|
Packit |
57988d |
##########################################################################
|
|
Packit |
57988d |
# $Id$
|
|
Packit |
57988d |
##########################################################################
|
|
Packit |
57988d |
# $Log: pluto,v $
|
|
Packit |
57988d |
# Revision 1.18 2009/06/05 13:50:26 mike
|
|
Packit |
57988d |
# Patch from Geert Janssens -mgt
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.17 2008/06/30 23:07:51 kirk
|
|
Packit |
57988d |
# fixed copyright holders for files where I know who they should be
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.16 2008/03/24 23:31:26 kirk
|
|
Packit |
57988d |
# added copyright/license notice to each script
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.15 2006/10/20 17:08:02 bjorn
|
|
Packit |
57988d |
# Additional filtering, by Marcus Better.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.14 2005/12/05 23:40:13 bjorn
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Corrected attribution in log.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.13 2005/12/02 16:42:37 bjorn
|
|
Packit |
57988d |
# Additional filtering of STATE changes, by Markus Better.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Revision 1.12 2005/09/26 10:58:04 bjorn
|
|
Packit |
57988d |
# Additional filtering contributed by Marcus Better
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
##########################################################################
|
|
Packit |
57988d |
# Note (8/28/2005, BL):
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# This script was apparently written for FreeS/WAN, which is no longer
|
|
Packit |
57988d |
# supported (see http://www.freeswan.org). But it also appears to work
|
|
Packit |
57988d |
# with Openswan (http://www.openswan.org), which is described as a code
|
|
Packit |
57988d |
# fork of FreeS/WAN.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Also, notice that in this script, many variables are set, but not
|
|
Packit |
57988d |
# printed. And many logged statements are filtered by this script.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# So this script would probably benefit from an update to clean it up
|
|
Packit |
57988d |
# and ensure full compatibility with the newer Openswan.
|
|
Packit |
57988d |
##########################################################################
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# This is a scanner for logwatch (see www.logwatch.org) that processes
|
|
Packit |
57988d |
# FreeSWAN's <http://www.freeswan.org/> Pluto log files and attempts to
|
|
Packit |
57988d |
# make some sense out of them.
|
|
Packit |
57988d |
#
|
|
Packit |
57988d |
# Please CC suggestions to mcr@freeswan.org and/or design@lists.freeswan.org
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# the vendorID hash maps vendor IDs to products. VendorIDs are hashs of
