Commit dba0a9698d12100ecf30cbfe21413ea1c8e9fc39 - logwatch

+8

-8

HOWTO-Customize-LogWatch less more

6	6	1. Table of Contents
7	7	2. Introduction
8	8	3. Directory Structure
9		A. Configuration Structure
10		B. Executable Structure
	9	A. Configuration Structure
	10	B. Executable Structure
11	11	4. Customizing the Configuration
12	12	5. Customizing the Scripts
13	13	6. Creating New Service Filters
14		A. Logfile Groups
15		B. Service Filter Configuration
16		C. Service Filer Executable
17		D. Shared Script Commands
	14	A. Logfile Groups
	15	B. Service Filter Configuration
	16	C. Service Filer Executable
	17	D. Shared Script Commands
18	18	7. For More Information
19	19
20	20

557	557	- access to the svn repository, for the very latest code.
558	558
559	559	If you do create new services or enhancements that you feel would be useful
560		to other people, please send them to the logwatch-devel mailing list
561		at logwatch.org.
	560	to other people, please send them to the mailing list 'logwatch-devel at
	561	lists.sourceforge.net'.
562	562
563	563	If you send patches, please make sure that you have the latest version
564	564	of the file from svn, and send the patch file in unified format

+2

-14

README less more

65	65	You can also use it from the command line (as documented in the
66	66	man page).
67	67
68		There is some documentation available in Italian here:
69		http://openskills.info/view/boxdetail.php?IDbox=656
70
71	68	------------------------------------------------------------------
72	69
73	70	If you want me to add support for a new set of log entries, please

78	75	------------------------------------------------------------------
79	76
80	77	Mailing lists available!
81
82		Logwatch List:
83		For general discussion and questions about Logwatch.
84		To Subscribe: echo "subscribe" \| mail logwatch-request@kaybee.org
85		Send Mail To: logwatch@kaybee.org
86
87		Logwatch Announcements List:
88		For important announcements about Logwatch.
89		To Subscribe: echo "subscribe" \| mail logwatch-announce-request@kaybee.org
90	78
91	79	Logwatch Development List:
92	80	For discussion about Logwatch development.

108	96	http://www.kaybee.org/kirk/
109	97
110	98	Newest releases can be found at:
111		ftp://ftp.logwatch.org/pub/redhat/RPMS
112		http://www.logwatch.org
	99	https://sourceforge.net/projects/logwatch/files/
	100

+3

-3

conf/logfiles/spamassassin.conf less more

20	20	#########################################################################
21	21
22	22	# What actual file? Defaults to LogPath if not absolute path....
23		LogFile = maillog spamd/spamd.log
	23	LogFile = spamd/spamd.log
24	24
25	25	# If the archives are searched, here is one or more line
26	26	# (optionally containing wildcards) that tell where they are...
27		Archive = maillog[.-]* spamd/spamd.log[.-]*
28		Archive = maillog[.-].gz spamd/spamd.log[.-].gz
	27	Archive = spamd/spamd.log[.-]*
	28	Archive = spamd/spamd.log[.-]*.gz
29	29
30	30	# Keep only the lines in the proper date range...
31	31	*ApplyStdDate

+7

-2

conf/services/fail2ban.conf less more

0	0	###########################################################################
1		# $Id: fail2ban.conf 149 2013-06-18 22:18:12Z mtremaine $
	1	# $Id: fail2ban.conf 205 2014-09-08 19:15:49Z stefjakobs $
2	2	###########################################################################
3	3	# $Log: fail2ban.conf,v $
4	4	# Revision 1.1 2006/05/30 19:04:26 bjorn

21	21	# Which logfile group...
22	22	LogFile = fail2ban
23	23
24
	24	# Only give lines pertaining to the fail2ban service...
	25	# Note: fail2ban logs using "service" names fail2ban, fail2ban.jail,
	26	# fail2ban.filter, and many more. We want to exclude fail2ban-client
	27	# so we accept either fail2ban or fail2ban\..+
	28	*OnlyService = fail2ban(\|\..+)
	29	*RemoveHeaders

+1

-0

conf/services/http.conf less more

43	43	# Ignore requests
44	44	# Note - will not do ANY processing, counts, etc... just skip it and go to
45	45	# the next entry in the log file.
	46	# Note - The match will be case insensitive; e.g. /model/ == /MoDel/
46	47	# Examples:
47	48	# 1. Ignore all URLs starting with /model/ and ending with 1 to 10 digits
48	49	# $HTTP_IGNORE_URLS = ^/model/\d{1,10}$

+1

-0

conf/services/spamassassin.conf less more

4	4
5	5	Title = "SpamAssassin"
6	6	LogFile = spamassassin
	7	LogFile = maillog
7	8	# Pull in sendmail for matching msgid to sender for statistics
8	9	*OnlyService = (spamd\|sendmail)
9	10	*RemoveHeaders

+3

-3

install_logwatch.sh less more

25	25	# File: install_logwatch.sh
26	26	# Author: Mike Tremaine [mgt /at/ stellarcore.net]
27	27	# Maintainer: Mike Tremaine [mgt /at/ stellarcore.net]
28		# $Id: install_logwatch.sh 147 2013-06-18 21:43:31Z mtremaine $
	28	# $Id: install_logwatch.sh 241 2014-09-23 11:50:13Z stefjakobs $
29	29	#
30	30	# $Log: install_logwatch.sh,v $
31	31	# Revision 1.20 2008/05/12 22:53:28 mike

175	175
176	176	#OS Tests for known issues
177	177	if [ $OS = "Darwin" ]; then
178		munge_gzcat = 1
	178	munge_gzcat=1
179	179	fi
180	180
181	181	#Install is borked under IRIX

279	279	else
280	280	#MacOS X aka Darwin no -u [even thought the manpage says]
281	281	if [ $OS = "Darwin" ]; then
282		makewhatis -s "1 5 8" $MANDIR
	282	makewhatis -o "1 5 8" $MANDIR
283	283	else
284	284	#Linux
285	285	makewhatis -u -s "1 5 8" $MANDIR

+3

-3

scripts/logwatch.pl less more

519	519	} else {
520	520	$LogFileData{$ThisLogFile}{$ReadConfigNames[$i]} = $ReadConfigValues[$i];
521	521	}
522		for my $i (0..$#CmdList) {
523		$LogFileData{$ThisLogFile}{+sprintf("%03d-%s", $i, $CmdList[$i])} = $CmdArgList[$i];
524		}
	522	}
	523	for my $i (0..$#CmdList) {
	524	$LogFileData{$ThisLogFile}{+sprintf("%03d-%s", $i, $CmdList[$i])} = $CmdArgList[$i];
525	525	}
526	526	}
527	527	}

+54

-12

scripts/services/amavis less more

48	48	no warnings "uninitialized";
49	49	use re 'taint';
50	50
51		our $Version = '1.51.02';
	51	our $Version = '1.51.03';
52	52	our $progname_prefix = 'amavis';
53	53
54	54	# Specifies the default configuration file for use in standalone mode.

1840	1840	#
1841	1841
1842	1842	sub create_ignore_list() {
1843		push @ignore_list_final, qr/^RUSAGE: /;
1844	1843	push @ignore_list_final, qr/^lookup_ip_acl/;
1845	1844	push @ignore_list_final, qr/^lookup_acl/;
1846	1845	push @ignore_list_final, qr/^lookup_hash/;

2014	2013	push @ignore_list_final, qr/^Load low precedence policybank/;
2015	2014	push @ignore_list_final, qr/^warm restart on /; # XXX could be placed instartup info
2016	2015	push @ignore_list_final, qr/^Signalling a SIGHUP to a running daemon/;
2017		push @ignore_list_final, qr/^Deleting db files nanny.db in /;
	2016	push @ignore_list_final, qr/^Deleting db files /;
2018	2017	push @ignore_list_final, qr/^address modified \(/;
	2018	push @ignore_list_final, qr/^Request: AM\.PDP /;
	2019	push @ignore_list_final, qr/^DSPAM result: /;
	2020	push @ignore_list_final, qr/^bind to \//;
	2021	push @ignore_list_final, qr/^ZMQ enabled: /;
	2022
	2023	push @ignore_list_final, qr/^Inserting header field: X-Amavis-Hold: /;
	2024	push @ignore_list_final, qr/^Decoding of .* failed, leaving it unpacked: /;
2019	2025
2020	2026	# various forms of "Using ..."
2021	2027	# more specific, interesting variants already captured: search "Using"

2026	2032	push @ignore_list_final, qr/creating socket by /;
2027	2033
2028	2034	# unanchored
	2035	push @ignore_list_final, qr/\bRUSAGE\b/;
2029	2036	push @ignore_list_final, qr/: Sending .* to UNIX socket/;
2030	2037	}
2031	2038

2113	2120	or ($p1 =~ /^SpamControl/)
2114	2121	or ($p1 =~ /^Perl/)
2115	2122	or ($p1 =~ /^ESMTP/)
2116		or ($p1 =~ /^(?:$!+$)?(?:FWD\|SEND) from /) # log level 4
2117		or ($p1 =~ /^(?:$!+$)?(?:ESMTP\|FWD\|SEND) via /) # log level 4
	2123	or ($p1 =~ /^(?:$!+$)?(\S+ )?(?:FWD\|SEND) from /) # log level 4
	2124	or ($p1 =~ /^(?:$!+$)?(\S+ )?(?:ESMTP\|FWD\|SEND) via /) # log level 4
2118	2125	or ($p1 =~ /^tempdir being removed/)
2119	2126	or ($p1 =~ /^do_notify_and_quar(?:antine)?: .*ccat/)
2120	2127	or ($p1 =~ /^cached [a-zA-Z0-9]+ /)

2481	2488	$Totals{'truncatedmsg'}++;
2482	2489	}
2483	2490
2484		elsif ( $p1 =~ /: spam level exceeds quarantine cutoff level/ ) {
	2491	elsif ($p1 =~ /: spam level exceeds quarantine cutoff level/ or
	2492	$p1 =~ /: cutoff, blacklisted/) {
2485	2493	#TD do_notify_and_quarantine: spam level exceeds quarantine cutoff level 20
	2494	#TD do_notify_and_quarantine: cutoff, blacklisted
2486	2495	$Totals{'spamdiscarded'}++;
2487	2496	}
2488	2497

2756	2765	#TD SA warn: FuzzyOcr: Skipping ocrad-decolorize, image too small
2757	2766	#$Counts{'sadiags'}{'fuzzyocr'}{'image too small'}++;
2758	2767	next;
	2768	}
	2769	elsif ($msg =~ /dns: \[\.\.\.\]/) {
	2770	#TD SA info: dns: [...] ;; ADDITIONAL SECTION (1 record)
	2771	next;
	2772	}
	2773	# canonicalize some PIDs and IDs
	2774	elsif ($msg =~ s/^pyzor: \[\d+\] error/pyzor: [<PID>] error/) {
	2775	#TD SA info: pyzor: [11550] error: TERMINATED, signal 15 (000f)
	2776	}
	2777	elsif ($msg =~ /dns: no likely matching queries for id \d+/) {
	2778	$msg =~ s/\d+/<ID>/;
	2779	}
	2780	elsif ($msg =~ /dns: no callback for id \d+/) {
	2781	$msg =~ s/\d+.*$/<ID>.../;
2759	2782	}
2760	2783
2761	2784	# report other SA warn's

