators)) { |
| 440 | 458 | $count = 0; |
| 441 | 459 | } |
| 442 | my @TempLogFileList; | |
| 443 | 460 | if ($ReadConfigNames[$i] eq "logfile") { |
| 461 | my @TempLogFileList =(); | |
| 444 | 462 | #Lets try and find the logs -mgt |
| 445 | 463 | if ($ReadConfigValues[$i] eq "") { |
| 446 | 464 | @{$LogFileData{$ThisLogFile}{'logfiles'}} = (); |
| 465 | %logfile_seen = (); | |
| 447 | 466 | } else { |
| 448 | 467 | if ($ReadConfigValues[$i] !~ m=^/=) { |
| 449 | 468 | foreach my $dir (@LogDirs) { |
| 450 | # We glob to obtain filenames. We reverse in case | |
| 451 | # we use the decimal suffix (.0, .1, etc.) in filenames | |
| 452 | #@TempLogFileList = reverse(glob($dir . $ReadConfigValues[$i])); | |
| 453 | @TempLogFileList = sort{ | |
| 469 | # We glob to obtain filenames, and check existence | |
| 470 | push(@TempLogFileList, sort{ | |
| 454 | 471 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) |
| 455 | }(glob($dir . $ReadConfigValues[$i])); | |
| 456 | # And we check for existence once again, since glob | |
| 457 | # may return the search pattern if no files found. | |
| 458 | last if (@TempLogFileList && (-e $TempLogFileList[0])); | |
| 472 | }(grep {-e} glob($dir . $ReadConfigValues[$i]))); | |
| 459 | 473 | } |
| 460 | 474 | } else { |
| 461 | #@TempLogFileList = reverse(glob($ReadConfigValues[$i])); | |
| 462 | @TempLogFileList = sort{ | |
| 475 | push(@TempLogFileList, sort{ | |
| 463 | 476 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) |
| 464 | }(glob($ReadConfigValues[$i])); | |
| 477 | }(grep {-e} glob($ReadConfigValues[$i]))); | |
| 465 | 478 | } |
| 466 | ||
| 467 | # We attempt to remove duplicates. | |
| 468 | # Same applies to archives, in the next block. | |
| 469 | foreach my $TempLogFileName (@TempLogFileList) { | |
| 470 | if (grep(/^\Q$TempLogFileName\E$/, | |
| 471 | @{$LogFileData{$ThisLogFile}{'logfiles'}})) { | |
| 472 | if ($Config{'debug'} > 2) { | |
| 473 | print "Removing duplicate LogFile file $TempLogFileName from $ThisFile configuration.\n"; | |
| 474 | } | |
| 475 | } else { | |
| 476 | if (-e $TempLogFileName) { | |
| 477 | push @{$LogFileData{$ThisLogFile}{'logfiles'}}, | |
| 478 | $TempLogFileName; | |
| 479 | } | |
| 479 | } | |
| 480 | # We remove duplicates. | |
| 481 | # Same applies to archives, in the next block, so we keep | |
| 482 | # %logfile_seen hash for later use. | |
| 483 | if ($Config{'debug'} > 2) { | |
| 484 | for my $logfile (grep {$logfile_seen{$_}} @TempLogFileList) { | |
| 485 | print "Removing duplicate LogFile file $logfile from"; | |
| 486 | print " $ThisFile configuration.\n"; | |
| 487 | } | |
| 488 | } | |
| 489 | push(@{$LogFileData{$ThisLogFile}{'logfiles'}}, | |
| 490 | grep { ! $logfile_seen{$_}++ } @TempLogFileList); | |
| 491 | } elsif (($ReadConfigNames[$i] eq "archive") && ( $Config{'archives'} == 1)) { | |
| 492 | my @TempLogFileList =(); | |
| 493 | if ($ReadConfigValues[$i] eq "") { | |
| 494 | @{$LogFileData{$ThisLogFile}{'archives'}} = (); | |
| 495 | %archive_seen = (); | |
| 496 | } else { | |
| 497 | # Test if absolute path | |
| 498 | if ($ReadConfigValues[$i] !~ m=^/=) { | |
| 499 | foreach my $dir (@LogDirs) { | |
| 500 | # We glob to obtain filenames, and check existence | |
| 501 | push(@TempLogFileList, sort{ | |
| 502 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) | |
| 503 | }(grep {-e} glob($dir . $ReadConfigValues[$i]))); | |
| 504 | } | |
| 505 | } else { | |
| 506 | foreach my $dir (@LogDirs) { | |
| 507 | push(@TempLogFileList, sort{ | |
| 508 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) | |
| 509 | }(grep {-e} glob($ReadConfigValues[$i]))); | |
| 480 | 510 | } |
| 481 | 511 | } |
| 482 | 512 | } |
| 483 | } elsif (($ReadConfigNames[$i] eq "archive") && ( $Config{'archives'} == 1)) { | |
| 484 | if ($ReadConfigValues[$i] eq "") { | |
| 485 | @{$LogFileData{$ThisLogFile}{'archives'}} = (); | |
| 486 | } else { | |
| 487 | if ($ReadConfigValues[$i] !~ m=^/=) { | |
| 488 | foreach my $dir (@LogDirs) { | |
| 489 | # We glob to obtain filenames. We reverse in case | |
| 490 | # we use the decimal suffix (.0, .1, etc.) in filenames | |
| 491 | #@TempLogFileList = reverse(glob($dir . $ReadConfigValues[$i])); | |
| 492 | @TempLogFileList = sort{ | |
| 493 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) | |
| 494 | }(glob($dir . $ReadConfigValues[$i])); | |
| 495 | # And we check for existence once again, since glob | |
| 496 | # may return the search pattern if no files found. | |
| 497 | last if (@TempLogFileList && (-e $TempLogFileList[0])); | |
| 498 | } | |
| 499 | } else { | |
| 500 | #@TempLogFileList = reverse(glob($ReadConfigValues[$i])); | |
| 501 | @TempLogFileList = sort{ | |
| 502 | ($b =~ /(\d+)$/) <=> ($a =~ /(\d+)$/) || uc($a) cmp uc($b) | |
| 503 | }(glob($ReadConfigValues[$i])); | |
| 513 | ||
| 514 | # We remove duplicates. This time we also check | |
| 515 | # against the previous LogFile declarations. | |
| 516 | if ($Config{'debug'} > 2) { | |
| 517 | for my $logfile (grep {$archive_seen{$_}} @TempLogFileList) { | |
| 518 | print "Removing duplicate Archive file $logfile from"; | |
| 519 | print " $ThisFile configuration.\n"; | |
| 504 | 520 | } |
| 505 | ||
| 506 | # We attempt to remove duplicates. This time we also check | |
| 507 | # against the LogFile declarations. | |
| 508 | foreach my $TempLogFileName (@TempLogFileList) { | |
| 509 | if (grep(/^\Q$TempLogFileName\E$/, | |
| 510 | @{$LogFileData{$ThisLogFile}{'archives'}}) || | |
| 511 | grep(/^\Q$TempLogFileName\E$/, | |
| 512 | @{$LogFileData{$ThisLogFile}{'logfiles'}}) ) { | |
| 513 | if ($Config{'debug'} > 2) { | |
| 514 | print "Removing duplicate Archive file $TempLogFileName from $ThisFile configuration.\n"; | |
| 515 | } | |
| 516 | } else { | |
| 517 | if (-e $TempLogFileName) { | |
| 518 | push @{$LogFileData{$ThisLogFile}{'archives'}}, | |
| 519 | $TempLogFileName; | |
| 520 | } | |
| 521 | } | |
| 521 | for my $logfile (grep {$logfile_seen{$_}} @TempLogFileList) { | |
| 522 | print "Archive file $logfile in both LogFile and Archive"; | |
| 523 | print " declarations in $ThisFile configuration.\n"; | |
| 522 | 524 | } |
| 523 | 525 | } |
| 524 | ||
| 526 | push(@{$LogFileData{$ThisLogFile}{'archives'}}, | |
| 527 | grep {! $archive_seen{$_}++ } | |
| 528 | grep { ! $logfile_seen{$_}++ } @TempLogFileList); | |
| 525 | 529 | } elsif ($ReadConfigNames[$i] =~ /^\*/) { |
| 526 | 530 | if ($count == 0) { |
| 527 | 531 | @CmdList = (); |
| 697 | 701 | $ENV{'HOSTNAME'} = $Config{'hostname'}; |
| 698 | 702 | $ENV{'OSname'} = $OSname; |
| 699 | 703 | |
| 704 | my $no_egrep = system("egrep -V > /dev/null 2>&1"); | |
| 705 | ||
| 700 | 706 | #split and splitmail also play with LOGWATCH_ONLY_HOSTNAME which is not shown by debug |
| 701 | 707 | if ($Config{'hostlimit'}) { |
| 702 | 708 | #Pass the list to ENV with out touching it |
| 721 | 727 | } |
| 722 | 728 | |
| 723 | 729 | ############################################################################# |
| 724 | ||
| 725 | unless ($Config{'logdir'} =~ m=/$=) { | |
| 726 | $Config{'logdir'} .= "/"; | |
| 727 | } | |
| 728 | 730 | |
| 729 | 731 | # Okay, now it is time to do pre-processing on all the logfiles... |
| 730 | 732 | |
| 889 | 891 | if ($FileText) { |
| 890 | 892 | my $Command = $FileText . $FilterText . ">" . $TempDir . $LogFile; |
| 891 | 893 | if ($Config{'debug'}>4) { |
| 892 | print "\nPreprocessing LogFile: " . $LogFile . "\n" . $Command . "\n"; | |
| 894 | print "\nPreprocessing LogFile: " . $LogFile . "\n " . | |
| 895 | $Config{'pathtocat'} . " " . $Command . "\n"; | |
| 893 | 896 | } |
| 894 | 897 | if ($LogFile !~ /^[-_\w\d]+$/) { |
| 895 | 898 | print STDERR "Unexpected filename: [[$LogFile]]. Not used\n" |
| 983 | 986 | sub CleanVars { |
| 984 | 987 | foreach (keys %Config) { |
| 985 | 988 | unless (defined $Config{$_} and |
| 986 | ($_ =~ /^(hostname|filename|mailto|logdir|hostlimit)$/ )) { | |
| 989 | # For the following config keys, do not make any changes to value | |
| 990 | ($_ =~ /^(hostname|filename|mailto|logdir|hostlimit|mailer)$/ )) { | |
| 987 | 991 | $Config{$_} = getInt($Config{$_}); |
| 988 | 992 | } |
| 989 | 993 | } |
| 1010 | 1014 | foreach (keys %Config) { |
| 1011 | 1015 | print $_ . ' -> ' . $Config{$_} . "\n"; |
| 1012 | 1016 | } |
| 1017 | print "Logdirs List:\n"; | |
| 1018 | &PrintStdArray(@LogDirs); | |
| 1013 | 1019 | print "Service List:\n"; |
| 1014 | 1020 | &PrintStdArray(@ServiceList); |
| 1015 | 1021 | print "\n"; |
| 1301 | 1307 | my $FileText = ""; |
| 1302 | 1308 | foreach $ThisFile (@FileList) { |
| 1303 | 1309 | if (-s $TempDir . $ThisFile) { |
| 1304 | $FileText .= ( $TempDir . $ThisFile . " "); | |
| 1310 | $FileText .= ( $TempDir . $ThisFile . " " ); | |
| 1305 | 1311 | } |
| 1306 | 1312 | } |
| 1307 | 1313 | |
| 1311 | 1317 | } |
| 1312 | 1318 | @EnvList = (); |
| 1313 | 1319 | |
| 1314 | my $FilterText = " "; | |
| 1320 | my $FilterText = ""; | |
| 1315 | 1321 | foreach (sort keys %{$ServiceData{$Service}}) { |
| 1316 | 1322 | my $cmd = $_; |
| 1317 | 1323 | if ($cmd =~ s/^\d+-\*//) { |
| 1318 | 1324 | if (-f "$ConfigDir/scripts/shared/$cmd") { |
| 1319 | $FilterText .= ("$PerlVersion $ConfigDir/scripts/shared/$cmd '$ServiceData{$Service}{$_}' |" ); | |
| 1325 | $FilterText .= ("$PerlVersion $ConfigDir/scripts/shared/$cmd '$ServiceData{$Service}{$_}' | " ); | |
| 1320 | 1326 | } elsif (-f "$BaseDir/scripts/shared/$cmd") { |
| 1321 | $FilterText .= ("$PerlVersion $BaseDir/scripts/shared/$cmd '$ServiceData{$Service}{$_}' |" ); | |
| 1327 | $FilterText .= ("$PerlVersion $BaseDir/scripts/shared/$cmd '$ServiceData{$Service}{$_}' | " ); | |
| 1322 | 1328 | } else { |
| 1323 | 1329 | die "Cannot find shared script $cmd\n"; |
| 1324 | 1330 | } |
| 1389 | 1395 | if ($FileList[0] eq 'none') { |
| 1390 | 1396 | $Command = " $FilterText 2>&1 "; |
| 1391 | 1397 | } elsif ($FileText) { |
| 1398 | $Command = " ( $Config{'pathtocat'} $FileText| " ; | |
| 1399 | if ($ServiceData{$Service}{pre_ignore}) { | |
| 1400 | if ($no_egrep) { | |
| 1401 | die "No egrep executable found, which is required when\n" . | |
| 1402 | "using the Pre_Ignore variable in configuration \n" . | |
| 1403 | "file ${Service}.conf\n"; | |
| 1404 | } else { | |
| 1405 | $Command .= "egrep -v \"$ServiceData{$Service}{pre_ignore}\" | "; | |
| 1406 | } | |
| 1407 | } | |
| 1392 | 1408 | if ($HostStrip ne " ") { |
| 1393 | $Command = " ( $Config{'pathtocat'} $FileText | $HostStrip | $FilterText) 2>&1 "; | |
| 1394 | } else { | |
| 1395 | $Command = " ( $Config{'pathtocat'} $FileText | $FilterText) 2>&1 "; | |
| 1409 | $Command .= "$HostStrip | "; | |
| 1396 | 1410 | } |
