1 2######################################################## 3# Please file all bug reports, patches, and feature 4# requests under: 5# https://sourceforge.net/p/logwatch/_list/tickets 6# and copy: 7# Laurent DUFOUR <laurent.dufour@havas.com>,<dufour_l@hotmail.com> 8# Help requests and discusion can be filed under: 9# https://sourceforge.net/p/logwatch/discussion/ 10######################################################## 11 12######################################################## 13# This was written and is maintained by: 14# Laurent DUFOUR <laurent.dufour@havas.com>,<dufour_l@hotmail.com> 15# based on the work of 16# Kirk Bauer <kirk@kaybee.org> 17######################################################## 18 19####################################################### 20## Copyright (c) 2008 Laurent DUFOUR 21## Covered under the included MIT/X-Consortium License: 22## http://www.opensource.org/licenses/mit-license.php 23## All modifications and contributions by other persons to 24## this script are assumed to have been donated to the 25## Logwatch project and thus assume the above copyright 26## and licensing terms. If you want to make contributions 27## under your own copyright or a different license this 28## must be explicitly stated in the contribution an the 29## Logwatch project reserves the right to not accept such 30## contributions. If you have made significant 31## contributions to this script and want to claim 32## copyright please contact logwatch-devel@lists.sourceforge.net. 
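#########################################################
use strict;
use warnings;

use Logwatch ':all';

my $Debug  = $ENV{'LOGWATCH_DEBUG'}        || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Options handed to _convert() when byte totals are printed.
my %configConvert = (
   'human-readable'    => 0,
   'Human-readable'    => 1,
   'truncate-readable' => 2,
);

########################################################
# Accumulators.  The outer key is always the syslog source host (4th
# whitespace-separated field of the line); the inner keys are built from
# the firewall's own log text.  That text is attacker-influenced (remote
# peers choose the addresses, URLs and user names that appear in it) and
# is echoed verbatim into the mailed report, so it is only ever counted
# here, never interpreted or executed.
########################################################
my (%Started, %UDP_dropped, %TCP_dropped, %ICMP_dropped, %Msg);
my (%URL_GET, %URL_POST, %URL_HEAD, %URL_OTHER);
my (%ProtoPacketSent, %ProtoPacketReceived);
my (%TotalProtoByteSent, %TotalProtoByteReceived);
my (%ByteSent, %ByteReceived, %PortPacketSent, %PortPacketReceived);
my (%NTPUpdated, %NTPFailed, %DNSRefreshed, %SyslogFacility, %SyslogHost);
my (%Restarted, %ReloadRequested, %AccessRuleAdded, %SysCfgSaved);
my (%BadLogins, %BadAdminLogins, %IllegalUsers, %TCP_NULL_scan, %Users);
my @OtherList;

# Regex fragments shared by the connection-level messages.
my $IP_RE = qr/\d+\.\d+\.\d+\.\d+/;
# "addr:port:zone[:name]" as written after src= / dst=; four captures.
# \S* instead of the former (.*)? keeps the optional name from swallowing
# the rest of the line (and avoids the backtracking that came with it).
my $EP_RE = qr/($IP_RE):(\d+):(WAN|LAN|DMZ):?(\S*)/;
# "n=<seq> src=<endpoint> dst=<endpoint>"; nine captures, see _conn_fields.
my $CONN_RE = qr/n=(\d+) src=$EP_RE dst=$EP_RE/;

# Messages that are deliberately not reported.
my @IGNORE_RE = (
   qr/traffic/,
   qr/Copyright/,
   qr/removed due to simultaneous rekey/,
   qr/Administrator logged out/,
   qr/Connection (?:Closed|Opened)/,
   qr/(?:TCP|UDP) connection dropped/,
);

# Name the nine $CONN_RE captures.
sub _conn_fields {
   my @c = @_;
   return (
      n        => $c[0],
      src_ip   => $c[1], src_port => $c[2], src_zone => $c[3], src_name => $c[4],
      dst_ip   => $c[5], dst_port => $c[6], dst_zone => $c[7], dst_name => $c[8],
   );
}

# Taken from DiskUsage.pm inside Filesys-DiskUsage-0.02
#
# Jose Castro, C<< <cog@cpan.org>
# Please report any bugs or feature requests to
# C<bug-disk-usage@rt.cpan.org>, or through the web interface at
# L<http://rt.cpan.org>.  I will be notified, and then you'll
# automatically be notified of progress on your bug as I make changes.
#
# Copyright 2004 Jose Castro, All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify it
# under the same terms as Perl itself.
#
# Convert a byte count to a human readable string such as "1.50M".
#   $size   - number of bytes; undef in gives undef out
#   %config - 'Human-readable' => 1 scales by 1000 instead of 1024,
#             'truncate-readable' => N prints N decimals (0 = untouched)
sub _convert {
   my ($size, %config) = @_;
   return if !defined $size;
   my $block = $config{'Human-readable'} ? 1000 : 1024;
   my @units = qw(B K M G);
   # Stop at the largest unit: running @units empty left huge totals
   # without any suffix (and an undef warning).
   while (@units > 1 && $size > $block) {
      shift @units;
      $size /= $block;
   }
   my $decimals = $config{'truncate-readable'} || 0;
   if ($decimals > 0) {
      $size = sprintf("%.${decimals}f", $size);
   }
   return "$size$units[0]";
}

# Add one transfer record to the per-device traffic totals.
#   $host_ip   - reporting device
#   $ip_proto  - udp | tcp | icmp
#   $port_type - service after the "/" in proto= (e.g. "http", "1802")
#   $direction - "sent" | "rcvd"
#   $bytes     - byte count from the matching counter field
# Per-port tables are only kept for tcp and udp, as before.
sub _account_transfer {
   my ($host_ip, $ip_proto, $port_type, $direction, $bytes) = @_;
   my ($packets, $proto_bytes, $port_bytes, $port_packets) =
      $direction eq 'sent'
      ? (\%ProtoPacketSent,     \%TotalProtoByteSent,     \%ByteSent,     \%PortPacketSent)
      : (\%ProtoPacketReceived, \%TotalProtoByteReceived, \%ByteReceived, \%PortPacketReceived);
   $packets->{$host_ip}{$ip_proto}++;
   # The old code read the running total back from {$ip_proto} instead of
   # {$host_ip}, so byte totals never accumulated across lines.
   $proto_bytes->{$host_ip}{$ip_proto} += $bytes;
   if ($ip_proto eq 'tcp' or $ip_proto eq 'udp') {
      # Plain string key: {$proto,"/",$port} was a $;-joined
      # multi-dimensional key and leaked the separator into the report.
      my $port_key = "$ip_proto/$port_type";
      $port_bytes->{$host_ip}{$port_key} += $bytes;
      $port_packets->{$host_ip}{$port_key}++;
   }
   return;
}

# Record one successful management login in %Users, shaped the way the
# "Users logging in" report walks it: device -> user -> source IP -> method.
sub _record_login {
   my ($host_ip, $user, $src_ip, $method) = @_;
   if ($Debug >= 5) {
      print STDERR "DEBUG: Found -$user logged in from $src_ip via $method\n";
   }
   # Below detail 20 the report shows one total per source, not per method.
   my $key = $Detail >= 20 ? $method : '(all)';
   $Users{$host_ip}{$user}{$src_ip}{$key}++;
   return;
}

# Print a section whose table is device => count.
sub _report_counts {
   my ($title, $table) = @_;
   return unless keys %$table;
   print "\n$title :\n";
   for my $device (sort keys %$table) {
      print " $device\t: $table->{$device} Time(s)\n";
   }
   return;
}

# Print a section whose table is device => { item => count }.
#   $unit   - text after the count ("Time(s)", "packet(s)", ...)
#   $format - optional code ref applied to each count before printing
sub _report_nested {
   my ($title, $table, $unit, $format) = @_;
   return unless keys %$table;
   print "\n$title :\n";
   for my $device (sort keys %$table) {
      print " $device:\n";
      for my $item (sort keys %{ $table->{$device} }) {
         my $value = $table->{$device}{$item};
         $value = $format->($value) if $format;
         print "\t $item\t: $value $unit\n";
      }
   }
   return;
}

# Same table shape as _report_nested, in the terser layout the login
# sections use.  $header is printed verbatim (their punctuation differs).
sub _report_logins {
   my ($header, $table) = @_;
   return unless keys %$table;
   print "\n$header\n";
   for my $device (sort keys %$table) {
      print " $device:\n";
      for my $item (sort keys %{ $table->{$device} }) {
         print "\t $item: $table->{$device}{$item} Time(s)\n";
      }
   }
   return;
}

if ($Debug >= 5) {
   print STDERR "\n\nDEBUG: Inside SONICWALL Filter \n\n";
}
my $DebugCounter = 1;

# Example lines (from the original source):
#time="2005-03-23 09:03:27" fw=62.2.84.91 pri=5 c=128 m=37 msg="UDP packet dropped" n=3759 src=64.74.133.26:11379:WAN dst=62.2.84.91:33436:WAN^M
#Mar 23 12:45:32 10.15.30.1 id=firewall sn=004010144097 time="2005-03-23 11:08:20" fw=62.2.84.91 pri=6 c=1024 m=98 n=61505 src=195.143.213.210:4992:WAN dst=62.2.84.92:1802:DMZ proto=tcp/1802 rcvd=106 ^M

LINE:
while (defined(my $ThisLine = <STDIN>)) {
   if ($Debug >= 30) {
      print STDERR "DEBUG($DebugCounter): $ThisLine";
      $DebugCounter++;
   }

   # Only SonicWALL lines carry a serial number field; anything else on
   # STDIN is not ours and is silently skipped (not even listed as unmatched).
   next LINE unless $ThisLine =~ /sn=/;

   # Devices log with CRLF; strip both so captures and keys stay clean.
   $ThisLine =~ s/\r?\n\z//;

   my ($month, $day, $time, $host_ip, $host_id, $host_sn, $rest) =
      split(/ +/, $ThisLine, 7);
   $host_ip = '' unless defined $host_ip;

   my @m;

   if (grep { $ThisLine =~ $_ } @IGNORE_RE) {
      # Known noise; nothing to count.
   }

   # Dropped packets, per transport, keyed by source -> destination.
   elsif (@m = $ThisLine =~ m{msg="(UDP|TCP|ICMP) packet dropped" $CONN_RE}) {
      my $proto = $m[0];
      my %f     = _conn_fields(@m[1 .. 9]);
      my $table = $proto eq 'UDP' ? \%UDP_dropped
                : $proto eq 'TCP' ? \%TCP_dropped
                :                   \%ICMP_dropped;
      $table->{$host_ip}{ LookupIP($f{src_ip}) . " to " . LookupIP($f{dst_ip}) }++;
   }

   # HTTP HEAD / other methods.  These lines carry no dstname= field, so the
   # destination address stands in for the URL (the old code keyed on a
   # $url left over from an earlier line).
   elsif (@m = $ThisLine =~ m{$CONN_RE proto=(udp|tcp)/(http|80) op=(HEAD|Other) result=(\d+)}) {
      my %f     = _conn_fields(@m[0 .. 8]);
      my $op    = $m[11];
      my $where = LookupIP($f{dst_ip});
      if ($op eq 'HEAD') {
         $URL_HEAD{$host_ip}{$where}++;
      }
      else {
         $URL_OTHER{$host_ip}{$where}++;
      }
   }

   # HTTP GET / POST with byte counters.  One pattern now covers both the
   # "rcvd=N" and the "sent=N rcvd=M" variants.
   elsif (@m = $ThisLine =~ m{$CONN_RE proto=(udp|tcp|icmp)/(http|80) op=(GET|POST) ((?:(?:sent|rcvd)=\d+ )+)result=(\d+) dstname=(\S+)}) {
      my ($ip_proto, $port_type, $op, $counters, $result, $url) = @m[9 .. 14];
      if ($op eq 'GET') {
         $URL_GET{$host_ip}{$url}++;
      }
      else {
         $URL_POST{$host_ip}{$url}++;
      }
      while ($counters =~ /(sent|rcvd)=(\d+)/g) {
         _account_transfer($host_ip, $ip_proto, $port_type, $1, $2);
      }
   }

   # Any other connection with byte counters.  \S+ for the service: the
   # former greedy (.*) could absorb "sent=N" into the port name.
   elsif (@m = $ThisLine =~ m{$CONN_RE proto=(udp|tcp|icmp)/(\S+) (.*)}
          and $m[11] =~ /\b(?:sent|rcvd)=\d+/) {
      my ($ip_proto, $port_type, $counters) = @m[9 .. 11];
      while ($counters =~ /\b(sent|rcvd)=(\d+)/g) {
         _account_transfer($host_ip, $ip_proto, $port_type, $1, $2);
      }
   }

   elsif (@m = $ThisLine =~ /System Config saved from host ($IP_RE) (.*)/
          or @m = $ThisLine =~ /The system configuration was saved from host ($IP_RE) by (.*)/) {
      $SysCfgSaved{$host_ip}{ LookupIP($m[0]) }++;
   }
   elsif ($ThisLine =~ /Compiled/) {
      $Started{$host_ip}++;
   }
   elsif ($ThisLine =~ /DNS entries have been automatically refreshed/
          or $ThisLine =~ /DNS has been refreshed/) {
      $DNSRefreshed{$host_ip}++;
   }
   elsif ($ThisLine =~ /Log successfully sent via email/) {
      $SyslogHost{$host_ip}++;
   }
   elsif ($ThisLine =~ /Syslog (?:security )?facility has been changed/) {
      $SyslogFacility{$host_ip}++;
   }
   elsif ($ThisLine =~ /The system clock has been updated through NTP/) {
      $NTPUpdated{$host_ip}++;
   }
   elsif ($ThisLine =~ /failed to get clock through NTP/) {
      $NTPFailed{$host_ip}++;
   }
   elsif ($ThisLine =~ /Access Rule added/) {
      $AccessRuleAdded{$host_ip}++;
   }
   elsif (@m = $ThisLine =~ /RELOAD: (.*)/) {
      $ReloadRequested{$host_ip}{ $m[0] }++;
   }
   elsif (@m = $ThisLine =~ /RESTART: (.*)/) {
      $Restarted{$host_ip}{ $m[0] }++;
   }
   elsif (@m = $ThisLine =~ /msg="Probable TCP NULL scan " n=(\d+) src=($IP_RE) (.*)/) {
      print STDERR "DEBUG: Found -TCP NULL scan- line\n" if $Debug >= 5;
      $TCP_NULL_scan{$host_ip}{ "TCP NULL scan from " . LookupIP($m[1]) }++;
   }
   elsif (@m = $ThisLine =~ /msg="Successful administrator login" n=(\d+) src=($IP_RE) (.*)/) {
      _record_login($host_ip, 'administrator', $m[1], 'Successful administrator login');
   }
   elsif (@m = $ThisLine =~ /msg="(WAN zone administrator login allowed|Web management request allowed)" n=(\d+) usr=(\w+) src=($IP_RE)/) {
      _record_login($host_ip, $m[2], $m[3], $m[0]);
   }
   elsif (@m = $ThisLine =~ /msg="Administrator login failed - incorrect password" n=(\d+) src=($IP_RE) (.*)/) {
      print STDERR "DEBUG: Found -Failed login- line\n" if $Debug >= 5;
      my $name = LookupIP($m[1]);
      $BadAdminLogins{$host_ip}{"Administrator login failed - incorrect password from $name"}++;
      $IllegalUsers{$host_ip}{"HTTP from $name"}++;
   }
   elsif (@m = $ThisLine =~ /msg="Unknown user attempted to log in" n=(\d+) src=($IP_RE) dst=($IP_RE) user=(.*)/) {
      print STDERR "DEBUG: Found -Failed login- line\n" if $Debug >= 5;
      my $name = LookupIP($m[1]);
      $BadLogins{$host_ip}{"$m[3] user attempted to log in from $name"}++;
      $IllegalUsers{$host_ip}{"HTTP from $name"}++;
   }
   elsif (@m = $ThisLine =~ /SSH client at (.+) has attempted to make an SCS connection to interface untrust with IP (.+) but failed (.*)/) {
      # The client is the first capture; the old code reported the
      # firewall's own interface address ($2) as the failing peer.
      my $name = LookupIP($m[0]);
      $BadLogins{$host_ip}{"SSH from $name"}++;
      $IllegalUsers{$host_ip}{"SSH from $name"}++;
   }

   # Everything else that names a src/dst pair ("Ping of death dropped",
   # "Smurf Amplification attack dropped", ...).  [^"]* stops at the closing
   # quote of msg= rather than at the last quote on the line.
   elsif (@m = $ThisLine =~ m{msg="([^"]*)" $CONN_RE}) {
      my %f = _conn_fields(@m[1 .. 9]);
      $Msg{$host_ip}{ "$m[0] for " . LookupIP($f{src_ip}) . " to " . LookupIP($f{dst_ip}) }++;
   }

   else {
      # Report any unmatched entries...
      push @OtherList, "$ThisLine\n";
   }
}

my $bytes = sub { _convert($_[0], %configConvert) };

_report_counts('Device started', \%Started);

_report_nested('Device where ip UDP packets have been dropped',  \%UDP_dropped,  'Time(s)');
_report_nested('Device where ip TCP packets have been dropped',  \%TCP_dropped,  'Time(s)');
_report_nested('Device where ip ICMP packets have been dropped', \%ICMP_dropped, 'Time(s)');
_report_nested('Device others message',                          \%Msg,          'Time(s)');

if ($Detail >= 5) {
   _report_nested('Device URL GET',   \%URL_GET,   'time(s)');
   _report_nested('Device URL POST',  \%URL_POST,  'time(s)');
   _report_nested('Device URL HEAD',  \%URL_HEAD,  'time(s)');
   _report_nested('Device URL OTHER', \%URL_OTHER, 'time(s)');

   _report_nested('Device Total packets received by protocols', \%ProtoPacketReceived,   'packet(s)');
   _report_nested('Device Total packets received by ports',     \%PortPacketReceived,    'packet(s)');
   _report_nested('Device Total Bytes received by protocols',   \%TotalProtoByteReceived, 'Byte(s)', $bytes);
   _report_nested('Device Total Bytes received by ports',       \%ByteReceived,           'Byte(s)', $bytes);

   _report_nested('Device Total packets sent by protocols', \%ProtoPacketSent,    'packet(s)');
   _report_nested('Device Total packets sent by ports',     \%PortPacketSent,     'packet(s)');
   _report_nested('Device Total Bytes sent by protocols',   \%TotalProtoByteSent, 'Byte(s)', $bytes);
   _report_nested('Device Total Bytes sent by ports',       \%ByteSent,           'Byte(s)', $bytes);
}

# These tables are plain per-device counters; the old report walked them as
# nested hashes and therefore never printed a single count.
_report_counts('Device where The system clock has been updated through NTP', \%NTPUpdated);
_report_counts('Device where failed to get clock through NTP',               \%NTPFailed);
_report_counts('Device where DNS have been refreshed',                       \%DNSRefreshed);
_report_counts('Device where Syslog facility has been changed',              \%SyslogFacility);
_report_counts('Device where Syslog have been mail successfully',            \%SyslogHost);

_report_nested('Device restarted',                           \%Restarted,       'Time(s)');
_report_counts('Device where rules have been added',         \%AccessRuleAdded);
_report_nested('Device reload requested',                    \%ReloadRequested, 'Time(s)');
_report_nested('Device where system config have been saved', \%SysCfgSaved,     'Time(s)');

_report_logins('Failed logins from these:',                \%BadLogins);
_report_logins('Device which had been ports scanned :',    \%TCP_NULL_scan);
_report_logins('Failed administrator logins from these:',  \%BadAdminLogins);
_report_logins('Illegal users from these:',                \%IllegalUsers);

if (keys %Users) {
   print "\nUsers logging in through :\n";
   for my $device (sort keys %Users) {
      print " $device:\n";
      for my $user (sort { $a cmp $b } keys %{ $Users{$device} }) {
         print " $user:\n";
         my $by_ip     = $Users{$device}{$user};
         my $totalSort = TotalCountOrder(%$by_ip, \&SortIP);
         for my $ip (sort $totalSort keys %$by_ip) {
            # LookupIP comes from Logwatch.pm; it may resolve the address.
            my $name = LookupIP($ip);
            if ($Detail >= 20) {
               print " $name:\n";
               my $sort = CountOrder(%{ $by_ip->{$ip} });
               for my $method (sort $sort keys %{ $by_ip->{$ip} }) {
                  my $val    = $by_ip->{$ip}{$method};
                  my $plural = ($val > 1) ? "s" : "";
                  print " $method: $val time$plural\n";
               }
            }
            else {
               # Below detail 20 _record_login stores a single "(all)" total.
               my $val    = (values %{ $by_ip->{$ip} })[0];
               my $plural = ($val > 1) ? "s" : "";
               print " $name: $val time$plural\n";
            }
         }
      }
   }
}

if (@OtherList) {
   print "\n**Unmatched Entries**\n";
   print @OtherList;
}

exit(0);

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: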