1 2######################################################## 3# Please file all bug reports, patches, and feature 4# requests under: 5# https://sourceforge.net/p/logwatch/_list/tickets 6# Help requests and discusion can be filed under: 7# https://sourceforge.net/p/logwatch/discussion/ 8######################################################## 9 10##################################################### 11## Copyright (c) 2008 Kirk Bauer 12## Covered under the included MIT/X-Consortium License: 13## http://www.opensource.org/licenses/mit-license.php 14## All modifications and contributions by other persons to 15## this script are assumed to have been donated to the 16## Logwatch project and thus assume the above copyright 17## and licensing terms. If you want to make contributions 18## under your own copyright or a different license this 19## must be explicitly stated in the contribution an the 20## Logwatch project reserves the right to not accept such 21## contributions. If you have made significant 22## contributions to this script and want to claim 23## copyright please contact logwatch-devel@lists.sourceforge.net. 
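#########################################################

# NOTE: This script is for older (6.X era) Red Hat boxes
#
# Summarizes the "secure" log for logwatch.  Each log line arrives on
# STDIN (the anchored patterns below assume the framework has already
# removed the syslog timestamp/host prefix) and a plain-text report is
# written to STDOUT.  Some sections are only printed when
# LOGWATCH_DETAIL_LEVEL is high enough.  Lines matched by none of the
# patterns are listed under "Unmatched Entries" so that new or
# unexpected messages are never silently dropped.

use strict;
use warnings;

# Detail level handed down by the logwatch framework.  Anything that is
# not a plain non-negative integer is treated as 0 so the numeric
# comparisons below never operate on garbage.
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
$Detail = 0 unless $Detail =~ /\A\d+\z/;

# Accumulators for the report sections printed after the loop.
my %SUList;           # " orig(uid=N) -> user" => count of su sessions
my %CouldNotIDPW;     # user => count ("auth could not identify password")
my @PWChanges;        # raw "password for (x) changed by (y)" lines
my @BadName;          # bad usernames received
my @Expired;          # users whose expiry check failed
my %OpenedSessions;   # service => { user => count }
my %RemoteLogins;     # user => { remote host => count }
my %LocalLogins;      # user => count
my %RootLogins;       # tty => count
my %AuthFailures;     # "logname(uid=N) -> user" => { service => count }
my %FailedLogins;     # remote host => [ users ]
my %OtherList;        # unmatched line => count

# Build the "logname(uid=N) -> user" key used by %AuthFailures.  An empty
# logname becomes a single space so the key keeps its leading column when
# printed (matching the original report layout).
sub auth_key {
   my ($start_name, $start_uid, $end_name) = @_;
   $start_name = " " if (!$start_name);
   return $start_name . "(uid=" . $start_uid . ") -> " . $end_name;
}

while (defined(my $ThisLine = <STDIN>)) {
   # Strip the newline once here: several patterns below end in "([^ ]+)$",
   # and a negated class also matches "\n", so without this the captured
   # user/host names would carry a trailing newline into the report keys.
   chomp($ThisLine);

   my ($RemoteHost, $User, $From, $Num, $Service, $Orig);
   my ($StartName, $StartUID, $EndName, $ServiceName, $ThisKey);

   if ( ( $ThisLine =~ /(.*) session closed for user .*$/ ) or
        ( $ThisLine =~ /^Logout user .* host .*$/ ) or
        ( $ThisLine =~ /^log: Password authentication/ ) or # apparently SSHD messages
        ( $ThisLine =~ /^log: Closing connection/ ) or # apparently SSHD messages
        ( $ThisLine =~ /^check pass; user unknown/ ) or
        ( $ThisLine =~ /^User account has expired/ ) or # This one is caught below (2-line message)
        ( $ThisLine =~ /^get passwd; pwdb: structure is no longer valid$/) or
        ( $ThisLine =~ /^fatal: Read error from remote host: Connection reset by peer$/) or
        ( $ThisLine =~ /^new password not acceptable$/ ) or
        ( $ThisLine =~ /^FTP session closed$/) or
        ( $ThisLine =~ /^FTP LOGIN REFUSED/) or
        ( $ThisLine =~ /^FAILED LOGIN SESSION FROM \S+ FOR , Error in service module/) or
        ( $ThisLine =~ /^FTP LOGIN FROM/ ) # I will let ftpd handle FTP messages....
      ) {
      # We don't care about these
   }
   elsif ( $ThisLine =~ /password for \(.*\) changed by \(.*\)$/ ) {
      push @PWChanges, $ThisLine;
   }
   elsif ( (($RemoteHost,$User) = ( $ThisLine =~ /^failed login from ([^ ]+) \[.*\], ([^ ]+)$/ )) or
           # This message names the user *before* the host, so the captures
           # are assigned in that order (they used to be swapped, which
           # reported the user as the host and the host as the user).
           (($User,$RemoteHost) = ( $ThisLine =~ /^Login failure user=(\S+) host=([^ ]+)$/ )) ) {
      push @{$FailedLogins{$RemoteHost}}, $User;
   }
   elsif ( $ThisLine =~ s/auth could not identify password for \[([^ ]+)\]$/$1/ ) {
      $CouldNotIDPW{$ThisLine}++;
   }
   elsif ( $ThisLine =~ s/^expiry check failed for \'([^ ]+)\'/$1/ ) {
      # user account expired?
      push @Expired, $ThisLine;
   }
   elsif ( $ThisLine =~ s/bad username \[(.*)\]$/$1/ ) {
      push @BadName, $ThisLine;
   }
   elsif ( ($Num,$StartName,$StartUID,$EndName,$ServiceName) =
           ( $ThisLine =~ m/^(\d+) authentication failure.*; ([^ ]*)\(uid=(\d+)\) -> ([^ ]+) for ([^ ]+) service$/ ) ) {
      # Repeated-message form ("N authentication failure ..."): count N.
      # This must be tried before the unanchored single-message pattern
      # below, which also matches these lines and would count them as 1.
      $AuthFailures{auth_key($StartName, $StartUID, $EndName)}{$ServiceName} += $Num;
   }
   elsif ( ($StartName,$StartUID,$EndName,$ServiceName) =
           ( $ThisLine =~ m/authentication failure.*; ([^ ]*)\(uid=(\d+)\) -> ([^ ]+) for ([^ ]+) service$/ ) ) {
      $AuthFailures{auth_key($StartName, $StartUID, $EndName)}{$ServiceName}++;
   }
   elsif ( ($ThisKey,$ServiceName) = ( $ThisLine =~ /([^ ]+) authentication failed for ([^ ]+)$/ ) ) {
      $AuthFailures{$ThisKey}{$ServiceName}++;
   }
   elsif ( ($RemoteHost, $User) = ( $ThisLine =~ m/^FAILED LOGIN .* FROM ([^ ]+) FOR (.+), .*$/ ) ) {
      push @{$FailedLogins{$RemoteHost}}, $User;
   }
   elsif ( $ThisLine =~ s/^ROOT LOGIN ON ([^ ]+)/$1/ ) {
      $RootLogins{$ThisLine}++;
   }
   elsif ( (($User,$From) = ( $ThisLine =~ /^LOGIN ON [^ ]+ BY ([^ ]+) FROM ([^ ]+)$/ )) or
           (($User,$From) = ( $ThisLine =~ /^Login user=([^ ]+) host=([^ ]+)$/ )) ) {
      $RemoteLogins{$User}{$From}++;
   }
   elsif ( $ThisLine =~ s/^LOGIN ON [^ ]+ BY ([^ ]+$)/$1/ ) {
      $LocalLogins{$ThisLine}++;
   }
   elsif ( ($ServiceName,$StartName,$StartUID,$EndName) =
           ( $ThisLine =~ m/([^ ]+)\[[0-9]+\]:\s+authentication\s+failure;\s*logname=([^ ]+)\s+uid=([^ ]+).*user=([^ ]+)/ ) ) {
      $AuthFailures{auth_key($StartName, $StartUID, $EndName)}{$ServiceName}++;
   }
   elsif ( ($Service, $User, $Orig) = ( $ThisLine =~ /^\((.*)\) session opened for user ([^ ]+) by (.*\(uid=.*\))/ ) ) {
      # "su" sessions are reported separately as "orig -> user"; any other
      # service is just counted per user.
      if (( $Service eq "su" ) and ($Orig =~ /[^ ]+\(uid=.*\)$/)) {
         $SUList{" " . $Orig . " -> " . $User}++;
      }
      else {
         $OpenedSessions{$Service}{$User}++;
      }
   }
   else {
      # Report any unmatched entries...
      $OtherList{$ThisLine}++;
   }
}

# --- Report -----------------------------------------------------------
# Hash keys are sorted so the report is stable from run to run (hash
# order is otherwise arbitrary), which makes comparing reports possible.

if (keys %SUList) {
   print "\nSU Sessions:\n";
   foreach my $SU (sort keys %SUList) {
      print "   " . $SU . " - " . $SUList{$SU} . " Time(s)\n";
   }
}

if (($Detail >= 10) and (keys %CouldNotIDPW)) {
   print "\nCould not identify password for:\n";
   foreach my $User (sort keys %CouldNotIDPW) {
      print "   " . $User . " - " . $CouldNotIDPW{$User} . " Time(s)\n";
   }
}

if (@PWChanges) {
   print "\nPassword Changes:\n";
   foreach my $Change (@PWChanges) {
      print "   " . $Change . "\n";
   }
}

if (($Detail >= 5) and (@BadName)) {
   print "\nBad Usernames Received:\n";
   foreach my $User (@BadName) {
      print "   " . $User . "\n";
   }
}

if (@Expired) {
   print "\nExpired User Accounts:\n";
   foreach my $User (@Expired) {
      print "   " . $User . "\n";
   }
}

if (keys %OpenedSessions) {
   print "\nOpened Sessions:\n";
   foreach my $Service (sort keys %OpenedSessions) {
      print "   Service: " . $Service . "\n";
      foreach my $User (sort keys %{$OpenedSessions{$Service}}) {
         print "      User " . $User . " - " . $OpenedSessions{$Service}{$User} . " Time(s)\n";
      }
   }
}

if (keys %RemoteLogins) {
   print "\nRemote Logins:\n";
   foreach my $User (sort keys %RemoteLogins) {
      print "   User " . $User . ":\n";
      foreach my $Remote (sort keys %{$RemoteLogins{$User}}) {
         print "      Remote Host " . $Remote . " - " . $RemoteLogins{$User}{$Remote} . " Time(s)\n";
      }
   }
}

if (keys %LocalLogins) {
   print "\nLocal Logins:\n";
   foreach my $User (sort keys %LocalLogins) {
      print "   " . $User . " - " . $LocalLogins{$User} . " Time(s)\n";
   }
}

if (keys %RootLogins) {
   print "\nRoot Logins:\n";
   foreach my $tty (sort keys %RootLogins) {
      print "   " . $tty . ": " . $RootLogins{$tty} . " time(s)\n";
   }
}

if (($Detail >= 5) and (keys %AuthFailures)) {
   print "\nAuthentication Failures:\n";
   foreach my $Users (sort keys %AuthFailures) {
      print "   " . $Users . "\n";
      foreach my $Service (sort keys %{$AuthFailures{$Users}}) {
         print "      Service: " . $Service . ": " . $AuthFailures{$Users}{$Service} . " time(s)\n";
      }
   }
}

if (($Detail >= 5) and (keys %FailedLogins)) {
   print "\nLogin Failures:\n";
   foreach my $RemoteHost (sort keys %FailedLogins) {
      # join() instead of printing "user, " per entry avoids the dangling
      # separator at the end of each line.
      print "   " . $RemoteHost . ": " . join(", ", @{$FailedLogins{$RemoteHost}}) . "\n";
   }
}

if (keys %OtherList) {
   print "\n**Unmatched Entries**\n";
   # These are log lines reproduced verbatim (minus the newline); as with
   # every other section, any escaping of unusual characters in them is
   # left to the framework that renders the report.
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "$line: $OtherList{$line} Time(s)\n";
   }
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: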