| 1411 | $Command .= "$FilterText) 2>&1 "; | |
| 1397 | 1412 | } |
| 1398 | 1413 | } |
| 1399 | 1414 | |
| 50 | 50 | ( $ThisLine =~ /^afp_zzz: (entering|waking up from) (normal|extended) sleep/ ) or |
| 51 | 51 | ( $ThisLine =~ /^afp_disconnect: trying primary reconnect/ ) or |
| 52 | 52 | ( $ThisLine =~ /^afp_disconnect: primary reconnect succeeded/ ) or |
| 53 | ( $ThisLine =~ /^Netatalk AFP\/TCP listening on /) or | |
| 53 | 54 | ( $ThisLine =~ /^Reconnect: transfering session to child/ ) or |
| 54 | 55 | ( $ThisLine =~ /^Reconnect: killing new session child.* after transfer/ ) or |
| 55 | 56 | ( $ThisLine =~ /^afp_dsi_transfer_session: successfull primary reconnect/ ) or |
| 54 | 54 | # will be output. |
| 55 | 55 | ######################################################################### |
| 56 | 56 | |
| 57 | use strict; | |
| 58 | use warnings; | |
| 57 | 59 | use Logwatch ':dates'; |
| 58 | 60 | |
| 59 | 61 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'}; |
| 62 | my $Ignore_Outdated = $ENV{'ignore_outdated'} || 0; | |
| 60 | 63 | |
| 61 | 64 | my $time = time; |
| 62 | 65 | my $Date; |
| 68 | 71 | |
| 69 | 72 | my %Starts; |
| 70 | 73 | my %Errors; |
| 74 | my %Outdated; | |
| 71 | 75 | my %Warnings; |
| 72 | 76 | |
| 73 | 77 | |
| 110 | 114 | } |
| 111 | 115 | } else { |
| 112 | 116 | $InRange = 0; |
| 117 | %Warnings = (); | |
| 113 | 118 | } |
| 114 | 119 | # $Version was already logged if necessary, so now we clear it |
| 115 | 120 | $Version = ""; |
| 119 | 124 | if ((my $Text) = ($ThisLine =~ /^ERROR: (.*)/)) { |
| 120 | 125 | $Errors{$Text}++; |
| 121 | 126 | } elsif (($Text) = ($ThisLine =~ /^WARNING: (.*)/)) { |
| 122 | $Warnings{$Text}++; | |
| 127 | if ($Text =~ /OUTDATED|Local version/) { | |
| 128 | next if $Ignore_Outdated; | |
| 129 | $Outdated{$Text}++; | |
| 130 | } else { | |
| 131 | $Warnings{$Text}++; | |
| 132 | } | |
| 123 | 133 | } |
| 124 | 134 | } |
| 125 | 135 | } |
| 157 | 167 | print "\n" . $Status; |
| 158 | 168 | }; |
| 159 | 169 | |
| 170 | ||
| 171 | if (keys %Outdated) { | |
| 172 | print "\n"; | |
| 173 | foreach my $Text (keys %Outdated) { | |
| 174 | print "$Text\n"; | |
| 175 | } | |
| 176 | } | |
| 177 | ||
| 160 | 178 | if ($Detail >= 10) { |
| 161 | 179 | if ((keys %Errors) or (keys %Warnings)) { |
| 162 | 180 | print "\nThe following ERRORS and/or WARNINGS were detected when\n"; |
| 205 | 205 | } |
| 206 | 206 | } |
| 207 | 207 | |
| 208 | if (%CRONDErr) { | |
| 209 | printf "\n crond daemon errors \n"; | |
| 210 | for $key (keys %CRONDErr) { | |
| 211 | print " " . $key . ": " . $CRONDErr{$key} . " time(s)\n"; | |
| 212 | } | |
| 213 | } | |
| 214 | ||
| 215 | if (%INCRONDErr) { | |
| 216 | printf "\n incrond daemon errors \n"; | |
| 217 | for $key (keys %INCRONDErr) { | |
| 218 | print " " . $key . ": " . $INCRONDErr{$key} . " time(s)\n"; | |
| 219 | } | |
| 220 | } | |
| 221 | ||
| 222 | if (%SELCONTErr) { | |
| 223 | printf "\n SELinux context error \n"; | |
| 224 | for $key (keys %SELCONTErr) { | |
| 225 | print " " . $key . ": " . $SELCONTErr{$key} . " time(s)\n"; | |
| 226 | } | |
| 227 | } | |
| 228 | ||
| 229 | if ($PAMAUTHErr) { | |
| 230 | printf "\nPAM authentication error: " . $PAMAUTHErr . " time(s)\n"; | |
| 231 | } | |
| 232 | ||
| 233 | if (%CHDIRErr) { | |
| 234 | printf "\nchdir command failed\n"; | |
| 235 | foreach (keys %CHDIRErr) { | |
| 236 | my ($File,$Cause) = split ","; | |
| 237 | print " for directory " . $File . " (" . $Cause . ")". ": " . $CHDIRErr{"$File,$Cause"} . " time(s)\n"; | |
| 238 | } | |
| 239 | } | |
| 240 | ||
| 241 | if ($CHUSERHErr) { | |
| 242 | printf "\nUser change error: " . $CHUSERHErr . " time(s)\n"; | |
| 243 | } | |
| 244 | ||
| 208 | 245 | if (keys %{$Runs} and ($Detail >= 5)) { |
| 209 | 246 | print "\n\nCommands Run:\n"; |
| 210 | 247 | foreach $i (sort {$a cmp $b} keys %{$Runs}) { |
| 230 | 267 | } |
| 231 | 268 | } |
| 232 | 269 | |
| 270 | if (keys %WFO) { | |
| 271 | foreach $i (keys %WFO) { | |
| 272 | printf "\n Wrong file owner (". $i ."): " . $WFO{$i}. " Time(s)\n"; | |
| 273 | } | |
| 274 | } | |
| 275 | ||
| 276 | if ($Ntpdate) { | |
| 277 | print "\nNtpdate: adjusted $Ntpdate times\n"; | |
| 278 | print "\tMinimum offset $ntpdateminoffset\n"; | |
| 279 | print "\tMaximum offset $ntpdatemaxoffset\n"; | |
| 280 | } | |
| 281 | ||
| 282 | if($ntpdatenosync) { | |
| 283 | print "\nNtpDate could not sync: $ntpdatenosync times\n"; | |
| 284 | } | |
| 285 | ||
| 233 | 286 | if ($Detail >= 10) { |
| 234 | 287 | if (keys %UserReloads) { |
| 235 | 288 | print " User crontabs reloaded:\n"; |
| 249 | 302 | if ($Reloads > 0) { |
| 250 | 303 | print "\nCRON Reloaded system crontab $Reloads Time(s)\n"; |
| 251 | 304 | } |
| 252 | } | |
| 253 | ||
| 254 | if (keys %WFO) { | |
| 255 | foreach $i (keys %WFO) { | |
| 256 | printf "\n Wrong file owner (". $i ."): " . $WFO{$i}. " Time(s)\n"; | |
| 257 | } | |
| 258 | } | |
| 259 | ||
| 260 | if ($Ntpdate) { | |
| 261 | print "\nNtpdate: adjusted $Ntpdate times\n"; | |
| 262 | print "\tMinimum offset $ntpdateminoffset\n"; | |
| 263 | print "\tMaximum offset $ntpdatemaxoffset\n"; | |
| 264 | } | |
| 265 | ||
| 266 | if($ntpdatenosync) { | |
| 267 | print "\nNtpDate could not sync: $ntpdatenosync times\n"; | |
| 268 | } | |
| 269 | ||
| 270 | if ($INCRONDSS) { | |
| 271 | printf "\n service incrond started " . $INCRONDSS . ": time(s)\n"; | |
| 272 | } | |
| 273 | ||
| 274 | if ($INCRONDStS) { | |
| 275 | printf "\n service incrond stoped " . $INCRONDStS . ": time(s)\n"; | |
| 276 | } | |
| 277 | ||
| 278 | if ((%INCRONDSTCr) || (%INCRONDUTCr)) { | |
| 279 | printf "\n created tables \n"; | |
| 280 | for $key (keys %INCRONDSTCr) { | |
| 281 | print " system table " . $key . " created " . $INCRONDSTCr{$key} . ": time(s)\n"; | |
| 282 | } | |
| 283 | for $key (keys %INCRONDUTCr) { | |
| 284 | print " table for user " . $key . " created " . $INCRONDUTCr{$key}. ": time(s)\n"; | |
| 285 | } | |
| 286 | } | |
| 287 | ||
| 288 | if ((%INCRONDSTCh) || (%INCRONDUTCh)) { | |
| 289 | printf "\n changes of tables \n"; | |
| 290 | for $key (keys %INCRONDSTCh) { | |
| 291 | print " system table " . $key . " changed " . $INCRONDSTCh{$key} . ": time(s)\n"; | |
| 292 | } | |
| 293 | for $key (keys %INCRONDUTCh) { | |
| 294 | print " table for user " . $key . "changed " . $INCRONDUTCh{$key} . ": time(s)\n"; | |
| 295 | } | |
| 296 | } | |
| 297 | ||
| 298 | if ((%INCRONDSTDe) || (%INCRONDUTDe)) { | |
| 299 | printf "\n destroyed tables \n"; | |
| 300 | for $key (keys %INCRONDSTDe) { | |
| 301 | print " system table " . $key . " destroyed " . $INCRONDSTDe{$key} . ": time(s)\n"; | |
| 302 | } | |
| 303 | for $key (keys %INCRONDUTDe) { | |
| 304 | print " table for user ". $key ." destroyed " .$INCRONDUTDe{$key} . ": time(s)\n"; | |
| 305 | } | |
| 306 | } | |
| 307 | ||
| 308 | if (%CRONDErr) { | |
| 309 | printf "\n crond daemon errors \n"; | |
| 310 | for $key (keys %CRONDErr) { | |
| 311 | print " " . $key . ": " . $CRONDErr{$key} . " time(s)\n"; | |
| 312 | } | |
| 313 | } | |
| 314 | ||
| 315 | if (%INCRONDErr) { | |
| 316 | printf "\n incrond daemon errors \n"; | |
| 317 | for $key (keys %INCRONDErr) { | |
| 318 | print " " . $key . ": " . $INCRONDErr{$key} . " time(s)\n"; | |
| 319 | } | |
| 320 | } | |
| 321 | ||
| 322 | if (%SELCONTErr) { | |
| 323 | printf "\n SELinux context error \n"; | |
| 324 | for $key (keys %SELCONTErr) { | |
| 325 | print " " . $key . ": " . $SELCONTErr{$key} . " time(s)\n"; | |
| 326 | } | |
| 327 | } | |
| 328 | ||
| 329 | if ($PAMAUTHErr) { | |
| 330 | printf "\nPAM authentication error: " . $PAMAUTHErr . " time(s)\n"; | |
| 331 | } | |
| 332 | ||
| 333 | if (%CHDIRErr) { | |
| 334 | printf "\nchdir command failed\n"; | |
| 335 | foreach (keys %CHDIRErr) { | |
| 336 | my ($File,$Cause) = split ","; | |
| 337 | print " for directory " . $File . " (" . $Cause . ")". ": " . $CHDIRErr{"$File,$Cause"} . " time(s)\n"; | |
| 338 | } | |
| 339 | } | |
| 340 | ||
| 341 | if ($CHUSERHErr) { | |
| 342 | printf "\nUser change error: " . $CHUSERHErr . " time(s)\n"; | |
| 305 | ||
| 306 | if ($INCRONDSS) { | |
| 307 | printf "\n service incrond started " . $INCRONDSS . ": time(s)\n"; | |
| 308 | } | |
| 309 | ||
| 310 | if ($INCRONDStS) { | |
| 311 | printf "\n service incrond stoped " . $INCRONDStS . ": time(s)\n"; | |
| 312 | } | |
| 313 | ||
| 314 | if ((%INCRONDSTCr) || (%INCRONDUTCr)) { | |
| 315 | printf "\n created tables \n"; | |
| 316 | for $key (keys %INCRONDSTCr) { | |
| 317 | print " system table " . $key . " created " . $INCRONDSTCr{$key} . ": time(s)\n"; | |
| 318 | } | |
| 319 | for $key (keys %INCRONDUTCr) { | |
| 320 | print " table for user " . $key . " created " . $INCRONDUTCr{$key}. ": time(s)\n"; | |
| 321 | } | |
| 322 | } | |
| 323 | ||
| 324 | if ((%INCRONDSTCh) || (%INCRONDUTCh)) { | |
| 325 | printf "\n changes of tables \n"; | |
| 326 | for $key (keys %INCRONDSTCh) { | |
| 327 | print " system table " . $key . " changed " . $INCRONDSTCh{$key} . ": time(s)\n"; | |
| 328 | } | |
| 329 | for $key (keys %INCRONDUTCh) { | |
| 330 | print " table for user " . $key . "changed " . $INCRONDUTCh{$key} . ": time(s)\n"; | |
| 331 | } | |
| 332 | } | |
| 333 | ||
| 334 | if ((%INCRONDSTDe) || (%INCRONDUTDe)) { | |
| 335 | printf "\n destroyed tables \n"; | |
| 336 | for $key (keys %INCRONDSTDe) { | |
| 337 | print " system table " . $key . " destroyed " . $INCRONDSTDe{$key} . ": time(s)\n"; | |
| 338 | } | |
| 339 | for $key (keys %INCRONDUTDe) { | |
| 340 | print " table for user ". $key ." destroyed " .$INCRONDUTDe{$key} . ": time(s)\n"; | |
| 341 | } | |
| 342 | } | |
| 343 | 343 | } |
| 344 | 344 | |
| 345 | 345 | if ($#OtherList >= 0) { |
| 187 | 187 | if ($Detail >= 7) { |
| 188 | 188 | $data{'DNS Mappings'}{$line}++; |
| 189 | 189 | } |
| 190 | } elsif ($line =~ s/^[Aa]dded reverse map from ([0-9a-fA-F.]+\.ip6\.arpa\.?) to ([a-zA-Z\d\._-]+)\s*$/Add reverse $1 -> $2/) { | |
| 191 | if ($Detail >= 7) { | |
| 192 | $data{'DNS Mappings'}{$line}++; | |
| 193 | } | |
| 190 | 194 | } elsif ($line =~ s/^[Rr]emoved reverse map on (\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?\s*$/Remove reverse $4.$3.$2.$1/) { |
| 191 | 195 | if ($Detail >= 7) { |
| 192 | 196 | $data{'DNS Mappings'}{$line}++; |
| 193 | 197 | } |
| 198 | } elsif ($line =~ s/^[Rr]emoved reverse map on ([0-9a-fA-F.]+\.ip6\.arpa\.?)/Remove reverse $1/) { | |
| 199 | if ($Detail >= 7) { | |
| 200 | $data{'DNS Mappings'}{$line}++; | |
| 201 | } | |
| 194 | 202 | } elsif ($line =~ s/^Added new forward map from ([a-zA-Z\d\._-]+) to ([\d\.]+)\s*$/Add forward $1 -> $2/) { |
| 195 | 203 | if ($Detail >= 7) { |
