##########################################################################
# $Id$
##########################################################################
# $Log: pluto,v $
# Revision 1.18 2009/06/05 13:50:26 mike
# Patch from Geert Janssens -mgt
#
# Revision 1.17 2008/06/30 23:07:51 kirk
# fixed copyright holders for files where I know who they should be
#
# Revision 1.16 2008/03/24 23:31:26 kirk
# added copyright/license notice to each script
#
# Revision 1.15 2006/10/20 17:08:02 bjorn
# Additional filtering, by Marcus Better.
#
# Revision 1.14 2005/12/05 23:40:13 bjorn
#
# Corrected attribution in log.
#
# Revision 1.13 2005/12/02 16:42:37 bjorn
# Additional filtering of STATE changes, by Markus Better.
#
# Revision 1.12 2005/09/26 10:58:04 bjorn
# Additional filtering contributed by Marcus Better
#
##########################################################################
# Note (8/28/2005, BL):
#
# This script was apparently written for FreeS/WAN, which is no longer
# supported (see http://www.freeswan.org). But it also appears to work
# with Openswan (http://www.openswan.org), which is described as a code
# fork of FreeS/WAN.
#
# Also, notice that in this script, many variables are set, but not
# printed. And many logged statements are filtered by this script.
#
# So this script would probably benefit from an update to clean it up
# and ensure full compatibility with the newer Openswan.
##########################################################################
# This is a scanner for logwatch (see www.logwatch.org) that processes
# FreeSWAN's <http://www.freeswan.org/> Pluto log files and attempts to
# make some sense out of them.
#
# Please CC suggestions to mcr@freeswan.org and/or design@lists.freeswan.org
# the vendorID hash maps vendor IDs to products. VendorIDs are hashs of
# internal stuff from each vendor. Grow this table as you encouter new
# products.
#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
$vendorID{"p....}..&..i...5..............................."}="KAME/Racoon";
$debug=0;
while(<>) {
# May 4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)
chop;
($month,$day,$time,$host,$process,$conn,$msg)=split(/ +/,$_,7);
$today="$month $day";
next unless ($process =~ /pluto/i);
$iserror=0;
if ($conn eq "ERROR:") {
$iserror = 1;
($junk,$conn,$msg)=split(/ +/,$msg,3);
}
$loglines{$today}++;
print STDERR "Msg: $msg\n" if $debug>1;
if($msg =~ /([^\#]*)\#(\d*)\:(.*)/) {
$ipaddr = $1;
$stateinfo = $2;
$rest = $3;
} elsif($msg =~ /no Phase 1 state for Delete/) {
$baddelete++;
next;
} elsif($msg =~ /from ([^:]*)\:([^:]*)\: Main Mode message is part of an unknown exchange/) {
$ipaddr = $1;
$ipport = $2;
$badexch{"[$ipaddr]:$ipport"}++;
next;
} else {
print STDERR "Failed to decode: $msg (of $_)\n" if $debug;
next;
}
# print STDERR "conn: $conn IP: $ipaddr STATE: $stateinfo\n" if $debug;
$conn =~ s/\"(.*)\"/$1/;
$conn =~ s/\[\d\]$//;
$conns{$conn}++;
if(!defined($peerIP{"$conn|$ipaddr"})) {
#print STDERR "Adding $ipaddr to $conn\n" if $debug;
$peerIP{$conn}=$peerIP{$conn}.$ipaddr." ";
}
$peerIP{"$conn|$ipaddr"}++;
$stateobjects{$stateinfo}++;
if(!defined($peer{$stateinfo}) && length($ipaddr)>0) {
$peer{$stateinfo}=$ipaddr;
}
# ignore following
next if($rest =~ /ISAKMP SA expired/);
next if($rest =~ /responding to Main Mode/);
next if($rest =~ /responding to Quick Mode/);
next if($rest =~ /IPsec SA expired/);
next if($rest =~ /ignoring informational payload, type IPSEC_INITIAL_CONTACT/);
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero/);
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling shared secret with leading zero/);
next if($rest =~ /shared DH secret has leading zero -- triggers Pluto 1.0 bug/);
next if($rest =~ /(received|ignoring) Delete SA(|\(0x.*\)) payload/);
next if($rest =~ /received and ignored informational message/);
next if($rest =~ /discarding duplicate packet; already STATE_MAIN_../);
next if($rest =~ /discarding duplicate packet; already STATE_QUICK_../);
next if($rest =~ /deleting state \(STATE_MAIN_..\)/);
next if($rest =~ /deleting state \(STATE_QUICK_..\)/);
next if($rest =~ /Quick Mode .. message is unacceptable because it uses a previously used Message ID/);
next if($rest =~ /deleting connection .* instance with peer .*/);
next if($rest =~ /dropping and reinitiating exchange to avoid Pluto 1.0 bug handling DH shared secret with leading zero byte/);
next if($rest =~ /KE has 191 byte DH public value; 192 required/);
next if($rest =~ /retransmitting in response to duplicate packet; already STATE_MAIN_../);
next if($rest =~ /(Main mode p|P)eer ID is /);
next if($rest =~ /transition from state .* to state/);
next if($rest =~ /NAT-Traversal: Result using/);
next if($rest =~ /no crl from issuer/);
next if($rest =~ /I am sending (a certificate request|my cert)/);
next if($rest =~ /no suitable connection for peer/);
next if($rest =~ /sending encrypted notification/);