3013	3036	}
3014	3037
3015	3038	# Timing report
3016		} elsif (my ($total,$report) = ( $p1 =~ /^(?:size: \d+, )?TIMING \[total (\d+) ms\] - (.+)$/)) {
	3039	} elsif (my ($total,$report) = ( $p1 =~ /^(?:size: \d+, )?TIMING \[total (\d+) ms(?:, [^]]+)?\] - (.+)$/)) {
3017	3040	next if ($report =~ /^got data/); # skip amavis release timing
3018
3019	3041	#TD TIMING [total 5808 ms] - SMTP greeting: 5 (0%)0, SMTP LHLO: 1 (0%)0, SMTP pre-MAIL: 2 (0%)0, SMTP pre-DATA-flush: 5 (0%)0, SMTP DATA: 34 (1%)1, check_init: 1 (0%)1
3020	3042	# older format, maia mailguard
3021	3043	#TD TIMING [total 3795 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%), maia_read_system_config: 1 (0%), maia_get_mysql_size_limit: 0 (0%), SA check: 3556 (94%), rundown: 0 (0%)
	3044	# v2.8.1
	3045	# .... size: 3815, TIMING [total 1901 ms, cpu 657 ms] - ...
	3046
3022	3047
3023	3048	# Timing line is incomplete - let's report it
3024	3049	if ($p1 !~ /\d+ $\d+%$\d+$/ and $p1 !~ /\d+ $\d+%$$/) {

3030	3055	my @pairs = split(/[,:] /, $report);
3031	3056	while (my ($key,$value) = @pairs) {
3032	3057	#4 (0%)0
3033		my ($ms) = ($value =~ /^(\d+) /);
	3058	my ($ms) = ($value =~ /^([\d.]+) /);
3034	3059	# maintain a per-test list of timings
3035	3060	push @{$Timings{$key}}, $ms;
3036	3061	shift @pairs; shift @pairs;

3038	3063	push @TimingsTotals, $total;
3039	3064	}
3040	3065
3041		} elsif (($total,$report) = ( $p1 =~ /^TIMING-SA total (\d+) ms - (.+)$/ )) {
	3066	} elsif ((($total,$report) = ( $p1 =~ /^TIMING-SA total (\d+) ms - (.+)$/ )) or
	3067	(($total,$report) = ( $p1 =~ /^TIMING-SA \[total (\d+) ms, cpu \d+ ms\] - (.+)$/ ))) {
	3068	#TIMING-SA [total 3219 ms, cpu 432 ms] - parse: 6 (0.2%), ext
3042	3069	#TD TIMING-SA total 5478 ms - parse: 1.69 (0.0%), extract_message_metadata: 16 (0.3%), get_uri_detail_list: 2 (0.0%), tests_pri_-1000: 25 (0.4%), tests_pri_-950: 0.67 (0.0%), tests_pri_-900: 0.83 (0.0%), tests_pri_-400: 19 (0.3%), check_bayes: 17 (0.3%), tests_pri_0: 5323 (97.2%), check_spf: 12 (0.2%), poll_dns_idle: 0.81 (0.0%), check_dkim_signature: 1.50 (0.0%), check_razo r2: 5022 (91.7%), check_dcc: 192 (3.5%), check_pyzor: 0.02 (0.0%), tests_pri_500: 9 (0.2%), tests_pri_1000: 24 (0.4%), total_awl: 23 (0.4%), check_awl: 10 (0.2%), update_awl: 8 (0.1%), learn: 36 (0.7%), get_report: 1.77 (0.0%)
3043	3070
3044	3071	# Timing line is incomplete - let's report it

3101	3128	}
3102	3129
3103	3130	elsif (($suffix, $decoder) = ( $p1 =~ /^Found decoder for\s+(\.\S)\s+at\s+(.)$/)) {
	3131	#TD Found decoder for .bz2 at /usr/bin/bzip2 -d
	3132	#TD Found decoder for .bz2 at /usr/bin/7za (backup, not used)
3104	3133	next unless ($Opts{'startinfo'});
3105		$StartInfo{'Decoders'}{'External'}{$suffix} = $decoder;
	3134	$StartInfo{'Decoders'}{'External'}{$suffix} = exists $StartInfo{'Decoders'}{'External'}{$suffix} ?
	3135	join '; ', $StartInfo{'Decoders'}{'External'}{$suffix}, $decoder : $decoder;
3106	3136	}
3107	3137
3108	3138	# AV Scanners

3129	3159	next unless ($Opts{'startinfo'});
3130	3160	$StartInfo{'Code'}{"\u\L$loaded"}{$code} = "";
3131	3161
3132		} elsif (my ($module, $vers,) = ( $p1 =~ /^Module (\S+)\s+(.+)$/)) {
	3162	} elsif (my ($module, $vers) = ( $p1 =~ /^Module (\S+)\s+(.+)$/)) {
3133	3163	#TD Module Amavis::Conf 2.086
3134	3164	next unless ($Opts{'startinfo'});
3135	3165	$StartInfo{'Code'}{'Loaded'}{$module} = $vers;
	3166
	3167	} elsif (($module, my $families) = ( $p1 =~ /^socket module (\S+),\s+(.+)$/)) {
	3168	#TD socket module IO::Socket::IP, protocol families available: INET, INET6
	3169	next unless ($Opts{'startinfo'});
	3170	$StartInfo{'Code'}{'Loaded'}{$module} = $families;
3136	3171
3137	3172	} elsif (($code, $location) = ( $p1 =~ /^Found \$(\S+)\s+at\s+(.+)$/)) {
3138	3173	#TD Found $file at /usr/bin/file

3144	3179	#TD No $dspam, not using it
3145	3180	next unless ($Opts{'startinfo'});
3146	3181	$StartInfo{'Code'}{'Not loaded'}{$code} = $location;
	3182
	3183	} elsif (($code, $location) = ( $p1 =~ /^No ext program for\s+([^,]+), (tried: .+)/)) {
	3184	#TD No ext program for .kmz, tried: 7za, 7z
	3185	#TD No ext program for .F, tried: unfreeze, freeze -d, melt, fcat
	3186	next unless ($Opts{'startinfo'});
	3187	$StartInfo{'Code'}{'Not found'}{$code} = $location;
	3188
3147	3189
3148	3190	} elsif ( $p1 =~ /^starting\.\s+(.+) at \S+ (?:amavisd-new-\|Maia Mailguard )([^,]+),/) {
3149	3191	#TD starting. /usr/local/sbin/amavisd at mailhost.example.com amavisd-new-2.5.0 (20070423), Unicode aware, LANG="C"

+12

-2

scripts/services/audit less more

0	0
1	1	##########################################################################
2		# $Id: audit 199 2014-07-14 15:48:15Z opoplawski $
	2	# $Id: audit 224 2014-09-09 10:07:12Z stefjakobs $
3	3	##########################################################################
4	4	# $Log: audit,v $
5	5	# Revision 1.15 2009/02/20 17:59:47 mike

88	88	my $NumberOfDStops = 0;
89	89	my $NumberOfDdStarts = 0;
90	90	my $NumberOfDdStops = 0;
	91	my $NumberOfAllowedMessages = 0;
91	92	my $NumberOfLostMessages = 0;
92	93	my %InvalidContext = ();
93	94	my %BugLog = ();

140	141	$NumberOfDStarts++;
141	142	} elsif ( $ThisLine =~ /The audit daemon is exiting./) {
142	143	$NumberOfDStops++;
143		} elsif ( $ThisLine =~ /audit_lost=[0-9]+ audit_backlog=[0-9]+ audit_rate_limit=[0-9]+ audit_backlog_limit=[0-9]+$/) {
	144	} elsif ( $ThisLine =~ /audit_lost=[0-9]+ (audit_backlog=[0-9]+ )?audit_rate_limit=[0-9]+ audit_backlog_limit=[0-9]+$/) {
144	145	$NumberOfLostMessages++;
145	146	} elsif ( $ThisLine =~ /auditd startup succeeded/) {
146	147	$NumberOfDdStarts++;

165	166	# type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
166	167	# type=1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
167	168	$denials{$1.' '.$3.' ('.$2.' via '.$4 . ')'}++;
	169	} elsif ( $ThisLine =~ /apparmor="ALLOWED" operation="([^"]+)" (info="([^"]+)" )?(error=[+-]?\d+ )?parent=\d+ profile="([^"]+)" (name="([^"]+)" )?pid=\d+ comm="([^"]+)"/ ) {
	170	# type=1400 audit(1369519203.141:259049): apparmor="ALLOWED" operation="exec" parent=3733 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/usr/lib/dovecot/pop3-login" pid=24634 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1c//null-1d//null-d12"
	171	# type=1400 audit(1369627891.522:447576): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" pid=3733 comm="dovecot" capability=5 capname="kill"
	172	# type=1400 audit(1369823965.682:824587): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 parent=1 profile="/usr/sbin/dovecot//null-1c//null-1d" name="/var/lib/dovecot/.temp.3733.d786c1fcaaa73248" pid=3733 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
	173	$NumberOfAllowedMessages++;
168	174	} else {
169	175	$othercount++;
170	176	$ThisLine =~ s/^\s*//;

277	283	}
278	284	}
279	285
	286	if ($NumberOfAllowedMessages) {
	287	print "\n Number of allowed messages: $NumberOfAllowedMessages\n";
	288	}
	289
280	290	if ($NumberOfLostMessages) {
281	291	print "\n Number of lost messages: $NumberOfLostMessages\n";
282	292	}

+18

-10

scripts/services/dhcpd less more

0	0
1	1	use strict;
2	2	##########################################################################
3		# $Id: dhcpd 150 2013-06-18 22:19:38Z mtremaine $
	3	# $Id: dhcpd 236 2014-09-15 22:10:32Z bjorn1 $
4	4	##########################################################################
5	5
6	6	########################################################

77	77	} elsif (
78	78	($line =~ /^you want, please write a subnet declaration/) or
79	79	($line =~ /^in your dhcpd.conf file for the network segment/) or
80		($line =~ /^to which interface [a-z\d]+ is attached./) or
	80	($line =~ /^to which interface [a-z\d\.]+ is attached./) or
81	81
82	82	($line =~ /^If you did not get this software from ftp.isc.org, please/) or
83	83	($line =~ /^get the latest from ftp.isc.org and install that before/) or

110	110	$data{'Generic error'}{$line}++;
111	111	} elsif ($line =~ /^There's already a DHCP server running./) {
112	112	$data{'Generic error'}{$line}++;
113		} elsif ($line =~ s/^\\ Ignoring requests on ([a-z\d]+). If this is not what\s*$/Ignoring interface $1/) {
114		$data{'Config error'}{$line}++;
115		} elsif ($line =~ s/^No subnet6? declaration for ([a-z\d]+) ([\d\.ia-fA-F:]+).\s*$/No subnet declaration for $1 $2/) {
	113	} elsif ($line =~ s/^\\ Ignoring requests on ([a-z\d\.]+). If this is not what\s*$/Ignoring interface $1/) {
	114	$data{'Config error'}{$line}++;
	115	} elsif ($line =~ s/^No subnet6? declaration for ([a-z\d\.]+) ([\d\.ia-fA-F:]+).\s*$/No subnet declaration for $1 $2/) {
116	116	$data{'Config error'}{$line}++;
117	117	} elsif ($line =~ /^If this DHCP server is authoritative for that subnet,$/) {
118	118	$data{'Config error'}{'missing authoritative directive'}++;