| 196 | 204 | $data{'DNS Mappings'}{$line}++; |
| 197 | 205 | } |
| 206 | } elsif ($line =~ s/^Added new forward map from ([a-zA-Z\d\._-]+) to ([0-9a-fA-F:]+)\s*$/Add forward $1 -> $2/) { | |
| 207 | if ($Detail >= 7) { | |
| 208 | $data{'DNS Mappings'}{$line}++; | |
| 209 | } | |
| 198 | 210 | } elsif ($line =~ s/^Removed forward map from ([a-zA-Z\d\._-]+) to ([\d\.]+)\s*$/Remove forward $1 -> $2/) { |
| 211 | if ($Detail >= 7) { | |
| 212 | $data{'DNS Mappings'}{$line}++; | |
| 213 | } | |
| 214 | } elsif ($line =~ s/^Removed forward map from ([a-zA-Z\d\._-]+) to ([0-9a-fA-F:]+)\s*$/Remove forward $1 -> $2/) { | |
| 199 | 215 | if ($Detail >= 7) { |
| 200 | 216 | $data{'DNS Mappings'}{$line}++; |
| 201 | 217 | } |
| 7 | 7 | ######################################################## |
| 8 | 8 | |
| 9 | 9 | ######################################################## |
| 10 | ## Copyright (c) 2014 Orion Poplawski | |
| 10 | ## Copyright (c) 2014-2019 Orion Poplawski | |
| 11 | 11 | ## Covered under the included MIT/X-Consortium License: |
| 12 | 12 | ## http://www.opensource.org/licenses/mit-license.php |
| 13 | 13 | ## All modifications and contributions by other persons to |
| 59 | 59 | or $ThisLine =~ /^ldbm_back_.* - conn=/ |
| 60 | 60 | or $ThisLine =~ /^ldbm_usn_init - backend: / |
| 61 | 61 | # https://pagure.io/389-ds-base/issue/48973 |
| 62 | or $ThisLine =~ /^default_mr_indexer_create: warning - plugin \[caseIgnoreIA5Match\] does not handle caseExactIA5Match/ | |
| 62 | or $ThisLine =~ /default_mr_indexer_create.*- [Pp]lugin \[caseIgnoreIA5Match\] does not handle caseExactIA5Match/ | |
| 63 | or $ThisLine =~ /^WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password/ | |
| 64 | or $ThisLine =~ /^ERR - NSACLPlugin - acl_parse - The ACL target .* does not exist/ | |
| 65 | or $ThisLine =~ /^ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition .*no CoS Templates found, which should be added before the CoS Definition/ | |
| 63 | 66 | ) { |
| 64 | 67 | #Ignore |
| 65 | 68 | } elsif ($ThisLine =~ /^ERR - / |
| 106 | 109 | } |
| 107 | 110 | |
| 108 | 111 | if (keys %Errors and keys %ErrorThreshold) { |
| 109 | LINE: foreach my $line (sort {$a cmp $b} keys %Errors) { | |
| 112 | LINE: foreach my $line (keys %Errors) { | |
| 110 | 113 | foreach my $regex (keys %ErrorThreshold) { |
| 111 | 114 | if ($line =~ /$regex/i and $Errors{$line} <= $ErrorThreshold{$regex}) { |
| 112 | 115 | delete $Errors{$line}; |
| 116 | 119 | } |
| 117 | 120 | } |
| 118 | 121 | |
| 122 | if (keys %Warnings and keys %ErrorThreshold) { | |
| 123 | LINE: foreach my $line (keys %Warnings) { | |
| 124 | foreach my $regex (keys %ErrorThreshold) { | |
| 125 | if ($line =~ /$regex/i and $Warnings{$line} <= $ErrorThreshold{$regex}) { | |
| 126 | delete $Warnings{$line}; | |
| 127 | next LINE; | |
| 128 | } | |
| 129 | } | |
| 130 | } | |
| 131 | } | |
| 132 | ||
| 119 | 133 | if (keys %Errors) { |
| 120 | 134 | print "\n** ERRORS **\n"; |
| 121 | 135 | foreach my $line (sort {$a cmp $b} keys %Errors) { |
| 76 | 76 | print " ". $ThisOne; |
| 77 | 77 | } |
| 78 | 78 | } |
| 79 | if (keys %PackageUpdate) { | |
| 80 | print "\nPackages Updated:\n"; | |
| 81 | chomp(my @Updated = sort {lc($a) cmp lc($b)} keys %PackageUpdated); | |
| 82 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdate) { | |
| 83 | print " ". shift(@Updated) ." -> ". $ThisOne; | |
| 79 | if (keys %PackageUpdate == keys %PackageUpdated) { | |
| 80 | if (keys %PackageUpdate) { | |
| 81 | print "\nPackages Updated:\n"; | |
| 82 | chomp(my @Updated = sort {lc($a) cmp lc($b)} keys %PackageUpdated); | |
| 83 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdate) { | |
| 84 | print " ". shift(@Updated) ." -> ". $ThisOne; | |
| 85 | } | |
| 86 | } | |
| 87 | } else { | |
| 88 | print "\nPackages Updated (Count Mismatch)"; | |
| 89 | if (keys %PackageUpdate) { | |
| 90 | print "\nPackages To Be Updated:\n"; | |
| 91 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdate) { | |
| 92 | print " ". $ThisOne; | |
| 93 | } | |
| 94 | } | |
| 95 | if (keys %PackageUpdated) { | |
| 96 | print "\nPackages Updated To:\n"; | |
| 97 | foreach $ThisOne (sort {lc($a) cmp lc($b)} keys %PackageUpdated) { | |
| 98 | print " ". $ThisOne; | |
| 99 | } | |
| 84 | 100 | } |
| 85 | 101 | } |
| 86 | 102 | if (keys %PackageDowngrade) { |
| 64 | 64 | my %LoginIMAP; |
| 65 | 65 | my %LoginPOP3; |
| 66 | 66 | my %MUAList; |
| 67 | my %MUASessionList; | |
| 67 | 68 | my %OtherList; |
| 68 | 69 | my %ProxyConnection; |
| 69 | 70 | my %ProxyConnectionIMAP; |
| 113 | 114 | my $dovecottag = qr/dovecot(?:\[\d+\])?:(?:\s*\[[^]]+\])?/; |
| 114 | 115 | |
| 115 | 116 | while (defined(my $ThisLine = <STDIN>)) { |
| 116 | # remove timestamp. We can't use *RemoveHeaders because we need the | |
| 117 | # service name | |
| 117 | # The *RemoveHeaders script is now invoked in the service configuration file | |
| 118 | # so this next line is no longer needed | |
| 118 | 119 | #$ThisLine =~ s/^\w{3} .\d \d\d:\d\d:\d\d (?:[^\s:]* |)//; |
| 119 | 120 | if ( ($ThisLine =~ /(?:ssl-build-param|ssl-params): SSL parameters regeneration completed/) or |
| 120 | 121 | ($ThisLine =~ /ssl-params: Generating SSL parameters/) or |
| 150 | 151 | $Connection{$Host}++; |
| 151 | 152 | } |
| 152 | 153 | } elsif ( (my ($User, $Host) = ( $ThisLine =~ /^(?:$dovecottag )?imap-login: Login: (.*?) \[(.*)\]/ ) ) or |
| 153 | (my ($User, $Host) = ( $ThisLine =~ /^(?:$dovecottag )?imap-login: (?:Info: )?Login: user=\<(.*?)\>.*rip=(.*), lip=/ ) ) ) { | |
| 154 | (my ($User, $Host, $Session) = ( $ThisLine =~ /^(?:$dovecottag )?imap-login: (?:Info: )?Login: user=\<(.*?)\>.*rip=(.*), lip=.*, session=<([^>]+)>/ ) ) ) { | |
| 154 | 155 | if ($Host !~ /$IgnoreHost/) { |
| 155 | 156 | $Host = hostName($Host); |
| 156 | 157 | $Login{$User}{$Host}++; |
| 157 | 158 | $LoginIMAP{$User}++; |
| 158 | 159 | $ConnectionIMAP{$Host}++; |
| 159 | 160 | $Connection{$Host}++; |
| 161 | if (defined($MUASessionList{$Session})) { | |
| 162 | $MUAList{$MUASessionList{$Session}}{$User}++; | |
| 163 | delete $MUASessionList{$Session}; | |
| 164 | } | |
| 160 | 165 | } |
| 161 | 166 | } elsif (my ($User, $Host) = ( $ThisLine =~ /managesieve-login: Login: user=\<(.*?)\>.*rip=(.*), lip=/ ) ) { |
| 162 | 167 | if ($Host !~ /$IgnoreHost/) { |
| 192 | 197 | $Deliver{$User}{$Mailbox}++; |
| 193 | 198 | |
| 194 | 199 | # LMTP-based Sieve delivery Dovecot 2.3 |
| 195 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\)(?:<[^>]+><[^>]+>)?: sieve: msgid=.*: stored mail into mailbox '?(.*)'?/ ) ) { | |
| 200 | } elsif (my ($User, $Mailbox) = ( $ThisLine =~ /^$dovecottag lmtp\((.*)\)(?:<[^>]+><[^>]+>)?: sieve: msgid=.*: stored mail into mailbox '(.*)'/ ) ) { | |
| 196 | 201 | $Deliver{$User}{$Mailbox}++; |
| 197 | 202 | |
| 198 | 203 | # sieve forward |
| 200 | 205 | $Forwarded{$User}{$Recip}++; |
| 201 | 206 | |
| 202 | 207 | # sieve pipe |
| 203 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?pipe action: piped message to program `.*'/) or | |
| 204 | my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\): sieve: (?:msgid=.*: )?left message in mailbox '.*'/) ) { | |
| 208 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\)(?:<[^>]+><[^>]+>)?: sieve: (?:msgid=.*: )?pipe action: piped message to program `.*'/) or | |
| 209 | my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:imap|lmtp)\((.*?)\)(?:<[^>]+><[^>]+>)?: sieve: (?:msgid=.*: )?left message in mailbox '.*'/) ) { | |
| 205 | 210 | # dovecot: imap(user@domain.com): sieve: pipe action: piped message to program `sa-learn-sieve.sh' |
| 206 | 211 | # dovecot: imap(user@domain.com): sieve: left message in mailbox 'INBOX.Spam' |
| 207 | 212 | # dovecot: lmtp(spam@domain.com): sieve: msgid=<6e3eb3f436fdca54@host.domain.com>: pipe action: piped message to program `sa-learn-sieve.sh' |
| 214 | 219 | } elsif (my ($User, $Recip) = ($ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*)\)(?:<[^>]+><[^>]+>)?:(?: .*:)? sieve: msgid=.* discarded duplicate vacation response to \<(.*)\>/ )) { |
| 215 | 220 | $VacationDup{$User}{$Recip}++; |
| 216 | 221 | |
| 217 | } elsif ( $ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\(.*\): .*sieve: msgid=.* marked message to be discarded if not explicitly delivered/ ) { | |
| 218 | # dovecot: lda(joe): sieve: msgid=<m$01$@com>: marked message to be discarded if not explicitly delivered (discard action) | |
| 222 | } elsif ( $ThisLine =~ /^$dovecottag (?:lda|deliver|lmtp)\((?:\d+, )?(.*)\)(?:<[^>]+><[^>]+>)?:(?: .*:)? sieve: msgid=.* [Mm]arked message to be discarded if not explicitly delivered/ ) { | |
| 223 | # dovecot: lda(joe)<3424><4kj83kjfhskjfh>: sieve: msgid=<m$01$@com>: discard action: marked message to be discarded if not explicitly delivered (discard action) | |
| 219 | 224 | # IGNORE |
| 220 | 225 | } elsif ( $ThisLine =~ /^$dovecottag lmtp\(.*\): Connect from/ ) { |
| 221 | 226 | # dovecot: [ID 583609 mail.info] lmtp(12782): Connect from local: 1 Time(s) |
| 223 | 228 | |
| 224 | 229 | } elsif ( $ThisLine =~ /^$dovecottag lmtp\(.*\): Disconnect from/ ) { |
| 225 | 230 | # dovecot: [ID 583609 mail.info] lmtp(12782): Disconnect from local: Client quit: 1 Time(s) |
| 231 | # IGNORE | |
| 232 | ||
| 233 | } elsif ($ThisLine =~ /^$dovecottag doveadm\(.*\)\: Executing command '.*' as '.*'/ or | |
| 234 | $ThisLine =~ /^$dovecottag doveadm\(.*\)(?:<[^>]+><[^>]+>)?: doveadm: .*/ ) { | |
| 235 | # dovecot: doveadm(::1): Executing command 'quota get' as 'user@domain.com' | |
| 236 | # dovecot: doveadm(user@domain.com)<11075><P/qmJj0ktF1DKwAAsNnMGQ>: doveadm: ::1 - - "POST /doveadm/v1 HTTP/1.1" 200 249 "http://localhost:8080/doveadm/v1" "" | |
| 226 | 237 | # IGNORE |
| 227 | 238 | |
| 228 | 239 | # Dovecot 2.0 proxy |
| 311 | 322 | # This is with imap_id_log = * enabled |
| 312 | 323 | } elsif (my ($User,$MUA) = ($ThisLine =~ /imap\((.*)\): ID sent: name=(.*)/)) { |
| 313 | 324 | $MUAList{$MUA}{$User}++; |
| 325 | # Need to match these later | |
| 326 | } elsif (my ($MUA, $Session) = ($ThisLine =~ /imap-login: ID sent: name=(.*): user=.*, session=<([^>]+)>/)) { | |
| 327 | $MUASessionList{$Session} = $MUA; | |
| 314 | 328 | # These are failed connections with imap_id_log = * enabled |
| 315 | 329 | } elsif ($ThisLine =~ /imap-login: ID sent: (?:name|vendor)=/) { |
| 316 | 330 | # Ignore |
| 22 | 22 | ## copyright please contact logwatch-devel@lists.sourceforge.net. |
| 23 | 23 | ######################################################### |
| 24 | 24 | |
| 25 | use strict; | |
| 26 | use warnings; | |
| 25 | 27 | use URI::URL; |
| 26 | 28 | |
| 27 | 29 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 30 | my $Ignore_messages = $ENV{'ignore_messages'} || '^$'; | |