|
|
Packit |
57988d |
# internal stuff from each vendor. Grow this table as you encouter new
|
|
Packit |
57988d |
# products.
|
|
Packit |
57988d |
|
|
Packit |
57988d |
#######################################################
|
|
Packit |
57988d |
## Copyright (c) 2008 Kirk Bauer
|
|
Packit |
57988d |
## Covered under the included MIT/X-Consortium License:
|
|
Packit |
57988d |
## http://www.opensource.org/licenses/mit-license.php
|
|
Packit |
57988d |
## All modifications and contributions by other persons to
|
|
Packit |
57988d |
## this script are assumed to have been donated to the
|
|
Packit |
57988d |
## Logwatch project and thus assume the above copyright
|
|
Packit |
57988d |
## and licensing terms. If you want to make contributions
|
|
Packit |
57988d |
## under your own copyright or a different license this
|
|
Packit |
57988d |
## must be explicitly stated in the contribution an the
|
|
Packit |
57988d |
## Logwatch project reserves the right to not accept such
|
|
Packit |
57988d |
## contributions. If you have made significant
|
|
Packit |
57988d |
## contributions to this script and want to claim
|
|
Packit |
57988d |
## copyright please contact logwatch-devel@lists.sourceforge.net.
|
|
Packit |
57988d |
#########################################################
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$vendorID{"p....}..&..i...5..............................."}="KAME/Racoon";
|
|
Packit |
57988d |
$debug=0;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
while(<>) {
|
|
Packit |
57988d |
# May 4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)
|
|
Packit |
57988d |
|
|
Packit |
57988d |
chop;
|
|
Packit |
57988d |
($month,$day,$time,$host,$process,$conn,$msg)=split(/ +/,$_,7);
|
|
Packit |
57988d |
$today="$month $day";
|
|
Packit |
57988d |
|
|
Packit |
57988d |
next unless ($process =~ /pluto/i);
|
|
Packit |
57988d |
$iserror=0;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
if ($conn eq "ERROR:") {
|
|
Packit |
57988d |
$iserror = 1;
|
|
Packit |
57988d |
($junk,$conn,$msg)=split(/ +/,$msg,3);
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$loglines{$today}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
print STDERR "Msg: $msg\n" if $debug>1;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
if($msg =~ /([^\#]*)\#(\d*)\:(.*)/) {
|
|
Packit |
57988d |
$ipaddr = $1;
|
|
Packit |
57988d |
$stateinfo = $2;
|
|
Packit |
57988d |
$rest = $3;
|
|
Packit |
57988d |
} elsif($msg =~ /no Phase 1 state for Delete/) {
|
|
Packit |
57988d |
$baddelete++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
} elsif($msg =~ /from ([^:]*)\:([^:]*)\: Main Mode message is part of an unknown exchange/) {
|
|
Packit |
57988d |
$ipaddr = $1;
|
|
Packit |
57988d |
$ipport = $2;
|
|
Packit |
57988d |
$badexch{"[$ipaddr]:$ipport"}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
} else {
|
|
Packit |
57988d |
print STDERR "Failed to decode: $msg (of $_)\n" if $debug;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# print STDERR "conn: $conn IP: $ipaddr STATE: $stateinfo\n" if $debug;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$conn =~ s/\"(.*)\"/$1/;
|
|
Packit |
57988d |
$conn =~ s/\[\d\]$//;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$conns{$conn}++;
|
|
Packit |
57988d |
if(!defined($peerIP{"$conn|$ipaddr"})) {
|
|
Packit |
57988d |
#print STDERR "Adding $ipaddr to $conn\n" if $debug;
|
|
Packit |
57988d |
$peerIP{$conn}=$peerIP{$conn}.$ipaddr." ";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
$peerIP{"$conn|$ipaddr"}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$stateobjects{$stateinfo}++;
|
|
Packit |
57988d |
if(!defined($peer{$stateinfo}) && length($ipaddr)>0) {
|
|
Packit |
57988d |
$peer{$stateinfo}=$ipaddr;
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# ignore following
|
|
Packit |
57988d |
next if($rest =~ /ISAKMP SA expired/);
|
|
Packit |
57988d |
next if($rest =~ /responding to Main Mode/);
|
|
Packit |
57988d |
next if($rest =~ /responding to Quick Mode/);
|
|
Packit |
57988d |
next if($rest =~ /IPsec SA expired/);
|
|
Packit |
57988d |
next if($rest =~ /ignoring informational payload, type IPSEC_INITIAL_CONTACT/);
|
|
Packit |
57988d |