160	160	if ($Detail >= 5) {
161	161	$data{'Addresses Released'}{$line}++;
162	162	}
163		} elsif ($line =~ s/^added reverse map from ([\d]+).([\d]+).([\d]+).([\d]+).in-addr.arpa. to ([a-zA-Z\d._-]+)\s*$/Add reverse $4.$3.$2.$1 -> $5/) {
164		if ($Detail >= 7) {
165		$data{'DNS Mappings'}{$line}++;
166		}
167		} elsif ($line =~ s/^removed reverse map on ([\d]+).([\d]+).([\d]+).([\d]+).in-addr.arpa.\s*$/Remove reverse $4.$3.$2.$1/) {
	163	} elsif ($line =~ s/^[Aa]dded reverse map from ([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)\.in-addr\.arpa\.? to ([a-zA-Z\d._-]+)\s*$/Add reverse $4.$3.$2.$1 -> $5/) {
	164	if ($Detail >= 7) {
	165	$data{'DNS Mappings'}{$line}++;
	166	}
	167	} elsif ($line =~ s/^[Rr]emoved reverse map on ([\d]+)\.([\d]+)\.([\d]+)\.([\d]+)\.in-addr\.arpa\.?\s*$/Remove reverse $4.$3.$2.$1/) {
168	168	if ($Detail >= 7) {
169	169	$data{'DNS Mappings'}{$line}++;
170	170	}
171	171	} elsif ($line =~ s/^Added new forward map from ([a-zA-Z\d\-_.]+) to ([\d.]+)\s*$/Add forward $1 -> $2/) {
172	172	if ($Detail >= 7) {
173	173	$data{'DNS Mappings'}{$line}++;
	174	}
	175	} elsif ($line =~ s/^Removed forward map from ([a-zA-Z\d\-_.]+) to ([\d.]+)\s*$/Remove forward $1 -> $2/) {
	176	if ($Detail >= 7) {
	177	$data{'DNS Mappings'}{$line}++;
	178	}
	179	} elsif ($line =~ /^No hostname for [\d.]+\s*$/) {
	180	if ($Detail >= 7) {
	181	$data{'Warnings'}{$line}++;
174	182	}
175	183	} elsif ($line =~ s/^if ([a-zA-Z\d\-_.]+) IN A rrset doesn't exist delete ([a-zA-Z\d\-_.]+) IN TXT "([a-f\d]+)": success.\s*$/Remove forward TXT from $1 (TXT "$3")/) {
176	184	if ($Detail >= 7) {

+4

-2

scripts/services/dovecot less more

0	0	########################################################
1		# $Id: dovecot 197 2014-05-30 17:31:32Z opoplawski $
	1	# $Id: dovecot 225 2014-09-09 10:12:29Z stefjakobs $
2	2	########################################################
3	3	# $Log: dovecot,v $
4	4	# Revision 1.18 2010/09/18 17:41:00 stefan

255	255	$Disconnected{"no reason"}++;
256	256	} elsif (($Reason) = ($ThisLine =~ /Disconnected: (.*) \[/) ) {
257	257	$Disconnected{$Reason}++;
258		} elsif (($Reason) = ($ThisLine =~ /Disconnected: (.) (bytes\|top)=./) ) {
	258	} elsif (($Reason) = ($ThisLine =~ /Disconnected: (.) (bytes\|top\|in)=./) ) {
259	259	$Disconnected{$Reason}++;
260	260	} elsif (($Reason) = ($ThisLine =~ /Disconnected $(.*)$:/) ) {
261	261	$Disconnected{$Reason}++;
262	262	} elsif ($ThisLine =~ /Disconnected (bytes\|top)=.*/) {
263	263	$Disconnected{"No reason"}++;
	264	} elsif ($ThisLine =~ /Server shutting down./) {
	265	$ConnectionCl{"Server shutting down"}++;
264	266	} elsif (($Reason, $Host) = ($ThisLine =~ /TLS initialization failed/) ) {
265	267	$TLSInitFail++;
266	268	} elsif (($Host) = ($ThisLine =~ /Aborted login:.* rip=(.*),/) ) {

+51

-50

scripts/services/exim less more

0	0	##########################################################################
1		# $Id: exim 158 2013-08-19 09:17:57Z stefjakobs $
2		##########################################################################
3		# $Log: exim,v $
4		# Revision 1.25 2010/09/18 17:31:00 stefan
5		# removing unused variable $tz
6		#
7		# Revision 1.24 2009/06/02 14:50:37 mike
8		# Patch from Fedora (Ivan Varekova) -mgt
9		#
10		# Revision 1.23 2008/06/30 23:07:51 kirk
11		# fixed copyright holders for files where I know who they should be
12		#
13		# Revision 1.22 2008/03/24 23:31:26 kirk
14		# added copyright/license notice to each script
15		#
16		# Revision 1.21 2008/01/16 20:29:18 bjorn
17		# Optimizing by using push, as per Steve Holden.
18		#
19		# Revision 1.20 2007/02/11 01:50:47 bjorn
20		# New handling of problem addresses, DNSBL warnings, and other transaction
21		# and connection errors, by Nigel Metheringham
22		#
23		# Revision 1.19 2006/08/23 21:19:02 bjorn
24		# Process Greylisting, by Jan Pazdziora.
25		#
26		# Revision 1.18 2006/03/02 16:22:23 bjorn
27		# Additional error detection, by Gary Allen Vollink.
28		#
29		# Revision 1.17 2005/11/02 17:03:12 bjorn
30		# Additional patches, from Ruth Ivimey-Cook.
31		#
32		# Revision 1.16 2005/11/02 16:05:18 bjorn
33		# Significant expansion of detecting and reporting error messages, by
34		# Ruth Ivimey-Cook; deleted redundant errors, by Gary Allen Vollink
35		#
36		# Revision 1.15 2005/09/27 19:52:42 bjorn
37		# Handle reverse lookup failures, by Stig Brautaset
38		#
39		# Revision 1.14 2005/05/25 23:09:28 bjorn
40		# Added filters for malware/viruses, and protocol errors, by Gary Allen Vollink.
41		#
	1	# $Id: exim 217 2014-09-09 09:21:20Z stefjakobs $
42	2	##########################################################################
43	3
44	4	########################################################

161	121	$DontAccept{$ThisLine}++;
162	122	}
163	123	elsif ( $ThisLine =~ /do not accept mail / ) {
	124	$DontAccept{$ThisLine}++;
	125	}
	126	elsif ( $ThisLine =~ /rejected connection in .connect. ACL/ ) {
	127	# Likely policy rejections
164	128	$DontAccept{$ThisLine}++;
165	129	}
166	130	elsif ( $ThisLine =~ /believed to be spam/ ) {

420	384	if ($Detail >= $LvlDontAccept) {
421	385	# Print Administrative Prohibitions
422	386	if (%DontAccept) {
423		my (%spam);
	387	my (%spam, %detail);
424	388	my (@errList);
425	389
426	390	# Probable SPAM hosts...

439	403	$cc = "Blocked Email Domain";
440	404	$bb = "$1\@$2";
441	405	}
	406	elsif ( $ThisOne =~ m/rejected connection in .connect. ACL/ ) {
	407	$cc = "Blocked Host";
	408	( $bb ) = ($ThisOne =~ m/\[(\d+\.\d+\.\d+\.\d+)\]/);
	409	}
442	410	elsif ( $ThisOne =~ m/mail not permitted from sender ([\w\*-_.]+)@([\w.-_]+)/ ) {
443	411	$cc = "Blocked Email Address";
444	412	$bb = "$1\@$2";

473	441	}
474	442	elsif ( $ThisOne =~ m/remote host address is the local host/ ) {
475	443	$cc = "Invalid local domain";
476		( $bb ) = ($ThisOne =~ m/\@\[^>]+/);
	444	( $bb ) = ($ThisOne =~ m/\@[^>]+/);
477	445	}
478	446	else {
479	447	# If we picked up a malfunction but didn't collect it here,

482	450	#next;
483	451	print "Didn't Summarize: $ThisOne\n";
484	452	}
485		if (defined( $spam{$cc} )) {
486		$mid = $spam{$cc};
487		}
488		$spam{$cc} = "$mid$aa : $bb,";
	453	if ($cc =~ m/Blocked/ ) {
	454	# hash of blocked things
	455	my $h = {};
	456	if (!defined($detail{$cc})) {
	457	# debug print "add type $cc\n" ;
	458	$detail{$cc} = $h;
	459	}
	460	$h = $detail{$cc};
	461
	462	if (defined($h{$bb})) {
	463	# debug print "add $bb to ".$h{$bb}."\n" ;
	464	$h{$bb} = $h{$bb} + 1;
	465	}
	466	else {
	467	$h{$bb} = 1;
	468	# debug print "start $bb at ".$h{$bb}."\n" ;
	469	}
	470	# marker
	471	$spam{$cc} = "";
	472	}
	473	else {
	474
	475	if (defined( $spam{$cc} )) {
	476	$mid = $spam{$cc};
	477	}
	478	$spam{$cc} = "$mid$aa : $bb,";
	479
	480	}
489	481	}
490	482	foreach $ThisOne (sort(keys %spam)) {
491	483	if ($Detail >= $LvlDontAcceptLines) {
492		print " $ThisOne\n";
493		foreach $aa ( sort( split /,/, $spam{$ThisOne} )) {
494		print " $aa\n";
	484	if ($spam{$cc} eq "") {
	485	print " $ThisOne\n";
	486	my $h = $detail{$ThisOne};
	487	foreach $aa (sort(keys %h) ) {
	488	print " $aa : ".$h{$aa}." times\n";
	489	}
	490	}
	491	else {
	492	print " $ThisOne\n";
	493	foreach $aa ( sort( split /,/, $spam{$ThisOne} )) {
	494	print " $aa\n";
	495	}
495	496	}
496	497	}
497	498	else {

+9

-5

scripts/services/fail2ban less more

0	0	##########################################################################
1		# $Id: fail2ban 150 2013-06-18 22:19:38Z mtremaine $
	1	# $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $
2	2	##########################################################################
3	3	# $Log: fail2ban,v $
4	4	# Revision 1.5 2008/08/18 16:07:46 mike

66	66	($ThisLine =~ /..,... \S\s: DEBUG /) or # syntax of 0.7.? fail2ban
67	67	($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running\|Exiting\|Enabled sections:)/) or
68	68	($ThisLine =~ /INFO\s+Log rotation detected for/) or
69		($ThisLine =~ /INFO\s+Jail.+(?:stopped\|started\|uses poller)/) or
	69	($ThisLine =~ /INFO\s+Jail.+(?:stopped\|started\|uses poller\|uses pyinotify)/) or
70	70	($ThisLine =~ /INFO\s+Changed logging target to/) or
71	71	($ThisLine =~ /INFO\s+Creating new jail/) or
72	72	($ThisLine =~ /..,... \S+\s*: INFO\s+(Set \|Socket\|Exiting\|Gamin\|Created\|Added\|Using)/) or # syntax of 0.7.? fail2ban
73	73	($ThisLine =~ /..,... WARNING: Verbose level is /) or
74		($ThisLine =~ /..,... WARNING: Restoring firewall rules/)
	74	($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
	75	($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or
	76	($ThisLine =~ /INFO\s+(Stopping all jails\|Exiting Fail2ban)/) or
	77	($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or
	78	($ThisLine =~ /INFO\s+(Added logfile = .*\|Set maxRetry = \d+\|Set findtime = \d+\|Set banTime = \d+)/)
75	79	)
76	80	{
77	81	if ( $Debug >= 6 ) {
78	82	print STDERR "DEBUG($DebugCounter): line ignored\n";
79	83	}
80		} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/WARNING:?\s\[?(.?)[]:]?\s(Ban\|Unban)[^\.] (\S+)/)) {
	84	} elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING\|NOTICE):?\s\[?(.?)[]:]?\s(Ban\|Unban)[^\.] (\S+)/)) {
81	85	if ( $Debug >= 6 ) {
82	86	print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
83	87	}

90	94	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
91	95	} elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
92	96	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
93		} elsif ( my ($Service,$Host) = ($ThisLine =~ m/WARNING\s\[(.)\]\s(\S+)\salready banned/)) {
	97	} elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO\|WARNING)\s\[(.)\]\s(\S+)\salready banned/)) {
94	98	$ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
95	99	} elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
96	100	$ServicesBans{$Service}{$Host}{'ReBan'}++;

+3

-1

scripts/services/fetchmail less more

0	0	##########################################################################
1		# $Id: fetchmail 150 2013-06-18 22:19:38Z mtremaine $
	1	# $Id: fetchmail 230 2014-09-09 12:30:37Z stefjakobs $
2	2	##########################################################################
3	3
4	4	########################################################

50	50	$conn_fail{"${1} -- ${2}"}++;
51	51	} elsif($ThisLine =~ s/^(\d+) messages? for (\S+) at (\S+).*.//) {
52	52	$messages_for{"${2} at ${3}"} += $1;
	53	} elsif($ThisLine =~ s/^(\d+) messages? $(\d+) seen$ for (\S+) at (\S+).*.//) {
	54	$messages_for{"${3} at ${4}"} += ($1-$2);
53	55	} else {
54	56	chomp($ThisLine);
55	57	# Report any unmatched entries...

+10

-10

scripts/services/http less more

0	0	##########################################################################
1		# $Id: http 179 2014-01-09 16:29:00Z opoplawski $
	1	# $Id: http 233 2014-09-09 15:52:31Z stefjakobs $
2	2	##########################################################################
3	3
4	4	#####################################################

112	112
113	113	######################
114	114	# file type comparisons are case-insensitive
115		my $image_types = '(\.bmp\|\.cdr\|\.emz\|\.gif\|\.ico\|\.jpeg\|\.jpg\|\.png\|\.svg\|\.sxd\|\.tif\|\.tiff\|\.wbmp\|\.wmf\|\.wmz\|\.xdm)';
	115	my $image_types = '(\.bmp\|\.cdr\|\.emz\|\.gif\|\.ico\|\.jpe?g\|\.png\|\.svg\|\.sxd\|\.tiff?\|\.wbmp\|\.webp\|\.wmf\|\.wmz\|\.xdm)';
116	116	my $content_types = '(';
117	117	$content_types = $content_types.'\/server-status\|\/server-info';
118	118	$content_types = $content_types.'\|\.htm\|\.html\|\.jhtml\|\.phtml\|\.shtml\|\/\.?';

126	126	$content_types = $content_types.'\|\.fla\|\.swf\|\.rdf';
127	127	$content_types = $content_types.'\|\.class\|\.jsp\|\.jar\|\.java';
128	128	$content_types = $content_types.'\|COPYRIGHT\|README\|FAQ\|INSTALL\|\.txt)';
129		my $docs_types = '(\.asc\|\.bib\|\.djvu\|\.doc\|\.dot\|\.dtd\|\.dvi\|\.gnumeric\|\.mcd\|\.mso\|\.pdf\|\.pps\|\.ppt\|\.ps\|\.rtf\|\.sxi\|\.tex\|\.text\|\.tm\|\.xls\|\.xml)';
130		my $archive_types = '(\.ace\|\.bz2\|\.cab\|\.deb\|\.dsc\|\.ed2k\|\.gz\|\.hqx\|\.md5\|\.rar\|\.rpm\|\.sig\|\.sign\|\.tar\|\.tbz2\|\.tgz\|\.vl2\|\.z\|\.zip\|\.hdr)';
131		my $sound_types = '(\.au\|\.aud\|\.mid\|\.mp3\|\.ogg\|\.pls\|\.ram\|\.raw\|\.rm\|\.wav\|\.wma\|\.wmv\|\.xsm)';
132		my $movie_types = '(\.asf\|\.ass\|\.avi\|\.idx\|\.mid\|\.mpg\|\.mpeg\|\.mov\|\.qt\|\.psb\|\.srt\|\.ssa\|\.smi\|\.sub)';
	129	my $docs_types = '(\.asc\|\.bib\|\.djvu\|\.docx?\|\.dot\|\.dtd\|\.dvi\|\.gnumeric\|\.mcd\|\.mso\|\.pdf\|\.pps\|\.pptx?\|\.ps\|\.rtf\|\.sxi\|\.tex\|\.text\|\.tm\|\.xlsx?\|\.xml)';
	130	my $archive_types = '(\.7z\|\.ace\|\.bz2\|\.cab\|\.deb\|\.dsc\|\.ed2k\|\.gz\|\.hqx\|\.md5\|\.rar\|\.rpm\|\.sig\|\.sign\|\.tar\|\.tbz2\|\.tgz\|\.vl2\|\.z\|\.zip\|\.hdr)';
	131	my $sound_types = '(\.aac\|\.au\|\.aud\|\.m4a\|\.mid\|\.mp3\|\.oga\|\.pls\|\.ram\|\.raw\|\.rm\|\.wav\|\.wma\|\.xsm)';
	132	my $movie_types = '(\.asf\|\.ass\|\.avi\|\.idx\|\.flv\|\.m2?ts\|\.mkv\|\.mp4\|\.mpe?g\|\.mov\|\.ogg\|\.ogv\|\.qt\|\.psb\|\.srt\|\.ssa\|\.smi\|\.sub\|\.webm\|\.wmv)';
133	133	my $winexec_types = '(\.bat\|\.com\|\.exe\|\.dll)';
134	134	my $wpad_files = '(wpad\.dat\|wspad\.dat\|proxy\.pac)';
135	135	my $program_src = '(';
136		$program_src = $program_src.'\.bas\|\.c\|\.cpp\|\.diff\|\.f\|\.h\|\.init\|\.m\|\.mo\|\.pas\|\.patch\|\.po\|\.pot\|\.py\|\.sh\|\.spec';
	136	$program_src = $program_src.'\.bas\|\.cs?\|\.cpp\|\.diff\|\.f\|\.h\|\.init\|\.m\|\.mo\|\.pas\|\.patch\|\.po\|\.pot\|\.py\|\.sh\|\.spec';
137	137	$program_src = $program_src.'\|Makefile\|Makefile_c\|Makefile_f77)';
138	138	my $images_types = '(\.bin\|\.cue\|\.img\|\.iso\|\.run)';
139	139	my $logs_types = '(\.log\|_log\|-log\|\.logs\|\.out\|\.wyniki)';
140		my $fonts_types = '(\.aft\|\.ttf)';
	140	my $fonts_types = '(\.aft\|\.otf\|\.ttf\|\.woff)';
141	141	my $config_types = '(\.cfg\|\.conf\|\.config\|\.ini\|\.properties)';
142	142	my $xpcomext_types = '(\.xpt)';
143	143	my $mozext_types = '(\.xul)';

405	405	for (my $i = 0; $i < @exploits; $i++) {
406	406	# print "$i $exploits[$i] $field{lc_url} \n";
407	407	if ( ($field{lc_url} =~ /$exploits[$i]/i) &&
408		!((defined $ignoreURLs) && ($field{url} =~ /$ignoreURLs/)) &&
	408	!((defined $ignoreURLs) && ($field{url} =~ /$ignoreURLs/i)) &&
409	409	!((defined $ignoreIPs) && ($field{client_ip} =~ /$ignoreIPs/)) ) {
410	410	$hacks{$field{client_ip}}{$exploits[$i]}++;
411	411	$total_hack_count += 1;

699	699	sub shouldIgnore {
700	700	my($context)=@_;
701	701
702		if( ((defined $ignoreURLs) && ($field{url} =~ /$ignoreURLs/)) \|\|
	702	if( ((defined $ignoreURLs) && ($field{url} =~ /$ignoreURLs/i)) \|\|
703	703	((defined $ignoreIPs) && ($field{client_ip} =~ /$ignoreIPs/)) ) {
704	704	return 1;
705	705	}

+16

-4

scripts/services/kernel less more

0	0
1	1	##########################################################################
2		# $Id: kernel 183 2014-01-26 13:32:28Z stefjakobs $
	2	# $Id: kernel 229 2014-09-09 12:12:49Z stefjakobs $
3	3	##########################################################################
4	4	# $Log: kernel,v $
5	5	# Revision 1.35 2008/03/24 23:31:26 kirk

103	103	# Standard boot messages
104	104	next if $ThisLine =~ /Giving out device to /;
105	105	$EDACs{$1}++;
106		} elsif ($ThisLine =~ /block (drbd\d+): Online verify found (\d+) \d+k block out of sync/) {
107		$DRBDErrors{$1} = $2;
	106	} elsif ($ThisLine =~ /(block drbd\d+): Online verify found (\d+) \d+k block out of sync/) {
	107	$DRBDErrors{$1}{"$2 block(s) out of sync"} = 1;
	108	} elsif ($ThisLine =~ /(block drbd\d+): \[.*\] sock_sendmsg time expired/) {
	109	$DRBDErrors{$1}{"sock_sendmsg time expired"}++;
	110	} elsif ($ThisLine =~ /(block drbd\d+): Began resync as (SyncSource\|SyncTarget)/) {
	111	$DRBDErrors{$1}{"Began resync as $2"}++;
108	112	} elsif ( ( my $errormsg ) = ( $ThisLine =~ /(.*?error.{0,17})/i ) ) {
109	113	# filter out smb open/read errors cased by insufficient permissions
110	114	my $SkipError = 0;

136	140	$SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, result=-13/;
137	141	$SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, error=-13/;
138	142	$SkipError = 1 if $ThisLine =~ /block drbd\d+: Out of sync: start=\d+/;
	143	$SkipError = 1 if $ThisLine =~ /block drbd\d+: updated( sync)? UUIDs?/i;
	144	$SkipError = 1 if $ThisLine =~ /block drbd\d+: Resync done/;
	145	$SkipError = 1 if $ThisLine =~ /block drbd\d+: cs:(?:Ahead\|Behind) rs_left/;
	146	$SkipError = 1 if $ThisLine =~ /block drbd\d+: \d+ % had equal checksums, eliminated:/;
139	147	$Kernel{$ThisLine}++ if ( (! $SkipError) \|\| ($Detail > 8)) ;
140	148	}
141	149	}