| 31 | my $Ignore_profile_program = $ENV{'ignore_profile_program'} || '^$'; | |
| 32 | my $Laptops = $ENV{'laptops'} || '^$'; | |
| 33 | my %Applications; | |
| 28 | 34 | |
| 29 | while (defined($ThisLine = <STDIN>)) { | |
| 35 | while (defined(my $ThisLine = <STDIN>)) { | |
| 36 | # User specified ignore messages, lower cased | |
| 37 | next if $ThisLine =~ /$Ignore_messages/i; | |
| 38 | ||
| 30 | 39 | my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra); |
| 31 | 40 | #Determine format |
| 32 | 41 | if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 |
| 43 | 52 | next; |
| 44 | 53 | } |
| 45 | 54 | next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen"; |
| 55 | next if $ExpandedString eq "N/A"; | |
| 56 | ||
| 57 | # Remove some items that prevent de-duplication | |
| 58 | $ExpandedString =~ s/(NextScheduled\S+|PID) \d+/$1 XXX/; | |
| 59 | $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,; | |
| 46 | 60 | |
| 47 | 61 | #print STDERR "ExpandedString = $ExpandedString\n"; |
| 48 | 62 | if ($Application =~ /Userenv/) { |
| 49 | 63 | $ExpandedString = "$UserName $ExpandedString"; |
| 50 | 64 | } |
| 51 | if ($Application =~ /AutoEnrollment/) { | |
| 65 | ||
| 66 | if ($Application eq "Application Error") { | |
| 67 | if (my ($exe, $exever, $module, $modulever) = | |
| 68 | ($ExpandedString =~ /Faulting application name: (.*), version: (\S+), time stamp: .*Faulting module name: (.*), version: (\S+)/)) { | |
| 69 | $Applications{$Application}->{"$Hostname: Faulting application name: $exe, version: $exever, module name: $module, version $modulever"}++; | |
| 70 | next; | |
| 71 | } | |
| 72 | } elsif ($Application eq "Application Hang") { | |
| 73 | if (my ($exe, $exever, $msg) = | |
| 74 | ($ExpandedString =~ /The program (.*) version (\S+) (.*) Process ID:/)) { | |
| 75 | $Applications{$Application}->{"$Hostname: The program $exe version $exever $msg"}++; | |
| 76 | next; | |
| 77 | } else { | |
| 78 | print "Application Hang: Cannot parse $ExpandedString\n"; | |
| 79 | } | |
| 80 | } elsif ($Application eq "AutoEnrollment") { | |
| 52 | 81 | #Ignore these - we don't run active directory |
| 53 | 82 | next if $ExpandedString =~ /Automatic certificate enrollment for local system failed to contact the active directory/; |
| 54 | } | |
| 55 | if ($Application =~ /Intel Alert/) { | |
| 83 | } elsif ($Application =~ /^Group Policy/) { | |
| 84 | next if $ExpandedString =~ /This error was suppressed/; | |
| 85 | next if $ExpandedString =~ /could not apply .* The network path was not found/ and $Hostname =~ /$Laptops/i; | |
| 86 | } elsif ($Application =~ /Intel Alert/) { | |
| 56 | 87 | #Ignore these |
| 57 | 88 | next if $ExpandedString =~ /Intel Alert Originator Manager loaded without security/; |
| 58 | 89 | next if $ExpandedString =~ /Service Initialized Successfully/; |
| 59 | } | |
| 60 | if ($Application =~ /LoadPerf/) { | |
| 90 | } elsif ($Application =~ /LoadPerf/) { | |
| 61 | 91 | #Ignore these |
| 62 | 92 | next if $ExpandedString =~ /Performance counters for the .* service were loaded successfully/; |
| 63 | 93 | next if $ExpandedString =~ /Performance counters for the .* service were removed successfully/; |
| 64 | } | |
| 65 | if ($Application =~ /NSCTOP/) { | |
| 94 | } elsif ($Application =~ /NSCTOP/) { | |
| 66 | 95 | #Ignore these |
| 67 | 96 | next if $ExpandedString =~ /Service started/; |
| 68 | } | |
| 69 | if ($Application =~ /Norton Ghost/) { | |
| 97 | } elsif ($Application eq "Microsoft-Windows-CertificationAuthority") { | |
| 98 | next if $ExpandedString =~ /The Active Directory connection to .* has been reestablished to/; | |
| 99 | } elsif ($Application eq "Microsoft-Windows-Search") { | |
| 100 | next if $ExpandedString =~ /The content source .* cannot be accessed. Context: Application, SystemIndex Catalog Details: The object was not found/; | |
| 101 | } elsif ($Application eq "Microsoft-Windows-User Profiles Service") { | |
| 102 | if ( my ($program) = ($ExpandedString =~ /^Windows detected your registry file is still in use by other applications or services. The file will be unloaded now\..* Process \d+ \(\\Device\\.*\\(.*)\) has opened key .*/)) { | |
| 103 | next if $program =~ /$Ignore_profile_program/; | |
| 104 | } | |
| 105 | } elsif ($Application =~ /Norton Ghost/) { | |
| 70 | 106 | #Ignore these |
| 71 | 107 | next if $ExpandedString =~ /Norton Ghost service started successfully/; |
| 72 | 108 | next if $ExpandedString =~ /A scheduled baseline backup of .* completed successfully/; |
| 73 | 109 | next if $ExpandedString =~ /A scheduled incremental backup of .* completed successfully/; |
| 74 | } | |
| 75 | if ($Application =~ /SNARE/) { | |
| 110 | } elsif ($Application =~ /SecurityCenter/) { | |
| 111 | #Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1 | |
| 112 | next if $ExpandedString =~ /The Security Center service has been stopped. It was prevented from running by a software group policy/; | |
| 113 | } elsif ($Application eq "SceCli") { | |
| 114 | next if $ExpandedString =~ /^Security policy cannot be propagated\. Cannot access the template\. Error code = 3\./ and $Hostname =~ /$Laptops/i; | |
| 115 | } elsif ($Application eq "ShadowProtectSPX") { | |
| 116 | next if $ExpandedString =~ /^Backup Finished/; | |
| 117 | next if $ExpandedString =~ /^Backup Failed .*\(\\\\.*The backup destination is not accessible/ and $Hostname =~ /$Laptops/i; | |
| 118 | } elsif ($Application =~ /SNARE/) { | |
| 76 | 119 | #Ignore these |
| 77 | 120 | next if $ExpandedString =~ /The service was started/; |
| 78 | 121 | next if $ExpandedString =~ /The service was stopped/; |
| 79 | } | |
| 80 | if ($Application =~ /SecurityCenter/) { | |
| 81 | #Ignore these - appears to be normal http://www.eventid.net/display.asp?eventid=1807&eventno=4468&source=SecurityCenter&phase=1 | |
| 82 | next if $ExpandedString =~ /The Security Center service has been stopped. It was prevented from running by a software group policy/; | |
| 83 | } | |
| 84 | ||
| 85 | if ($Application =~ /Symantec AntiVirus/) { | |
| 122 | } elsif ($Application eq "SpeechRuntime") { | |
| 123 | next if $ExpandedString =~ /^Audio Orchestrator Power Event: Battery Saver Turned On, Voice Activation Disabled/; | |
| 124 | } elsif ($Application =~ /Symantec AntiVirus/) { | |
| 86 | 125 | #Ignore these |
| 87 | 126 | next if $ExpandedString =~ /Symantec AntiVirus services startup was successful/; |
| 88 | 127 | next if $ExpandedString =~ /Scan Complete: Risks: 0/; |
| 91 | 130 | next if $ExpandedString =~ /Download of virus definition file from LiveUpdate server succeeded/; |
| 92 | 131 | next if $ExpandedString =~ /Virus definitions are current/; |
| 93 | 132 | next if $ExpandedString =~ /Could not scan \d+ files inside .* due to extraction errors encountered by the Decomposer Engines/; |
| 94 | } | |
| 95 | if ($Application =~ /cc.*Mgr/) { | |
| 133 | } elsif ($Application =~ /cc.*Mgr/) { | |
| 96 | 134 | #Ignore these |
| 97 | 135 | next if $ExpandedString =~ /service is starting/; |
| 98 | 136 | next if $ExpandedString =~ /service has started/; |
| 100 | 138 | |
| 101 | 139 | my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application"); |
| 102 | 140 | my $urlstr = $url->abs; |
| 103 | $Applications{$Application}->{"$Hostname $ExpandedString\n$url"}++; | |
| 141 | $Applications{$Application}->{"$Hostname: $ExpandedString\n$url"}++; | |
| 104 | 142 | } |
| 105 | 143 | |
| 106 | 144 | if (keys %Applications) { |
| 107 | foreach $Application (sort(keys %Applications)) { | |
| 145 | foreach my $Application (sort(keys %Applications)) { | |
| 108 | 146 | print "\n$Application\n"; |
| 109 | foreach $Error (sort(keys %{$Applications{$Application}})) { | |
| 147 | foreach my $Error (sort(keys %{$Applications{$Application}})) { | |
| 110 | 148 | print " $Error : $Applications{$Application}->{$Error} Times\n"; |
| 111 | 149 | } |
| 112 | 150 | } |
| 20 | 20 | use URI::URL; |
| 21 | 21 | |
| 22 | 22 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 23 | my $Ignore_messages = $ENV{'ignore_messages'} || '^$'; | |
| 23 | 24 | |
| 24 | 25 | my $SuccessAudits = 0; |
| 25 | 26 | my %SuccessAuditUsers; |
| 26 | 27 | my %FailureAudits; |
| 27 | 28 | my %SuccessAudits; |
| 28 | 29 | my %ClockSkew; |
| 30 | my %Errors; | |
| 31 | my %Information; | |
| 29 | 32 | my %UnknownUser; |
| 30 | 33 | my %UnknownClient; |
| 31 | 34 | my %BadPasswords; |
| 32 | 35 | my %TicketExpired; |
| 36 | my %AccessDenied; | |
| 33 | 37 | my %AccountChanged; |
| 34 | 38 | my %AccountCreated; |
| 35 | 39 | my %AccountDeleted; |
| 47 | 51 | my %OtherList; |
| 48 | 52 | |
| 49 | 53 | while (defined(my $ThisLine = <STDIN>)) { |
| 54 | # User specified ignore messages, lower cased | |
| 55 | next if $ThisLine =~ /$Ignore_messages/i; | |
| 56 | ||
| 50 | 57 | my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$SourceName2,$UserName,$SIDType,$EventLogType,$CategoryString,$DataString,$ExpandedString,$Extra); |
| 51 | 58 | #Determine format |
| 52 | 59 | if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 |
| 107 | 114 | } |
| 108 | 115 | } |
| 109 | 116 | elsif ($EventLogType eq "Failure Audit") { |
| 110 | if (my ($account,$domain,$reason) = ($ExpandedString =~ /^An account failed to log on\..*Account For Which Logon Failed:.*Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Failure Reason:\s+(.+)\s+Status:.*Sub Status:/)) { | |
| 111 | $FailureAudits{"$Hostname Log On Failure for $domain\\$account: $reason"}++; | |
| 117 | if ($EventID == 4625) { | |
| 118 | # An account failed to log on | |
| 119 | if (my ($account,$domain,$reason) = ($ExpandedString =~ /Account For Which Logon Failed:.*Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Failure Reason:\s+(.+)\s+Status:.*Sub Status:/)) { | |
| 120 | $FailureAudits{"$Hostname Log On Failure for $domain\\$account: $reason"}++; | |
| 121 | } elsif (my ($account,$domain,$reason,$process) = ($ExpandedString =~ /Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Failure Reason:\s+(.+)\s+Status:.*Sub Status:.*Caller Process Name:\s+(.*)\s+Network Informaion:/)) { | |
| 122 | $FailureAudits{"$Hostname Log On Failure for $domain\\$account by $process: $reason"}++; | |
| 123 | } | |
| 112 | 124 | } elsif (my ($account,$domain,$process) = ($ExpandedString =~ /^A privileged service was called\..*Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Process Name:\s+(.+)\sService/)) { |
| 113 | 125 | $FailureAudits{"$Hostname Privileged service called for $domain\\$account: $process"}++ if $Detail; |
| 114 | 126 | } elsif ($EventID == 4768) { |