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero/);
|
|
Packit |
57988d |
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling shared secret with leading zero/);
|
|
Packit |
57988d |
next if($rest =~ /shared DH secret has leading zero -- triggers Pluto 1.0 bug/);
|
|
Packit |
57988d |
next if($rest =~ /(received|ignoring) Delete SA(|\(0x.*\)) payload/);
|
|
Packit |
57988d |
next if($rest =~ /received and ignored informational message/);
|
|
Packit |
57988d |
next if($rest =~ /discarding duplicate packet; already STATE_MAIN_../);
|
|
Packit |
57988d |
next if($rest =~ /discarding duplicate packet; already STATE_QUICK_../);
|
|
Packit |
57988d |
next if($rest =~ /deleting state \(STATE_MAIN_..\)/);
|
|
Packit |
57988d |
next if($rest =~ /deleting state \(STATE_QUICK_..\)/);
|
|
Packit |
57988d |
next if($rest =~ /Quick Mode .. message is unacceptable because it uses a previously used Message ID/);
|
|
Packit |
57988d |
next if($rest =~ /deleting connection .* instance with peer .*/);
|
|
Packit |
57988d |
next if($rest =~ /dropping and reinitiating exchange to avoid Pluto 1.0 bug handling DH shared secret with leading zero byte/);
|
|
Packit |
57988d |
next if($rest =~ /KE has 191 byte DH public value; 192 required/);
|
|
Packit |
57988d |
next if($rest =~ /retransmitting in response to duplicate packet; already STATE_MAIN_../);
|
|
Packit |
57988d |
next if($rest =~ /(Main mode p|P)eer ID is /);
|
|
Packit |
57988d |
next if($rest =~ /transition from state .* to state/);
|
|
Packit |
57988d |
next if($rest =~ /NAT-Traversal: Result using/);
|
|
Packit |
57988d |
next if($rest =~ /no crl from issuer/);
|
|
Packit |
57988d |
next if($rest =~ /I am sending (a certificate request|my cert)/);
|
|
Packit |
57988d |
next if($rest =~ /no suitable connection for peer/);
|
|
Packit |
57988d |
next if($rest =~ /sending encrypted notification/);
|
|
Packit |
57988d |
next if($rest =~ /enabling possible NAT-traversal with method/);
|
|
Packit |
57988d |
next if($rest =~ /(received|ignoring) Vendor ID payload/);
|
|
Packit |
57988d |
next if($rest =~ /ignoring unknown Vendor ID payload/);
|
|
Packit |
57988d |
next if($rest =~ /Dead Peer Detection \(RFC 3706\): enabled/);
|
|
Packit |
57988d |
next if($rest =~ /DPD: No response from peer - declaring peer dead/);
|
|
Packit |
57988d |
next if($rest =~ /DPD Error: could not find newest phase 1 state/);
|
|
Packit |
57988d |
next if($rest =~ /Informational Exchange message is invalid because it has a previously used Message ID/);
|
|
Packit |
57988d |
next if($rest =~ /discarding packet received during asynchronous work \(DNS or crypto\) in STATE_(MAIN|QUICK)_../);
|
|
Packit |
57988d |
next if($rest =~ /STATE_(MAIN|QUICK)_[RI][1-3]: sent [MQ][RI][1-3], expecting [MQ][IR][1-3]/);
|
|
Packit |
57988d |
next if($rest =~ /STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2/);
|
|
Packit |
57988d |
next if($rest =~ /down-client output/);
|
|
Packit |
57988d |
next if($rest =~ /(restore|update)resolvconf-client output/);
|
|
Packit |
57988d |
next if($rest =~ /transform .* ignored/);
|
|
Packit |
57988d |
next if($rest =~ /multiple DH groups were set in aggressive mode\./);
|
|
Packit |
57988d |
next if($rest =~ /received mode cfg reply/);
|
|
Packit |
57988d |
next if($rest =~ /modecfg: Sending IP request/);
|
|
Packit |
57988d |
next if($rest =~ /setting .* address to/);
|
|
Packit |
57988d |
next if($rest =~ /STATE_XAUTH_I1: XAUTH client - awaiting CFG_set/);
|
|
Packit |
57988d |
next if($rest =~ /initiating Aggressive Mode/);
|
|
Packit |
57988d |
next if($rest =~ /Aggressive mode peer ID is/);
|
|
Packit |
57988d |
next if($rest =~ /protocol\/port in Phase \d ID Payload must be/);
|
|
Packit |
57988d |
next if($rest =~ /XAUTH: Bad Message: /);
|
|
Packit |
57988d |
next if($rest =~ /XAUTH: Answering XAUTH challenge with user/);
|
|
Packit |
57988d |
next if($rest =~ /Received IP4|DNS|subnet /);
|
|
Packit |
57988d |
next if($rest =~ /sendto on .* to .* failed in delete notify/);
|
|
Packit |
57988d |
$relevantlog{"$today"}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
print STDERR "Rest is $rest\n" if $debug>1;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# but process these.
