Import upstream version 7.5.6
Willi Mann authored 2 years ago
Debian Janitor committed 2 years ago
24 | 24 | # You can override the default temp directory (/tmp) here |
25 | 25 | TmpDir = /var/cache/logwatch |
26 | 26 | |
27 | #Output/Format Options | |
28 | #By default Logwatch will print to stdout in text with no encoding. | |
29 | #To make email Default set Output = mail to save to file set Output = file | |
27 | # Output/Format Options | |
28 | # By default Logwatch will print to stdout in text with no encoding. | |
29 | # To make email Default set Output = mail to save to file set Output = file | |
30 | 30 | Output = stdout |
31 | #To make Html the default formatting Format = html | |
31 | # To make Html the default formatting Format = html | |
32 | 32 | Format = text |
33 | #To make Base64 [aka uuencode] Encode = base64 | |
33 | # To make Base64 [aka uuencode] Encode = base64 | |
34 | # Encode = none is the same as Encode = 8bit. | |
35 | # You can also specify 'Encode = 7bit', but only if all text is ASCII only. | |
34 | 36 | Encode = none |
35 | 37 | |
36 | 38 | # Input Encoding |
71 | 71 | # Includes: postfix/smtpd, etc, postfix/policy-spf |
72 | 72 | #*OnlyService = "postfix/[-\w]*" |
73 | 73 | #$postfix_Syslog_Name = "postfix" |
74 | # Includes: postfix/smtpd, etc, postfix/policy-spf, postgrey, postfwd, policyd-spf | |
75 | *OnlyService = "(?:post(?:fix|grey|fwd)|policyd-spf)(?:/[-\w]*)?" | |
74 | # Includes: postfix/smtpd, etc, postfix/policy-spf, postgrey, postfwd, | |
75 | # policyd-spf, as well as multiple service names, like postfix/relay/smtp | |
76 | *OnlyService = "(?:post(?:fix|grey|fwd)|policyd-spf)(?:[-/\w]*)?" | |
76 | 77 | $postfix_Syslog_Name = "(?:post(?:fix|grey|fwd)|policyd-spf)" |
77 | 78 | |
78 | 79 | # Ignored postfix services |
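Review bot: The trailing `?` in `(?:[-/\w]*)?` on the new `*OnlyService` line is redundant, since `*` already admits the empty string, and dropping the leading `/` means the pattern now also matches names such as `postfixfoo`, not only `postfix` and `postfix/...`. If the aim is just nested names like `postfix/relay/smtp`, `(?:/[-/\w]*)?` keeps the separator requirement; if multi-instance names like `postfix-<instance>/smtpd` are intended, a comment saying so would help, e.g. `# also matches multi-instance names such as postfix-<instance>/...`.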
128 | 128 | .IP "\fB--encode\fR encoding" |
129 | 129 | Encode report using |
130 | 130 | .I encoding |
131 | - none [default], base64. | |
131 | - none [default], base64, 7bit, 8bit [same as 'none']. | |
132 | 132 | .IP "\fB--numeric\fR" |
133 | 133 | Inhibits additional name lookups, displaying IP addresses numerically. |
134 | 134 | .IP "\fB--usage\fR" |
0 | 0 | Summary: Analyzes and Reports on system logs |
1 | 1 | Name: logwatch |
2 | Version: 7.5.5 | |
2 | Version: 7.5.6 | |
3 | 3 | Release: 1 |
4 | 4 | License: MIT |
5 | 5 | Group: Applications/System |
111 | 111 | |
112 | 112 | |
113 | 113 | %changelog |
114 | * Fri Jul 23 2021 Bjorn <bjorn1@users.sourceforge.net> 7.5.6-1 | |
115 | ||
116 | * Sat Jan 23 2021 Jason Pyeron <jpyeron@users.sourceforge.net> 7.5.5-1 | |
117 | ||
114 | 118 | * Wed Jul 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.4-1 |
115 | 119 | |
116 | 120 | * Wed Jan 22 2020 Bjorn <bjorn1@users.sourceforge.net> 7.5.3-1 |
9 | 9 | |
10 | 10 | ######################################################## |
11 | 11 | # Specify version and build-date: |
12 | my $Version = '7.5.5'; | |
13 | my $VDate = '01/22/21'; | |
12 | my $Version = '7.5.6'; | |
13 | my $VDate = '07/23/21'; | |
14 | 14 | |
15 | 15 | ####################################################### |
16 | 16 | # Logwatch was originally written by: |
1134 | 1134 | print "--service <name>: *Name of a service definition to report on.\n"; |
1135 | 1135 | print "--output <output type>: Report Output - stdout [default], mail, file.\n"; #8.0 |
1136 | 1136 | print "--format <formatting>: Report Format - text [default], html.\n"; #8.0 |
1137 | print "--encode <encoding>: Encoding to use - none [default], base64.\n"; #8.0 | |
1137 | print "--encode <encoding>: Encoding to use - none [default], base64, 7bit, 8bit [same as 'none'].\n"; #8.0 | |
1138 | 1138 | print "--mailto <addr>: Mail report to <addr>.\n"; |
1139 | 1139 | print "--archives: Use archived log files too.\n"; |
1140 | 1140 | print "--filename <filename>: Used to specify they filename to save to. --filename <filename> [Forces output to file].\n"; |
1200 | 1200 | #Config{encode} switch |
1201 | 1201 | if ( $Config{'encode'} eq "base64" ) { |
1202 | 1202 | $out_mime .= "Content-transfer-encoding: base64\n"; |
1203 | } elsif ( $Config{'encode'} eq "7bit" ) { | |
1204 | $out_mime .= "Content-Transfer-Encoding: 7bit\n"; | |
1203 | 1205 | } else { |
1204 | 1206 | $out_mime .= "Content-Transfer-Encoding: 8bit\n"; |
1205 | 1207 | } |
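Review bot: The new `7bit` branch emits `Content-Transfer-Encoding: 7bit` solely on the configured value; nothing checks that the report body is actually ASCII, which the configuration comment added in this commit requires. Consider verifying the body contains no octets above 0x7F before emitting that header and falling back to 8bit (with a warning) otherwise; the variable holding the body is outside the hunk. The new line also uses the canonical `Content-Transfer-Encoding` capitalisation while the base64 branch above still emits `Content-transfer-encoding`; header names are case-insensitive, but aligning them would be tidier.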
2419 | 2419 | # LMTP/SMTP connection |
2420 | 2420 | # NOTE: no longer used. size data now being obtained from Passed/Block line, as size info may not be available here |
2421 | 2421 | #elsif (my ($size) = ($p1 =~ /^[LS]MTP:(?:\[$re_IP\])?:\d+ [^:]+: [<(](?:.*?)[>)] -> \S+ (?:SIZE=(\d+))?.*?Received: / )) { |
2422 | elsif ($p1 =~ /^[LS]MTP:/) { | |
2422 | elsif ($p1 =~ /^[LS]MTP ?:/) { | |
2423 | 2423 | #TD LMTP::10024 /var/spool/amavis/tmp/amavis-20070119T144757-09086: <from@example.com> -> <to@sample.net> SIZE=1000 Received: from mail.sample.net ([127.0.0.1]) by localhost (mail.sample.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <to@sample.net>; Fri, 19 Jan 2007 15:41:45 -0800 (PST) |
2424 | 2424 | #TD SMTP:[127.0.0.1]:10024 /var/spool/amavis/tmp/amavis-20070119T144757-09086: <from@example.com> -> <to@sample.net>,<recip@sample.net> SIZE=2500000 Received: from mail.sample.net ([127.0.0.1]) by localhost (mail.sample.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP for <to@sample.net>; Fri, 19 Jan 2007 15:41:45 -0800 (PST) |
2425 | 2425 | #TD SMTP::10024 /var/lib/amavis/tmp/amavis-27-26927: <from@example.com> -> <to@example.net> Received: from localhost ([127.0.0.1]) by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024) with SMTP for <to@example.net>; Sat, 7 Jun 2008 23:09:34 +0200 (CEST) |
62 | 62 | if ($ThisLine =~ s/^CMD \((.+)\)\s*$/$1/) { |
63 | 63 | $Runs->{$User}->{$ThisLine}++; |
64 | 64 | $ExecutedCommand{$PID} = {command=>$ThisLine, user=>$User}; |
65 | } elsif ($ThisLine =~ /^CMDEND/) { | |
66 | # Ignore - already counted above | |
67 | next; | |
65 | 68 | } elsif ($ThisLine =~ s/^CMD FINISH \((.+)\)\s*$/$1/) { |
66 | 69 | $Runs->{$User}->{$ThisLine}++; |
67 | 70 | } elsif ($ThisLine =~ s/^(END|CMD START) \((.+)\)\s*$/$1/) { |
80 | 80 | ($line =~ /^pool [0-9a-f]+ /) or |
81 | 81 | ($line =~ /^[^ ]* file: /) or |
82 | 82 | ($line =~ /^reuse_lease: lease age \d+ \(secs\) under \d+\% threshold, reply with unaltered, existing lease for/) or |
83 | ($line =~ /GSSAPI Authentication for LDAP will not be used/) or | |
83 | 84 | 0 # noop, but makes diffs easier when appending ignore statements |
84 | 85 | ) { |
85 | 86 | # Ignore these lines |
54 | 54 | next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen"; |
55 | 55 | next if $ExpandedString eq "N/A"; |
56 | 56 | |
57 | # Remove some items that prevent de-duplication | |
58 | $ExpandedString =~ s/(NextScheduled\S+|PID) \d+/$1 XXX/; | |
59 | $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,; | |
57 | # Modify some items that prevent de-duplication | |
58 | if ($Detail < 10) { | |
59 | $ExpandedString =~ s/(NextScheduled\S+|PID) \d+/$1 XXX/; | |
60 | $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,; | |
61 | } | |
60 | 62 | |
61 | 63 | #print STDERR "ExpandedString = $ExpandedString\n"; |
62 | 64 | if ($Application =~ /Userenv/) { |
0 | ||
1 | ######################################################## | |
2 | # Please file all bug reports, patches, and feature | |
3 | # requests under: | |
4 | # https://sourceforge.net/p/logwatch/_list/tickets | |
5 | # Help requests and discusion can be filed under: | |
6 | # https://sourceforge.net/p/logwatch/discussion/ | |
7 | ######################################################## | |
8 | ||
9 | ######################################################## | |
10 | ## Copyright (c) 2020 Orion Poplawski | |
11 | ## Covered under the included MIT/X-Consortium License: | |
12 | ## http://www.opensource.org/licenses/mit-license.php | |
13 | ## All modifications and contributions by other persons to | |
14 | ## this script are assumed to have been donated to the | |
15 | ## Logwatch project and thus assume the above copyright | |
16 | ## and licensing terms. If you want to make contributions | |
17 | ## under your own copyright or a different license this | |
18 | ## must be explicitly stated in the contribution an the | |
19 | ## Logwatch project reserves the right to not accept such | |
20 | ## contributions. If you have made significant | |
21 | ## contributions to this script and want to claim | |
22 | ## copyright please contact logwatch-devel@lists.sourceforge.net. | |
23 | ######################################################### | |
24 | ||
25 | use strict; | |
26 | use warnings; | |
27 | use URI::URL; | |
28 | ||
29 | my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; | |
30 | my $Ignore_messages = $ENV{'ignore_messages'} || '^$'; | |
31 | my $Ignore_profile_program = $ENV{'ignore_profile_program'} || '^$'; | |
32 | my @PowerShell_Summarize_Users = split(',',$ENV{'powershell_summarize_users'}); | |
33 | my $Laptops = $ENV{'laptops'} || '^$'; | |
34 | my %Applications; | |
35 | ||
36 | while (defined(my $ThisLine = <STDIN>)) { | |
37 | # User specified ignore messages, lower cased | |
38 | next if $ThisLine =~ /$Ignore_messages/i; | |
39 | ||
40 | my ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra); | |
41 | #Determine format | |
42 | if ($ThisLine =~ /MSWinEventLog\[/) { # Snare 4 | |
43 | #Parse | |
44 | ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = | |
45 | ($ThisLine =~ /(\S+)\sMSWinEventLog\[(\d+)\]:(\w+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); | |
46 | } elsif ($ThisLine =~ /MSWinEventLog\t/) { # Snare 3 | |
47 | #Parse | |
48 | ($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = | |
49 | ($ThisLine =~ /MSWinEventLog\t(\d+)\t([^\t]+)\t\d+\t([^\t]+)\t(\d+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)\t?([^\t]*)/); | |
50 | } | |
51 | if (!defined($Hostname)) { | |
52 | print STDERR "Cannot parse $ThisLine"; | |
53 | next; | |
54 | } | |
55 | next if $EventLogType eq "Information" and $ExpandedString !~ "BlueScreen"; | |
56 | next if $ExpandedString eq "N/A"; | |
57 | ||
58 | next if $SourceName =~ /^Microsoft-Windows-Store/; | |
59 | next if $SourceName eq "Microsoft-Windows-SettingSync/Debug"; | |
60 | next if $Application =~ /^Microsoft-Windows-SettingsSync/; | |
61 | next if $Application eq "Windows-ApplicationModel-Store-SDK"; | |
62 | next if $Application eq "Microsoft-Windows-Store"; | |
63 | next if $Application eq "Microsoft-Windows-WMI-Activity"; | |
64 | ||
65 | if ($Application eq "Microsoft-Windows-GroupPolicy") { | |
66 | next if $ExpandedString =~ /Completed Security Extension Processing in \d+ milliseconds\./; | |
67 | next if $ExpandedString =~ /roup Policy failed to discover the Domain Controller details in \d+ milliseconds\./; | |
68 | next if $ExpandedString =~ /Skipped .* Extension based on Group Policy client-side processing rules\./; | |
69 | } elsif ($Application eq "Microsoft-Windows-Security-LessPrivilegedAppContainer") { | |
70 | next if $ExpandedString =~ /^Access to the a resource has been denied for a less privileged app container/; | |
71 | } elsif ($Application eq "Microsoft-Windows-SMBClient") { | |
72 | next if $ExpandedString =~ /^A network connection was disconnected/; | |
73 | next if $ExpandedString =~ /^Failed to establish a network connection/; | |
74 | next if $ExpandedString =~ /^The client lost its session to the server/; | |
75 | next if $ExpandedString =~ /^The connection to the share was lost/; | |
76 | next if $ExpandedString =~ /^The The server name cannot be resolved/; | |
77 | } elsif ($Application eq "Microsoft-Windows-SMBServer") { | |
78 | if (my ($ClientName, $UserName, $ShareName) = ($ExpandedString =~ /The share denied access to the client.*Client Name: (.*) Client Address: .* User Name: (.*) Session ID: .* Share Name: (.*) Share Path:/)) { | |
79 | $ExpandedString = "Access denied to share $ShareName by $UserName from $ClientName"; | |
80 | } | |
81 | } | |
82 | ||
83 | # Modify some items that prevent de-duplication | |
84 | if ($Detail < 10) { | |
85 | $ExpandedString =~ s/(Task-S-)[0-9-]+/$1XXX/g; | |
86 | $ExpandedString =~ s/(guid:|GUID:|Guid:|Guid is|KEY:|known folder|interface|PRINTENUM\\)( ?\{)[0-9A-Fa-f-]+\}/$1${2}XXX}/g; | |
87 | $ExpandedString =~ s/(ClientProcessId =|ElapsedTime\(ms\):|NextScheduled\S+|Process ID:?|PID|Transaction [^:]*Time \(msec\):|Try) \d+/$1 XXX/g; | |
88 | $ExpandedString =~ s/[\d.]+ (milli|)seconds/XXX $1seconds/g; | |
89 | $ExpandedString =~ s,\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?,TIMESTAMP,g; | |
90 | $ExpandedString =~ s,\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?Z?,TIMESTAMP,g; | |
91 | $ExpandedString =~ s/(Hash|Message ID|Session ID):( ?0x)[0-9A-F]{2,16}/$1:${2}XXXX/g; | |
92 | $ExpandedString =~ s/\d+ms/Xms/g; | |
93 | $ExpandedString =~ s/nstance "\{[^}]+\}"/nstance XXXX/g; | |
94 | $ExpandedString =~ s/(adalCorrelationId|client|ID \(request\)): [0-9a-f-]+/$1: XXXX/g; | |
95 | $ExpandedString =~ s/ddress: ([^:]+):\d+/ddress: $1:XXXXX/g; | |
96 | } | |
97 | ||
98 | #print STDERR "Application = $Application ExpandedString = $ExpandedString\n"; | |
99 | #2021-02-07T23:49:45.083111-08:00 contracting01.ad.nwra.com MSWinEventLog 2 Microsoft-Windows-PowerShell/Operational 97386 Sun Feb 07 23:49:44 2021 4104 Microsoft-Windows-PowerShell appstats User Warning contracting01.ad.nwra.com Execute a Remote Command Creating Scriptblock text (1 of 2): # Copyright © 2017 Chocolatey Software, Inc. # Copyright © 2015 - 2017 RealDimensions Software, LLC # Copyright © 2011 - 2015 RealDimensions Software, LLC & original | |
100 | #($Criticality,$SourceName,$DateTime,$EventID,$Application,$UserName,$SIDType,$EventLogType,$Hostname,$CategoryString,$DataString,$ExpandedString,$Extra) = | |
101 | ||
102 | ||
103 | #my $url = URI::URL->new("http://www.eventid.net/display.asp?eventid=$EventID&source=$Application"); | |
104 | #my $urlstr = $url->abs; | |
105 | #$Applications{$Application}->{"$Hostname: $ExpandedString\n$url"}++; | |
106 | ||
107 | if ($Application eq "Microsoft-Windows-PowerShell") { | |
108 | # Only capture block 1 | |
109 | next if $ExpandedString =~ /^Creating Scriptblock text/ && $ExpandedString !~ /^Creating Scriptblock text \(1 /; | |
110 | if (grep(/^$UserName$/i,@PowerShell_Summarize_Users)) { | |
111 | $Applications{$SourceName}->{$Application}->{"$Hostname: $UserName $CategoryString"}++; | |
112 | } else { | |
113 | $Applications{$SourceName}->{$Application}->{"$Hostname: $UserName $CategoryString " . substr($ExpandedString, 0, 120)}++; | |
114 | } | |
115 | } else { | |
116 | $Applications{$SourceName}->{$Application}->{"$Hostname: $ExpandedString"}++; | |
117 | } | |
118 | } | |
119 | ||
120 | if (keys %Applications) { | |
121 | foreach my $SourceName (sort(keys %Applications)) { | |
122 | print "\n$SourceName\n"; | |
123 | foreach my $Application (sort(keys %{$Applications{$SourceName}})) { | |
124 | print "\n $Application\n"; | |
125 | foreach my $Error (sort(keys %{$Applications{$SourceName}->{$Application}})) { | |
126 | print " $Error : $Applications{$SourceName}->{$Application}->{$Error} Times\n"; | |
127 | } | |
128 | } | |
129 | } | |
130 | } | |
131 | ||
132 | exit(0); | |
133 | ||
134 | # vi: shiftwidth=3 tabstop=3 syntax=perl et | |
135 | # Local Variables: | |
136 | # mode: perl | |
137 | # perl-indent-level: 3 | |
138 | # indent-tabs-mode: nil | |
139 | # End: |
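Review bot: `$UserName` is interpolated unescaped into the pattern in `grep(/^$UserName$/i,@PowerShell_Summarize_Users)`; it is taken from the parsed log line, so a user name containing regex metacharacters either fails to match or matches every configured name. Quote it, `grep { /^\Q$UserName\E$/i } @PowerShell_Summarize_Users`, or compare with `lc($_) eq lc($UserName)`. Separately, `split(',',$ENV{'powershell_summarize_users'})` emits an uninitialized-value warning when the variable is unset, unlike the `|| '^$'` defaults used for the other settings; `split(',', $ENV{'powershell_summarize_users'} // '')` avoids that.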
69 | 69 | print STDERR "Cannot parse $ThisLine"; |
70 | 70 | next; |
71 | 71 | } |
72 | ||
73 | # Modify some items that prevent de-duplication | |
74 | if ($Detail < 10) { | |
75 | $ExpandedString =~ s/Logon ID:\s+0x[0-9A-F]+/Logon ID: 0xXXX/; | |
76 | $ExpandedString =~ s/(Key Name:)\s+\{[0-9A-F\-]+\}/$1 {XXX}/g; | |
77 | } | |
78 | ||
72 | 79 | my $url = URI::URL->new("https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=$EventID"); |
73 | 80 | if ($EventID == 4673 |
74 | 81 | or $EventID == 4674) { |
58 | 58 | next if ($EventLogType eq "Verbose"); |
59 | 59 | next if ($EventLogType eq "Information" and $Detail < 10); |
60 | 60 | |
61 | # Remove some items that prevent de-duplication | |
61 | # Modify some items that prevent de-duplication | |
62 | 62 | if ($Detail < 10) { |
63 | 63 | $ExpandedString =~ s/\d+ time\(s\)/XX times(s)/; |
64 | 64 | $ExpandedString =~ s/requested by PID\s+\S+\s+//; |
131 | 131 | |
132 | 132 | |
133 | 133 | if (keys %ServicesBans) { |
134 | printf("\nBanned services with Fail2Ban: Bans:Unbans\n"); | |
134 | printf("\nBanned services with Fail2Ban: Bans+ReBans:Unbans\n"); | |
135 | 135 | foreach my $service (sort {$a cmp $b} keys %ServicesBans) { |
136 | 136 | printf(" %-55s [%3d:%-3d]\n", "$service:", |
137 | $ServicesBans{$service}{'(all)'}{'Ban'}, | |
137 | $ServicesBans{$service}{'(all)'}{'Ban'} + | |
138 | $ServicesBans{$service}{'(all)'}{'ReBan'}, | |
138 | 139 | $ServicesBans{$service}{'(all)'}{'Unban'}); |
139 | 140 | delete $ServicesBans{$service}{'(all)'}; |
140 | 141 | my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP); |
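Review bot: `$ServicesBans{$service}{'(all)'}{'ReBan'}` is added unconditionally on new line 138; if a service was banned but never re-banned and that key is not initialised (the accumulation code is outside the hunk), the addition raises an uninitialized-value warning under `use warnings` and prints as if it were 0. Writing `($ServicesBans{$service}{'(all)'}{'ReBan'} // 0)` makes the sum safe regardless of how the counters are populated.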
205 | 206 | |
206 | 207 | if (keys(%NoticeList) && $Detail>7) { |
207 | 208 | print "\nNotices:\n"; |
208 | foreach my $line (sort {$a cmp $b} keys %OtherList) { | |
209 | print " $line: $OtherList{$line} Time(s)\n"; | |
209 | foreach my $line (sort {$a cmp $b} keys %NoticeList) { | |
210 | print " $line: $NoticeList{$line} Time(s)\n"; | |
210 | 211 | } |
211 | 212 | } |
212 | 213 |
62 | 62 | next if (($Message =~ /^Controller event log: Time established as/) and ($Detail < 10)); |
63 | 63 | next if (($Message =~ /^Controller event log: Unexpected sense: Encl PD .* CDB: 12 00 00 00 (:?04|20) 00, Sense: 5\/24\/00/) and ($IgnoreNonCertifiedDrives)); |
64 | 64 | next if (($Message =~ /^Controller event log: Unexpected sense: PD .* CDB: 12 01 dc 01 1d 00, Sense: (4\/cf|5\/24)\/00/) and ($IgnoreNonCertifiedDrives)); |
65 | next if (($Message =~ /^Unexpected sense. SCSI sense data: Sense key: 5 Sense code: 24 Sense qualifier: 0:/) and ($IgnoreNonCertifiedDrives)); | |
65 | next if (($Message =~ /SCSI sense data:? \(?Sense key: 5 Sense code: 24 Sense qualifier: 0/) and ($IgnoreNonCertifiedDrives)); | |
66 | 66 | next if (($Message =~ /^Disk found is not supplied by an authorized hardware provider/) and ($IgnoreNonCertifiedDrives)); |
67 | 67 | next if (($Message =~ /^The battery charge cycle is complete\./) and ($Detail < 5)); |
68 | 68 | next if (($Message =~ /^The controller battery Learn cycle will start in (?:\d+) days\./) and ($Detail < 5)); |
49 | 49 | $service =~ s/^... .. ..:..:.. .+ pam_unix\((.+):.+\): .*$/$1/; |
50 | 50 | # fedora with pam_sss |
51 | 51 | } elsif ( $line =~ s/^... .. ..:..:.. .+ pam_sss\(.+:.+\): // ) { |
52 | if ($line =~ /received for user/) { | |
53 | # ignore this line - paired with authentication failure | |
54 | next; | |
55 | } | |
52 | 56 | $service =~ s/^... .. ..:..:.. .+ pam_sss\((.+):.+\): .*$/$1/; |
53 | 57 | # for debian sarge - "normal" lines |
54 | 58 | } elsif ($line =~ s/^... .. ..:..:.. .+ [^ :]+: \(pam_unix\) //) { |
73 | 77 | $data{"all"}{'Password Expiring'}{"$1 in $2 days"}++; |
74 | 78 | next; |
75 | 79 | } |
76 | #lowercase the service | |
80 | # lowercase the service | |
77 | 81 | $service = lc($service); |
82 | ||
83 | # Generic messages | |
84 | if (my ($user) = ($line =~ /^Access denied for user ([^:]+):/)) { | |
85 | $data{$service}{'Access denied'}{$user}++; | |
86 | next; | |
87 | } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) { | |
88 | ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++; | |
89 | next; | |
90 | } | |
91 | ||
92 | # Service specific messages | |
78 | 93 | if ( grep $_ eq $service, qw/ssh sshd login ftp vsftpd proftpd rsh remote rlogin rexec systemd-user/) { |
79 | 94 | if ($line =~ s/^session opened for user (.+) by \(uid=\d+\)/$1/) { |
80 | 95 | ($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++; |
105 | 120 | $data{$service}{'Expired Accounts'}{$line}++; |
106 | 121 | } elsif ($line =~ s/bad username \[(.*)\]/$1/) { |
107 | 122 | $data{$service}{'Invalid Users'}{"Bad User: $line"}++; |
108 | } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) { | |
109 | ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++; | |
110 | 123 | } else { |
111 | 124 | $data{$service}{'Unknown Entries'}{$line}++; |
112 | 125 | } |
140 | 153 | if ($line =~ s/^password changed for (.+)/$1/) { |
141 | 154 | ($Detail >= 5) && $data{$service}{'Password changed'}{$line}++; |
142 | 155 | } |
143 | } elsif (grep $_ eq $service, qw/gdm gdm-password gdm-welcome gdm-launch-environment kdm kcheckpass xdm imap dovecot cups/) { | |
156 | } elsif (grep $_ eq $service, qw/gdm gdm-password gdm-smartcard gdm-welcome gdm-launch-environment kdm kcheckpass xdm imap dovecot cups/) { | |
144 | 157 | if ($line =~ s/^session opened for user (.+) by (?:\(unknown\)|\w+)?\(uid=\d+\)/$1/) { |
145 | 158 | ($Detail >= 5) && $data{$service}{'Sessions Opened'}{$line}++; |
146 | 159 | } elsif ($line =~ s/^authentication failure;.* user=(.+)$/$1/) { |
151 | 164 | $data{$service}{'Invalid Users'}{'Unknown Account'}++; |
152 | 165 | } elsif ($line =~ /session closed for user/) { |
153 | 166 | # ignore this line |
154 | } elsif ($line =~ s/^authentication success; logname=(\S*) uid=(\d+) .*user=(\S*)$/$1($2) -> $3/) { | |
155 | ($Detail >= 5) && $data{$service}{'Authentication Success'}{$line}++; | |
156 | } elsif ($line =~ /received for user.*Permission denied/) { | |
157 | # ignore this line - paired with authentication failure | |
158 | 167 | } else { |
159 | 168 | $data{$service}{'Unknown Entries'}{$line}++; |
160 | 169 | } |
690 | 690 | } |
691 | 691 | |
692 | 692 | if (keys %KrbAutFail) { |
693 | print "\n\Failed pam_krb5 authentication:\n"; | |
693 | print "\n Failed pam_krb5 authentication:\n"; | |
694 | 694 | foreach my $User (sort keys %KrbAutFail) { |
695 | 695 | print " $User: " . timesplural($KrbAutFail{$User}); |
696 | 696 | } |
697 | 697 | } |
698 | 698 | |
699 | 699 | if (keys %KrbAutErr) { |
700 | print "\n\pam_krb5 authentication errors:\n"; | |
700 | print "\n pam_krb5 authentication errors:\n"; | |
701 | 701 | foreach my $Error (sort keys %KrbAutErr) { |
702 | 702 | print " $Error: " . timesplural($KrbAutErr{$Error}); |
703 | 703 | } |
73 | 73 | # Ignore |
74 | 74 | } elsif ($ThisLine =~ /(.+): conversation failed/) { |
75 | 75 | $ConFailed{$1}++; |
76 | } elsif ( ($user, $error, $tty, $dir, $euser, $egroup, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : (.*; )?TTY=(\S+) ; PWD=(.*?) ; USER=(\S+) ;(?: GROUP=(\S+) ;)? COMMAND=(\S+)( ?.*)/) { | |
76 | } elsif ( ($user, $error, $tty, $dir, $euser, $egroup, $cmd, $args) = $ThisLine =~ m/^\s*(\S+) : ([^=]+; )?(?:TTY=(\S+) ; )?PWD=(.*?) ; USER=(\S+) ;(?: GROUP=(\S+) ;)? COMMAND=(\S+)( ?.*)/) { | |
77 | 77 | next if (defined($IgnoreCmds{$user}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{$euser}})); |
78 | 78 | next if (defined($IgnoreCmds{'any'}{$euser}) && $cmd =~ join("|",@{$IgnoreCmds{'any'}{$euser}})); |
79 | 79 | next if (defined($IgnoreCmds{$user}{'any'}) && $cmd =~ join("|",@{$IgnoreCmds{$user}{'any'}})); |
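Review bot: Making `TTY=` optional means `$tty` is now undef for entries without it; any later use of `$tty` in a string or hash key (the rest of the branch is outside the hunk) will emit an uninitialized warning, so default it right after the match, e.g. `$tty //= '(none)';`. The `([^=]+; )?` error capture is presumably meant to stop the error text from swallowing the `TTY=` field; that is fine but deserves a comment, e.g. `# optional error text precedes TTY=/PWD=; it never contains '='`.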
44 | 44 | my %OtherList; |
45 | 45 | |
46 | 46 | # Failure will generate multiple messages like: |
47 | # EL7: | |
47 | 48 | # Feb 5 16:37:50 hostname systemd: ansible-pull.service: main process exited, code=exited, status=2/INVALIDARGUMENT |
48 | 49 | # Feb 5 16:37:50 hostname systemd: Failed to start Run ansible-pull on boot. |
49 | 50 | # Feb 5 16:37:50 hostname systemd: Unit ansible-pull.service entered failed state. |
50 | 51 | # Feb 5 16:37:50 hostname systemd: ansible-pull.service failed. |
52 | # EL8: | |
53 | # Feb 5 16:37:50 hostname systemd[1]: ansible-pull.service: Main process exited, code=exited, status=2/INVALIDARGUMENT | |
54 | # Feb 5 16:37:50 hostname systemd[1]: ansible-pull.service: Failed with result 'exit-code'. | |
51 | 55 | |
52 | 56 | while (defined(my $ThisLine = <STDIN>)) { |
53 | 57 | chomp($ThisLine); |
54 | 58 | if ($ThisLine =~ /^(Activat|Deactivat|Mount|Unmount|Reload|Start|Stopp)ing / or |
55 | 59 | $ThisLine =~ /^Finished / or |
56 | # These events will be caught with the Unit X entered failed state message | |
60 | # These events will be caught with the Failed with or failed message | |
57 | 61 | $ThisLine =~ /^Failed to start / or |
58 | $ThisLine =~ /: Failed with result / or | |
59 | 62 | $ThisLine =~ /Failed at step / or |
60 | $ThisLine =~ / failed\.$/ or | |
61 | 63 | $ThisLine =~ /([Cc]ontrol|[Mm]ain|[Mm]ount) process exited, code=(exited|killed|dumped),? status=/ or |
64 | $ThisLine =~ /^Timed out starting/ or | |
65 | $ThisLine =~ /^Unit.* entered failed state\.$/ or | |
62 | 66 | # Informational |
63 | 67 | $ThisLine =~ /^Closed .*[\. ][Ss]ockets?\.$/ or |
64 | 68 | $ThisLine =~ /^Closed .* [Ss]cheduler\.$/ or |
65 | 69 | $ThisLine =~ /^Closed .* [Ww]atch\.$/ or |
66 | 70 | $ThisLine =~ /^Closed (?:Multimedia|Sound) System\.$/ or |
71 | $ThisLine =~ /^Closed PipeWire/ or | |
72 | $ThisLine =~ /^Closed REST API socket for / or | |
67 | 73 | $ThisLine =~ /^Closed udev / or |
68 | 74 | $ThisLine =~ /: Consumed .* CPU time\.$/ or |
69 | 75 | # crond will never restart process when it is restarted |
70 | 76 | $ThisLine =~ /^crond\.service: Found left-over process \d+ \(.*\) in control group while starting unit\. Ignoring\.$/ or |
71 | 77 | $ThisLine =~ /^Received SIGINT\./ or |
72 | $ThisLine =~ /^Deactivated / or | |
73 | 78 | $ThisLine =~ /^Detected (architecture|virtualization) / or |
79 | # Spurious warning - should be fixed in later systemd (EL8.4) | |
80 | $ThisLine =~ /^Failed to connect to API bus: Connection refused/ or | |
81 | # Extransous scope messages with LanSweeper - revisit with EL8.4 | |
82 | $ThisLine =~ /: Failed to add PIDs to scope's control group: No such process/ or | |
83 | $ThisLine =~ /scope: Failed with result 'resources'/ or | |
74 | 84 | $ThisLine =~ /^Found device / or |
85 | $ThisLine =~ /Found dependency on / or | |
75 | 86 | $ThisLine =~ /Got automount request for \/proc\// or |
87 | $ThisLine =~ /^Hostname set to / or | |
76 | 88 | $ThisLine =~ /^Inserted module / or |
77 | 89 | $ThisLine =~ /^Listening on / or |
78 | 90 | $ThisLine =~ /^Mounted / or |
79 | 91 | $ThisLine =~ /^Queued start job for default target / or |
92 | $ThisLine =~ /^Queuing reload/ or | |
80 | 93 | $ThisLine =~ /^Relabelled / or |
81 | 94 | $ThisLine =~ /^Reloading\.$/ or # Happens on each boot at switch root |
82 | 95 | $ThisLine =~ /^RTC configured in / or |
156 | 169 | $ConfigError{$reason}{$service}++; |
157 | 170 | } elsif (my ($service,$reason) = ($ThisLine =~ /^\[?([^\]:]+(?::\d+)?)[\]:]? (Unknown .* in section '.*')/)) { |
158 | 171 | $ConfigError{$reason}{$service}++; |
159 | } elsif (my ($service) = ($ThisLine =~ /^Unit (.*) entered failed state\.$/)) { | |
160 | $Failed{$service}++; | |
161 | } elsif (my ($service) = ($ThisLine =~ /^(.*): Failed to execute command/)) { | |
162 | $Failed{$service}++; | |
163 | } elsif (my ($service) = ($ThisLine =~ /^(.*): Unit entered failed state\.$/)) { | |
172 | } elsif (my ($service) = ($ThisLine =~ /(\S+): Failed (:?to execute command|with result)/)) { | |
173 | $Failed{$service}++; | |
174 | } elsif (my ($service) = ($ThisLine =~ /(\S+) failed\.$/)) { | |
164 | 175 | $Failed{$service}++; |
165 | 176 | } elsif (my ($service) = ($ThisLine =~ /^(.*) failed with error code \d+\.$/)) { |
166 | 177 | $Failed{$service}++; |
177 | 188 | } elsif (my ($target) = ($ThisLine =~ /^Reached target (.*)\.$/)) { |
178 | 189 | $Target{$target}++; |
179 | 190 | $LastTarget = $target; |
180 | } elsif (my ($session, $user) = ($ThisLine =~ /^Started Session (\d+) of user (.*)\.$/)) { | |
191 | } elsif (my ($session, $user) = ($ThisLine =~ /^Started Session ([[:xdigit:]]+) of user (.*)\.$/)) { | |
181 | 192 | $UserSession{$user}->{$session}++; |
182 | 193 | } elsif (my ($service) = ($ThisLine =~ /^Activated (.*)\.$/)) { |
183 | 194 | $Activated{$service}++; |
186 | 197 | } elsif (my ($service) = ($ThisLine =~ /^Reloaded (.*)\.$/)) { |
187 | 198 | $Reloaded{$service}++; |
188 | 199 | } elsif (my ($service) = ($ThisLine =~ /^Deactivated (.*)\.$/)) { |
200 | $Deactivated{$service}++; | |
201 | } elsif (my ($service) = ($ThisLine =~ /(.*): Deactivated /)) { | |
189 | 202 | $Deactivated{$service}++; |
190 | 203 | } elsif ($ThisLine eq "Reexecuting.") { |
191 | 204 | $Reexecuted++ if $Detail; |
327 | 340 | } |
328 | 341 | print "\n"; |
329 | 342 | } else { |
330 | print scalar(keys %{$UserSession{$user}}) . ": Time(s)\n"; | |
343 | print scalar(keys %{$UserSession{$user}}) . ": Time(s)"; | |
331 | 344 | } |
332 | 345 | print "\n"; |
333 | 346 | } |
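Review bot: The group `(:?to execute command|with result)` on new line 172 is a capturing group beginning with an optional colon, not the non-capturing `(?:` it was presumably meant to be; it only works because the list assignment takes the first capture. Change it to `/(\S+): Failed (?:to execute command|with result)/`. The unanchored `/(\S+) failed\.$/` branch on the next line captures the last word of any message ending in "failed.", which may not be a unit name; worth confirming against sample logs. The enclosing while loop starts and ends outside the hunk.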
56 | 56 | |
57 | 57 | sub DirUsage { |
58 | 58 | my $Dir = $_[0]; |
59 | if ( !-d $Dir ) { | |
60 | print "Directory $Dir not found\n"; | |
61 | return | |
62 | }; | |
59 | 63 | if ($OSname eq "Linux") { |
60 | 64 | system("du -s --block-size=1048576 -h $Dir | sort -n -r -k 1"); |
61 | 65 | } elsif ($OSname eq "Darwin") { |
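Review bot: The new `-d` guard checks that `$Dir` exists but not that it is safe to hand to the shell, which the next line still does by interpolating `$Dir` into a `system()` string; a directory name containing whitespace or shell metacharacters is split or interpreted by the shell. Where `$Dir` comes from is outside the hunk; if it can be influenced by configuration, use `quotemeta($Dir)` in the command string. Stylistically, `return` should carry its semicolon and the `;` after the closing brace is a stray empty statement: `return;` followed by `}`.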
51 | 51 | exit 0; |
52 | 52 | } |
53 | 53 | |
54 | my $pathto_zpool = $ENV{'pathto_zpool'} || 'zpool'; | |
55 | my $pathto_zfs = $ENV{'pathto_zfs'} || 'zfs'; | |
54 | my $pathto_zpool = $ENV{'pathto_zpool'} || '/sbin/zpool'; | |
55 | my $pathto_zfs = $ENV{'pathto_zfs'} || '/sbin/zfs'; | |
56 | 56 | my $summary_only = $ENV{'summary_only'} || ($detail < 5); |
57 | 57 | my $detail_only = $ENV{'detail_only'} || 0; |
58 | 58 |