| 117 | 129 | if ($FailureCode eq "0x6") { |
| 118 | 130 | # Client not found in Kerberos database |
| 119 | 131 | $UnknownClient{"$Account\\$Realm $Client"}++; |
| 132 | } elsif ($FailureCode eq "0x12") { | |
| 133 | $AccountDisabled{"$Account\@$Realm $Client"}++; | |
| 120 | 134 | } elsif ($FailureCode eq "0x17") { |
| 121 | 135 | # Password has expired |
| 122 | 136 | $ExpiredPassword{"$UserName"}++; |
| 126 | 140 | } elsif ($EventID == 4769) { |
| 127 | 141 | # A Kerberos service ticket was requested |
| 128 | 142 | my ($Client,$FailureCode) = $ExpandedString =~ /Client Address:\s+(\S+)\s.*Failure Code:\s+(\w+)/; |
| 129 | #print STDERR "EventID=$EventID Client=$Client FailureCode=$FailureCode ExpandedString=$ExpandedString\n"; | |
| 130 | if ($FailureCode eq "0x1B") { | |
| 143 | #print STDER "EventID=$EventID Client=$Client FailureCode=$FailureCode ExpandedString=$ExpandedString\n"; | |
| 144 | if ($FailureCode eq "0x12") { | |
| 145 | $AccountDisabled{"$Client"}++; | |
| 146 | } elsif ($FailureCode eq "0x1B") { | |
| 131 | 147 | # KDC_ERR_MUST_USE_USER2USER Server principal valid for user-to-user only |
| 132 | 148 | # This is an informational response and not an issue |
| 133 | 149 | } elsif ($FailureCode eq "0x20") { |
| 172 | 188 | } else { |
| 173 | 189 | $FailureAudits{"$Hostname $ExpandedString\n$url"}++; |
| 174 | 190 | } |
| 191 | } elsif ($EventID == 4957 and $ExpandedString =~ /resolved to an empty set/) { | |
| 192 | # Windows Firewall did not apply the following rule - because it was not applicable | |
| 193 | } elsif ($EventID == 6273) { | |
| 194 | my ($account,$domain,$client) = ($ExpandedString =~ /Account Name:\s+(\S+)\s+Account Domain:\s+(\S+).*Client Friendly Name:\s+(\S+)/); | |
| 195 | $AccessDenied{"$account\\$domain $client"}++; | |
| 175 | 196 | } else { |
| 176 | 197 | $FailureAudits{"$Hostname $ExpandedString\n$url"}++; |
| 177 | 198 | } |
| 178 | 199 | } |
| 200 | elsif ($EventLogType eq "Error") { | |
| 201 | $ExpandedString =~ s/\s+\d+\s+\d+//; | |
| 202 | $Errors{"$Hostname $ExpandedString\n$url"}++; | |
| 203 | } | |
| 204 | elsif ($EventLogType eq "Information") { | |
| 205 | next if $ExpandedString =~ /The event logging service has shut down/; | |
| 206 | next if $Detail < 5; | |
| 207 | $Information{"$Hostname $ExpandedString\n$url"}++; | |
| 208 | } | |
| 179 | 209 | else { |
| 180 | 210 | # Report any unmatched entries... |
| 181 | 211 | chomp($ThisLine); |
| 182 | $OtherList{$ThisLine}++; | |
| 212 | $OtherList{"Type=$EventLogType $ThisLine"}++; | |
| 213 | } | |
| 214 | } | |
| 215 | ||
| 216 | if (keys %Errors) { | |
| 217 | print "\nERRORS:\n"; | |
| 218 | foreach my $Error (sort keys %Errors) { | |
| 219 | print " $Error : $Errors{$Error} Times\n"; | |
| 183 | 220 | } |
| 184 | 221 | } |
| 185 | 222 | |
| 243 | 280 | print "\nPassword Expired\n"; |
| 244 | 281 | foreach my $Account (sort keys %ExpiredPassword) { |
| 245 | 282 | print " $Account : $ExpiredPassword{$Account} Times\n"; |
| 283 | } | |
| 284 | } | |
| 285 | ||
| 286 | if (keys %AccessDenied) { | |
| 287 | print "\nAccess Denied\n"; | |
| 288 | foreach my $Item (sort keys %AccessDenied) { | |
| 289 | print " $Item : $AccessDenied{$Item} Times\n"; | |
| 246 | 290 | } |
| 247 | 291 | } |
| 248 | 292 | |
| 339 | 383 | foreach my $Error (sort keys %SuccessAudits) { |
| 340 | 384 | print " $Error : $SuccessAudits{$Error} Times\n"; |
| 341 | 385 | } |
| 386 | } | |
| 387 | } | |
| 388 | ||
| 389 | if (keys %Information) { | |
| 390 | print "\nInformational Messages:\n"; | |
| 391 | foreach my $Item (sort keys %Information) { | |
| 392 | print " $Item : $Information{$Item} Times\n"; | |
| 342 | 393 | } |
| 343 | 394 | } |
| 344 | 395 | |
| 25 | 25 | use strict; |
| 26 | 26 | |
| 27 | 27 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 28 | my $Ignore_messages = $ENV{'ignore_messages'} || '^$'; | |
| 29 | ||
| 28 | 30 | my %Errors; |
| 29 | 31 | my %RestartRequired; |
| 30 | 32 | my %Systems; |
| 33 | 35 | my %UpdatesReadyForInstall; |
| 34 | 36 | |
| 35 | 37 | while (defined(my $ThisLine = <STDIN>)) { |
| 38 | # User specified ignore messages, lower cased | |
| 39 | next if $ThisLine =~ /$Ignore_messages/i; | |
| 40 | ||
| 36 | 41 | my ($Hostname,$Criticality,$SourceName,$DateTime,$EventID,$System,$UserName,$SIDType,$EventLogType,$CategoryString,$DataString,$ExpandedString,$Extra); |
| 37 | 42 | #Determine format |
| 38 | 43 | if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 |
| 50 | 55 | } |
| 51 | 56 | #print STDERR "ExpandedString = $ExpandedString\n"; |
| 52 | 57 | |
| 58 | next if ($EventLogType eq "Verbose"); | |
| 53 | 59 | next if ($EventLogType eq "Information" and $Detail < 10); |
| 60 | ||
| 61 | # Remove some items that prevent de-duplication | |
| 62 | if ($Detail < 10) { | |
| 63 | $ExpandedString =~ s/\d+ time\(s\)/XX times(s)/; | |
| 64 | $ExpandedString =~ s/requested by PID\s+\S+\s+//; | |
| 65 | $ExpandedString =~ s/processor \d+/processor X/; | |
| 66 | $ExpandedString =~ s/for \d+ seconds/for XX seconds/; | |
| 67 | $ExpandedString =~ s/(APPID|CLSID)\s+\{[0-9A-F\-]+\}/$1 {XXX}/g; | |
| 68 | } | |
| 54 | 69 | |
| 55 | 70 | if ($System eq "Application Popup") { |
| 56 | 71 | #Ignore these |
| 86 | 101 | #Ignore these |
| 87 | 102 | next if $ExpandedString =~ /^DFS has finished building all namespaces\.$/; |
| 88 | 103 | next if $ExpandedString =~ /^DFS server has finished initializing\.$/; |
| 104 | } | |
| 105 | ||
| 106 | if ($System eq "Microsoft-Windows-DNS-Client") { | |
| 107 | next if $ExpandedString =~ /^Name resolution for the name .* timed out/; | |
| 108 | next if $ExpandedString =~ /^The system failed to (?:register|update and remove) host .* resource records/; | |
| 109 | next if $ExpandedString =~ /^The system could not remove these host .* RRs/; | |
| 89 | 110 | } |
| 90 | 111 | |
| 91 | 112 | if ($System eq "Microsoft-Windows-FilterManager") { |
| 45 | 45 | ($ThisLine =~ /^Disconnected, ip=\[.*\]/) or |
| 46 | 46 | # uw-imapd |
| 47 | 47 | ($ThisLine =~ /^Moved \d+ bytes of new mail to.*$/) or |
| 48 | ($ThisLine =~ /^Unexpected client disconnect, while reading line.*$/) | |
| 48 | ($ThisLine =~ /^Unexpected client disconnect, while reading line.*$/) or | |
| 49 | ($ThisLine =~ /^ip=\[.*\], An unexpected TLS packet was received.*$/) or | |
| 50 | ($ThisLine =~ /^ip=\[.*\], Unexpected SSL connection shutdown.*$/) | |
| 49 | 51 | ) { |
| 50 | 52 | # Don't care about these... |
| 51 | 53 | } elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) { |
| 64 | 66 | $Connection{$Host}++; |
| 65 | 67 | } elsif ( ($Host) = ( $ThisLine =~ /^Connection, ip=\[(.*)\]$/o ) ) { |
| 66 | 68 | $Connection{$Host}++; |
| 69 | } elsif ( ($Num, $Host) = ( $ThisLine =~ /^message repeated (.*) times: \[ Connection, ip=\[(.*)\]$/o ) ) { | |
| 70 | $Connection{$Host} += $Num; | |
| 67 | 71 | # } elsif ( ($User,$Downloaded,$DownloadSize,$Left,$LeftSize) = ( $ThisLine =~ /^Stats: (.*?) (.*?) (.*?) (.*?) (.*?)$/) ) { |
| 68 | 72 | # $DownloadedMessages{$User} += $Downloaded; |
| 69 | 73 | # $DownloadedMessagesSize{$User} += $DownloadSize; |
| 105 | 109 | $Logout{$User}{$Host}++; |
| 106 | 110 | $Logout2{$User}++; |
| 107 | 111 | $SocketErrors{$Host}++; |
| 112 | } elsif ( | |
| 113 | (( $ThisLine =~ /^.*error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.*$/)) or | |
| 114 | (( $ThisLine =~ /^.*error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher.*$/)) | |
| 115 | ) { | |
| 116 | $SocketErrors{'unknown'}++; | |
| 108 | 117 | } else { |
| 109 | 118 | # Report any unmatched entries... |
| 110 | 119 | # remove PID from named messages |
| 126 | 126 | } |
| 127 | 127 | # IPTABLES |
| 128 | 128 | elsif (($chain,$ifin,$ifout,$fromip,$toip,$proto,$rest) = ($ThisLine =~ /^(.*?)\s*IN=([\w\.\-]*).*?OUT=([\w\.\-]*).*?SRC=([\w\.:]+).*?DST=([\w\.:]+).*?PROTO=(\w+)(.*)/ )) { |
| 129 | ||
| 130 | # STATE_INVALID_DROP is generally uninteresting | |
| 131 | next if ($chain eq "STATE_INVALID_DROP:" and $Detail < 10); | |
| 129 | 132 | |
| 130 | 133 | # get a destination port number (or icmp type) if there is one |
| 131 | 134 | if (! ( ($toport) = ( $rest =~ /TYPE=(\w+)/ ) ) ) { |
| 7 | 7 | ######################################################## |
| 8 | 8 | |
| 9 | 9 | ######################################################## |
| 10 | ## Copyright (c) 2014 Orion Poplawski | |
| 10 | ## Copyright (c) 2014-2019 Orion Poplawski | |
| 11 | 11 | ## Covered under the included MIT/X-Consortium License: |
| 12 | 12 | ## http://www.opensource.org/licenses/mit-license.php |
| 13 | 13 | ## All modifications and contributions by other persons to |
| 23 | 23 | ######################################################### |
| 24 | 24 | |
| 25 | 25 | use strict; |
| 26 | use warnings; | |
| 26 | 27 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 27 | 28 | my $PoolThreshold = $ENV{'pool_threshold'} || 0; |
| 28 | 29 | my $PoolMetadataThreshold = $ENV{'pool_metadata_threshold'} || 0; |
| 41 | 42 | chomp($ThisLine); |
| 42 | 43 | # Seeing leading space on Fedora 26 |
| 43 | 44 | $ThisLine =~ s/^ *//; |
| 44 | if ($ThisLine =~ /^Thin (\S+) is now (\d+)% full/) { | |
| 45 | if ($ThisLine =~ /^pvscan\[\d+\] PV .* online(?:|, VG .* is complete)\.$/ | |
| 46 | or $ThisLine =~ /pvscan\[\d+\] VG .* run autoactivation/ | |
| 47 | # This happens often at startup | |
| 48 | or $ThisLine =~ /^WARNING: lvmetad is being updated, retrying/ | |
| 49 | ) { | |
| 50 | # Ignore | |
| 51 | } elsif ($ThisLine =~ /^(?:WARNING: )?Thin (\S+) is now (\d+(\.\d+)?)% full/) { | |
| 45 | 52 | $PoolUsed{$1} = $2 if $2 >= $PoolThreshold; |
| 46 | } elsif ($ThisLine =~ /^Thin metadata (\S+) is now (\d+)% full/) { | |
| 53 | } elsif ($ThisLine =~ /^(?:WARNING: )?Thin metadata (\S+) is now (\d+(\.\d+)?)% full/) { | |
| 47 | 54 | $PoolMetadataUsed{$1} = $2 if $2 >= $PoolMetadataThreshold; |
| 48 | 55 | } elsif ($ThisLine =~ /^Monitoring thin pool (\S+)\./) { |
| 49 | 56 | $MonitoringOn{$1}++; |
| 53 | 60 | $MonitoringOff{$1}++; |
| 54 | 61 | } elsif ($ThisLine =~ /^No longer monitoring snapshot (\S+)\./) { |
| 55 | 62 | $MonitoringSnapshotOff{$1}++; |
| 56 | } elsif ($ThisLine =~ /^Snapshot (\S+) is now (\d+)% full/) { | |
| 63 | } elsif ($ThisLine =~ /^(?:WARNING: )?Snapshot (\S+) is now (\d+(\.\d+)?)% full/) { | |
| 57 | 64 | $SnapshotUsed{$1} = $2 if $2 >= $SnapshotThreshold; |
| 58 | 65 | } elsif ($ThisLine =~ /^(\d+) logical volume\(s\) in volume group "(\S+)" monitored/) { |
| 59 | 66 | $MonitoringOn{$2}++; |
| 27 | 27 | # Logwatch project reserves the right to not accept such |
| 28 | 28 | # contributions. If you have made significant |
| 29 | 29 | # contributions to this script and want to claim |
| 30 | # copyright please contact logwatch-devel@logwatch.org. | |
| 30 | # copyright please contact logwatch-devel@lists.sourceforge.net. | |
| 31 | 31 | ########################################################################### |
| 32 | 32 | |
| 33 | 33 | use strict; |
| 59 | 59 | ($ThisLine =~ /running/) or |
| 60 | 60 | ($ThisLine =~ /NSTATS /) or |
| 61 | 61 | ($ThisLine =~ /Cleaned cache of \d+ RRs/) or |
| 62 | ($ThisLine =~ /max-cache-size .* setting to /) or | |
| 62 | 63 | ($ThisLine =~ /USAGE \d+ \d+ CPU=\d+.*/) or |
| 63 | 64 | ($ThisLine =~ /XSTATS /) or |
| 64 | 65 | ($ThisLine =~ /Ready to answer queries/) or |
| 85 | 86 | ($ThisLine =~ /configuring command channel from/) or |
| 86 | 87 | ($ThisLine =~ /interface ignored/) or |
| 87 | 88 | ($ThisLine =~ /no IPv6 interfaces found/) or |
| 88 | ($ThisLine =~ /using \d+ UDP listeners per interface/) or | |
| 89 | ($ThisLine =~ /using \d+ UDP listeners? per interface/) or | |
| 89 | 90 | ($ThisLine =~ /^running/) or |
| 90 | 91 | ($ThisLine =~ /^exiting/) or |
| 91 | 92 | ($ThisLine =~ /no longer listening/) or |
| 156 | 157 | ($ThisLine =~ /reading built-in trusted keys from file/) or |
| 157 | 158 | ($ThisLine =~ /reading built-in trust anchors from file/) or |
| 158 | 159 | ($ThisLine =~ /using built-in trusted-keys/) or |
| 160 | ($ThisLine =~ /using built-in keys instead/) or | |
| 159 | 161 | ($ThisLine =~ /set up managed keys zone/) or |
| 160 | 162 | ($ThisLine =~ /managed-keys-zone.*key now trusted/) or |
| 161 | 163 | ($ThisLine =~ /dhcpupdate: forwarding update for zone/) or |
| 163 | 165 | ($ThisLine =~ /using .* as GeoIP directory/) or |
| 164 | 166 | ($ThisLine =~ /GEO-.* Build/) or |
| 165 | 167 | ($ThisLine =~ /initializing GeoIP /) or |
| 168 | ($ThisLine =~ /looking for GeoIP2? databases in /) or | |
| 169 | ($ThisLine =~ /opened GeoIP2? database /) or | |
| 166 | 170 | # the following seems okay since it says "success" |
| 167 | 171 | ($ThisLine =~ /managed-keys-zone.*: No DNSKEY RRSIGs found for '.*': success/) or |
| 168 | 172 | ($ThisLine =~ /managed-keys-zone.*: Unable to fetch DNSKEY set '.*': timed out/) or |
| 175 | 179 | ($ThisLine =~ /next key event: /) or |
| 176 | 180 | ($ThisLine =~ /reconfiguring zone keys/) or |
| 177 | 181 | ($ThisLine =~ /using built-in DLV key/) or |
| 182 | ($ThisLine =~ /trust-anchor-telemetry/) or | |
| 178 | 183 | # ($ThisLine =~ /reading built-in trusted keys from file/) or |
| 179 | 184 | ($ThisLine =~ /all zones loaded/) or |
| 180 | 185 | ($ThisLine =~ /resolver priming query complete/) or |
| 181 | 186 | ($ThisLine =~ /client .* signer .* approved/) or |
| 182 | 187 | ($ThisLine =~ /stop limiting/) or |
| 188 | # Previous line appears to contain the error | |
| 189 | ($ThisLine =~ /client .*: query failed .* for .* at /) or | |
| 183 | 190 | # ignore this line because the following line describes the error |
| 184 | 191 | ($ThisLine =~ /unexpected error/) |
| 185 | 192 | ) { |
| 23 | 23 | ######################################################### |
| 24 | 24 | |
| 25 | 25 | use strict; |
| 26 | use warnings; | |
| 26 | 27 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 28 | my $IgnoreNonCertifiedDrives = $ENV{'omsa_ignore_non_certified_drives'} || 0; | |
| 27 | 29 | my %ServiceError; |
| 28 | 30 | my %ServiceMessage; |
| 29 | 31 | my %OtherList; |
| 35 | 37 | chomp($ThisLine); |
| 36 | 38 | my ($Service,$Message) = ($ThisLine =~ /^\d+ \d+ - (\w+) Service (.*)$/); |
| 37 | 39 | if ($Message =~ /fail|disable|replace/i) { |
| 40 | # Service erroneously detects failure on service startup | |
| 41 | next if (($Service eq "Instrumentation") and $Message =~ /^Power supply detected a failure.*Previous state was: Unknown/); | |
| 38 | 42 | $ServiceError{$Service}->{$Message}++; |
| 39 | 43 | } elsif (defined($Service)) { |
| 40 | 44 | # Skip informational messages if needed |
| 41 | next if (($Service == "Storage Service") and ($Message =~ /^The Patrol Read has (started|stopped)/) and ($Detail < 5)); | |
| 42 | next if (($Service == "Storage Service") and ($Message =~ /^The controller battery Learn cycle will start in (?:\d+) days\./) and ($Detail < 5)); | |
| 45 | if ($Service eq "Instrumentation") { | |
| 46 | # Service erroneously detects absence on service startup | |
| 47 | next if ($Message =~ /^Battery sensor detected absence value/); | |
| 48 | next if (($Message =~ /^IPMI status.*Interface:/) and ($Detail < 10)); | |
| 49 | next if (($Message =~ /^Server Administrator start.*/) and ($Detail < 10)); | |
| 50 | next if (($Message =~ /^Systems Management Data Manager (?:Started|Stopped)/) and ($Detail < 10)); | |
| 51 | } elsif ($Service eq "Storage") { | |
| 52 | next if (($Message =~ /^Controller event log: Battery (?:Present|charge complete|started charging|temperature is normal)/) and ($Detail < 5)); | |
| 53 | next if (($Message =~ /^Controller event log: (Board Revision|Controller hardware revision ID)/) and ($Detail < 10)); | |
| 54 | next if (($Message =~ /^Controller event log: Current capacity of the battery is above threshold/) and ($Detail < 5)); | |
| 55 | next if (($Message =~ /^Controller event log: Enclosure .* (:?communication restored|discovered)/) and ($Detail < 10)); | |
| 56 | next if (($Message =~ /^Controller event log: Firmware initialization started/) and ($Detail < 10)); | |
| 57 | next if (($Message =~ /^Controller event log: Inserted:/) and ($Detail < 5)); | |
| 58 | next if (($Message =~ /^Controller event log: PD .* is not a certified drive/) and ($IgnoreNonCertifiedDrives)); | |
| 59 | next if (($Message =~ /^Controller event log: Package version/) and ($Detail < 10)); | |
| 60 | next if (($Message =~ /^Controller event log: Patrol Read (started|stopped|resumed)/) and ($Detail < 5)); | |
| 61 | next if (($Message =~ /^Controller event log: Shutdown command received from host/) and ($Detail < 1)); | |
| 62 | next if (($Message =~ /^Controller event log: Time established as/) and ($Detail < 10)); | |
| 63 | next if (($Message =~ /^Controller event log: Unexpected sense: Encl PD .* CDB: 12 00 00 00 (:?04|20) 00, Sense: 5\/24\/00/) and ($IgnoreNonCertifiedDrives)); | |
| 64 | next if (($Message =~ /^Controller event log: Unexpected sense: PD .* CDB: 12 01 dc 01 1d 00, Sense: (4\/cf|5\/24)\/00/) and ($IgnoreNonCertifiedDrives)); | |
| 65 | next if (($Message =~ /^Disk found is not supplied by an authorized hardware provider/) and ($IgnoreNonCertifiedDrives)); | |
| 66 | next if (($Message =~ /^The battery charge cycle is complete\./) and ($Detail < 5)); | |
| 67 | next if (($Message =~ /^The controller battery Learn cycle will start in (?:\d+) days\./) and ($Detail < 5)); | |
| 68 | next if (($Message =~ /^The Patrol Read has (started|stopped|resumed)/) and ($Detail < 5)); | |
| 69 | } | |
| 43 | 70 | $ServiceMessage{$Service}->{$Message}++; |
| 44 | 71 | } else { |
| 45 | 72 | $OtherList{$ThisLine}++; |
| 21 | 21 | # and ensure full compatibility with the newer Openswan. |
| 22 | 22 | ########################################################################## |
| 23 | 23 | |
| 24 | # This is a scanner for logwatch (see www.logwatch.org) that processes | |
| 25 | # FreeSWAN's <http://www.freeswan.org/> Pluto log files and attempts to | |
| 24 | # This is a scanner for logwatch that processes FreeSWAN's | |
| 25 | # <http://www.freeswan.org/> Pluto log files and attempts to | |
| 26 | 26 | # make some sense out of them. |
| 27 | 27 | # |
| 28 | 28 | # Please CC suggestions to mcr@freeswan.org and/or design@lists.freeswan.org |
| 19 | 19 | ## Logwatch project reserves the right to not accept such |
| 20 | 20 | ## contributions. If you have made significant |
| 21 | 21 | ## contributions to this script and want to claim |
| 22 | ## copyright please contact logwatch-devel@logwatch.org. | |
| 22 | ## copyright please contact logwatch-devel@lists.sourceforge.net. | |
| 23 | 23 | ######################################################### |
| 24 | 24 | |
| 25 | 25 | # Detail level |
| 8 | 8 | |
| 9 | 9 | ####################################################### |
| 10 | 10 | ## Copyright (c) 2013 Teemu Ikonen |
| 11 | ## Copyright (c) 2019 Orion Poplawski | |
| 11 | 12 | ## Covered under the included MIT/X-Consortium License: |
| 12 | 13 | ## http://www.opensource.org/licenses/mit-license.php |
| 13 | 14 | ## All modifications and contributions by other persons to |
| 46 | 47 | my %ActionResumed; |
| 47 | 48 | my %ActionSuspended; |
| 48 | 49 | my %DaemonActions; |
| 50 | my %InvalidCerts; | |
| 49 | 51 | |
| 50 | 52 | LINE: |
| 51 | 53 | while (defined($ThisLine = <STDIN>)) { |
| 52 | 54 | chomp($ThisLine); |
| 53 | foreach $Message (%IgnoreMessages) { | |
| 55 | foreach $Message (keys %IgnoreMessages) { | |
| 54 | 56 | next LINE if $ThisLine =~ /$Message/i; |
| 55 | 57 | } |
| 56 | 58 | if (($Reason) = ($ThisLine =~ /^ ?\[origin software=\"rsyslogd\" .*\] (.*)/)) { |
| 66 | 68 | elsif (my ($Action, $Module) = $ThisLine =~ /action '(.*)' resumed \(module '(.*)'\)/) { |
| 67 | 69 | $ActionResumed{"$Action ($Module)"}++ unless defined $IgnoreActions{$Action} or defined $IgnoreModules{$Module}; |
| 68 | 70 | } |
| 71 | elsif (my ($Certificate) = $ThisLine =~ /invalid cert info: peer provided \d+ certificate\(s\)\. Certificate \d+ info: (.*); \[/) { | |
| 72 | $InvalidCertificate{$Certificate}++; | |
| 73 | } | |
| 69 | 74 | elsif ( |
| 75 | # More detail for this in the invalid cert info line above | |
| 76 | $ThisLine =~ /^not permitted to talk to peer, certificate invalid:/ or | |
| 70 | 77 | $ThisLine =~ /^rsyslogd\'s (groupid|userid) changed to/ or |
| 78 | $ThisLine =~ /^imjournal: journal files changed, reloading/ or | |
| 71 | 79 | $ThisLine =~ /^imjournal: journal reloaded/ or |
| 72 | 80 | $ThisLine =~ /^imuxsock: Acquired UNIX socket .* from systemd/ or |
| 73 | 81 | $ThisLine =~ /^message repeated \d+ times:/ or |
| 98 | 106 | print "\n"; |
| 99 | 107 | } |
| 100 | 108 | |
| 109 | if (keys %InvalidCertificate) { | |
| 110 | print "Invalid certificates:\n"; | |
| 111 | foreach my $Certificate (sort keys %InvalidCertificate) { | |
| 112 | print " $Certificate: $InvalidCertificate{$Certificate} Times\n"; | |
| 113 | } | |
| 114 | print "\n"; | |
| 115 | } | |
| 116 | ||
| 101 | 117 | if (($Detail >=10) and (keys %DaemonActions) ) { |
| 102 | 118 | print "Rsyslogd Actions:\n"; |
| 103 | 119 | foreach $Reason (sort keys %DaemonActions) { |
| 421 | 421 | } elsif (my ($mins, $secs) = ($ThisLine =~ /Scanning took ([0-9]*) minutes? and ([0-9]*) seconds?/)) { |
| 422 | 422 | $RootkitHunter{'time'}+= $mins*60 + $secs; |
| 423 | 423 | } |
| 424 | } elsif ($ThisLine =~ /systemd-logind(?:\[\d+\])?: New session \d+ of user (\w+)\./){ | |