next if($rest =~ /enabling possible NAT-traversal with method/);
next if($rest =~ /(received|ignoring) Vendor ID payload/);
next if($rest =~ /ignoring unknown Vendor ID payload/);
next if($rest =~ /Dead Peer Detection \(RFC 3706\): enabled/);
next if($rest =~ /DPD: No response from peer - declaring peer dead/);
next if($rest =~ /DPD Error: could not find newest phase 1 state/);
next if($rest =~ /Informational Exchange message is invalid because it has a previously used Message ID/);
next if($rest =~ /discarding packet received during asynchronous work \(DNS or crypto\) in STATE_(MAIN|QUICK)_../);
next if($rest =~ /STATE_(MAIN|QUICK)_[RI][1-3]: sent [MQ][RI][1-3], expecting [MQ][IR][1-3]/);
next if($rest =~ /STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2/);
next if($rest =~ /down-client output/);
next if($rest =~ /(restore|update)resolvconf-client output/);
next if($rest =~ /transform .* ignored/);
next if($rest =~ /multiple DH groups were set in aggressive mode\./);
next if($rest =~ /received mode cfg reply/);
next if($rest =~ /modecfg: Sending IP request/);
next if($rest =~ /setting .* address to/);
next if($rest =~ /STATE_XAUTH_I1: XAUTH client - awaiting CFG_set/);
next if($rest =~ /initiating Aggressive Mode/);
next if($rest =~ /Aggressive mode peer ID is/);
next if($rest =~ /protocol\/port in Phase \d ID Payload must be/);
next if($rest =~ /XAUTH: Bad Message: /);
next if($rest =~ /XAUTH: Answering XAUTH challenge with user/);
next if($rest =~ /Received IP4|DNS|subnet /);
next if($rest =~ /sendto on .* to .* failed in delete notify/);
$relevantlog{"$today"}++;
print STDERR "Rest is $rest\n" if $debug>1;
# but process these.
if($rest =~ /initiating Main Mode to replace \#(.*)/) {
$oldinfo = $1;
$statechain{$conn.$stateinfo}="$conn|$oldinfo";
next;
} elsif($rest =~ /initiating Main Mode/) {
$statechain{$conn.$stateinfo}="$conn";
next;
} elsif($rest =~ /initiating Quick Mode (.*) to replace \#(.*)/) {
$oldinfo = $2;
$phase2 = $1;
$statechain{"$conn|$stateinfo"}="$conn|$oldinfo";
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
next;
} elsif($rest =~ /initiating Quick Mode (.*)/) {
$phase2 = $1;
$statechain{"$conn|$stateinfo"}="$conn";
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
next;
} elsif($rest =~ /ISAKMP SA established/) {
$rekeysuccess{$conn}++;
next;
} elsif($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_notknown{$1}++;
} elsif($rest =~ /crl update is overdue since (.*)/) {
$crlUpdate{$conn}++;
$crlUpdateSince{$conn} = $1;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_I./) {
$rekeyfail{$conn}++;
$rekeyfailQI1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_R./) {
$rekeyfail{$conn}++;
$rekeyfailQR1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_I./) {
$rekeyfail{$conn}++;
$rekeyfailI1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_R./) {
$rekeyfail{$conn}++;
$rekeyfailR1{$conn}++;
next;
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_ICMPunreachable{$conn}++;
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_ICMPunreachable{$conn}++;
} elsif($rest =~ /XAUTH: Successfully Authenticated/) {
$xauthsuccess{$conn}++;
} elsif($rest =~ /starting keying attempt (.*) of an unlimited number/) {
$lastattempt=$1;
if($maxattempts{$conn} < $lastattempt) {
$maxattempts{$conn} = $lastattempt;
}
next;
} elsif($rest =~ /Vendor ID: (.*)/) {
$vid=$1;
if(defined($vendorID{$vid})) {
$peerID{$conn}=$vendorID{$vid};
} else {
$peerID{$conn}="unknown $vid";
$vendorID{$vid}="unknown $vid at $stateinfo/$ipaddr\n";
}
next;
} elsif($rest =~ /prepare-client output.*/) {
$setupfail{$conn}++;
} elsif(($rest =~ /sent QI2, IPsec SA established/) ||
($rest =~ /IPsec SA established/)) {
$ipsecSAs{$conn}++;
next;
} else {
print STDERR "UNKNOWN: $_"."\n";
}
}
if (keys %loglines) {
print "Overview summary of log files:\n";
foreach $day (keys %loglines) {
print "\t $day had ".$loglines{$day}." entries of which ".$relevantlog{$day}." were relevant\n";
}
}
if (keys %conns) {
print "Summary by peer:\n";
foreach $conn (keys %conns) {
print " Peer $conn caused $conns{$conn} lines of output.\n";
print "\tconnected from:".$peerIP{$conn}."\n";
if(defined($peerID{$conn})) {
print "\tVID: ".$peerID{$conn}."\n";
}
print "\tKeyed: ".($rekeysuccess{$conn}+0)." successes ",($rekeyfail{$conn}+0)." failures (max retries: ".($maxattempts{$conn}+0).")\n";
print "\tIPsec SAs: ".($ipsecSAs{$conn}+0)."\n";
if($setupfail{$conn} > 0) {
print "\tSetup failures: ".$setupfail{$conn}."\n";
}
if($xauthsuccess{$conn} > 0) {
print "\tXAUTH successful connections: ".$xauthsuccess{$conn}."\n";
}
if($crlUpdate{$conn} > 0) {
print "\tOverdue CRL update since: ".$crlUpdateSince{$conn}." (".$crlUpdate{$conn}." times)\n";
}
}
}
if (keys %badexch) {
print "Summary of bad peers\n";
foreach $badpeer (keys %badexch) {
print "\t".$badpeer." caused ".$badexch{$badpeer}." bad exchanges\n";
}
}
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: