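##########################################################################
# $Id$
##########################################################################

########################################################
# This was written and is maintained by:
#    Laurent DUFOUR ,
# based on the work of
#    Kirk Bauer
#
# Please send all comments, suggestions, bug reports,
#    etc, to laurent.dufour@havas.com
########################################################

#####################################################
## Copyright (c) 2008 Laurent DUFOUR
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################

# Logwatch service filter for Netopia router syslog output.
#
# Log lines arrive on STDIN. Each recognised message is counted per
# reporting host (the fifth whitespace-separated field of the syslog
# line), and a summary is printed on STDOUT. LOGWATCH_DETAIL_LEVEL
# controls which sections are shown; LOGWATCH_DEBUG enables trace output
# on STDERR. Lines that match nothing are echoed verbatim under
# "Unmatched Entries" so that new message formats become visible.

use strict;
use warnings;
use Logwatch ':all';

# Avoid "Use of uninitialized value" warning messages.
# Returns $value when it is true, otherwise $default. A value of "0"
# therefore falls back to the default, which is harmless for the two
# numeric settings read below (their default is 0 anyway).
sub ValueOrDefault {
   my ($value, $default) = @_;
   return ($value ? $value : $default);
}

my $Debug  = ValueOrDefault($ENV{'LOGWATCH_DEBUG'}, 0);
my $Detail = ValueOrDefault($ENV{'LOGWATCH_DETAIL_LEVEL'}, 0);

my $DebugCounter = 0;
if ($Debug >= 5) {
   print STDERR "\n\nDEBUG: Inside NETOPIA Filter \n\n";
   $DebugCounter = 1;
}

# Counters keyed by host only: $Name{$host}++
my (%Started, %DNSRefreshed, %SyslogHost, %SyslogFacility,
    %NTPUpdated, %NTPFailed);

# Counters keyed by host, then by a value captured from the message:
# $Name{$host}{$key}++
my (%IPDemandCall, %PPPNcpUp, %PPPIpCpDown, %PPPAccepted, %PPPCcpNeg,
    %PPPIpCpNeg, %PPPChannelUp, %PPTP1Down, %PPTP2Down, %PPTPIpDown,
    %PPTPIpUp, %SysCfgSaved, %ReloadRequested, %Restarted,
    %BadLogins, %IllegalUsers);

# Successful web admin logins:
# $Users{$host}{$management_type}{$source_ip}{$user}++
# (the user level collapses to "(all)" below detail 20)
my %Users;

# Lines no pattern below recognised, reported verbatim at the end.
my @OtherList;

# Message fragments that carry nothing worth reporting.
my @Ignored = (
   qr/traffic/,
   qr/Copyright/,
   qr/removed due to simultaneous rekey/,
   qr/Responded to the first peer message/,
   qr/NBR change/,
   qr/accept (?:udp|tcp|icmp|ip)/,
   qr/denied (?:udp|tcp|icmp|ip)/,
);

# Capture holders shared by the elsif chain below; a list assignment in
# boolean context is true only when the pattern matched.
my ($src_ip, $dst_ip, $interface, $message, $msg);

# Logwatch feeds the service's log lines on STDIN.
LINE: while (defined(my $ThisLine = <STDIN>)) {
   if ($Debug >= 30) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }

   # Syslog prefix: month day time host_ip host message...
   my ($month, $day, $time, $host_ip, $host) = split(/ +/, $ThisLine, 7);
   # A truncated line would otherwise be counted under an undefined key.
   $host = '(unknown host)' unless defined $host;

   # Uninteresting messages are dropped before any other pattern runs.
   next LINE if grep { $ThisLine =~ $_ } @Ignored;

   if ( ($src_ip, $dst_ip) = ($ThisLine =~ /IP: Demand call requested by (\d+\.\d+\.\d+\.\d+) to IP destination (\d+\.\d+\.\d+\.\d+)/) ) {
      # A plain string key; a comma-separated subscript would silently
      # join the parts with $; and print control characters.
      $IPDemandCall{$host}{"$src_ip $dst_ip"}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: NCP up, (.*)/) ) {
      $PPPNcpUp{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: IPCP down, (.*)/) ) {
      $PPPIpCpDown{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: MSCHAP-v2 we accepted remote, (.*)/) ) {
      $PPPAccepted{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: MSCHAP-v2 remote accepted us, (.*)/) ) {
      $PPPAccepted{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: CCP negotiated, (.*)/) ) {
      $PPPCcpNeg{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPP: IPCP negotiated, (.*)/) ) {
      $PPPIpCpNeg{$host}{$interface}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /PPP: Channel (.+) up, Dialout Profile name: (.*)/) ) {
      $PPPChannelUp{$host}{$dst_ip}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /PPP: Channel (.+) up, Answer Profile name: (.*)/) ) {
      $PPPChannelUp{$host}{$dst_ip}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPTP-1 down: (.*)/) ) {
      $PPTP1Down{$host}{$interface}++;
   }
   elsif ( ($interface) = ($ThisLine =~ /PPTP-2 down: (.*)/) ) {
      $PPTP2Down{$host}{$interface}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /PPTP: IP down, rem: (\d+\.\d+\.\d+\.\d+) (.*)/) ) {
      $PPTPIpDown{$host}{$dst_ip}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /PPTP: IP up, rem: (\d+\.\d+\.\d+\.\d+), (.*)/) ) {
      $PPTPIpUp{$host}{$dst_ip}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /System Config saved from host (\d+\.\d+\.\d+\.\d+) (.*)/) ) {
      $SysCfgSaved{$host}{LookupIP($dst_ip)}++;
   }
   elsif ( ($dst_ip, $msg) = ($ThisLine =~ /The system configuration was saved from host (\d+\.\d+\.\d+\.\d+) by (.*)/) ) {
      $SysCfgSaved{$host}{LookupIP($dst_ip)}++;
   }
   elsif ( $ThisLine =~ /Compiled/ ) {
      $Started{$host}++;
   }
   elsif ( $ThisLine =~ /DNS entries have been automatically refreshed./ ) {
      $DNSRefreshed{$host}++;
   }
   elsif ( $ThisLine =~ /DNS has been refreshed./ ) {
      $DNSRefreshed{$host}++;
   }
   elsif ( $ThisLine =~ /Syslog host domain name has been changed/ ) {
      $SyslogHost{$host}++;
   }
   elsif ( $ThisLine =~ /Syslog facility has been changed/ ) {
      $SyslogFacility{$host}++;
   }
   elsif ( $ThisLine =~ /Syslog security facility has been changed/ ) {
      $SyslogFacility{$host}++;
   }
   elsif ( $ThisLine =~ /The system clock has been updated through NTP./ ) {
      $NTPUpdated{$host}++;
   }
   elsif ( $ThisLine =~ /failed to get clock through NTP/ ) {
      $NTPFailed{$host}++;
   }
   elsif ( ($message) = ($ThisLine =~ /RELOAD: (.*)/) ) {
      $ReloadRequested{$host}{$message}++;
   }
   elsif ( ($message) = ($ThisLine =~ /RESTART: (.*)/) ) {
      $Restarted{$host}{$message}++;
   }
   elsif ( my ($user, $mgmt, $port, $from_ip, $from_port, $rest) =
           ($ThisLine =~ /Admin User "(\S+)" logged in for Web\((\S+)\) management \(port (\d+)\) from (.+):(.+). (.*)/) ) {
      if ($Debug >= 5) {
         print STDERR "DEBUG: Found -$user logged in from $from_ip using $mgmt\n";
      }
      # The user name is only kept at high detail; otherwise all logins
      # from one address are folded into a single "(all)" bucket.
      if ($Detail >= 20) {
         $Users{$host}{$mgmt}{$from_ip}{$user}++;
      }
      else {
         $Users{$host}{$mgmt}{$from_ip}{"(all)"}++;
      }
   }
   elsif ( my ($bad_user, $bad_mgmt, $bad_port, $bad_ip, $bad_from_port, $bad_rest) =
           ($ThisLine =~ /Admin user (\S+) login attempt for (\S+) management \(port (\d+)\) from (.+):(.+). failed. (.*)/) ) {
      if ($Debug >= 5) {
         print STDERR "DEBUG: Found -Failed login- line\n";
      }
      my $name = LookupIP($bad_ip);
      $BadLogins{$host}{"$bad_user/$bad_mgmt from $name"}++;
   }
   elsif ( my ($ssh_client, $ssh_ip, $ssh_rest) =
           ($ThisLine =~ /SSH client at (.+) has attempted to make an SCS connection to interface untrust with IP (.+) but failed (.*)/) ) {
      my $name = LookupIP($ssh_ip);
      my $Temp = "SSH from $name";
      # Counted both as a failed login and as an illegal user, as before.
      $BadLogins{$host}{$Temp}++;
      $IllegalUsers{$host}{$Temp}++;
   }
   else {
      # Report any unmatched entries...
      push @OtherList, $ThisLine;
   }
}

# Print "$title" followed by one "host : count" line per host for a
# counter hash keyed by host only. Prints nothing when the hash is empty.
sub ReportPerHost {
   my ($title, $counts) = @_;
   return unless keys %$counts;
   print "\n$title\n";
   foreach my $host (sort keys %$counts) {
      print " $host\t: $counts->{$host} Time(s)\n";
   }
   return;
}

# Print "$title" followed by a host block listing "key : count" for a
# counter hash keyed by host and then by message value. Prints nothing
# when the hash is empty.
sub ReportPerHostKey {
   my ($title, $counts) = @_;
   return unless keys %$counts;
   print "\n$title\n";
   foreach my $host (sort keys %$counts) {
      print " $host:\n";
      foreach my $key (sort keys %{ $counts->{$host} }) {
         print "\t $key\t: $counts->{$host}{$key} Time(s)\n";
      }
   }
   return;
}

# Section order matches the historical report layout. Sections whose
# hash is empty print nothing; the PPP/PPTP link-state sections are
# only shown from detail level 15 upwards.
ReportPerHost("Device started :", \%Started);
ReportPerHostKey("Device where ip demand call have been requested :", \%IPDemandCall);
if ($Detail >= 15) {
   ReportPerHostKey("Device where PPP Ncp UP :", \%PPPNcpUp);
   ReportPerHostKey("Device where PPP CCP NEGOTIATED :", \%PPPCcpNeg);
   ReportPerHostKey("Device where PPP IPCP down :", \%PPPIpCpDown);
   ReportPerHostKey("Device where PPP IPCP NEGOTIATED :", \%PPPIpCpNeg);
}
ReportPerHost("Device where The system clock has been updated through NTP :", \%NTPUpdated);
ReportPerHost("Device where failed to get clock through NTP :", \%NTPFailed);
ReportPerHost("Device where DNS have been refreshed :", \%DNSRefreshed);
if ($Detail >= 15) {
   ReportPerHostKey("Device where PPP is accepted :", \%PPPAccepted);
   ReportPerHostKey("Device where PPTP-1 is down :", \%PPTP1Down);
   ReportPerHostKey("Device where PPTP-2 is down :", \%PPTP2Down);
}
ReportPerHost("Device where Syslog facility has been changed :", \%SyslogFacility);
ReportPerHost("Device where Syslog host has been changed :", \%SyslogHost);
ReportPerHostKey("Device restarted :", \%Restarted);
ReportPerHostKey("Device reload requested :", \%ReloadRequested);
ReportPerHostKey("VPN Up PPP Channel :", \%PPPChannelUp);
ReportPerHostKey("VPN Down on :", \%PPTPIpDown);
if ($Detail >= 15) {
   ReportPerHostKey("Device where PPTP is UP :", \%PPTPIpUp);
}
ReportPerHostKey("Device where system config have been saved :", \%SysCfgSaved);

if (keys %BadLogins) {
   print "\nFailed logins from these:\n";
   foreach my $host (sort keys %BadLogins) {
      print " $host:\n";
      foreach my $who (sort keys %{ $BadLogins{$host} }) {
         print "\t $who: $BadLogins{$host}{$who} Time(s)\n";
      }
   }
}

if (keys %IllegalUsers) {
   print "\nIllegal users from these:\n";
   foreach my $host (sort keys %IllegalUsers) {
      print " $host:\n";
      foreach my $who (sort keys %{ $IllegalUsers{$host} }) {
         print "\t $who: $IllegalUsers{$host}{$who} Time(s)\n";
      }
   }
}

if (keys %Users) {
   print "\nUsers logging in through :\n";
   foreach my $host (sort keys %Users) {
      print " $host:\n";
      # Second level is the web management type captured from the log.
      foreach my $mgmt (sort { $a cmp $b } keys %{ $Users{$host} }) {
         print " $mgmt:\n";
         my $by_ip = $Users{$host}{$mgmt};
         # Logwatch helper: order source addresses by total count, then by IP.
         my $totalSort = TotalCountOrder(%$by_ip, \&SortIP);
         foreach my $ip (sort $totalSort keys %$by_ip) {
            my $name = LookupIP($ip);
            if ($Detail >= 20) {
               print " $name:\n";
               my $sort = CountOrder(%{ $by_ip->{$ip} });
               foreach my $user (sort $sort keys %{ $by_ip->{$ip} }) {
                  my $val = $by_ip->{$ip}{$user};
                  my $plural = ($val > 1) ? "s" : "";
                  print " $user: $val time$plural\n";
               }
            }
            else {
               # Below detail 20 the only entry is the "(all)" bucket.
               my $val = (values %{ $by_ip->{$ip} })[0];
               my $plural = ($val > 1) ? "s" : "";
               print " $name: $val time$plural\n";
            }
         }
      }
   }
}

if (@OtherList) {
   print "\n**Unmatched Entries**\n";
   print @OtherList;
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: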