| 424 | } elsif ($ThisLine =~ /systemd-logind(?:\[\d+\])?: New session \d+ of user (.*)\.$/){ | |
| 425 | 425 | $UserLogin{$1}++; |
| 426 | 426 | } elsif ($ThisLine =~ /sshguard\[\d+\]: Blocking (.*) for (.*)/) { |
| 427 | 427 | my ($attacker, $details) = ($1, $2); |
| 120 | 120 | my $OutdatedAliasdb = |
| 121 | 121 | my $OverSize = my $OverSizeBytes = my $RelayLocalhost = |
| 122 | 122 | my $RemoteProtocolError =my $SendmailStarts = |
| 123 | my $SendmailStopped = my $TLSAcceptFailed = my $TLSConnectFailed = | |
| 124 | my $TooManyRcpts = my $XS4ALL = | |
| 123 | my $SendmailStopped = my $TooManyRcpts = my $XS4ALL = | |
| 125 | 124 | 0; |
| 126 | 125 | |
| 127 | 126 | |
| 150 | 149 | $StatError, $StatFile, $Temp, |
| 151 | 150 | $Temp1, $ThisLine, $ThisOne, |
| 152 | 151 | $TimeoutSend, $TimeoutSendWarning, $TLSFile, |
| 152 | $TLSFrom, | |
| 153 | 153 | $TLSReason, $TotalBytes, $TotalNum, |
| 154 | 154 | $ToUser, $User, $Usr, |
| 155 | 155 | $Warning, $Directory, $Cause |
| 182 | 182 | %SPFResults, %Starttls, %StarttlsCert, |
| 183 | 183 | %StarttlsCipher, %StatDeferred, %StatFileError, |
| 184 | 184 | %StatRejected, %StatRejectedLog, |
| 185 | %SysErr, %Timeouts, | |
| 186 | %TLSFailed, %TLSFileMissing, %ToList, | |
| 185 | %SysErr, %Timeouts, %TLSAcceptFailed, | |
| 186 | %TLSConnectFailed, %TLSFileMissing, %ToList, | |
| 187 | 187 | %TooManyHops, %UnknownUsers, %UnknownUsersCheckRcpt, |
| 188 | 188 | %WUnsafe |
| 189 | 189 | ); |
| 359 | 359 | ( $ThisLine =~ /^STARTTLS=(server|client), init=1/ ) or |
| 360 | 360 | # file=deliver.c, LogLevel>13, LOG_INFO |
| 361 | 361 | ( $ThisLine =~ /^STARTTLS=client, start=ok$/ ) or |
| 362 | ||
| 362 | # file=readcf.c, LogLevel>9, LOG_NOTICE, starting in 8.16.1 | |
| 363 | # because the features string can be many things, we ignore those | |
| 364 | # strings that are not known errors. (Other error strings are | |
| 365 | # possible, but they don't match because they have more arguments.) | |
| 366 | ( $ThisLine =~ m/^tls_(srv|clt)_features= | |
| 367 | (?!too_short|only_one_of_CertFile\/KeyFile_specified)[^,]*, | |
| 368 | \ relay=([^\ ])*\ \[.*\]$/x ) or | |
| 369 | # file=tls.c, LogLevel>13, LOG_DEBUG, starting in 8.16.1 | |
| 370 | ( $ThisLine =~ /engine=.*, path=.*, ispre=\d+, pre=\d+, initialized=\d+$/ ) or | |
| 363 | 371 | # the following is described in tls.c as a bug in OpenSSL, and |
| 364 | 372 | # recommends that the error message be ignored (last checked on 8.15.2) |
| 365 | 373 | # file=tls.c, LogLevel>15, LOG_WARNING |
| 377 | 385 | # and yet another symptom of a connection shut down (EPIPE refers to "Broken pipe") |
| 378 | 386 | # file=srvsmtp.c, LogLevel>5, LOG_WARNING |
| 379 | 387 | ( $ThisLine =~ /^STARTTLS=server, error: accept failed=-1, reason=unknown, SSL_error=5, errno=${\Errno::EPIPE}, retry=/ ) or |
| 388 | # the following is a detailed SSL error log (from tlslogerr) | |
| 389 | # always preceded by a more user-friendly error message | |
| 390 | # file=srvrsmtp.c, LogLevel>8, LOG_WARNING | |
| 391 | ( $ThisLine =~ /STARTTLS=(?:\w*): \d*:error:\w{8}:[^:]*:[^:]*:([^:]*):/ ) or | |
| 380 | 392 | # the following is a log message introduced in 8.13.6 |
| 381 | 393 | # file=sfsasl.c, LogLevel>14, LOG_INFO |
| 382 | 394 | # tls_retry errors are either transient, or additional log info is issued and parsed |
| 806 | 818 | # file=tls.c, LogLevel>7, LOG_WARNING |
| 807 | 819 | } elsif ( ($TLSFile) = ($ThisLine=~ /STARTTLS=((server|client): file .* unsafe: .*)/) ) { |
| 808 | 820 | $TLSFileMissing{$TLSFile}++; |
| 809 | # file=srvrsmtp.c, LogLevel>8, LOG_WARNING | |
| 810 | } elsif ( ($TLSReason) = ($ThisLine=~ /STARTTLS=(?:\w*): \d*:error:\w{8}:[^:]*:[^:]*:([^:]*):/) ) { | |
| 811 | $TLSFailed{$TLSReason}++; | |
| 812 | # file=srvrsmtp.c, LogLevel>5, LOG_WARNING | |
| 813 | } elsif ($ThisLine=~ /STARTTLS=server, error: accept failed=/) { | |
| 814 | $TLSAcceptFailed++; | |
| 815 | # file=deliver.c, LogLevel>5, LOG_WARNING | |
| 816 | } elsif ($ThisLine=~ /STARTTLS=client, error: connect failed=/) { | |
| 817 | $TLSConnectFailed++; | |
| 821 | # file=srvrsmtp.c, LogLevel>5, LOG_WARNING; reason given as of 8.14.6 | |
| 822 | } elsif ( ($TLSReason, $TLSFrom) = ($ThisLine=~ /STARTTLS=server, error: accept failed=-?\d+, reason=([^,]*), (?:[^,]*,){3} relay=(.*)/) ) { | |
| 823 | $TLSAcceptFailed{$TLSReason}{$TLSFrom}++; | |
| 824 | # handle pre-8.14.6 | |
| 825 | } elsif ( ($TLSFrom) = ($ThisLine=~ /STARTTLS=server, error: accept failed=-?\d+, SSL_error=(?:[^,]*,){3} relay=(.*)/) ) { | |
| 826 | $TLSAcceptFailed{"no reason given"}{$TLSFrom}++; | |
| 827 | # file=deliver.c, LogLevel>5, LOG_WARNING; reason given as of 8.14.6 | |
| 828 | } elsif ( ($TLSReason) = ($ThisLine=~ /STARTTLS=client, error: connect failed=-?\d+. reason=([^,]*),/) ) { | |
| 829 | $TLSConnectFailed{$TLSReason}++; | |
| 830 | # handle pre-8.14.6 | |
| 831 | } elsif ($ThisLine=~ /STARTTLS=client, error: connect failed=-?\d+. SSL_error=/) { | |
| 832 | $TLSConnectFailed{"no reason given"}++; | |
| 818 | 833 | # file=tls.c, LogLevel>-1, LOG_INFO |
| 819 | 834 | } elsif (($CommonName,$StarttlsReason) = ($ThisLine =~ /^STARTTLS: (?:x509|TLS) cert verify: depth=[0-9]+ .*\/CN=([^\/,]*).* state=[0-9]+, reason=(.*)$/ )) { |
| 820 | 835 | $StarttlsCert{$StarttlsReason}{$CommonName}++; |
| 1421 | 1436 | |
| 1422 | 1437 | # SMTP Errors |
| 1423 | 1438 | |
| 1424 | if($TLSAcceptFailed > 0) { | |
| 1425 | eval "$PrintCond" if ($Detail >= 3); | |
| 1426 | print "\n\n$TLSAcceptFailed STARTTLS Accept Fail(s)" if ($Detail >= 3); | |
| 1427 | $TotalError[$ErrorIndex] += $TLSAcceptFailed; | |
| 1428 | } | |
| 1429 | ||
| 1430 | $TotalError[++$ErrorIndex] = 0; | |
| 1431 | ||
| 1432 | if($TLSConnectFailed > 0) { | |
| 1433 | eval "$PrintCond" if ($Detail >= 3); | |
| 1434 | print "\n\n$TLSConnectFailed STARTTLS Connect Fail(s)" if ($Detail >= 3); | |
| 1435 | $TotalError[$ErrorIndex] += $TLSConnectFailed; | |
| 1436 | } | |
| 1437 | ||
| 1438 | $TotalError[++$ErrorIndex] = 0; | |
| 1439 | ||
| 1440 | if (keys %TLSFailed && ($Detail >= 5)) { | |
| 1441 | eval "$PrintCond"; | |
| 1442 | print "\n and they failed because of:"; | |
| 1443 | foreach $TLSReason (keys %TLSFailed) { | |
| 1444 | print "\n $TLSReason"; | |
| 1445 | } | |
| 1446 | } | |
| 1439 | if (keys %TLSConnectFailed) { | |
| 1440 | eval "$PrintCond" if ($Detail >= 3); | |
| 1441 | print "\n\nTLS Connect Failed" if ($Detail >=3); | |
| 1442 | foreach $TLSReason (sort keys %TLSConnectFailed) { | |
| 1443 | PrettyTimes(" " . $TLSConnectFailed{$TLSReason}) | |
| 1444 | if ($Detail >= 5); | |
| 1445 | $TotalError[$ErrorIndex] += $TLSConnectFailed{$TLSReason}; | |
| 1446 | } | |
| 1447 | print "\n\tTotal: $TotalError[$ErrorIndex]" if( $Detail >=3 ); | |
| 1448 | } | |
| 1449 | $TotalError[++$ErrorIndex] = 0; | |
| 1450 | ||
| 1451 | if (keys %TLSAcceptFailed) { | |
| 1452 | eval "$PrintCond" if ($Detail >= 3); | |
| 1453 | print "\n\nTLS Failed Access" if ($Detail >=3); | |
| 1454 | foreach $TLSReason (sort keys %TLSAcceptFailed) { | |
| 1455 | print "\n $TLSReason" if ($Detail >= 5); | |
| 1456 | foreach $TLSFrom (sort keys %{$TLSAcceptFailed{$TLSReason}}) { | |
| 1457 | PrettyTimes(" " . PrettyHost($TLSFrom, 59), | |
| 1458 | $TLSAcceptFailed{$TLSReason}{$TLSFrom}) if ($Detail >= 5); | |
| 1459 | $TotalError[$ErrorIndex] += | |
| 1460 | $TLSAcceptFailed{$TLSReason}{$TLSFrom}; | |
| 1461 | } | |
| 1462 | } | |
| 1463 | print "\n\tTotal: $TotalError[$ErrorIndex]" if ($Detail >= 3); | |
| 1464 | } | |
| 1465 | $TotalError[++$ErrorIndex] = 0; | |
| 1447 | 1466 | |
| 1448 | 1467 | if (keys %BadAuth) { |
| 1449 | 1468 | eval "$PrintCond" if ($Detail >= 3); |
| 95 | 95 | # ignore |
| 96 | 96 | } elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), previous self-test completed without error/ )) { |
| 97 | 97 | # ignore |
| 98 | } elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), type changed from \'\w+\' to \'\w+\'/ )) { | |
| 98 | } elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), type changed from \'[\w,+]+\' to \'[\w,+]+\'/ )) { | |
| 99 | 99 | # ignore |
| 100 | 100 | } elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), state (?:read from|written to)/ )) { |
| 101 | 101 | # ignore |
| 121 | 121 | || ($ThisLine =~ /smartd has fork/) |
| 122 | 122 | || ($ThisLine =~ /smartd (startup|shutdown) succeeded/) |
| 123 | 123 | || ($ThisLine =~ /Unable to register device (.*) \(no Directive -d removable\). Exiting/) |
| 124 | || ($ThisLine =~ /Device (.*), SATA disks accessed via libata are not currently supported by smartmontools./) | |
| 125 | || ($ThisLine =~ /Device: (.*), IE \(SMART\) not enabled, skip device/) | |
| 124 | || ($ThisLine =~ /Device .*, SATA disks accessed via libata are not currently supported by smartmontools./) | |
| 125 | || ($ThisLine =~ /Device: .*, IE \(SMART\) not enabled, skip device/) | |
| 126 | || ($ThisLine =~ /Device: .*, not ATA, no IDENTIFY DEVICE Structure/) | |
| 126 | 127 | || ($ThisLine =~ /^Try '.*' to turn on SMART features/) |
| 127 | 128 | || ($ThisLine =~ /Device: (.*), Bad IEC (SMART) mode page, err=-5, skip device/) |
| 128 | 129 | || ($ThisLine =~ /Drive: DEVICESCAN, implied '-a' Directive on line [\d]+ of file/) |
| 63 | 63 | ( $ThisLine =~ m/^spamd: server pid:/ ) or |
| 64 | 64 | ( $ThisLine =~ m/^prefork: adjust: \d+ idle children (less|more) than \d+ (min|max)imum idle children/ ) or |
| 65 | 65 | # Sendmail messages to ignore |
| 66 | ( $ThisLine =~ m/^alias database / ) or | |
| 67 | ( $ThisLine =~ m/^started as: / ) or | |
| 68 | ( $ThisLine =~ m/[0-9]* aliases, longest [0-9]* bytes, [0-9]* bytes total/ ) or | |
| 66 | 69 | ( $ThisLine =~ m/^AUTH=/ ) or |
| 67 | 70 | ( $ThisLine =~ m/^STARTTLS/ ) or |
| 68 | 71 | ( $ThisLine =~ m/^starting daemon \(/ ) or |
| 69 | 72 | ( $ThisLine =~ m/^ruleset=trust_auth/ ) or |
| 70 | 73 | ( $ThisLine =~ m/^ruleset=check_relay/ ) or |
| 74 | ( $ThisLine =~ m/^tls_srv_features=/ ) or | |
| 75 | ( $ThisLine =~ m/^tls_clt_features=/ ) or | |
| 76 | ( $ThisLine =~ m/^engine=/ ) or | |
| 71 | 77 | 0 # Always last in the list, so all above can say "or" at the end |
| 72 | 78 | ) { |
| 73 | 79 | ; # We don't care about these |
| 29 | 29 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; |
| 30 | 30 | my $IgnoreHost = $ENV{'sshd_ignore_host'} || ""; |
| 31 | 31 | my $RefusedConnectionsThreshold = $ENV{'refused_connections_threshold'} || 0; |
| 32 | my $IllegalUsersThreshold = $ENV{'illegal_users_threshold'} || 0; | |
| 32 | 33 | my $DebugCounter = 0; |
| 33 | 34 | |
| 34 | 35 | # No sense in running if 'sshd' doesn't even exist on this system... |