160	168	if (keys %DRBDErrors) {
161	169	print "\nWARNING: DRBD Errors Present\n";
162	170	foreach my $Thisone ( sort {$a cmp $b} keys %DRBDErrors ) {
163		print " $Thisone : $DRBDErrors{$Thisone} block(s) out of sync\n";
	171	foreach my $Msg (sort {$a cmp $b} keys %{$DRBDErrors{$Thisone}}) {
	172	print " $Thisone: $Msg";
	173	print " : $DRBDErrors{$Thisone}{$Msg} Time(s)" if $DRBDErrors{$Thisone}{$Msg} > 1;
	174	print "\n";
	175	}
164	176	}
165	177	}
166	178

+8

-2

scripts/services/mdadm less more

40	40	}
41	41	close(MDADM);
42	42
43		foreach my $dev (@devices) {
	43	DEV: foreach my $dev (@devices) {
44	44	my %mdhash;
45	45
46		open(MDADM,"mdadm --misc --detail $dev \|");
	46	open(MDADM,"mdadm --misc --detail $dev 2>&1 \|");
47	47	while (<MDADM>) {
	48	if ($_ =~ /cannot open .*: No such file or directory/) {
	49	print $_;
	50	close(MDADM);
	51	next DEV;
	52	}
	53
48	54	$mdhash{'level'} = $1 if ($_ =~ /Raid Level ?: ?(.*)$/);
49	55	$mdhash{'active'} = $1 if ($_ =~ /Active Devices ?: ?(.*)$/);
50	56	$mdhash{'working'} = $1 if ($_ =~ /Working Devices ?: ?(.*)$/);

+29

-116

scripts/services/named less more

0	0	##########################################################################
1		# $Id: named 198 2014-06-24 21:27:49Z opoplawski $
	1	# $Id: named 234 2014-09-09 16:08:00Z stefjakobs $
2	2	##########################################################################
3		# $Log: named,v $
4		# Revision 1.62 2011/01/06 22:53:00 stefan
5		# add: deferred zone transfers
6		# fix: TTL differs in rdataset
7		#
8		# Revision 1.61 2010/09/18 17:35:00 stefan
9		# add: bad zone transfer request
10		#
11		# Revision 1.60 2010/05/10 00:25:00 stefan
12		# fix: clients-per-query,
13		# add: more lines to ignore, refused notify, client query denied, retry
14		# limit exceeded, too many open file, no SOA, checkhints
15		#
16		# Revision 1.59.1 2010/05/04 22:25:00 stefan
17		# More refresh: and RCODE handling
18		#
19		# Revision 1.58 2009/06/02 14:55:45 mike
20		# Fedora patch from Ivan Varekova -mgt
21		#
22		# Revision 1.57 2008/03/24 23:31:26 kirk
23		# added copyright/license notice to each script
24		#
25		# Revision 1.56 2007/09/02 01:22:30 mrc
26		# - Zone notify update from Orion Poplawski
27		#
28		# Revision 1.55 2007/08/22 19:13:00 bjorn
29		# Additional filtering, including configuration and control channel errors,
30		# by Ivana Varekova.
31		#
32		# Revision 1.54 2007/08/02 05:13:49 mrc
33		# - Catch unmatched update forwarding denied, automatic empty zone, and
34		# unexpected rcode [Thanks: Orion Poplawski]
35		# - Catch unmatched shutdown failure messages
36		#
37		# Revision 1.53 2007/07/08 18:44:51 mrc
38		# Catch unmatched zone update refusals, including viewname in output [Thanks: Åge Strand]
39		#
40		# Revision 1.52 2007/04/28 20:58:39 bjorn
41		# More generic RCODE handling - prints summary of unexpected DNS RCODEs.
42		#
43		# Revision 1.51 2007/04/15 20:03:25 bjorn
44		# Filtering updating zones with views, based on submittal by
45		# Jesper K. Pedersen.
46		#
47		# Revision 1.50 2007/02/16 03:36:25 bjorn
48		# Filtering some D-BUS statements, by Ivana Varekova.
49		#
50		# Revision 1.49 2007/01/29 18:28:38 bjorn
51		# Better formatting of output, by Markus Lude.
52		#
53		# Revision 1.48 2006/11/12 21:14:02 bjorn
54		# Filtering 'transfer started' message, by Russell Coker / Tom London.
55		#
56		# Revision 1.47 2006/10/20 21:02:00 bjorn
57		# Typo fixed by Alex S.
58		#
59		# Revision 1.46 2006/10/20 16:44:38 bjorn
60		# Changed regexp to handle IPV6, by Willi Mann.
61		#
62		# Revision 1.45 2006/09/15 15:40:58 bjorn
63		# Additional filtering by Ivana Varekova.
64		#
65		# Revision 1.44 2006/03/20 20:42:57 bjorn
66		# Additional filtering, by Ivana Varekova.
67		#
68		# Revision 1.43 2005/11/30 05:01:44 bjorn
69		# Don't search for info: string (for Debian), by Willi Mann.
70		#
71		# Revision 1.42 2005/11/24 16:48:30 bjorn
72		# Handles additional statements, by Ivana Varekova.
73		#
74		# Revision 1.41 2005/09/29 15:02:52 bjorn
75		# Filtering 'succeeded' by Ivana Varekova.
76		#
77		# Revision 1.40 2005/04/15 21:44:35 bjorn
78		# testing from anonymous
79		#
80		# Revision 1.39 2005/04/15 21:36:59 bjorn
81		# typo fixed in 'named' release during 2004
82		#
83		# Revision 1.38 2005/04/13 17:24:13 kirk
84		# Test change
85		#
86		# Revision 1.37 2005/02/24 17:08:04 kirk
87		# Applying consolidated patches from Mike Tremaine
88		#
89		# Revision 1.9 2005/02/21 19:09:52 mgt
90		# Bump to 5.2.8 removed some cvs logs -mgt
91		#
92		# Revision 1.8 2005/02/16 00:43:28 mgt
93		# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt
94		#
95		# Revision 1.7 2005/02/13 17:15:40 mgt
96		# perl -w corrections for uninit stuff -mgt
97		#
98		# Revision 1.6 2004/10/11 18:14:47 mgt
99		# update from Laurent -mgt
100		#
101		# Revision 1.41 2004/09/29 10:33:29 laurent Dufour <laurent.dufour@havas.com>
102		# Removed some ^ in regex to prevent message not being in start on line to be matched
103		# Added some check for error in named zone config file
104		# Added some check for message not being matched
105		#
106		# Revision 1.4 2004/07/29 19:33:29 mgt
107		# Chmod and removed perl call -mgt
108		#
109		# Revision 1.3 2004/07/10 01:54:35 mgt
110		# sync with kirk -mgt
111		#
112		#########################################################################
113	3
114	4	#####################################################
115	5	## Copyright (c) 2008 Kirk Bauer

180	70	($ThisLine =~ /Response from unexpected source/) or
181	71	($ThisLine =~ /No root nameservers for class IN/) or
182	72	($ThisLine =~ /recvfrom: No route to host/) or
183		($ThisLine =~ /(C\|c)onnection refused/) or
184		($ThisLine =~ /lame server resolving/) or
185	73	($ThisLine =~ /transfer of/) or
186	74	($ThisLine =~ /using \d+ CPU/) or
187	75	($ThisLine =~ /loading configuration/) or

255	143	($ThisLine =~ /corporation. Support and training for BIND \d+ are/) or
256	144	($ThisLine =~ /available at https:\/\/www.isc.org\/support/) or
257	145	($ThisLine =~ /----------------------------------------------------/) or
	146	($ThisLine =~ /next key event: /) or
	147	($ThisLine =~ /reconfiguring zone keys/) or
	148	($ThisLine =~ /using built-in DLV key/) or
	149	($ThisLine =~ /reading built-in trusted keys from file/) or
	150	($ThisLine =~ /all zones loaded/) or
258	151	# ignore this line because the following line describes the error
259	152	($ThisLine =~ /unexpected error/)
260	153	) {

297	190	$ZoneExpired{$Zone}++;
298	191	} elsif ( ($Zone) = ( $ThisLine =~ /zone (.+)\: loaded serial/ ) ) {
299	192	$ZoneLoaded{$Zone}++;
	193	} elsif ( (undef,$Addr,$Server) = ( $ThisLine =~ /(C\|c)onnection refused\)? resolving '(.+)': (.+)/ ) ) {
	194	$ConnectionRefused{$Addr}{$Server}++;
300	195	} elsif ( (undef,$Addr,undef,$Server) = ( $ThisLine =~ /ame server (on\|resolving) '(.+)' $in .+$:\s+(\[.+\]\.\d+)?\s*'?(.+)'?:?/ ) ) {
301		$LameServer{"$Addr ($Server)"}++;
	196	$LameServer{$Addr}{$Server}++;
302	197	} elsif ( ($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ ) ) {
303	198	$ZoneRemoved{$Zone}++;
304	199	} elsif ( ($Zone) = ( $ThisLine =~ /received notify for zone '(.*)'/ ) ) {

392	287	$NoSOA{$Client}++;
393	288	} elsif (($Hint) = ($ThisLine =~ /checkhints: (.*)/) ) {
394	289	$Hints{$Hint}++;
	290	} elsif ($ThisLine =~ /^samba_dlz:/) {
	291	if ( ($Rhost, $Error) = ($ThisLine =~ /disallowing update of signer=.* name=(.) type=. error=(.*)/ )) {
	292	$UpdateDenied{"$Rhost ($Error)"}++;
	293	}
	294	# ignore rest of samba4 dlz entries for now
395	295	} else {
396	296	# Report any unmatched entries...
397	297	# remove PID from named messages

542	442	}
543	443	}
544	444
	445	if ( ( $Detail >= 10 ) and (keys %ConnectionRefused) ) {
	446	print "\nConnection refused resolving:\n";
	447	foreach $Addr (sort keys %ConnectionRefused) {
	448	print " $Addr:\n";
	449	foreach $Server (sort SortIP keys %{$ConnectionRefused{$Addr}}) {
	450	print " $Server: $ConnectionRefused{$Addr}{$Server} Time(s)\n";
	451	}
	452	}
	453	}
	454
545	455	if ( ( $Detail >= 10 ) and (keys %LameServer) ) {
546	456	print "\nThese addresses had lame server references:\n";
547		foreach $ThisOne (keys %LameServer) {
548		print " $ThisOne: $LameServer{$ThisOne} Time(s)\n";
	457	foreach $Addr (sort keys %LameServer) {
	458	print " $Addr:\n";
	459	foreach $Server (sort SortIP keys %{$LameServer{$Addr}}) {
	460	print " $Server: $LameServer{$Addr}{$Server} Time(s)\n";
	461	}
549	462	}
550	463	}
551	464

+4

-3

scripts/services/pam_unix less more

0	0	use strict;
1	1	##########################################################################
2		# $Id: pam_unix 164 2013-08-19 10:22:38Z stefjakobs $
	2	# $Id: pam_unix 215 2014-09-08 20:45:36Z stefjakobs $
3	3	##########################################################################
4	4	# $Log: pam_unix,v $
5	5	# Revision 1.36 2011/01/05 22:01:00 stefan

170	170	} elsif ($line =~ s/^session opened for user (.+) by LOGIN$uid=\d+$/$1/) {
171	171	$data{$service}{'Sessions Opened'}{$line}++;
172	172	} elsif ($line =~ /session closed for user/) {
173		# ignore this line
	173	} elsif ($line =~ /^service$sshd$ ignoring max retries/) {
	174	# ignore these lines
174	175	} elsif ($line =~ s/^authentication failure; .rhost=(\S)\s+user=(\S*)$/$2 ($1)/) {
175	176	$data{$service}{'Authentication Failures'}{$line}++;
176	177	} elsif ($line =~ s/^authentication failure; .rhost=(\S)\s*$/unknown ($1)/) {

181	182	$data{$service}{'Authentication Failures'}{$line}++;
182	183	} elsif ($line =~ s/^(\d+) more authentication failures?; .rhost=(\S)\s+user=(\S*)$/$3 ($2)/) {
183	184	$data{$service}{'Authentication Failures'}{$line} += $1;
184		} elsif ($line =~ s/^(\d+) more authentication failures?; .rhost=(\S)$/unknown ($2)/) {
	185	} elsif ($line =~ s/^(\d+) more authentication failures?; .rhost=(\S)\s*$/unknown ($2)/) {
185	186	$data{$service}{'Authentication Failures'}{$line} += $1;
186	187	} elsif ($line =~ /check pass; user unknown/) {
187	188	$data{$service}{'Invalid Users'}{'Unknown Account'}++;

+15

-2

scripts/services/postfix less more

54	54	no warnings "uninitialized";
55	55	use re 'taint';
56	56
57		our $Version = '1.40.00';
	57	our $Version = '1.40.03';
58	58	our $progname_prefix = 'postfix';
59	59
60	60	# Specifies the default configuration file for use in standalone mode.

3585	3585	}
3586	3586
3587	3587	# Client TLS messages
3588		elsif ( ($status,$host,$type) = ($p1 =~ /^(?:(Verified\|Trusted\|Untrusted) )?TLS connection established to ([^ ]): (.)$/o)) {
	3588	elsif ( ($status,$host,$type) = ($p1 =~ /^(?:(Verified\|Trusted\|Untrusted\|Anonymous) )?TLS connection established to ([^ ]): (.)$/o)) {
3589	3589	#TD TLS connection established to example.com: TLSv1 with cipher AES256-SHA (256/256 bits)
3590	3590	# Postfix 2.5+: peer verification status: Untrusted, Trusted or Verified when
3591	3591	# server's trust chain is valid and peername is matched

3930	3930	push @ignore_list, qr/^report recipient to all milters /;
3931	3931	push @ignore_list, qr/_action = defer_if_permit$/;
3932	3932	push @ignore_list, qr/^reject_invalid_hostname: /;
	3933	push @ignore_list, qr/^cfg_get_/;
	3934	push @ignore_list, qr/^sacl_check: /;
3933	3935
3934	3936	# non-anchored
3935	3937	#push @ignore_list, qr/: Greylisted for /;

4737	4739	#TDsd warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=11
4738	4740	#TDs warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=11
4739	4741	$warning =~ s/^(Read failed in network_biopair_interop) with .*$/$1/;
	4742
	4743	=cut
	4744	$warning =~ s/^(TLS library problem: )\d+:(error:.*)$/$1$2/;
	4745	$warning =~ s/^(network_biopair_interop: error reading) \d+ bytes(.*)$/$1$2/;
	4746
	4747	1 TLS library problem: 10212:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher...
	4748	1 TLS library problem: 10217:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher...
	4749	1 network_biopair_interop: error reading 1102 bytes from the network: Connection reset by peer
	4750	1 network_biopair_interop: error reading 1120 bytes from the network: Connection reset by peer
	4751	=cut
	4752
4740	4753
4741	4754	$Totals{'warningsother'}++; return unless ($Collecting{'warningsother'});
4742	4755	$Counts{'warningsother'}{$warning}++;

+4

-4

scripts/services/secure less more

0	0	#########################################################################
1		# $Id: secure 189 2014-02-07 13:56:36Z stefjakobs $
	1	# $Id: secure 231 2014-09-09 12:59:24Z stefjakobs $
2	2	##########################################################################
3	3	# $Log: secure,v $
4	4	# Revision 1.86 2009/11/14 16:26:41 kirk

350	350	} elsif ( ($Service,undef,$Name,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: warning: ([^ ]+), line \d+: host name\/name mismatch: ([^ ]+) != ([^ ]+)$/) ) {
351	351	$NameVerifyFail{$Service}{"$Name != $IP"}++;
352	352	} elsif ( ($Display, $User) = ($ThisLine =~ /^xscreensaver\[\d+\]: FAILED LOGIN \d ON DISPLAY \"([^ ]+)\", FOR \"([^ ]+)\"$/) ) {
353		$FailedSaver{$User}{$Display}++;
	353	$FailedSaver->{$User}->{$Display}++;
354	354	} elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: No route to host$/$1/ ) {
355	355	$NoIP->{$ThisLine}++;
356	356	} elsif ( $ThisLine =~ s/^([^ ]+)\[\d+\]: warning: can\'t get client address: Network is unreachable$/$1/ ) {

687	687	print "\nFailed screensaver disable:\n";
688	688	foreach $User (sort {$a cmp $b} keys %{$FailedSaver}) {
689	689	print " User $User on displays:\n";
690		foreach $Display (sort {$a cmp $b} keys %{$FailedSaver{$User}}) {
691		print " $Display : $FailedSaver{$User}{$Display} Time(s)\n";
	690	foreach $Display (sort {$a cmp $b} keys %{$FailedSaver->{$User}}) {
	691	print " $Display : " . $FailedSaver->{$User}->{$Display} . " Time(s)\n";
692	692	}
693	693	}
694	694	}

+7

-7

scripts/services/sendmail less more

0	0
1	1	##########################################################################
2		# $Id: sendmail 150 2013-06-18 22:19:38Z mtremaine $
	2	# $Id: sendmail 220 2014-09-09 09:35:36Z stefjakobs $
3	3	##########################################################################
4	4	# $Log: sendmail,v $
5	5	# Revision 1.97 2008/03/24 23:31:26 kirk

904	904	} elsif ($ThisLine=~ /^headers too large .* from (.*) during message collect$/) {
905	905	$LargeHdrs{$1}++;
906	906	# file=srvrsmtp.c, LogLevel>5, LOG_INFO
907		} elsif ($ThisLine=~ /(\S*) ?\[([0-9\.]+)\](?: $may be forged$)?: (\S+) (\S+) \[rejected\]/i) {
908		chomp($Host=$2." ". (defined($1) ? "(".$1.")" : "(unresolved)") );
909		$Luser=$4;
910		$RejCmd=uc $3;
	907	} elsif ($ThisLine=~ /(\S*) ?\[(IPv6:)?([0-9A-F\.:]+)\](?: $may be forged$)?: (\S+) (\S+) \[rejected\]/i) {
	908	chomp($Host=$3." ". (defined($1) ? "(".$1.")" : "(unresolved)") );
	909	$Luser=$5;
	910	$RejCmd=uc $4;
911	911	$Abuse{$Host}{$Luser}{$RejCmd}++;
912	912	# file=srvrsmtp.c, LogLevel>5, LOG_INFO
913		} elsif ( $ThisLine =~ /\[([0-9\.]+)]: ETRN (\S+)/ ) {
914		chomp($ETRN=$2." from ".$1);
	913	} elsif ( $ThisLine =~ /\[(IPv6:)?([0-9A-F\.:]+)]: ETRN (\S+)/i ) {
	914	chomp($ETRN=$3." from ".$2);
915	915	$ETRNs{$ETRN}++;
916	916	# file=conf.c, LogLevel>8, LOG_NOTICE
917	917	} elsif ( $ThisLine =~ /rejecting connections on daemon [^ ]+: load average: ([0-9]+)/ ) {

+43

-38

scripts/services/smartd less more

0	0
1	1	##########################################################################
2		# $Id: smartd 182 2014-01-26 12:46:02Z stefjakobs $
3		##########################################################################
4		# $Log: smartd,v $
5		# Revision 1.26 2009/06/02 15:01:34 mike
6		# Fedora patch from Ivan Varekova -mgt
7		#
8		# Revision 1.25 2008/12/09 18:24:24 mike
9		# Patch from Stefan Jakobs for new smartd with SATA support -mgt
10		#
11		# Revision 1.24 2008/06/30 20:47:20 kirk
12		# fixed copyright holders for files where I know who they should be
13		#
14		# Revision 1.23 2008/03/24 23:31:27 kirk
15		# added copyright/license notice to each script
16		#
17		# Revision 1.22 2008/01/16 20:22:38 bjorn
18		# Makes reporting of SCSI and IDE uniform, by Tom Shield.
19		#
	2	# $Id: smartd 239 2014-09-16 20:14:12Z opoplawski $
20	3	##########################################################################
21	4
22	5	#######################################################

60	43	my %UnavailableDev = ();
61	44	my %SataDisk = ();
62	45	my %CheckFailed = ();
	46	my %Monitoring = ();
	47	my %DeviceInfo = ();
63	48
64	49	my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} \|\| 0;
65	50	my $IgnoreUnmatched = $ENV{'smartd_ignore_unmatched'} \|\| 0;

68	53	chomp($ThisLine);
69	54	if ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), No such device(?: or address)?, open failed/ )) {
70	55	# ignore
71		} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), is SMART capable. Adding to "monitor" list./ )) {
	56	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), open failed: No such device(?: or address)?/ )) {
72	57	# ignore
73	58	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), found in smartd database./ )) {
74	59	# ignore

98	83	# ignore
99	84	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^# [0-9]+ Offline Fatal or unknown error/ )) {
100	85	# ignore
101		} elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), not capable of SMART self-check/ )) {
	86	} elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), not capable of SMART (Health Status \|self-)check/ )) {
102	87	# ignore
103	88	} elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), is in STANDBY mode, skipping checks/ )) {
104	89	# ignore

115	100	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^ *$/ )) {
116	101	# ignore empty lines
117	102	} elsif ( ($ThisLine =~ /^smartd version/)
118		\|\| ($ThisLine =~ /^Home page/)
119		\|\| ($ThisLine =~ /^smartd .*Copyright $C$ [0-9-]+ by Bruce Allen/)
120		\|\| ($ThisLine =~ /configuration file/i)
121		\|\| ($ThisLine =~ /\[trip Temperature is \d+ Celsius\]/)
122		\|\| ($ThisLine =~ /^Monitoring/)
123		\|\| ($ThisLine =~ /smartd received signal 15: Terminated/)
124		\|\| ($ThisLine =~ /smartd is exiting $exit status 0$/)
125		\|\| ($ThisLine =~ /smartd has fork/)
126		\|\| ($ThisLine =~ /smartd (startup\|shutdown) succeeded/)
127		\|\| ($ThisLine =~ /Unable to register device (.*) $no Directive -d removable$. Exiting/)
128		\|\| ($ThisLine =~ /Device (.*), SATA disks accessed via libata are not currently supported by smartmontools./)
129		\|\| ($ThisLine =~ /Device: (.), IE $SMART$ not enabled, skip device Try '.' to turn on SMART features/)
130		\|\| ($ThisLine =~ /Device: (.*), Bad IEC (SMART) mode page, err=-5, skip device/)
131		\|\| ($ThisLine =~ /Drive: DEVICESCAN, implied '-a' Directive on line [\d]+ of file/)
132		\|\| ($ThisLine =~ /packet devices \[this device CD\/DVD\] not SMART capable/)
133		\|\| ($ThisLine =~ /System clock time adjusted to the past/) )
	103	\|\| ($ThisLine =~ /^smartd [0-9.]+ [0-9-]+ r[0-9]+ \[.*\]/)
	104	\|\| ($ThisLine =~ /^Home page/)
	105	\|\| ($ThisLine =~ /Copyright $C$ [0-9-]+(?: by\|,) Bruce Allen/)
	106	\|\| ($ThisLine =~ /configuration file/i)
	107	\|\| ($ThisLine =~ /\[trip Temperature is \d+ Celsius\]/)
	108	\|\| ($ThisLine =~ /^Monitoring/)
	109	\|\| ($ThisLine =~ /smartd received signal 15: Terminated/)
	110	\|\| ($ThisLine =~ /smartd is exiting $exit status 0$/)
	111	\|\| ($ThisLine =~ /smartd has fork/)
	112	\|\| ($ThisLine =~ /smartd (startup\|shutdown) succeeded/)
	113	\|\| ($ThisLine =~ /Unable to register device (.*) $no Directive -d removable$. Exiting/)
	114	\|\| ($ThisLine =~ /Device (.*), SATA disks accessed via libata are not currently supported by smartmontools./)
	115	\|\| ($ThisLine =~ /Device: (.*), IE $SMART$ not enabled, skip device/)
	116	\|\| ($ThisLine =~ /^Try '.*' to turn on SMART features/)
	117	\|\| ($ThisLine =~ /Device: (.*), Bad IEC (SMART) mode page, err=-5, skip device/)
	118	\|\| ($ThisLine =~ /Drive: DEVICESCAN, implied '-a' Directive on line [\d]+ of file/)
	119	\|\| ($ThisLine =~ /packet devices \[this device CD\/DVD\] not SMART capable/)
	120	\|\| ($ThisLine =~ /System clock time adjusted to the past/) )
134	121	{
135	122	# ignore
136	123
	124	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), is SMART capable. Adding to "monitor" list./ )) {
	125	$Monitoring{$Device} = 1;
	126	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), ([^,]+, S\/N:[^,]+,.* FW:.*)/ )) {
	127	$DeviceInfo{$Device} = $Msg;
	128	} elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), (\[[^,]+, lu id: .*)/ )) {
	129	$DeviceInfo{$Device} = $Msg;
137	130	# } elsif ( ($Device,$Msg) = ($ThisLine =~ /^Device: ([^,]+), (.*)$/)) {
138	131	# $ParamChanges{$Device}{$Msg}++;
139	132	} elsif ( ($Device) = ($ThisLine =~ /^Device: ([^,]+), not found in smartd database./ )) {
140	133	$NotInDatabase{$Device}++;
141		} elsif ( my ($Device,$AttribType,$Code,$Name,undef,undef,undef,$RawVal) = ($ThisLine =~ /^Device: ([^,]+), SMART ([A-Za-z]+) Attribute: ([0-9]+) (Temperature_Celsius) changed from ([0-9]+) (\[Raw [0-9]+\]) to ([0-9]+) \[Raw ([0-9]+)\]/)) {
	134	} elsif ( my ($Device,$AttribType,$Code,$Name,undef,undef,undef,$RawVal) = ($ThisLine =~ /^Device: ([^,]+), SMART ([A-Za-z]+) Attribute: ([0-9]+) (Temperature_Celsius) changed from ([0-9]+) (\[Raw [0-9]+(?: $[0-9]+\s[0-9]+\s[0-9]+\s[0-9]+(?:\s[0-9])?$)?\]) to ([0-9]+) \[Raw ([0-9]+)(?: $[0-9]+\s[0-9]+\s[0-9]+\s[0-9]+(?:\s[0-9])?$)?\]/)) {
142	135	push @{$TempChanges{$Device}}, $RawVal;
143	136	# smartd reports temperature changes this way only for SCSI disks
144	137	} elsif ( my ($Device,$AttribType,$Code,$Name,undef,undef,$NewVal) = ($ThisLine =~ /^Device: ([^,]+), SMART ([A-Za-z]+) Attribute: ([0-9]+) ([A-Za-z_]+) changed from ([0-9]+) (\[Raw [0-9]+\] )?to ([0-9]+)/)) {

215	208	}
216	209
217	210	if (keys %CantMonitor) {
218		foreach my $Device (sort keys %ParamChanges) {
	211	foreach my $Device (sort keys %CantMonitor) {
219	212	print "\n$Device :\n";
220	213	foreach my $Line (sort keys %{$CantMonitor{$Device}}) {
221	214	print " $Line - " . $CantMonitor{$Device}{$Line} . " Time(s)\n";

359	352	print "\n";
360	353	}
361	354
	355	if (keys %Monitoring and $Detail > 7) {
	356	print "\nMonitoring:\n";
	357	foreach my $Device (sort keys %Monitoring) {
	358	print "\t$Device";
	359	if (defined($DeviceInfo{$Device})) {
	360	print ": $DeviceInfo{$Device}\n";
	361	} else {
	362	print "\n";
	363	}
	364	}
	365	}
	366
362	367	if ((%OtherList) and (not $IgnoreUnmatched)){
363	368	print "\nUnmatched Entries\n";
364	369	foreach my $line (sort keys %OtherList) {

+6

-2

scripts/services/sshd less more

0	0	##########################################################################
1		# $Id: sshd 174 2013-11-08 17:01:58Z opoplawski $
	1	# $Id: sshd 240 2014-09-22 12:55:12Z stefjakobs $
2	2	##########################################################################
3	3	# $Log: sshd,v $
4	4	# Revision 1.79 2011/01/05 10:49:03 stefan

261	261	($ThisLine =~ m/^Disconnecting: server_input_channel_req: unknown channel -?\d+/) or
262	262	($ThisLine =~ m/^connect from \d+\.\d+\.\d+\.\d+/) or
263	263	($ThisLine =~ m/^fatal: Timeout before authentication/ ) or
	264	($ThisLine =~ m/^fatal: no hostkey alg/) or
264	265	($ThisLine =~ m/Connection from .* port /) or
265	266	($ThisLine =~ m/Postponed (keyboard-interactive\|publickey) for [^ ]+ from [^ ]+/) or
266	267	($ThisLine =~ m/Read from socket failed/) or

287	288	($ThisLine =~ /pam_winbind$sshd:account$: user .* OK/) or
288	289	($ThisLine =~ /pam_systemd$sshd:session$: Moving/) or
289	290	($ThisLine =~ /PAM \d+ more authentication failures?;/) or
	291	($ThisLine =~ /^PAM service$sshd$ ignoring max retries;/) or
290	292	($ThisLine =~ /^Failed keyboard-interactive for <invalid username> from/ ) or
291	293	($ThisLine =~ /^Keyboard-interactive $PAM$ userauth failed/ ) or
292	294	($ThisLine =~ /^debug1: /) or

321	323	($ThisLine =~ m/^fatal: Read from socket failed: No route to host/) or
322	324	($ThisLine =~ m/^fatal: Write failed: Network is unreachable/ ) or
323	325	($ThisLine =~ m/^fatal: Write failed: Broken pipe/) or
	326	($ThisLine =~ m/^fatal: Write failed: Connection reset by peer/) or
324	327	($ThisLine =~ m/^channel \d+: open failed: (?:connect failed: Channel open failed\.\|administratively prohibited: open failed)/) or
325	328	($ThisLine =~ m/^session_input_channel_req: no session \d+ req window-change/) or
326	329	($ThisLine =~ m/^error: chan_shutdown_read failed for .+/)

380	383	} elsif ( my ($Reason) = ($ThisLine =~ /^Authentication refused: (.*)$/ ) ) {
381	384	$RefusedAuthentication{$Reason}++;
382	385	} elsif ( my ($Host,$Reason) = ($ThisLine =~ /^Received disconnect from ([^ ]): (.)$/)) {
383		$DisconnectReceived{$Reason}{$Host}++;
	386	# Reason 11 (SSH_DISCONNECT_BY_APPLICATION) is expected, and logged at severity level INFO
	387	if ($Reason != 11) {$DisconnectReceived{$Reason}{$Host}++;}
384	388	} elsif ( my ($Host) = ($ThisLine =~ /^ROOT LOGIN REFUSED FROM ([^ ]*)$/)) {
385	389	$RootLogin{$Host}++;
386	390	} elsif ( my ($Error) = ($ThisLine =~ /^Cannot release PAM authentication\[\d\]: (.*)$/)) {

+59

-55

scripts/services/stunnel less more

	0	#!/usr/bin/perl
0	1
1	2	##########################################################################
2		# $Id: stunnel 167 2013-08-19 10:28:43Z stefjakobs $
	3	# $Id: stunnel 238 2014-09-16 08:00:55Z stefjakobs $
3	4	##########################################################################
4	5
5	6	#######################################################

23	24
24	25	my $Debug = $ENV{'LOGWATCH_DEBUG'} \|\| 0;
25	26	my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} \|\| 0;
26		my $allowedServicesInput = $ENV{'stunnel_allowed_services'} \|\| "";
27	27
28	28	my $DebugCounter = 0;
	29	my $Top = $ENV{'stunnel_print_top'} \|\| 20;
29	30
30	31	if ( $Debug >= 5 ) {
31	32	print STDERR "\n\nDEBUG: Inside stunnel Filter \n\n";

35	36	my @OtherList = ();
36	37	my %OtherList = ();
37	38	my %connections = ();
38		my %connectionsAllowed = ();
39		my %log_connections = ();
40	39	my %versioninfo = ();
	40	my %errors = ();
	41	my %notices = ();
41	42	my $sockdata = 0;
42	43	my $ssldata = 0;
43
44		$allowedServicesInput =~ s/[\t ],[\t ]/,/g;
45		my %allowedServices = ();
46		@allowedServices{split(/,/, $allowedServicesInput)} = ();
47
48		if ($Debug >= 5) {
49		print "Allowed services are set to: \n";
50		foreach my $allowedService (sort keys %allowedServices) {
51		print $allowedService, "\n";
52		}
53		print "\n\n\n";
54		}
55	44
56	45	sub other {
57	46	my $msg = shift;