|
|
Packit |
57988d |
if($rest =~ /initiating Main Mode to replace \#(.*)/) {
|
|
Packit |
57988d |
$oldinfo = $1;
|
|
Packit |
57988d |
$statechain{$conn.$stateinfo}="$conn|$oldinfo";
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /initiating Main Mode/) {
|
|
Packit |
57988d |
$statechain{$conn.$stateinfo}="$conn";
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /initiating Quick Mode (.*) to replace \#(.*)/) {
|
|
Packit |
57988d |
$oldinfo = $2;
|
|
Packit |
57988d |
$phase2 = $1;
|
|
Packit |
57988d |
$statechain{"$conn|$stateinfo"}="$conn|$oldinfo";
|
|
Packit |
57988d |
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /initiating Quick Mode (.*)/) {
|
|
Packit |
57988d |
$phase2 = $1;
|
|
Packit |
57988d |
$statechain{"$conn|$stateinfo"}="$conn";
|
|
Packit |
57988d |
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /ISAKMP SA established/) {
|
|
Packit |
57988d |
$rekeysuccess{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfail_notknown{$1}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /crl update is overdue since (.*)/) {
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$crlUpdate{$conn}++;
|
|
Packit |
57988d |
$crlUpdateSince{$conn} = $1;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_I./) {
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfailQI1{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_R./) {
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfailQR1{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_I./) {
|
|
Packit |
57988d |
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfailI1{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_R./) {
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfailR1{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfail_ICMPunreachable{$conn}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
|
|
Packit |
57988d |
$rekeyfail{$conn}++;
|
|
Packit |
57988d |
$rekeyfail_ICMPunreachable{$conn}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /XAUTH: Successfully Authenticated/) {
|
|
Packit |
57988d |
$xauthsuccess{$conn}++;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /starting keying attempt (.*) of an unlimited number/) {
|
|
Packit |
57988d |
$lastattempt=$1;
|
|
Packit |
57988d |
if($maxattempts{$conn} < $lastattempt) {
|
|
Packit |
57988d |
$maxattempts{$conn} = $lastattempt;
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} elsif($rest =~ /Vendor ID: (.*)/) {
|
|
Packit |
57988d |
$vid=$1;
|
|
Packit |
57988d |
if(defined($vendorID{$vid})) {
|
|
Packit |
57988d |
$peerID{$conn}=$vendorID{$vid};
|
|
Packit |
57988d |
} else {
|
|
Packit |
57988d |
$peerID{$conn}="unknown $vid";
|
|
Packit |
57988d |
$vendorID{$vid}="unknown $vid at $stateinfo/$ipaddr\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
} elsif($rest =~ /prepare-client output.*/) {
|
|
Packit |
57988d |
$setupfail{$conn}++;
|
|
Packit |
57988d |
} elsif(($rest =~ /sent QI2, IPsec SA established/) ||
|
|
Packit |
57988d |
($rest =~ /IPsec SA established/)) {
|
|
Packit |
57988d |
$ipsecSAs{$conn}++;
|
|
Packit |
57988d |
next;
|
|
Packit |
57988d |
|
|
Packit |
57988d |
} else {
|
|
Packit |
57988d |
print STDERR "UNKNOWN: $_"."\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
if (keys %loglines) {
|
|
Packit |
57988d |
print "Overview summary of log files:\n";
|
|
Packit |
57988d |
foreach $day (keys %loglines) {
|
|
Packit |
57988d |
print "\t $day had ".$loglines{$day}." entries of which ".$relevantlog{$day}." were relevant\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
if (keys %conns) {
|
|
Packit |
57988d |
print "Summary by peer:\n";
|
|
Packit |
57988d |
foreach $conn (keys %conns) {
|
|
Packit |
57988d |
print " Peer $conn caused $conns{$conn} lines of output.\n";
|
|
Packit |
57988d |
print "\tconnected from:".$peerIP{$conn}."\n";
|
|
Packit |
57988d |
if(defined($peerID{$conn})) {
|
|
Packit |
57988d |
print "\tVID: ".$peerID{$conn}."\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
print "\tKeyed: ".($rekeysuccess{$conn}+0)." successes ",($rekeyfail{$conn}+0)." failures (max retries: ".($maxattempts{$conn}+0).")\n";
|
|
Packit |
57988d |
print "\tIPsec SAs: ".($ipsecSAs{$conn}+0)."\n";
|
|
Packit |
57988d |
if($setupfail{$conn} > 0) {
|
|
Packit |
57988d |
print "\tSetup failures: ".$setupfail{$conn}."\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
if($xauthsuccess{$conn} > 0) {
|
|
Packit |
57988d |
print "\tXAUTH successful connections: ".$xauthsuccess{$conn}."\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
if($crlUpdate{$conn} > 0) {
|
|
Packit |
57988d |
print "\tOverdue CRL update since: ".$crlUpdateSince{$conn}." (".$crlUpdate{$conn}." times)\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
if (keys %badexch) {
|
|
Packit |
57988d |
print "Summary of bad peers\n";
|
|
Packit |
57988d |
foreach $badpeer (keys %badexch) {
|
|
Packit |
57988d |
print "\t".$badpeer." caused ".$badexch{$badpeer}." bad exchanges\n";
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
}
|
|
Packit |
57988d |
|
|
Packit |
57988d |
# vi: shiftwidth=3 tabstop=3 syntax=perl et
|
|
Packit |
57988d |
# Local Variables:
|
|
Packit |
57988d |
# mode: perl
|
|
Packit |
57988d |
# perl-indent-level: 3
|
|
Packit |
57988d |
# indent-tabs-mode: nil
|
|
Packit |
57988d |
# End:
|