| 95 | 96 | my $StatusNoSuchFile = 0; |
| 96 | 97 | my $BytesSent = 0; |
| 97 | 98 | my $BytesReceived = 0; |
| 99 | my $NoCipher = 0; | |
| 98 | 100 | |
| 99 | 101 | if ( $Debug >= 5 ) { |
| 100 | 102 | print STDERR "\n\nDEBUG: Inside SSHD Filter \n\n"; |
| 109 | 111 | chomp($ThisLine); |
| 110 | 112 | if ( |
| 111 | 113 | ($ThisLine =~ /^pam_succeed_if: requirement "uid < 100" (not|was) met by user /) or |
| 114 | ($ThisLine =~ /^pam_succeed_if\(.*?\): requirement "uid >= 1000" (not|was) met by user /) or | |
| 112 | 115 | ($ThisLine =~ m/^(log: )?$/ ) or |
| 113 | 116 | ($ThisLine =~ m/^(log: )?\^\[\[60G/ ) or |
| 114 | 117 | ($ThisLine =~ m/^(log: )? succeeded$/ ) or |
| 367 | 370 | $ClientVers{$ClientVer}++; |
| 368 | 371 | } elsif (my ($Host,$Port) = ($ThisLine =~ /^error: connect_to (\S+) port (\d+): failed\.$/)) { |
| 369 | 372 | $ConnectFailed{"$Host port $Port"}++; |
| 373 | } elsif ($ThisLine =~ /^fatal: no matching cipher found: /) { | |
| 374 | $NoCipher++; | |
| 370 | 375 | } else { |
| 371 | 376 | # Report any unmatched entries... |
| 372 | 377 | unless ($ThisLine =~ /fwd X11 connect/) { |
| 495 | 500 | } |
| 496 | 501 | } |
| 497 | 502 | |
| 503 | if ($NoCipher && $Detail > 0) { | |
| 504 | print "\nNo matching cipher offered: " . timesplural($NoCipher); | |
| 505 | } | |
| 506 | ||
| 498 | 507 | if (keys %TooManyFailures) { |
| 499 | 508 | print "\nDisconnecting after too many authentication failures for user:\n"; |
| 500 | 509 | foreach my $User (sort {$a cmp $b} keys %TooManyFailures) { |
| 522 | 531 | } |
| 523 | 532 | |
| 524 | 533 | if (keys %IllegalUsers) { |
| 525 | print "\nIllegal users from:\n"; | |
| 534 | print "\nIllegal users from"; | |
| 535 | if ($IllegalUsersThreshold) { | |
| 536 | print " (with threshold >= $IllegalUsersThreshold)"; | |
| 537 | } | |
| 538 | print ":\n"; | |
| 526 | 539 | foreach my $ip (sort SortIP keys %IllegalUsers) { |
| 527 | 540 | my $name = LookupIP($ip); |
| 528 | 541 | my $totcount = 0; |
| 529 | 542 | foreach my $user (keys %{$IllegalUsers{$ip}}) { |
| 530 | 543 | $totcount += $IllegalUsers{$ip}{$user}; |
| 531 | } | |
| 532 | print " $name: " . timesplural($totcount); | |
| 533 | if ($Detail >= 5) { | |
| 534 | my $sort = CountOrder(%{$IllegalUsers{$ip}}); | |
| 535 | foreach my $user (sort $sort keys %{$IllegalUsers{$ip}}) { | |
| 536 | my $val = $IllegalUsers{$ip}{$user}; | |
| 537 | print " $user: " . timesplural($val); | |
| 544 | } | |
| 545 | if ($IllegalUsersThreshold == 0 || | |
| 546 | $totcount >= $IllegalUsersThreshold) { | |
| 547 | print " $name: " . timesplural($totcount); | |
| 548 | if ($Detail >= 5) { | |
| 549 | my $sort = CountOrder(%{$IllegalUsers{$ip}}); | |
| 550 | foreach my $user (sort $sort keys %{$IllegalUsers{$ip}}) { | |
| 551 | my $val = $IllegalUsers{$ip}{$user}; | |
| 552 | print " $user: " . timesplural($val); | |
| 553 | } | |
| 538 | 554 | } |
| 539 | 555 | } |
| 540 | 556 | } |
| 850 | 866 | } |
| 851 | 867 | } |
| 852 | 868 | |
| 853 | if ( ($Detail == 7 && keys %Krb_realm > 1) || ($Detail > 8 && keys %Krb_realm) ){ | |
| 869 | if ( ($Detail == 7 && keys %Krb_realm > 1) || ($Detail > 7 && keys %Krb_realm) ){ | |
| 854 | 870 | print "\nSuccessful Kerberos Authentication from ",(scalar keys %Krb_realm)," realm:\n"; |
| 855 | 871 | foreach my $realm (sort keys %Krb_realm) { |
| 856 | 872 | if($Detail > 9){ |
| 78 | 78 | $BackendOffline++ if $BackendStatus eq "offline"; |
| 79 | 79 | } elsif ($ThisLine =~ /^Enumeration requested but not enabled/) { |
| 80 | 80 | $EnumerationRequested++ unless $IgnoreEnumerationRequested; |
| 81 | } elsif ($Service eq "Daemon" && $ThisLine =~ /Keytab successfully retrieved and stored in:/) { | |
| 82 | # Ignore | |
| 81 | 83 | } elsif ($Service eq "p11_child" && $ThisLine =~ /Certificate .* not valid .*Certificate key usage inadequate for attempted operation/) { |
| 82 | 84 | # sssd ssh does not ignore certificates of different types - ignore the errors generated by it |
| 83 | 85 | $ignore_p11_child_error = 1; |
| 58 | 58 | |
| 59 | 59 | my $ThisLine; |
| 60 | 60 | while (defined($ThisLine = <STDIN>)) { |
| 61 | $ThisLine =~ s/LOG\d\[\d{1,5}:\d{15}\]: (.*)/$1/; | |
| 61 | $ThisLine =~ s/LOG\d\[(?:\d{1,5}:\d{15}|\w+)\]: (.*)/$1/; | |
| 62 | 62 | if ( $Debug >= 5 ) { |
| 63 | 63 | print STDERR "DEBUG($DebugCounter): $ThisLine"; |
| 64 | 64 | $DebugCounter++; |
| 83 | 83 | # ignore |
| 84 | 84 | } elsif ($ThisLine =~ m/^connect_blocking: getsockopt ([0-9a-fA-F.:]+: Connection refused) \(\d+\)$/) { |
| 85 | 85 | $errors{"connect_blocking: $1"}++; |
| 86 | } elsif ($ThisLine =~ m/^DH parameters updated/) { | |
| 87 | # ignore | |
| 86 | 88 | } elsif ($ThisLine =~ m/^(?:remote socket|local socket|accept): (Too many open files) \(\d+\)$/) { |
| 87 | 89 | $errors{"$1: increase the maximum number of open file descriptors"}++; |
| 88 | 90 | } elsif ($ThisLine =~ m/^Log file reopened$/) { |
| 105 | 107 | $stops++; |
| 106 | 108 | } elsif ($ThisLine =~ m/^transfer: s_poll_wait: TIMEOUTclose exceeded: closing$/) { |
| 107 | 109 | $notices{"TIMEOUTclose exceeded: closing connection"}++; |
| 110 | } elsif ($ThisLine =~ m/^Updating DH parameters/) { | |
| 111 | # ignore | |
| 108 | 112 | } elsif ($ThisLine =~ m/^(SSL_(?:accept|read|shutdown): .*|getpeerbyname: .*)(?: \(\d+\))?$/) { |
| 109 | 113 | $notices{$1}++; |
| 110 | 114 | } else { |
| 52 | 52 | while (defined(my $ThisLine = <STDIN>)) { |
| 53 | 53 | chomp($ThisLine); |
| 54 | 54 | if ($ThisLine =~ /^(Activat|Deactivat|Mount|Unmount|Reload|Start|Stopp)ing / or |
| 55 | $ThisLine =~ /^Finished / or | |
| 55 | 56 | # These events will be caught with the Unit X entered failed state message |
| 56 | 57 | $ThisLine =~ /^Failed to start / or |
| 57 | 58 | $ThisLine =~ /: Failed with result / or |
| 64 | 65 | $ThisLine =~ /^Closed .* [Ww]atch\.$/ or |
| 65 | 66 | $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or |
| 66 | 67 | $ThisLine =~ /^Closed udev / or |
| 68 | $ThisLine =~ /: Consumed .* CPU time\.$/ or | |
| 67 | 69 | # crond will never restart process when it is restarted |
| 68 | 70 | $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or |
| 69 | 71 | $ThisLine =~ /^Received SIGINT\./ or |
| 78 | 80 | $ThisLine =~ /^Reloading\.$/ or # Happens on each boot at switch root |
| 79 | 81 | $ThisLine =~ /^RTC configured in / or |
| 80 | 82 | $ThisLine =~ /^Running in initial RAM disk\.$/ or |
| 83 | $ThisLine =~ /^selinux: avc: *received policyload notice/ or | |
| 81 | 84 | $ThisLine =~ /^Set hostname to / or |
| 82 | 85 | $ThisLine =~ /^(?:Set up|Unset) automount Arbitrary Executable File Formats File System Automount Point\.$/ or |
| 83 | 86 | $ThisLine =~ /^Shutting down\.$/ or |
| 100 | 103 | $ThisLine =~ /Unit (.* is )?not needed anymore\. Stopping\./ or |
| 101 | 104 | $ThisLine =~ /State '(stop-sigterm|stop-final-sigterm)' timed out\. Killing\./ or |
| 102 | 105 | $ThisLine =~ /: Start(-pre)? operation timed out\. Terminating\./ or |
| 103 | $ThisLine =~ /Service hold-off time over, scheduling restart\./ or | |
| 104 | $ThisLine =~ /Service has no hold-off time, scheduling restart\./ or | |
| 106 | $ThisLine =~ /hold-?off time over, scheduling restart\./ or | |
| 107 | $ThisLine =~ /Service has no hold-off time.*, scheduling restart\./ or | |
| 105 | 108 | $ThisLine =~ /Scheduled restart job, restart counter is at .*\./ or |
| 106 | 109 | $ThisLine =~ /Stopping timed out\. Killing\./ or |
| 107 | 110 | $ThisLine =~ /^Timed out waiting for/ or |
| 148 | 151 | $ConfigError{$reason}{$service}++; |
| 149 | 152 | } elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) { |
| 150 | 153 | $Failed{$service}++; |
| 154 | } elsif (my ($service) = ($ThisLine =~ /^(.*): Failed to execute command/)) { | |
| 155 | $Failed{$service}++; | |
| 151 | 156 | } elsif (my ($service) = ($ThisLine =~ /^(.*): Unit entered failed state\.$/)) { |
| 152 | 157 | $Failed{$service}++; |
| 153 | 158 | } elsif (my ($service) = ($ThisLine =~ /^(.*) failed with error code \d+\.$/)) { |
| 145 | 145 | ($source !~ /\/dev\/scd/ ) && |
| 146 | 146 | ($source !~ /\/dev\/sr/ ) && |
| 147 | 147 | ($source !~ /\/dev\/loop./) && |
| 148 | ($target !~ /^$diskfull_exclude_dirs/)) { | |
| 148 | ($target !~ /^$diskfull_exclude_dirs/i)) { | |
| 149 | 149 | print "$target ($source) => $used% Used. Warning: Disk Filling up.\n"; |
| 150 | 150 | } |
| 151 | 151 | } |
| 155 | 155 | #Main |
| 156 | 156 | |
| 157 | 157 | if ($OSname eq "Linux") { |
| 158 | $df_options = "-h -x tmpfs -x devtmpfs -x udf -x iso9660"; | |
| 158 | $df_options = "-h -x tmpfs -x devtmpfs -x udf -x iso9660 -x squashfs"; | |
| 159 | 159 | if ($local_disks_only) { $df_options .= " -l"; } |
| 160 | 160 | } elsif ($OSname eq "Darwin") { |
| 161 | $df_options = "-h"; | |
| 161 | $df_options = "-h -T nodevfs,autofs"; | |
| 162 | 162 | if ($local_disks_only) { $df_options .= " -l"; } |
| 163 | 163 | } elsif ($OSname eq "SunOS") { |
| 164 | 164 | if ( ($release eq "5.10") || ($release eq "5.9") || ($release eq "5.11") ) { |
| 166 | 166 | } |
| 167 | 167 | if ($local_disks_only) { $df_options .= " -l"; } |
| 168 | 168 | } elsif ($OSname eq "AIX") { |
| 169 | $df_options = ""; | |
| 170 | if ($local_disks_only) { $df_options .= " -P"; } | |
| 169 | $df_options = "-P"; | |
| 170 | if ($local_disks_only) { $df_options .= " -T local"; } | |
| 171 | 171 | } elsif ($OSname eq "GNU/kFreeBSD") { |
| 172 | 172 | $df_options = "-h -x tmpfs -x devtmpfs -x udf -x iso9660 -x devfs -x linprocfs -x sysfs -x fdescfs"; |
| 173 | 173 | if ($local_disks_only) { $df_options .= " -l"; } |
| 30 | 30 | ########################################################################### |
| 31 | 31 | #Main |
| 32 | 32 | |
| 33 | #Exit early if the report is not for the current host. | |
| 34 | use POSIX qw(uname); | |
| 35 | my $logwatch_hostname = $ENV{'LOGWATCH_ONLY_HOSTNAME'}; | |
| 36 | my ($OSname, $hostname, $release, $version, $machine) = POSIX::uname(); | |
| 37 | $hostname =~ s/\..*//; | |
| 38 | exit (0) if ($ENV{'LOGWATCH_ONLY_HOSTNAME'} and ($logwatch_hostname ne $hostname)); | |
| 39 | ||
| 33 | 40 | #Output sensors stats |
| 34 | 41 | |
| 35 | 42 | my $pathto_sensors = $ENV{'pathto_sensors'} || '/usr/bin/sensors'; |
| 51 | 51 | exit 0; |
| 52 | 52 | } |
| 53 | 53 | |
| 54 | my $pathto_zpool = $ENV{'pathto_zpool'} || '/usr/sbin/zpool'; | |
| 55 | my $pathto_zfs = $ENV{'pathto_zfs'} || '/usr/sbin/zfs'; | |
| 54 | my $pathto_zpool = $ENV{'pathto_zpool'} || 'zpool'; | |
| 55 | my $pathto_zfs = $ENV{'pathto_zfs'} || 'zfs'; | |
| 56 | 56 | my $summary_only = $ENV{'summary_only'} || ($detail < 5); |
| 57 | 57 | my $detail_only = $ENV{'detail_only'} || 0; |
| 58 | 58 |