65	54
66	55	my $ThisLine;
67	56	while (defined($ThisLine = <STDIN>)) {
	57	$ThisLine =~ s/LOG\d\[\d{1,5}:\d{15}\]: (.*)/$1/;
68	58	if ( $Debug >= 5 ) {
69	59	print STDERR "DEBUG($DebugCounter): $ThisLine";
70	60	$DebugCounter++;
71	61	}
72	62	chomp($ThisLine);
73		my ($logid) = ($ThisLine =~ /^LOG\d\[(\d+:\d+)\]:/);
74		# remove leading log level and ID, eg 'LOG5[2411:3084352400]: '
75		$ThisLine =~ s/^LOG\d\[\d+:\d+\]: //;
76
77		if ( ($ThisLine =~ m/^SSL_read: Connection reset by peer/)
78		) {
79		# ignore
80		} elsif ($ThisLine =~ m/^(.+) connected from (\d+\.\d+\.\d+\.\d+)/) {
	63	my $origline = $ThisLine;
	64	if ($ThisLine =~ m/^(.+) connected from (\d+\.\d+\.\d+\.\d+)/) {
81	65	my $service = $1;
82	66	my $ip = $2;
83		if (exists($allowedServices{$service})) {
84		++$connectionsAllowed{$service};
85		} else {
86		++$connections{$service}{$ip};
	67	if (! exists($connections{$service}{$ip})) {
	68	$connections{$service}{$ip} = 0;
87	69	}
88		} elsif ($ThisLine =~ m/^stunnel accepted connection from (\d+\.\d+\.\d+\.\d+):\d+/) {
89		$log_connections{$logid}{client} = $1;
90		} elsif ($ThisLine =~ m/^stunnel connected remote server from (\d+\.\d+\.\d+\.\d+):\d+/) {
91		$log_connections{$logid}{source} = $1;
92		} elsif ($ThisLine =~ m/^connect_blocking: connected (\d+\.\d+\.\d+\.\d+:\d+)/) {
93		$log_connections{$logid}{service} = $1;
	70	++$connections{$service}{$ip};
94	71	} elsif ($ThisLine =~ m/^Connection (reset\|closed): (\d+) bytes sent to SSL, (\d+) bytes sent to socket/) {
95	72	$ssldata += $2;
96	73	$sockdata += $3;
97	74	} elsif ($ThisLine =~ m/^Connection (reset\|closed)/) {
98	75	# ignore
99		} elsif ($ThisLine =~ m/^Threading:[\w]+ SSL:[\w]+/) {
	76	} elsif ($ThisLine =~ m/^connect_blocking: connected/) {
100	77	# ignore
101		} elsif ($ThisLine =~ m/^stunnel [\d\.]+ on [\w\-]+([\w\+\s]+)?with OpenSSL [\w\.\-]+ \d+ \w+ \d+/) {
	78	} elsif ($ThisLine =~ m/^Log file reopened$/) {
	79	# ignore
	80	} elsif ($ThisLine =~ m/^SSL socket closed on SSL_read with \d+ byte$s$ in buffer$/) {
	81	# ignore
	82	} elsif ($ThisLine =~ m/^stunnel [\d\.]+ on [\w\-]+ [\w\+]+ with OpenSSL [\w\.]+ \d+ \w+ \d+/) {
102	83	$versioninfo{$ThisLine} = 1;
	84	} elsif ($ThisLine =~ m/^Service (\S+) accepted connection from ([0-9a-fA-F.:]+):\d{1,5}/) {
	85	$connections{$1}{$2}++;
	86	} elsif ($ThisLine =~ m/^Service (\S+) connected remote server from ([0-9a-fA-F.:]+):\d{1,5}/) {
	87	$connections{"remote: $1"}{$2}++;
	88	} elsif ($ThisLine =~ m/^Error detected on (SSL\|socket) $(read\|write)$ file descriptor: (.*) $\d+$/) {
	89	$errors{"$1 $2 file descriptor: $3"}++;
	90	} elsif ($ThisLine =~ m/^transfer: s_poll_wait: TIMEOUTclose exceeded: closing$/) {
	91	$notices{"TIMEOUTclose exceeded: closing connection"}++;
	92	} elsif ($ThisLine =~ m/^(SSL_(?:accept\|read\|shutdown): .\|getpeerbyname: .)(?: $\d+$)?$/) {
	93	$notices{$1}++;
103	94	} else {
104	95	# Report any unmatched entries...
105	96	other($ThisLine);
106	97	}
107	98	}
108	99
109		if (keys %log_connections) {
110		foreach my $entry (keys %log_connections) {
111		my $ip = $log_connections{$entry}{client};
112		my $service = $log_connections{$entry}{service};
113		$service = "Unknown" if not $service;
114		$connections{$service}{$ip}++;
	100	if (keys %errors) {
	101	print "\nErrors:\n";
	102	foreach my $e (sort keys %errors) {
	103	printf " %-50s %6d time(s)\n", $e, $errors{$e};
	104	}
	105	}
	106
	107	if (keys %notices) {
	108	print "\nNotices:\n";
	109	foreach my $n (sort keys %notices) {
	110	printf " %-50s %6d time(s)\n", $n, $notices{$n};
115	111	}
116	112	}
117	113
118	114	if (keys %connections) {
119		print "Number of connections per service per ip:\n\n";
	115	print "\nconnections:\n";
120	116	foreach my $service (sort keys %connections) {
121		printf " To %s\n", $service;
	117	print " $service\n";
122	118	my $ips = $connections{$service};
123		foreach my $ip (sort keys %$ips) {
124		printf " %15s : %5d time(s)\n", $ip, $ips->{$ip};
	119	my $i = 0;
	120	foreach my $ip (sort {$connections{$service}{$b} <=> $connections{$service}{$a}} keys %{$connections{$service}}) {
	121	if ($i >= $Top) {
	122	printf " %-48s\n", "... only top $Top printed ...";
	123	last;
	124	} else {
	125	printf " %-48s %6d time(s)\n", $ip, $connections{$service}{$ip};
	126	$i++;
	127	}
125	128	}
126	129	}
127	130	}
128	131
129		if (keys %connectionsAllowed) {
130		print "\nNumber of connections per allowed service:\n";
131		foreach my $service (sort keys %connectionsAllowed) {
132		printf " %18s : %5d time(s)\n", $service, $connectionsAllowed{$service};
	132	if ($sockdata > 0) {
	133	if ($sockdata > 1024*1024) {
	134	printf "\n%-48s %10.2f MB\n", "amount of socket data transferred:", $sockdata / 1024 / 1024;
	135	} else {
	136	printf "\n%-48s %10.2f KB\n", "amount of socket data transferred:", $sockdata / 1024;
133	137	}
134	138	}
135	139
136		if ($sockdata > 0) {
137		printf "\namount of socket data transferred: %.2f KB\n", $sockdata / 1024;
138		}
139
140	140	if ($ssldata > 0) {
141		printf "\namount of SSL data transferred: %.2f KB\n", $ssldata / 1024;
	141	if ($ssldata > 1024*1024) {
	142	printf "\n%-48s %10.2f MB\n", "amount of SSL data transferred:", $ssldata / 1024 / 1024;
	143	} else {
	144	printf "\n%-48s %10.2f KB\n", "amount of SSL data transferred:", $ssldata / 1024;
	145	}
142	146	}
143	147
144	148	if (keys %versioninfo) {

+5

-80

scripts/services/xntpd less more

0	0
1	1	##########################################################################
2		# $Id: xntpd 150 2013-06-18 22:19:38Z mtremaine $
3		##########################################################################
4		# $Log: xntpd,v $
5		# Revision 1.23 2010/05/05 12:30:51 stefan
6		# added: Operation not permitted, fixed: typo in Errors
7		#
8		# Revision 1.22 2008/06/30 23:07:51 kirk
9		# fixed copyright holders for files where I know who they should be
10		#
11		# Revision 1.21 2008/05/14 18:22:21 mike
12		# Interfaces numbers can be greater then 9 -mgt
13		#
14		# Revision 1.20 2008/05/13 16:04:48 mike
15		# Patch from David Baldwin -mgt
16		#
17		# Revision 1.19 2008/05/04 15:26:08 mike
18		# Patch from Fedora tree -mgt
19		#
20		# Revision 1.18 2008/03/24 23:31:27 kirk
21		# added copyright/license notice to each script
22		#
23		# Revision 1.17 2007/05/24 03:59:42 kirk
24		# http://bugs.gentoo.org/show_bug.cgi?id=141649
25		#
26		# Revision 1.16 2007/04/16 03:11:11 bjorn
27		# Modified filtering for Listening entries to accommodate interface numbers.
28		#
29		# Revision 1.15 2007/04/16 02:34:27 bjorn
30		# Filtering Listening...Disabled statements.
31		#
32		# Revision 1.14 2007/02/17 19:36:11 bjorn
33		# Reverting back to version 1.12 - ignore changes to 1.13.
34		#
35		# Revision 1.13 2007/02/17 16:28:44 bjorn
36		# Deleted superfluous lines - probably from malformed diff.
37		#
38		# Revision 1.12 2007/02/16 03:57:50 bjorn
39		# Additional filtering, by Ivana Varekova.
40		#
41		# Revision 1.11 2005/11/01 15:01:40 bjorn
42		# Adjustment to synchronized messages in Solaris, by David Baldwin
43		#
44		# Revision 1.10 2005/10/19 05:45:12 bjorn
45		# Filtering redundant failed message, by David Baldwin
46		#
47		# Revision 1.9 2005/10/19 05:35:30 bjorn
48		# Code cleanup, better handling of Unmatched, and additional filtering, by
49		# David Baldwin
50		#
51		# Revision 1.8 2005/10/02 15:00:34 bjorn
52		# Corrections to last commit
53		#
54		# Revision 1.7 2005/10/01 18:30:12 bjorn
55		# Added filtering for listening and synchronized statements, by Gilles Detillieux
56		#
57		# Revision 1.6 2005/09/28 17:39:04 mike
58		# Patch from David Baldwin, plus a few other tweaks -mgt
59		#
60		# Revision 1.5 2005/07/05 22:16:23 mike
61		# Small patch from Paul Chambers -mgt
62		#
63		# Revision 1.4 2005/05/23 17:35:55 bjorn
64		# Patch for an older ntpd (4.1.1a-9), by Michael Evans
65		#
66		# Revision 1.3 2005/05/04 15:52:51 bjorn
67		# Removed shell path to perl in first line
68		#
69		# Revision 1.2 2005/02/24 17:08:05 kirk
70		# Applying consolidated patches from Mike Tremaine
71		#
72		# Revision 1.2 2005/02/16 00:43:28 mgt
73		# Added #vi tag to everything, updated ignore.conf with comments, added emerge and netopia to the tree from Laurent -mgt
74		#
75		# Revision 1.1 2005/02/13 01:25:13 mgt
76		# Inital code check in from David Baldwin -mgt
77		#
	2	# $Id: xntpd 228 2014-09-09 11:27:00Z stefjakobs $
78	3	##########################################################################
79	4
80	5	########################################################

153	78	($ThisLine =~ /Listening on interface .* Disabled/) or
154	79	($ThisLine =~ /Listen and drop on /) or
155	80	($ThisLine =~ /Listening on routing socket on/) or
156		($ThisLine =~ /ntp_io: estimated max descriptors: \d, initial socket boundary: \d/) or
157		($ThisLine =~ /peers refreshed$/) or
158		($ThisLine =~ /restrict: error in address/) or
159		($ThisLine =~ /syntax error in .+ line \d+, column \d+$/)
	81	($ThisLine =~ /ntp_io: estimated max descriptors: \d, initial socket boundary: \d/) or
	82	($ThisLine =~ /peers refreshed$/) or
	83	($ThisLine =~ /restrict: error in address/) or
	84	($ThisLine =~ /syntax error in .+ line \d+, column \d+$/)
160	85	) {
161	86	# Ignore these
162	87	} elsif ($ThisLine =~ m/ntpd [\d\-\.\w@]+ ... ... .. ..:..:.. /) {