* New upstream version 7.5.6 * {s,l}/clam-update.conf: fix encoding (lintian warning) Willi Mann authored 2 years ago Debian Janitor committed 2 years ago
24 changed file(s) with 279 addition(s) and 47 deletion(s). Raw diff Collapse all Expand all
2424 # You can override the default temp directory (/tmp) here
2525 TmpDir = /var/cache/logwatch
2626
27 #Output/Format Options
28 #By default Logwatch will print to stdout in text with no encoding.
29 #To make email Default set Output = mail to save to file set Output = file
27 # Output/Format Options
28 # By default Logwatch will print to stdout in text with no encoding.
29 # To make email Default set Output = mail to save to file set Output = file
3030 Output = stdout
31 #To make Html the default formatting Format = html
31 # To make Html the default formatting Format = html
3232 Format = text
33 #To make Base64 [aka uuencode] Encode = base64
33 # To make Base64 [aka uuencode] Encode = base64
34 # Encode = none is the same as Encode = 8bit.
35 # You can also specify 'Encode = 7bit', but only if all text is ASCII only.
3436 Encode = none
3537
3638 # Input Encoding
7171 # Includes: postfix/smtpd, etc, postfix/policy-spf
7272 #*OnlyService = "postfix/[-\w]*"
7373 #$postfix_Syslog_Name = "postfix"
74 # Includes: postfix/smtpd, etc, postfix/policy-spf, postgrey, postfwd, policyd-spf
75 *OnlyService = "(?:post(?:fix|grey|fwd)|policyd-spf)(?:/[-\w]*)?"
74 # Includes: postfix/smtpd, etc, postfix/policy-spf, postgrey, postfwd,
75 # policyd-spf, as well as multiple service names, like postfix/relay/smtp
76 *OnlyService = "(?:post(?:fix|grey|fwd)|policyd-spf)(?:[-/\w]*)?"
7677 $postfix_Syslog_Name = "(?:post(?:fix|grey|fwd)|policyd-spf)"
7778
7879 # Ignored postfix services
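Review bot: The loosened trailer in the new `*OnlyService` pattern, `(?:[-/\w]*)?`, no longer requires a `/` between the base name and whatever follows, so it also accepts services whose name merely starts with one of the listed prefixes, e.g. `postfixadmin` or `postgreyd`, assuming the regex is matched against the service name the same way the old one was. Requiring the separator while still allowing nested names such as `postfix/relay/smtp` needs only one more character: `*OnlyService = "(?:post(?:fix|grey|fwd)|policyd-spf)(?:/[-/\w]*)?"`. The comment above it could then say `# ... as well as nested service names, like postfix/relay/smtp` without promising more than the pattern filters.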
0 logwatch (7.5.6-1) unstable; urgency=medium
1
2 * New upstream version 7.5.6
3 * {s,l}/clam-update.conf: fix encoding (lintian warning)
4
5 -- Willi Mann <willi@debian.org> Fri, 05 Nov 2021 13:47:57 +0100
6
07 logwatch (7.5.5-1) unstable; urgency=medium
18
29 * New upstream version 7.5.5
77 1 file changed, 2 insertions(+), 1 deletion(-)
88
99 diff --git a/scripts/services/cron b/scripts/services/cron
10 index 869b515..7b04ffc 100644
10 index 45b857f..c85d077 100644
1111 --- a/scripts/services/cron
1212 +++ b/scripts/services/cron
1313 @@ -50,7 +50,8 @@ while (defined($ThisLine = <STDIN>)) {
0 From: Willi Mann <willi@debian.org>
1 Date: Fri, 5 Nov 2021 13:44:49 +0100
2 Subject: clam-update: Fix encoding
3
4 ---
5 conf/logfiles/clam-update.conf | 2 +-
6 conf/services/clam-update.conf | 2 +-
7 2 files changed, 2 insertions(+), 2 deletions(-)
8
9 diff --git a/conf/logfiles/clam-update.conf b/conf/logfiles/clam-update.conf
10 index f0249e1..e331771 100644
11 --- a/conf/logfiles/clam-update.conf
12 +++ b/conf/logfiles/clam-update.conf
13 @@ -7,7 +7,7 @@
14 # Version: 1.0.1
15 # Minor documentation update
16 #
17 -# Written by: Lars Skjærlund <lars@skjaerlund.dk>
18 +# Written by: Lars Skjærlund <lars@skjaerlund.dk>
19 #########################################################################
20
21 #########################################################################
22 diff --git a/conf/services/clam-update.conf b/conf/services/clam-update.conf
23 index cf4d301..2ebaba8 100644
24 --- a/conf/services/clam-update.conf
25 +++ b/conf/services/clam-update.conf
26 @@ -7,7 +7,7 @@
27 # Version: 1.0.1
28 # Minor documentation update
29 #
30 -# Written by: Lars Skjærlund <lars@skjaerlund.dk>
31 +# Written by: Lars Skjærlund <lars@skjaerlund.dk>
32 #########################################################################
33
34 #########################################################################
11 0002-logfiles-vsftpd.conf-Use-custom-pattern-for-applystd.patch
22 0003-Ignore-ecryptfs-automounting-messages-in-cron.patch
33 0004-scripts-mdadm-Fix-parsing-of-mdadm.conf-handle-ignor.patch
4 0005-clam-update-Fix-encoding.patch
128128 .IP "\fB--encode\fR encoding"
129129 Encode report using
130130 .I encoding
131 - none [default], base64.
131 - none [default], base64, 7bit, 8bit [same as 'none'].
132132 .IP "\fB--numeric\fR"
133133 Inhibits additional name lookups, displaying IP addresses numerically.
134134 .IP "\fB--usage\fR"
00 Summary: Analyzes and Reports on system logs
11 Name: logwatch
2 Version: 7.5.5
2 Version: 7.5.6
33 Release: 1
44 License: MIT
55 Group: Applications/System
111111
112112
113113 %changelog
114 * Fri Jul 23 2021 Bjorn <bjorn1@users.sourceforge.net> 7.5.6-1
115
116 * Sat Jan 23 2021 Jason Pyeron <jpyeron@users.sourceforge.net> 7.5.5-1
117
114118 * Wed Jul 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.4-1
115119
116120 * Wed Jan 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.3-1
99
1010 ########################################################
1111 # Specify version and build-date:
12 my $Version = '7.5.5';
13 my $VDate = '01/22/21';
12 my $Version = '7.5.6';
13 my $VDate = '07/23/21';
1414
1515 #######################################################
1616 # Logwatch was originally written by:
11341134 print "--service <name>: *Name of a service definition to report on.\n";
11351135 print "--output <output type>: Report Output - stdout [default], mail, file.\n"; #8.0
11361136 print "--format <formatting>: Report Format - text [default], html.\n"; #8.0
1137 print "--encode <encoding>: Encoding to use - none [default], base64.\n"; #8.0
1137 print "--encode <encoding>: Encoding to use - none [default], base64, 7bit, 8bit [same as 'none'].\n"; #8.0
11381138 print "--mailto <addr>: Mail report to <addr>.\n";
11391139 print "--archives: Use archived log files too.\n";
11401140 print "--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].\n";
12001200 #Config{encode} switch
12011201 if ( $Config{'encode'} eq "base64" ) {
12021202 $out_mime .= "Content-transfer-encoding: base64\n";
1203 } elsif ( $Config{'encode'} eq "7bit" ) {
1204 $out_mime .= "Content-Transfer-Encoding: 7bit\n";
12031205 } else {
12041206 $out_mime .= "Content-Transfer-Encoding: 8bit\n";
12051207 }
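Review bot: The new `7bit` branch is fine, but the trailing `else` still turns any unrecognised `--encode` value (a typo such as `bas64`) into an `8bit` header without comment, unless the value is validated where the options are parsed, which this hunk does not show. Making the accepted set explicit here, `} elsif ( $Config{'encode'} eq "8bit" or $Config{'encode'} eq "none" ) {` for the 8bit header followed by a final `else { die "Unknown encoding: $Config{'encode'}\n"; }` (or whatever error path the rest of logwatch.pl uses), keeps the MIME header honest. The base64 branch two lines up spells the header `Content-transfer-encoding` while the new lines use `Content-Transfer-Encoding`; header names are case-insensitive, but matching the spelling is cheaper than explaining the difference. Nothing here checks that the report body really is ASCII when `7bit` is requested; the conf comment puts that on the user, which is worth restating in a comment above the branch, e.g. `# 7bit is only valid when the whole report is ASCII; the caller is trusted on that.`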
24192419 # LMTP/SMTP connection
24202420 # NOTE: no longer used. size data now being obtained from Passed/Block line, as size info may not be available here
24212421 #elsif (my ($size) = ($p1 =~ /^[LS]MTP:(?:\[$re_IP\])?:\d+ [^:]+: [<(](?:.*?)[>)] -> \S+ (?:SIZE=(\d+))?.*?Received: / )) {
2422 elsif ($p1 =~ /^[LS]MTP:/) {
2422 elsif ($p1 =~ /^[LS]MTP ?:/) {
24232423 #TD LMTP::10024 /var/spool/amavis/tmp/amavis-20070119T144757-09086: <from@example.com> -> <to@sample.net> SIZE=1000 Received: from mail.sample.net ([127.0.0.1]) by localhost (mail.sample.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <to@sample.net>; Fri, 19 Jan 2007 15:41:45 -0800 (PST)
24242424 #TD SMTP:[127.0.0.1]:10024 /var/spool/amavis/tmp/amavis-20070119T144757-09086: <from@example.com> -> <to@sample.net>,<recip@sample.net> SIZE=2500000 Received: from mail.sample.net ([127.0.0.1]) by localhost (mail.sample.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <to@sample.net>; Fri, 19 Jan 2007 15:41:45 -0800 (PST)
24252425 #TD SMTP::10024 /var/lib/amavis/tmp/amavis-27-26927: <from@example.com> -> <to@example.net> Received: from localhost ([127.0.0.1]) by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024) with SMTP for <to@example.net>; Sat, 7 Jun 2008 23:09:34 +0200 (CEST)
6262 if ($ThisLine =~ s/^CMD \((.+)\)\s*$/$1/) {
6363 $Runs->{$User}->{$ThisLine}++;
6464 $ExecutedCommand{$PID} = {command=>$ThisLine, user=>$User};
65 } elsif ($ThisLine =~ /^CMDEND/) {
66 # Ignore - already counted above
67 next;
6568 } elsif ($ThisLine =~ s/^CMD FINISH \((.+)\)\s*$/$1/) {
6669 $Runs->{$User}->{$ThisLine}++;
6770 } elsif ($ThisLine =~ s/^(END|CMD START) \((.+)\)\s*$/$1/) {
8080 ($line =~ /^pool [0-9a-f]+ /) or
8181 ($line =~ /^[^ ]* file: /) or
8282 ($line =~ /^reuse_lease: lease age \d+ \(secs\) under \d+\% threshold, reply with unaltered, existing lease for/) or
83 ($line =~ /GSSAPI Authentication for LDAP will not be used/) or
8384 0 # noop, but makes diffs easier when appending ignore statements
8485 ) {
8586 # Ignore these lines
5454 next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen";
5555 next if $ExpandedString eq "N/A";
5656
57 # Remove some items that prevent de-duplication
58 $ExpandedString =~ s/(NextScheduled\S+|PID) \d+/$1 XXX/;
59 $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,;
57 # Modify some items that prevent de-duplication
58 if ($Detail < 10) {
59 $ExpandedString =~ s/(NextScheduled\S+|PID) \d+/$1 XXX/;
60 $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,;
61 }
6062
6163 #print STDERR "ExpandedString = $ExpandedString\n";
6264 if ($Application =~ /Userenv/) {
0
1 ########################################################
2 # Please file all bug reports, patches, and feature
3 # requests under:
4 # https://sourceforge.net/p/logwatch/_list/tickets
5 # Help requests and discusion can be filed under:
6 # https://sourceforge.net/p/logwatch/discussion/
7 ########################################################
8
9 ########################################################
10 ## Copyright (c) 2020 Orion Poplawski
11 ## Covered under the included MIT/X-Consortium License:
12 ## http://www.opensource.org/licenses/mit-license.php
13 ## All modifications and contributions by other persons to
14 ## this script are assumed to have been donated to the
15 ## Logwatch project and thus assume the above copyright
16 ## and licensing terms. If you want to make contributions
17 ## under your own copyright or a different license this
18 ## must be explicitly stated in the contribution an the
19 ## Logwatch project reserves the right to not accept such
20 ## contributions. If you have made significant
21 ## contributions to this script and want to claim
22 ## copyright please contact logwatch-devel@lists.sourceforge.net.
23 #########################################################
24
25 use strict;
26 use warnings;
27 use URI::URL;
28
29 my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
30 my $Ignore_messages = $ENV{'ignore_messages'} || '^$';
31 my $Ignore_profile_program = $ENV{'ignore_profile_program'} || '^$';
32 my @PowerShell_Summarize_Users = split(',',$ENV{'powershell_summarize_users'});
33 my $Laptops = $ENV{'laptops'} || '^$';
34 my %Applications;
35
36 while (defined(my $ThisLine = <STDIN>)) {
37 # User specified ignore messages, lower cased
38 next if $ThisLine =~ /$Ignore_messages/i;
39
40 my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra);
41 #Determine format
42 if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4
43 #Parse
44 ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
45 ($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
46 } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3
47 #Parse
48 ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
49 ($ThisLine =~ /MSWinEventLog\t(\d+)\t([^\t]+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/);
50 }
51 if (!defined($Hostname)) {
52 print STDERR "Cannot parse $ThisLine";
53 next;
54 }
55 next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen";
56 next if $ExpandedString eq "N/A";
57
58 next if $SourceName =~ /^Microsoft-Windows-Store/;
59 next if $SourceName eq "Microsoft-Windows-SettingSync/Debug";
60 next if $Application =~ /^Microsoft-Windows-SettingsSync/;
61 next if $Application eq "Windows-ApplicationModel-Store-SDK";
62 next if $Application eq "Microsoft-Windows-Store";
63 next if $Application eq "Microsoft-Windows-WMI-Activity";
64
65 if ($Application eq "Microsoft-Windows-GroupPolicy") {
66 next if $ExpandedString =~ /Completed Security Extension Processing in \d+ milliseconds\./;
67 next if $ExpandedString =~ /roup Policy failed to discover the Domain Controller details in \d+ milliseconds\./;
68 next if $ExpandedString =~ /Skipped .* Extension based on Group Policy client-side processing rules\./;
69 } elsif ($Application eq "Microsoft-Windows-Security-LessPrivilegedAppContainer") {
70 next if $ExpandedString =~ /^Access to the a resource has been denied for a less privileged app container/;
71 } elsif ($Application eq "Microsoft-Windows-SMBClient") {
72 next if $ExpandedString =~ /^A network connection was disconnected/;
73 next if $ExpandedString =~ /^Failed to establish a network connection/;
74 next if $ExpandedString =~ /^The client lost its session to the server/;
75 next if $ExpandedString =~ /^The connection to the share was lost/;
76 next if $ExpandedString =~ /^The The server name cannot be resolved/;
77 } elsif ($Application eq "Microsoft-Windows-SMBServer") {
78 if (my ($ClientName, $UserName, $ShareName) = ($ExpandedString =~ /The share denied access to the client.*Client Name: (.*) Client Address: .* User Name: (.*) Session ID: .* Share Name: (.*) Share Path:/)) {
79 $ExpandedString = "Access denied to share $ShareName by $UserName from $ClientName";
80 }
81 }
82
83 # Modify some items that prevent de-duplication
84 if ($Detail < 10) {
85 $ExpandedString =~ s/(Task-S-)[0-9-]+/$1XXX/g;
86 $ExpandedString =~ s/(guid:|GUID:|Guid:|Guid is|KEY:|known folder|interface|PRINTENUM\\)( ?\{)[0-9A-Fa-f-]+\}/$1${2}XXX}/g;
87 $ExpandedString =~ s/(ClientProcessId =|ElapsedTime\(ms\):|NextScheduled\S+|Process ID:?|PID|Transaction [^:]*Time \(msec\):|Try) \d+/$1 XXX/g;
88 $ExpandedString =~ s/[\d.]+ (milli|)seconds/XXX $1seconds/g;
89 $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,g;
90 $ExpandedString =~ s,\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z?,TIMESTAMP,g;
91 $ExpandedString =~ s/(Hash|Message ID|Session ID):( ?0x)[0-9A-F]{2,16}/$1:${2}XXXX/g;
92 $ExpandedString =~ s/\d+ms/Xms/g;
93 $ExpandedString =~ s/nstance "\{[^}]+\}"/nstance XXXX/g;
94 $ExpandedString =~ s/(adalCorrelationId|client|ID \(request\)): [0-9a-f-]+/$1: XXXX/g;
95 $ExpandedString =~ s/ddress: ([^:]+):\d+/ddress: $1:XXXXX/g;
96 }
97
98 #print STDERR "Application = $Application ExpandedString = $ExpandedString\n";
99 #2021-02-07T23:49:45.083111-08:00 contracting01.ad.nwra.com MSWinEventLog 2 Microsoft-Windows-PowerShell/Operational 97386 Sun Feb 07 23:49:44 2021 4104 Microsoft-Windows-PowerShell appstats User Warning contracting01.ad.nwra.com Execute a Remote Command Creating Scriptblock text (1 of 2): # Copyright © 2017 Chocolatey Software, Inc. # Copyright © 2015 - 2017 RealDimensions Software, LLC # Copyright © 2011 - 2015 RealDimensions Software, LLC & original
100 #($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) =
101
102
103 #my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application");
104 #my $urlstr = $url->abs;
105 #$Applications{$Application}->{"$Hostname: $ExpandedString\n$url"}++;
106
107 if ($Application eq "Microsoft-Windows-PowerShell") {
108 # Only capture block 1
109 next if $ExpandedString =~ /^Creating Scriptblock text/ && $ExpandedString !~ /^Creating Scriptblock text \(1 /;
110 if (grep(/^$UserName$/i,@PowerShell_Summarize_Users)) {
111 $Applications{$SourceName}->{$Application}->{"$Hostname: $UserName $CategoryString"}++;
112 } else {
113 $Applications{$SourceName}->{$Application}->{"$Hostname: $UserName $CategoryString " . substr($ExpandedString, 0, 120)}++;
114 }
115 } else {
116 $Applications{$SourceName}->{$Application}->{"$Hostname: $ExpandedString"}++;
117 }
118 }
119
120 if (keys %Applications) {
121 foreach my $SourceName (sort(keys %Applications)) {
122 print "\n$SourceName\n";
123 foreach my $Application (sort(keys %{$Applications{$SourceName}})) {
124 print "\n $Application\n";
125 foreach my $Error (sort(keys %{$Applications{$SourceName}->{$Application}})) {
126 print " $Error : $Applications{$SourceName}->{$Application}->{$Error} Times\n";
127 }
128 }
129 }
130 }
131
132 exit(0);
133
134 # vi: shiftwidth=3 tabstop=3 syntax=perl et
135 # Local Variables:
136 # mode: perl
137 # perl-indent-level: 3
138 # indent-tabs-mode: nil
139 # End:
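Review bot: In the PowerShell branch `$UserName`, which is taken straight from the log line, is interpolated unescaped into the pattern in `grep(/^$UserName$/i, @PowerShell_Summarize_Users)`; an account of the form `DOMAIN\user` injects a backslash escape into the regex, which can match the wrong entry or abort the whole report with a regex error, so a log line decides whether the report is produced. A plain case-insensitive comparison avoids that: `if (grep { lc($_) eq lc($UserName) } @PowerShell_Summarize_Users) {`. Near the top, `split(',', $ENV{'powershell_summarize_users'})` warns under `use warnings` whenever that variable is unset, so default it with `split(',', $ENV{'powershell_summarize_users'} || '')`. `use URI::URL;` is referenced only from the commented-out `$url` lines and pulls in a non-core dependency for nothing; drop it together with the dead code, or keep only the code that is live.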
6969 print STDERR "Cannot parse $ThisLine";
7070 next;
7171 }
72
73 # Modify some items that prevent de-duplication
74 if ($Detail < 10) {
75 $ExpandedString =~ s/Logon ID:\s+0x[0-9A-F]+/Logon ID: 0xXXX/;
76 $ExpandedString =~ s/(Key Name:)\s+\{[0-9A-F\-]+\}/$1 {XXX}/g;
77 }
78
7279 my $url = URI::URL->new("https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=$EventID");
7380 if ($EventID == 4673
7481 or $EventID == 4674) {
5858 next if ($EventLogType eq "Verbose");
5959 next if ($EventLogType eq "Information" and $Detail < 10);
6060
61 # Remove some items that prevent de-duplication
61 # Modify some items that prevent de-duplication
6262 if ($Detail < 10) {
6363 $ExpandedString =~ s/\d+ time\(s\)/XX times(s)/;
6464 $ExpandedString =~ s/requested by PID\s+\S+\s+//;
131131
132132
133133 if (keys %ServicesBans) {
134 printf("\nBanned services with Fail2Ban: Bans:Unbans\n");
134 printf("\nBanned services with Fail2Ban: Bans+ReBans:Unbans\n");
135135 foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
136136 printf(" %-55s [%3d:%-3d]\n", "$service:",
137 $ServicesBans{$service}{'(all)'}{'Ban'},
137 $ServicesBans{$service}{'(all)'}{'Ban'} +
138 $ServicesBans{$service}{'(all)'}{'ReBan'},
138139 $ServicesBans{$service}{'(all)'}{'Unban'});
139140 delete $ServicesBans{$service}{'(all)'};
140141 my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
205206
206207 if (keys(%NoticeList) && $Detail>7) {
207208 print "\nNotices:\n";
208 foreach my $line (sort {$a cmp $b} keys %OtherList) {
209 print " $line: $OtherList{$line} Time(s)\n";
209 foreach my $line (sort {$a cmp $b} keys %NoticeList) {
210 print " $line: $NoticeList{$line} Time(s)\n";
210211 }
211212 }
212213
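Review bot: The new sum `$ServicesBans{$service}{'(all)'}{'Ban'} + $ServicesBans{$service}{'(all)'}{'ReBan'}` emits an uninitialized-value warning for every service that was banned but never re-banned, unless `ReBan` is seeded for every service elsewhere in the file, which this hunk does not show. Defaulting the operand, `($ServicesBans{$service}{'(all)'}{'ReBan'} || 0),`, keeps the printf quiet and the `%3d` column meaningful. The `%OtherList` → `%NoticeList` correction in the second hunk looks right. The `if (keys %ServicesBans) {` block opened in the first hunk closes outside it.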
6262 next if (($Message =~ /^Controller event log: Time established as/) and ($Detail < 10));
6363 next if (($Message =~ /^Controller event log: Unexpected sense: Encl PD .* CDB: 12 00 00 00 (:?04|20) 00, Sense: 5\/24\/00/) and ($IgnoreNonCertifiedDrives));
6464 next if (($Message =~ /^Controller event log: Unexpected sense: PD .* CDB: 12 01 dc 01 1d 00, Sense: (4\/cf|5\/24)\/00/) and ($IgnoreNonCertifiedDrives));
65 next if (($Message =~ /^Unexpected sense. SCSI sense data: Sense key: 5 Sense code: 24 Sense qualifier: 0:/) and ($IgnoreNonCertifiedDrives));
65 next if (($Message =~ /SCSI sense data:? \(?Sense key: 5 Sense code: 24 Sense qualifier: 0/) and ($IgnoreNonCertifiedDrives));
6666 next if (($Message =~ /^Disk found is not supplied by an authorized hardware provider/) and ($IgnoreNonCertifiedDrives));
6767 next if (($Message =~ /^The battery charge cycle is complete\./) and ($Detail < 5));
6868 next if (($Message =~ /^The controller battery Learn cycle will start in (?:\d+) days\./) and ($Detail < 5));
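Review bot: The rewritten sense pattern ends in `Sense qualifier: 0` with no terminator, so with `IgnoreNonCertifiedDrives` set it now also suppresses lines whose qualifier is `01` through `0f` (the old pattern required `0:`), and dropping the `^Unexpected sense` anchor lets the fragment match anywhere in the message. Adding a boundary, `Sense qualifier: 0\b/`, limits the ignore to the 5/24/00 case the option is meant to cover, assuming the qualifier is followed by punctuation or end-of-line in the formats that motivated the change. The context line two above uses `(:?04|20)`, a pre-existing `(?:` typo that captures an optional colon instead of being non-capturing; worth fixing in passing as `(?:04|20)`.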
4949 $service =~ s/^... .. ..:..:.. .+ pam_unix\((.+):.+\): .*$/$1/;
5050 # fedora with pam_sss
5151 } elsif ( $line =~ s/^... .. ..:..:.. .+ pam_sss\(.+:.+\): // ) {
52 if ($line =~ /received for user/) {
53 # ignore this line - paired with authentication failure
54 next;
55 }
5256 $service =~ s/^... .. ..:..:.. .+ pam_sss\((.+):.+\): .*$/$1/;
5357 # for debian sarge - "normal" lines
5458 } elsif ($line =~ s/^... .. ..:..:.. .+ [^ :]+: \(pam_unix\) //) {
7377 $data{"all"}{'Password Expiring'}{"$1 in $2 days"}++;
7478 next;
7579 }
76 #lowercase the service
80 # lowercase the service
7781 $service = lc($service);
82
83 # Generic messages
84 if (my ($user) = ($line =~ /^Access denied for user ([^:]+):/)) {
85 $data{$service}{'Access denied'}{$user}++;
86 next;
87 } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) {
88 ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++;
89 next;
90 }
91
92 # Service specific messages
7893 if ( grep $_ eq $service, qw/ssh sshd login ftp vsftpd proftpd rsh remote rlogin rexec systemd-user/) {
7994 if ($line =~ s/^session opened for user (.+) by \(uid=\d+\)/$1/) {
8095 ($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++;
105120 $data{$service}{'Expired Accounts'}{$line}++;
106121 } elsif ($line =~ s/bad username \[(.*)\]/$1/) {
107122 $data{$service}{'Invalid Users'}{"Bad User: $line"}++;
108 } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) {
109 ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++;
110123 } else {
111124 $data{$service}{'Unknown Entries'}{$line}++;
112125 }
140153 if ($line =~ s/^password changed for (.+)/$1/) {
141154 ($Detail >= 5) && $data{$service}{'Password changed'}{$line}++;
142155 }
143 } elsif (grep $_ eq $service, qw/gdm gdm-password gdm-welcome gdm-launch-environment kdm kcheckpass xdm imap dovecot cups/) {
156 } elsif (grep $_ eq $service, qw/gdm gdm-password gdm-smartcard gdm-welcome gdm-launch-environment kdm kcheckpass xdm imap dovecot cups/) {
144157 if ($line =~ s/^session opened for user (.+) by (?:\(unknown\)|\w+)?\(uid=\d+\)/$1/) {
145158 ($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++;
146159 } elsif ($line =~ s/^authentication failure;.* user=(.+)$/$1/) {
151164 $data{$service}{'Invalid Users'}{'Unknown Account'}++;
152165 } elsif ($line =~ /session closed for user/) {
153166 # ignore this line
154 } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) {
155 ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++;
156 } elsif ($line =~ /received for user.*Permission denied/) {
157 # ignore this line - paired with authentication failure
158167 } else {
159168 $data{$service}{'Unknown Entries'}{$line}++;
160169 }
690690 }
691691
692692 if (keys %KrbAutFail) {
693 print "\n\Failed pam_krb5 authentication:\n";
693 print "\n Failed pam_krb5 authentication:\n";
694694 foreach my $User (sort keys %KrbAutFail) {
695695 print " $User: " . timesplural($KrbAutFail{$User});
696696 }
697697 }
698698
699699 if (keys %KrbAutErr) {
700 print "\n\pam_krb5 authentication errors:\n";
700 print "\n pam_krb5 authentication errors:\n";
701701 foreach my $Error (sort keys %KrbAutErr) {
702702 print " $Error: " . timesplural($KrbAutErr{$Error});
703703 }
7373 # Ignore
7474 } elsif ($ThisLine =~ /(.+): conversation failed/) {
7575 $ConFailed{$1}++;
76 } elsif ( ($user, $error, $tty, $dir, $euser, $egroup, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ;(?: GROUP=(\S+) ;)? COMMAND=(\S+)( ?.*)/) {
76 } elsif ( ($user, $error, $tty, $dir, $euser, $egroup, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : ([^=]+; )?(?:TTY=(\S+) ; )?PWD=(.*?) ; USER=(\S+) ;(?: GROUP=(\S+) ;)? COMMAND=(\S+)( ?.*)/) {
7777 next if (defined($IgnoreCmds{$user}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{$euser}}));
7878 next if (defined($IgnoreCmds{'any'}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{'any'}{$euser}}));
7979 next if (defined($IgnoreCmds{$user}{'any'}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{'any'}}));
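Review bot: Making `TTY=` optional means `$tty` is now undef for lines that lack it, so any later use of `$tty` (outside this hunk) will emit uninitialized-value warnings or print an empty field unless it is defaulted, e.g. `$tty = '-' unless defined $tty;` right after the match. The error capture was also narrowed from `(.*; )?` to `([^=]+; )?`; that is what lets `PWD=` be located when `TTY=` is missing, but it also stops matching any error text that happens to contain an `=`, which deserves a comment if intended. The surrounding while-loop and the declarations of `$user`, `$euser` and friends lie outside the hunk.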
4444 my %OtherList;
4545
4646 # Failure will generate multiple messages like:
47 # EL7:
4748 # Feb 5 16:37:50 hostname systemd: ansible-pull.service: main process exited, code=exited, status=2/INVALIDARGUMENT
4849 # Feb 5 16:37:50 hostname systemd: Failed to start Run ansible-pull on boot.
4950 # Feb 5 16:37:50 hostname systemd: Unit ansible-pull.service entered failed state.
5051 # Feb 5 16:37:50 hostname systemd: ansible-pull.service failed.
52 # EL8:
53 # Feb 5 16:37:50 hostname systemd[1]: ansible-pull.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
54 # Feb 5 16:37:50 hostname systemd[1]: ansible-pull.service: Failed with result 'exit-code'.
5155
5256 while (defined(my $ThisLine = <STDIN>)) {
5357 chomp($ThisLine);
5458 if ($ThisLine =~ /^(Activat|Deactivat|Mount|Unmount|Reload|Start|Stopp)ing / or
5559 $ThisLine =~ /^Finished / or
56 # These events will be caught with the Unit X entered failed state message
60 # These events will be caught with the Failed with or failed message
5761 $ThisLine =~ /^Failed to start / or
58 $ThisLine =~ /: Failed with result / or
5962 $ThisLine =~ /Failed at step / or
60 $ThisLine =~ / failed\.$/ or
6163 $ThisLine =~ /([Cc]ontrol|[Mm]ain|[Mm]ount) process exited, code=(exited|killed|dumped),? status=/ or
64 $ThisLine =~ /^Timed out starting/ or
65 $ThisLine =~ /^Unit.* entered failed state\.$/ or
6266 # Informational
6367 $ThisLine =~ /^Closed .*[\. ][Ss]ockets?\.$/ or
6468 $ThisLine =~ /^Closed .* [Ss]cheduler\.$/ or
6569 $ThisLine =~ /^Closed .* [Ww]atch\.$/ or
6670 $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or
71 $ThisLine =~ /^Closed PipeWire/ or
72 $ThisLine =~ /^Closed REST API socket for / or
6773 $ThisLine =~ /^Closed udev / or
6874 $ThisLine =~ /: Consumed .* CPU time\.$/ or
6975 # crond will never restart process when it is restarted
7076 $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or
7177 $ThisLine =~ /^Received SIGINT\./ or
72 $ThisLine =~ /^Deactivated / or
7378 $ThisLine =~ /^Detected (architecture|virtualization) / or
79 # Spurious warning - should be fixed in later systemd (EL8.4)
80 $ThisLine =~ /^Failed to connect to API bus: Connection refused/ or
81 # Extransous scope messages with LanSweeper - revisit with EL8.4
82 $ThisLine =~ /: Failed to add PIDs to scope's control group: No such process/ or
83 $ThisLine =~ /scope: Failed with result 'resources'/ or
7484 $ThisLine =~ /^Found device / or
85 $ThisLine =~ /Found dependency on / or
7586 $ThisLine =~ /Got automount request for \/proc\// or
87 $ThisLine =~ /^Hostname set to / or
7688 $ThisLine =~ /^Inserted module / or
7789 $ThisLine =~ /^Listening on / or
7890 $ThisLine =~ /^Mounted / or
7991 $ThisLine =~ /^Queued start job for default target / or
92 $ThisLine =~ /^Queuing reload/ or
8093 $ThisLine =~ /^Relabelled / or
8194 $ThisLine =~ /^Reloading\.$/ or # Happens on each boot at switch root
8295 $ThisLine =~ /^RTC configured in / or
156169 $ConfigError{$reason}{$service}++;
157170 } elsif (my ($service,$reason) = ($ThisLine =~ /^\[?([^\]:]+(?::\d+)?)[\]:]? (Unknown .* in section '.*')/)) {
158171 $ConfigError{$reason}{$service}++;
159 } elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) {
160 $Failed{$service}++;
161 } elsif (my ($service) = ($ThisLine =~ /^(.*): Failed to execute command/)) {
162 $Failed{$service}++;
163 } elsif (my ($service) = ($ThisLine =~ /^(.*): Unit entered failed state\.$/)) {
172 } elsif (my ($service) = ($ThisLine =~ /(\S+): Failed (:?to execute command|with result)/)) {
173 $Failed{$service}++;
174 } elsif (my ($service) = ($ThisLine =~ /(\S+) failed\.$/)) {
164175 $Failed{$service}++;
165176 } elsif (my ($service) = ($ThisLine =~ /^(.*) failed with error code \d+\.$/)) {
166177 $Failed{$service}++;
177188 } elsif (my ($target) = ($ThisLine =~ /^Reached target (.*)\.$/)) {
178189 $Target{$target}++;
179190 $LastTarget = $target;
180 } elsif (my ($session, $user) = ($ThisLine =~ /^Started Session (\d+) of user (.*)\.$/)) {
191 } elsif (my ($session, $user) = ($ThisLine =~ /^Started Session ([[:xdigit:]]+) of user (.*)\.$/)) {
181192 $UserSession{$user}->{$session}++;
182193 } elsif (my ($service) = ($ThisLine =~ /^Activated (.*)\.$/)) {
183194 $Activated{$service}++;
186197 } elsif (my ($service) = ($ThisLine =~ /^Reloaded (.*)\.$/)) {
187198 $Reloaded{$service}++;
188199 } elsif (my ($service) = ($ThisLine =~ /^Deactivated (.*)\.$/)) {
200 $Deactivated{$service}++;
201 } elsif (my ($service) = ($ThisLine =~ /(.*): Deactivated /)) {
189202 $Deactivated{$service}++;
190203 } elsif ($ThisLine eq "Reexecuting.") {
191204 $Reexecuted++ if $Detail;
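Review bot: In the new branch `(\S+): Failed (:?to execute command|with result)` the group is written `(:?` rather than `(?:`, so it captures an optional colon instead of being non-capturing; `my ($service)` only takes the first capture, so the result is still right today, but the stray capture is a trap for the next edit — write `(?:to execute command|with result)`. The new comment `# Extransous scope messages with LanSweeper` should read `Extraneous`. The ignore list now swallows `Failed to connect to API bus: Connection refused` and `scope: Failed with result 'resources'` unconditionally while the comments call both spurious only pending EL8.4; a note on those lines saying what to re-check once that version is the baseline would keep genuine failures from being hidden indefinitely. The enclosing while-loop and if/elsif chain run outside all four hunks.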
327340 }
328341 print "\n";
329342 } else {
330 print scalar(keys %{$UserSession{$user}}) . ": Time(s)\n";
343 print scalar(keys %{$UserSession{$user}}) . ": Time(s)";
331344 }
332345 print "\n";
333346 }
5656
5757 sub DirUsage {
5858 my $Dir = $_[0];
59 if ( !-d $Dir ) {
60 print "Directory $Dir not found\n";
61 return
62 };
5963 if ($OSname eq "Linux") {
6064 system("du -s --block-size=1048576 -h $Dir | sort -n -r -k 1");
6165 } elsif ($OSname eq "Darwin") {
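Review bot: The new `-d` guard protects the `du` call from a missing directory but not from the directory name itself, which the unchanged next line still interpolates into a shell string, `system("du -s --block-size=1048576 -h $Dir | sort -n -r -k 1")`; a path with a space or shell metacharacter splits or breaks that command, and `$Dir` is whatever the caller passed in `$_[0]`. Since the pipeline to `sort` keeps this a shell command, the minimal fix is to quote the interpolation, `system("du -s --block-size=1048576 -h \Q$Dir\E | sort -n -r -k 1");` (and likewise on the Darwin branch outside the hunk), with list-form `system` plus an in-Perl sort as the cleaner rewrite. The guard also ends with `};` and a bare `return` without a semicolon; `return;` inside the block and a plain `}` read better. DirUsage's body continues past the hunk.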
5151 exit 0;
5252 }
5353
54 my $pathto_zpool = $ENV{'pathto_zpool'} || 'zpool';
55 my $pathto_zfs = $ENV{'pathto_zfs'} || 'zfs';
54 my $pathto_zpool = $ENV{'pathto_zpool'} || '/sbin/zpool';
55 my $pathto_zfs = $ENV{'pathto_zfs'} || '/sbin/zfs';
5656 my $summary_only = $ENV{'summary_only'} || ($detail < 5);
5757 my $detail_only = $ENV{'detail_only'} || 0;
5858