#!/bin/perl
#
# jt_showlog.pl - syslog summary program
#
## updated Wed Nov 22 16:02:55 EST 2006
##
## John Tysko (tysko -at- ace.cs.ohiou.edu)
##
## summarize system logs for solaris 10 (and others)
##
## this is a good guide, but you really should customize it.
##
## start with your system setup. You really need to log everything in order
## to analyze it. For hints on how I do it, see SYSTEM SETUP NOTES:
##
## Customize this script. Although it will run just fine as it is with
## general output, it will work better if you have it setup the way
## you like it. One major part is the section on grouping the output
## summaries into labs, offices, etc. The second is the section
## here that configures a couple of basic operations.
##
## add a default domain name to all found machines names if no domain
## or partial domain is present. This normalizes the input data
## so that mymach is the same as mymach.my.domain.
## not necessarily needed as long as you dont mind possible
## duplicate looking output.
##
## NOTE: Get_Table_Entry appends this only when the logged host name
## contains no '.' at all, so a partial domain is left exactly as logged.
## Set it to "" to disable the suffixing altogether.
$Def_Domain_name = "cs.ohiou.edu";

# options (you must specify options individually, as in -q -v, not -qv)
# -d = print details of some statistics, such as full types of errors in addition to counts
# -D = print details of records, such as disk drive types, bus populations, etc
# -DD = print nosy info, such as number of times users log in, weird error counts, etc
#       full /device/.... names, ip numbers, host names from records, number of times
#       users fail to login, host names and file names specific to one record
#       Note some detailed error msg summaries print only on this level as they are comprised
#       mainly of machine ip/names, user names, etc
# -DDD = you really don't want to see this much, but is good for debugging
#       summarizes some of non-displayed output
#       removes some constraints on some header sizes so they are not truncated.
# -FW = fixed width columns on -d,D,DD,DDD type output - default is variable width # -q = do not show lines with all zeroes # except for "other" groups. (assumed by -Q) # -Q = (DEFAULT) leave out "other" groups when zero, # if all entries in catagory are zero, not show show # the catagory. (What I usually run with) # -p = show lines with all zeroes # -P = show catagories with all zeroes anyway (assumed by -P) # -V = same as -v # -v = verbose - show each machine as separate line # ignores pre-defined groups, # still subject to -q # GOOD FOR 1st RUN ON LOG FILE or for finding unknown machines # -G = group all records in to the other catagory. # GOOD FOR SUMMARY RUN ON LOG FILE looking for problems. # -T = times - breakout by hour of certain stats # as in logins by hour, connects by hour, etc # Nice to see how busy a lab is. # -W = Warn about all unrecognized records. Otherwise just a summary table is printed. # Nice to see of you suddenly find unexpected/unknown programs in the output # -w = same as -W # -stats = show counts of records by machine, count by log entry source # (summary of what is in syslog) # -s = output table of ips vs number of bad logins. # -skipfile = FILENAME # The file FILENAME name contais programs to be skipped when # processing log files. Usefull for skipping local programs that log entries # not processed by this program, or just skipping thru services that you do not # want to bother with. File format is 1 program per line, specifying # program name as it appears in the log file. If the program name is followed # by a colon or right bracket, these must be included also, as in: # Port # lprm[ # su: # -sys SYSTEM = only load decode modules for system type SYSTEM. 
# current choices are: # ALL (default) # sparc (assume solaris) # osx (apple) # -all = sets parms -D -W -stats -s -T # * - log file to process (only 1 file though - I should fix that) # Defaults to /var/log/syslog if no file specified # You can always cat your log files together to get combined output, but be sure # to do them in the correct date ascending order or some statistics may get confused # # A SIG INT (control-c) terminates input processing and goes to output stage. ## ## SYSTEM SETUP NOTES: ## ## This is how to enable logging to get the maximum output from the program. ## You don't have to do any of these, but if you don't, magic won't happen and ## you wont see much in the output. ## ## 0. Assume a line in /etc/syslog.conf as ## *.info;auth.debug;kern.debug;mail.debug;daemon.notice/var/log/syslogd ## daemon.notice because solaris inetd logs some connections at that level.. ## mail.debug to see details of connections -otherwise report is very sparse ## plugin: name=audit_syslog.so; p_flags=all ## 3. inetd logs all, either by adding -t flag in /etc/rc start files ## OR with ENABLE_CONNECTION_LOGGING=YES in /etc/default/inetd ## OR in Sol10 with /usr/sbin/inetadm -M tcp_trace=true ## *AND* /usr/sbin/inetadm -M tcp_wrappers=true ## 4. use our own ssh modified to display connect from msg upon ## connection (not really necessary, but shows scanning) ## 5. /etc/mail/access db rejects connections w/ 550 Anti-spam block on ## 6. special mimedefang errors - put the text of the error after 3 dots, as in ## return('TEMPFAIL', "Connection rejected for noname host ip $ip ... ip used as name"); ## in error msgs in mimedefang.filter to get them recorded in the output at -d level.. ## Also, the md_graphdefange_log command allows you to track exection of secions of the ## filter program... this is also tracked here ## 7. Assum rctl error logging enabled on systems for various things (sol10) ## with something like: rctladm -e syslog task.max-lwps etc ## 8. 
## rpcbind assumes you turn on wrappers and logging via /usr/sbin/svccfg
##       select svc:network/rpc/bind
##       setprop config/enable_tcpwrappers = true
##       setprop config/verbose_logging = true
## 9. ident daemon - to get all data should be configured with
##       result:syslog-level = warning
## 10. snmp daemons - solaris, add "-a -s" to execute line, as in:
##       prog="/usr/sfw/sbin/snmpd -a -s" in /etc/rc3.d/S82initsma
## 11. set up ftpd to log things. add to ftpaccess file (can be large output)
##       log syslog
##       log commands real,guest,anonymous
##       log security real,guest,anonymous
##       log transfers real,guest,anonymous inbound,outbound
##
## 12. adding lpr.debug levels to syslog will show a lot, but you want to
##       add the names from /usr/lib/lp/model and /etc/lp/model that you
##       use to the skip names definition
## 13. The tester program for ident is assumed to be tidentd (as it
##       appears in the log file) if you dont have it, dont worry about it
###
### Apple's OS X
### assume all of above as applies to BSD type systems, particularly syslog.conf
##
## A1 - Printer logging assumes HP printers, with logging directed at
##       the loghost, not via a second machine.
##
## B1 - Radius server is assumed.
##
## and then customize the reports as per machines groupings you want
## where it says CUSTOMIZE HERE
##
## get times of report from /var/log/syslogd
## we assume that start/end times of this file are
## probably close enough for all reports.
## converted to perl Feb 17 2005
##
## init vars here for various things
##
$start_date="???";                 ## replaced in the main section with "Mon dd hh:mm:ss" of the first good record
$end_date="???";                   ## not assigned anywhere in the part of the file reviewed - presumably set at end of input; verify
$sendmail_bad_mail_to_files = 0;   ## cant mail directory to files
$OUTPUT_MACHINE_FIELD_SIZE = 12;   #size of machine name field - on left of output;
                                   #every $table_id label and the $m_head_* headers are cut/padded to this width
############
# computed values based on above
############
## spacing for headers of first field.
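## Header cells for the machine/group column.  sprintf pads and substr
## truncates, so each is exactly $OUTPUT_MACHINE_FIELD_SIZE columns and lines
## up with the padded $table_id labels regardless of how many literal spaces
## survive in the source.
$m_head_spc = substr(sprintf("%-*s", $OUTPUT_MACHINE_FIELD_SIZE, ""),        0, $OUTPUT_MACHINE_FIELD_SIZE);
$m_head_one = substr(sprintf("%-*s", $OUTPUT_MACHINE_FIELD_SIZE, "machine"), 0, $OUTPUT_MACHINE_FIELD_SIZE);
$m_head_two = substr(sprintf("%-*s", $OUTPUT_MACHINE_FIELD_SIZE, "/group"),  0, $OUTPUT_MACHINE_FIELD_SIZE);

##############################################
##
## Get parms, if any , from command line
##
##############################################
$LOUD_OUTPUT=0;                  # if true, print all lines, even if all zero; else, skip most zero lines
$NO_STEALTH_OUTPUT=0;            # if true, print all catagories, even when all entries are zero.
$ALLOW_UNKNOWN_MACHINES=0;       # if true, print all machines, 1 per line, instead of using groups
$ALL_MACHINES_ARE_OTHER=0;       # if true, all machines dumped into other catagory.
$TIMES_OUTPUT=0;                 # if true, print things like chart of console logins per each hour per mach.
$BAD_IP_OUT=0;                   # if true, print table of ips vs bad logins on ssh, telnet, etc.
$OUTPUT_STATS=0;                 # if true, print summary of records in log file.
$DETAILED_OUTPUT=0;              # if true, print details of some statistics, such as individual counts of cmds.
$REAL_DETAILED_OUTPUT=0;         # if true, print details that most people would not care to witness. (V2.3)
$REAL_REAL_DETAILED_OUTPUT=0;    # if true, print details that seems more accounting based - id, no of times users log in.
$STUPID_OUTPUT=0;                ##ok if true, print detail you only look at when debugging...
$DO_WARN_OUTPUT=0;               ## no specific msg if we have an unknown rec type.
$SYSTYPE="ALL";                  ## which decode tables to load: ALL, sparc or osx (see -sys)
$FIXED_WIDTH_OUTPUT = 0;         # use variable column width output on output tables

## Flag options that take no argument: option -> code that sets the globals.
## -v/-V and -W/-w are synonyms; -D, -DD, -DDD each imply the lower levels;
## -all is -D -W -stats -s -T (and explicitly clears the -DD level).
my %apply_flag_for = (
    '-q'     => sub { $LOUD_OUTPUT = 0; $NO_STEALTH_OUTPUT = 1; },
    '-Q'     => sub { $LOUD_OUTPUT = 0; $NO_STEALTH_OUTPUT = 0; },
    '-p'     => sub { $LOUD_OUTPUT = 1; $NO_STEALTH_OUTPUT = 1; },
    '-P'     => sub { $LOUD_OUTPUT = 1; $NO_STEALTH_OUTPUT = 0; },
    '-v'     => sub { $ALL_MACHINES_ARE_OTHER = 0; $ALLOW_UNKNOWN_MACHINES = 1; },
    '-V'     => sub { $ALL_MACHINES_ARE_OTHER = 0; $ALLOW_UNKNOWN_MACHINES = 1; },
    '-G'     => sub { $ALLOW_UNKNOWN_MACHINES = 0; $ALL_MACHINES_ARE_OTHER = 1; },
    '-W'     => sub { $DO_WARN_OUTPUT = 1; },
    '-w'     => sub { $DO_WARN_OUTPUT = 1; },
    '-FW'    => sub { $FIXED_WIDTH_OUTPUT = 1; },
    '-stats' => sub { $OUTPUT_STATS = 1; },
    '-s'     => sub { $BAD_IP_OUT = 1; },
    '-d'     => sub { $DETAILED_OUTPUT = 1; },
    '-D'     => sub { $REAL_DETAILED_OUTPUT = 1; $DETAILED_OUTPUT = 1; },
    '-DD'    => sub { $REAL_REAL_DETAILED_OUTPUT = 1; $REAL_DETAILED_OUTPUT = 1; $DETAILED_OUTPUT = 1; },
    '-DDD'   => sub { $STUPID_OUTPUT = 1; $REAL_REAL_DETAILED_OUTPUT = 1; $REAL_DETAILED_OUTPUT = 1; $DETAILED_OUTPUT = 1; },
    '-T'     => sub { $TIMES_OUTPUT = 1; },
    '-all'   => sub {   # -all = sets parms -D -W -stats -s -T
        $REAL_REAL_DETAILED_OUTPUT = 0;
        $REAL_DETAILED_OUTPUT = 1;
        $DETAILED_OUTPUT = 1;
        $DO_WARN_OUTPUT = 1;
        $OUTPUT_STATS = 1;
        $BAD_IP_OUT = 1;
        $TIMES_OUTPUT = 1;
    },
);

## Consume leading "-xxx" words from @ARGV and set the option globals.
## Stops at the first word that does not start with '-', leaving it (the log
## file name) in @ARGV.  -skipfile and -sys take the following word as their
## value and die if it is missing; an unknown option dies.
sub parse_options {
    while (@ARGV && substr($ARGV[0], 0, 1) eq "-") {
        my $opt = shift @ARGV;
        if (defined $apply_flag_for{$opt}) {
            $apply_flag_for{$opt}->();
        }
        elsif ($opt eq "-skipfile") {
            die "option -skipfile requires a file name" unless @ARGV;
            $skipfile = shift @ARGV;
        }
        elsif ($opt eq "-sys") {
            die "option -sys requires a value (ALL, sparc or osx)" unless @ARGV;
            my $sys = shift @ARGV;
            if    ($sys eq "ALL")   { $SYSTYPE = "ALL"; }
            elsif ($sys eq "sparc") { $SYSTYPE = "sparc"; }
            elsif ($sys eq "osx")   { $SYSTYPE = "osx"; }
            else                    { die "unknown value for -sys of $sys"; }
        }
        else {
            die "Illegal option $opt";
        }
    }
    return;
}

parse_options();

##
## set up our table of machines and lab groups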
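## by name IF NOT VERBOSE
## so we can access globally later.
## $table_index is incremented by 1 for each output category
## $pat_table_index is incremented by 1 for each matching function
## Bad_ip_out_table->{"tablename"}="Bad_IP_Table_name";
##
## Parallel tables filled in here and by New_Pattern_Table_entry,
## Add_Another_Pattern_TABLE_ENTRY and Get_Table_Entry:
##   $pattern_table[$p]  regex (kept as a string) matched against the host name
##   $pat_to_table[$p]   output category the pattern maps to
##   $table_id[$t]       printed label of category $t, padded/truncated to
##                       $OUTPUT_MACHINE_FIELD_SIZE columns
## Category 0 is "skip", category 1 is "Other" (anything unmatched); both are
## mandatory, user categories start at 2.

## pad (or truncate) a label to the machine-name column width.
sub _fit_label {
    my ($label) = @_;
    return substr(sprintf("%-*s", $OUTPUT_MACHINE_FIELD_SIZE, $label), 0, $OUTPUT_MACHINE_FIELD_SIZE);
}

## Build the mandatory categories and (unless -v / -G) the site-specific
## groups from the CUSTOMIZE section, then size every label.
sub init_group_tables {
    $table_index     = -1;   ## index into table holding summary counts. >=1 pat_index per $table_index
    $pat_table_index = -1;   ## index into table of pattern matches.

    ## skippable machines - ie, no error reporting for now
    $table_index = 0;        ## MANDATORY INDEX - SKIP ANY PATTERNS DEFINED HERE
    $pattern_table[++$pat_table_index] = "^skip-me";
    $pat_to_table[$pat_table_index]    = $table_index;
    ## Fix: this label was stored in $table_id[1] (and then overwritten by
    ## "Other" below), leaving the skip category with no label at all.
    $table_id[$table_index] = _fit_label("");

    ##default
    $table_index = 1;        ## MANDATORY INDEX - HOLDING TANK FOR UNKNOWN MACHINE GROUPS
    $table_id[$table_index] = _fit_label(" Other");   #leading space is necessary for sort on key

    if ($ALL_MACHINES_ARE_OTHER) {
        New_Pattern_Table_entry(".*", "ALL machines");
        # Add_Another_Pattern_TABLE_ENTRY(".*");
    }

    ########################################
    #                                      #
    #   CUSTOMIZE OUTPUT LINES HERE        #
    #                                      #
    ########################################
    if ( ! $ALLOW_UNKNOWN_MACHINES && ! $ALL_MACHINES_ARE_OTHER) {
        ## add a new output line entry by calling New_Pattern_Table_entry ( pattern, table_id );
        ## add a second pattern to a line with Add_Another_Pattern_TABLE_ENTRY (pattern)
        # ace and aliases
        # New_Pattern_Table_entry ("^oucsace.cs.ohiou.edu", "ace");
        # Add_Another_Pattern_TABLE_ENTRY("^oucsace");
        # Add_Another_Pattern_TABLE_ENTRY("^ace");
        #
        # lab of 20 computers
        # New_Pattern_Table_entry ("^odd", "lab 183");
    } ## end not verbose

    ####
    ### end processing for size of labels - every category added above
    ####
    for my $t (2 .. $table_index) {
        $table_id[$t] = _fit_label($table_id[$t]);
    }
    return;
}

init_group_tables();

##
## function to set patterns in table.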
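##
## function to set patterns in table.
## New_Pattern_Table_entry($pattern, $label): open a new output category
## labelled $label whose first pattern is $pattern (a regex string matched
## against the domain-qualified host name by Get_Table_Entry).
##
sub New_Pattern_Table_entry {
    my ($pat, $label) = @_;
    $table_index++;
    $pattern_table[++$pat_table_index] = $pat;
    $pat_to_table[$pat_table_index]    = $table_index;
    $table_id[$table_index]            = $label;
}

##
## add entry to table for existing label.
## Add_Another_Pattern_TABLE_ENTRY($pattern): attach one more pattern to the
## category most recently opened by New_Pattern_Table_entry.
##
sub Add_Another_Pattern_TABLE_ENTRY {
    my ($pat) = @_;
    $pattern_table[++$pat_table_index] = $pat;
    $pat_to_table[$pat_table_index]    = $table_index;
}

##
## function to get the table id number (integer) for a specific name.
## returns table entry number (0 eq dont care -special)
##
## Get_Table_Entry($host): return the global machine number for $host,
## registering the machine on first sight:
##   - %quick_map caches the answer per raw (as-logged) name
##   - $Def_Domain_name is appended when the raw name contains no '.'
##   - verbose mode (-v): every machine gets its own output category
##   - otherwise the first matching $pattern_table entry picks the category,
##     falling back to 1 ("Other"); category 0 means "skip"
## Fix: when $Def_Domain_name is "" the original never assigned $myhost, so
## every machine was recorded under an undefined name.
##
sub Get_Table_Entry {
    my ($myhost_in) = @_;

    if (defined $quick_map{$myhost_in}) {   ## we have it
        return $quick_map{$myhost_in};      ## unique machine ID even if we want to ignore it
    }

    ## add default domain if none present.
    my $myhost = $myhost_in;
    if (defined $Def_Domain_name && $Def_Domain_name ne "" && index($myhost_in, '.') == -1) {
        $myhost = join(".", $myhost_in, $Def_Domain_name);
    }

    ## -- new mach. add to machine table.
    $Global_mach_cnt++;                               #number of unique mach we have found
    $Global_mach_name[$Global_mach_cnt] = $myhost;
    ## XXX: an array subscripted by a host-name string (numifies to 0) -
    ## almost certainly meant %Global_mach_index.  Left as written because
    ## whatever reads it is outside the part of the file reviewed.
    $Global_mach_index[$myhost] = $Global_mach_cnt;
    $quick_map{$myhost_in} = $Global_mach_cnt;

    ## -- now if we are in verbose mode, add 1 mach per output table.
    if ($ALLOW_UNKNOWN_MACHINES) {
        $table_index++;
        $pat_table_index++;
        $pat_to_table[$pat_table_index] = $table_index;
        $table_id[$table_index] = substr(sprintf("%-*s", $OUTPUT_MACHINE_FIELD_SIZE, $myhost), 0, $OUTPUT_MACHINE_FIELD_SIZE);
        #associate this machine with this output pattern
        $Output_table_machines[$table_index]->[ $Output_table_machines_cnt[$table_index]++ ] = $Global_mach_cnt;
        return $Global_mach_cnt;
    }

    ## so now we add to output pattern list
    my $t = 1;   # 0 is skip, 1 is other(not in table)
    for my $i (0 .. $pat_table_index) {
        ## an undef pattern would silently reuse the last successful regex
        next unless defined $pattern_table[$i];
        if ($myhost =~ $pattern_table[$i]) {
            $t = $pat_to_table[$i];
            last;
        }
    }
    #associate this machine with this output pattern
    $Output_table_machines[$t]->[ $Output_table_machines_cnt[$t]++ ] = $Global_mach_cnt;
    return $Global_mach_cnt;
}

##########################
##
## create jump table here based on field number 5 of syslog rec.
##
## also create a non-jump table that lists field 5 values that can
## look like programs (end in :) but are actually continuation lines-
## key is value in field 5, value in table is program that would
## generate this continuation line.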
##
## decode_table contains jumps to decode by program
## pgm_continuation_table contains possible continuation values
## and these are defined with decode_table
##
## How process_input / process_record use these tables:
##   %decode_table        key = the syslog program field cut just after its
##                        first '[' (e.g. "sshd["), or the whole field when it
##                        has none (e.g. "nfs:"); value = coderef called with
##                        no arguments.  process_record treats the record as
##                        handled when the coderef leaves $major_type_found == 1.
##   %decode_table_skip   same key; the record is dropped without output.
##   %decode_table2 / %decode_table_skip2
##                        keyed on the first data word instead of the program,
##                        for messages several programs emit identically.
##   %pgm_continuation_table
##                        key = a field that looks like a program, value = the
##                        program key whose previous record it really continues.
## All lookups are exact hash matches, so a program not listed here falls
## through to the UNKNOWN path in process_record rather than being decoded.
## The Decode_*_init() calls prime per-program second-stage tables and are
## kept in place so they run exactly once, right after their table entry.
##
##########################
###############
## Generic across all systems
###############
$decode_table{"syslogd:"} = \&Decode_syslogd;

###############
## Solaris on sparc
###############
if ($SYSTYPE eq "ALL" || $SYSTYPE eq "sparc") {
    ## general programs should be across all systems, more or less
    $decode_table{"mimedefang["}             = \&Decode_mimedefang;             Decode_mimedefang_init();
    $decode_table{"mimedefang.pl["}          = \&Decode_mimedefang_pl;          Decode_mimedefang_pl_init();
    $decode_table{"mimedefang-multiplexor["} = \&Decode_mimedefang_multiplexor; Decode_mimedefang_multiplexor_init();
    $pgm_continuation_table{"Plugin:"} = "mimedefang-multiplexor[";
    $decode_table{"procmail["} = \&Decode_procmail;   # but check above for add_var_list_out
    $decode_table{"imapd["}    = \&Decode_imapd;    Decode_imapd_init();    ## second stage jump table
    $decode_table{"ipop2d["}   = \&Decode_ipop2d;
    $decode_table{"ipop3d["}   = \&Decode_ipop3d;   Decode_ipop3d_init();
    $decode_table{"inetd["}    = \&Decode_inetd;    Decode_inetd_init();
    $decode_table{"sshd["}     = \&Decode_sshd;     Decode_sshd_init();     ## second stage jump table 2 # check this for add_var_list_out
    $decode_table{"sendmail["} = \&Decode_sendmail; Decode_sendmail_init(); ## second stage jump table.
    $decode_table{"pmx-milter["}  = \&Decode_pmx_milter;    ## puremessage filters..
    $decode_table{"pmx-manager["} = \&Decode_pmx_manager;   ## puremessage filters..
    $decode_table{"sm-queue["}    = \&Decode_sm_queue;      ## puremessage filters, also
    $decode_table{"xlock["}   = \&Decode_xlock;
    $decode_table{"xlock:"}   = \&Decode_xlock;
    $decode_table{"xntpd["}   = \&Decode_xntpd;   Decode_xntpd_init();
    $decode_table{"radiusd["} = \&Decode_radiusd;
    $decode_table{"ntpdate["} = \&Decode_ntpdate;
    $decode_table{"in.named["} = \&Decode_named;  Decode_named_init();   # DO DDD2
    $decode_table{"named["}    = \&Decode_named;   ## Decode_named_init() is same as for in.named
    $decode_table{"in.identd["} = \&Decode_identd;
    $decode_table{"identd["}    = \&Decode_identd;   ## same as in.identd
    $decode_table{"tidentd:"}   = \&Decode_tidentd;
    $decode_table{"cron["}  = \&Decode_cron;
    $decode_table{"nmbd["}  = \&Decode_nmbd;   # minimal decode
    $decode_table{"smbd["}  = \&Decode_smbd;
    $decode_table{"in.fingerd["}  = \&Decode_fingerd;
    $decode_table{"fingerd["}     = \&Decode_fingerd;
    $decode_table{"in.rexecd["}   = \&Decode_inrexecd;
    $decode_table{"in.timed["}    = \&Decode_timed;
    $decode_table{"in.daytimed["} = \&Decode_daytimed;
    $decode_table{"rexecd["}      = \&Decode_rexecd;
    $decode_table{"in.rshd["}     = \&Decode_rshd;
    $decode_table{"rsh["}         = \&Decode_rsh;
    $decode_table{"in.rwhod["}    = \&Decode_in_rwhod;
    $decode_table{"in.rlogind["}  = \&Decode_rlogind;
    $decode_table{"rlogind["}     = \&Decode_rlogind;
    $decode_table{"in.telnetd["}  = \&Decode_telnetd;
    $decode_table{"telnetd["}     = \&Decode_telnetd;
    $decode_table{"in.ftpd["}     = \&Decode_ftpd;   Decode_ftpd_init();   ##in.ftpd, ftpd
    $decode_table{"ftpd["}        = \&Decode_ftpd;   #same as in.ftpd
    $decode_table{"saslauthd["}   = \&Decode_saslauthd;
    $decode_table{"snmpd["}       = \&Decode_snmpd;    #doubtfully Solaris specific, but probably customized for solaris
    $decode_table{"gconfd"}       = \&Decode_gconfd;   # Real Detail only (no ':' or '[' - field is "gconfd (user-pid):")
    $decode_table{"winlock:"}     = \&Decode_winlock;  ## Solaris customized. should be on some other systems, I would think
    $decode_table{"nfs:"} = \&Decode_nfs;
    $pgm_continuation_table{"Action:"} = "nfs:";
    $decode_table{"nfssrv:"}                  = \&Decode_nfssrv;
    $decode_table{"/usr/lib/nfs/nfsd["}       = \&Decode_slash_nfsd;
    $decode_table{"/usr/lib/nfs/nfsmapid["}   = \&Decode_nfsmapid;
    $decode_table{"vold["}           = \&Decode_vold;
    $decode_table{"/usr/sbin/vold["} = \&Decode_vold;
    $decode_table{"bootpd["}      = \&Decode_bootpd;
    $decode_table{"automountd["}  = \&Decode_automountd;
    $decode_table{"printer:"}     = \&Decode_printer;
    $decode_table{"svc.startd["}  = \&Decode_svc_startd;
    $decode_table{"mountd["}  = \&Decode_mountd;
    $decode_table{"mount["}   = \&Decode_mount;
    $decode_table{"printd["}  = \&Decode_printd;
    $decode_table{"lp["}      = \&Decode_lp;
    $decode_table{"lpr["}     = \&Decode_lpr;
    $decode_table{"lpq["}     = \&Decode_lpq;
    $decode_table{"in.lpd["}  = \&Decode_lpd;
    $decode_table{"lpstat["}  = \&Decode_lpstat;
    $decode_table{"cancel["}  = \&Decode_cancel;
    $decode_table{"lprm["}    = \&Decode_lprm;
    $decode_table{"lpsched["} = \&Decode_lpsched;
    $decode_table{"bsd-gw["}  = \&Decode_bsd_gw;
    $decode_table{"rpcbind:"} = \&Decode_rpcbind;
    $decode_table{"statd["}   = \&Decode_statd;
    $decode_table{"nisd["}    = \&Decode_nisd;
    $decode_table{"nisping["} = \&Decode_nisping;
    $decode_table{"user2netname:"}     = \&Decode_user2netname;
    $decode_table{"dtlogin["}          = \&Decode_dtlogin;
    $decode_table{"/sbin/dhcpagent["}  = \&Decode_dhcpagent;
    $decode_table{"passwd["}  = \&Decode_passwd;
    $decode_table{"autofs:"}  = \&Decode_autofs;
    $decode_table{"reboot:"}  = \&Decode_reboot;
    $decode_table{"halt:"}    = \&Decode_halt;
    ## Solaris specific programs/msgs, hardware boot msgs, etc
    $decode_table{"root:"}  = \&Decode_root;
    $decode_table{"audit:"} = \&Decode_audit;   Decode_audit_init();
    $decode_table{"unix:"}  = \&Decode_unix;    Decode_unix_init();
    $pgm_continuation_table{"NOTICE:"} = "genunix:";
    $decode_table{"genunix:"} = \&Decode_genunix;
    $pgm_continuation_table{"%l4-7:"} = "genunix:";
    $decode_table{"stfontserverd["} = \&Decode_stfontserverd;
    $decode_table{"ufs:"}   = \&Decode_ufs;
    $decode_table{"su:"}    = \&Decode_su;
    $decode_table{'nscd['}  = \&Decode_nscd;
    $decode_table{"tmpfs:"} = \&Decode_tmpfs;
    $decode_table{"pcfs:"}  = \&Decode_pcfs;
    $decode_table{"hsfs:"}  = \&Decode_hsfs;
    $decode_table{"swapgeneric:"}    = \&Decode_swapgeneric;
    $decode_table{"rpc.nispasswdd["} = \&Decode_rpc_nispasswdd;
    $decode_table{"dada:"} = \&Decode_dada;   # ATA disk OK
    $decode_table{"usba:"} = \&Decode_usba;
    $decode_table{"ipf:"}  = \&Decode_ipf;    #ip filter
    ## fmd (fault manager) reports span several lines, each tagged with one of these
    $decode_table{"fmd:"} = \&Decode_fmd;
    $pgm_continuation_table{"EVENT-TIME:"}   = "fmd:";
    $pgm_continuation_table{"PLATFORM:"}     = "fmd:";
    $pgm_continuation_table{"SOURCE:"}       = "fmd:";
    $pgm_continuation_table{"EVENT-ID:"}     = "fmd:";
    $pgm_continuation_table{"DESC:"}         = "fmd:";
    $pgm_continuation_table{"AUTO-RESPONSE:"} = "fmd:";
    $pgm_continuation_table{"IMPACT:"}       = "fmd:";
    $pgm_continuation_table{"REC-ACTION:"}   = "fmd:";
    $decode_table{"simba:"} = \&Decode_simba;
    $decode_table{"sbus:"}  = \&Decode_sbus;   #old sbus
    $decode_table{"ebus:"}  = \&Decode_ebus;   #pci/isa bridge driver
    $decode_table{"uata:"}  = \&Decode_uata;   #ide host bus adapter driver
    $decode_table{"qlc:"}   = \&Decode_qlc;    #host bus adapter driver
    $decode_table{"px:"}      = \&Decode_pci_generic;
    $decode_table{"px_pci:"}  = \&Decode_pci_generic;   #pci Device
    $decode_table{"pcisch:"}  = \&Decode_pci_generic;   #pci Devices
    $decode_table{"pci_pci:"} = \&Decode_pci_generic;   #pci Devices
    $decode_table{"pcipsy:"}  = \&Decode_pci_generic;   #pci Devices
    $decode_table{"nis_cachemgr:"}   = \&Decode_nis_cachemgr;
    $decode_table{"savecore:"}       = \&Decode_savecore;   #solaris crash dump saver
    $decode_table{"bootparam_prot["} = \&Decode_bootparam_prot;
    $decode_table{"inetadm["}        = \&Decode_inetadm;
    $decode_table{"krtld:"}          = \&Decode_krtld;      #solaris kernel ld errs.
    $decode_table{"power:"} = \&Decode_power;
    $decode_table{"scsi:"}  = \&Decode_scsi;   # DO DDD
    $pgm_continuation_table{"mpt0:"} = "scsi:";
    $pgm_continuation_table{"mpt1:"} = "scsi:";
    $pgm_continuation_table{"mpt2:"} = "scsi:";
    $pgm_continuation_table{"mpt3:"} = "scsi:";
    $decode_table{"rootnex:"}               = \&Decode_rootnex;
    $decode_table{"/usr/lib/power/powerd:"} = \&Decode_powerd;
    $decode_table{"sys-suspend:"}           = \&Decode_sys_suspend;
    $decode_table{"fd:"}  = \&Decode_fd;    # floppy disk
    $decode_table{"sd:"}  = \&Decode_sd;    #scsi disk
    $decode_table{"ip:"}  = \&Decode_ip;
    $decode_table{"ge:"}  = \&Decode_ge;    #Gigabit-Ethernet driver
    $decode_table{"bge:"} = \&Decode_bge;   # Gigabit Ethernet driver
    $decode_table{"qfe:"} = \&Decode_qfe;   #Quad Fast-Ethernet driver
    $decode_table{"hme:"} = \&Decode_hme;   #Fast-Ethernet driver
    $decode_table{"eri:"} = \&Decode_eri;   #Fast Ethernet driver
    $decode_table{"nge:"} = \&Decode_nge;   #Fast Ethernet driver
    $decode_table{"gld:"} = \&Decode_gld;   #general lan driver
    $decode_table{"mac:"} = \&Decode_mac;   #net registration of some type
    $decode_table{"kfb:"}    = \&Decode_graphics_generic;   #graphics card
    $decode_table{"pfb:"}    = \&Decode_graphics_generic;   #xvr-100 video card
    $decode_table{"m64:"}    = \&Decode_graphics_generic;   #m64 frame buffer
    $decode_table{"gfxp:"}   = \&Decode_graphics_generic;   #PGX32 Card
    $decode_table{"upa64s:"} = \&Decode_graphics_generic;   # graphics port conn to graphics card
    ### talky daemons we add to avoid lots of unknown msgs. just count msgs from them, unless -DD, then verbose.
    $decode_table{"dtsession["}            = \&Decode_daemon_generic;   ## on sun, netscape stupid log msg added by dtsession
    $decode_table{"dtspcd["}               = \&Decode_daemon_generic;
    $decode_table{"in.rarpd["}             = \&Decode_daemon_generic;
    $decode_table{"snmpXdmid:"}            = \&Decode_daemon_generic;
    $decode_table{"WBEM_Logging_Service["} = \&Decode_daemon_generic;
    $decode_table{"/usr/lib/snmp/snmpdx:"} = \&Decode_daemon_generic;   ## for us, just dumb shutdown msgs. for others?
    ## we should do in.routed someday
    $decode_table{"raid:"}    = \&Decode_raid;      #hardware raid array
    ### $decode_table{"rdriver:" } = \&Decode_rdriver;   #hardware raid array - no testing available
    $decode_table{"picld["}   = \&Decode_picld;
    $decode_table{"pseudo:"}  = \&Decode_pseudo;

    #########################################
    ##
    ## skip table for junk entries - we can safely just skip these
    ##
    ################################################
    ## skip junk
    $decode_table_skip{"'\""}         = 1;   ## sun hardware/boot msgs (program field is the two characters '")
    $decode_table_skip{"netstandard:"} = 1;   ##network printing program
    ## generic skippers
    $decode_table_skip{"spamc["} = 1;
    $decode_table_skip{"spamd["} = 1;
    ## solaris skip programs
    $decode_table_skip{"dtfile["}                  = 1;   #V2.3
    $decode_table_skip{"/usr/dt/bin/ttsession["}   = 1;
    $decode_table_skip{"xautolock["}               = 1;   ## seems to not log anything
    ##some ttdbserverd msgs probably should be viewed
    $decode_table_skip{"rpc.ttdbserverd["}             = 1;
    $decode_table_skip{"/usr/dt/bin/rpc.ttdbserverd["} = 1;   ##gotta fix names..
    ##
    ## skip printer model names, extra printer stuff - sun only so far
    $decode_table_skip{"netpr["}      = 1;   #standard solaris output
    $decode_table_skip{"jetstandard:"} = 1;
    # $decode_table_skip{"lpd-port[" } = 1;

    ###
    ### decode 1st field in data area. This is useful when multiple programs issue the same
    ### error code that should always be skipped, or processed in the same way.
    ### tabulated for standard perusal...
    ###
    $decode_table2{"clnt_dg_create:"} = \&Decode2_clnt_dg_create;
    ## skip Sun msgs we cant do anything about
    $decode_table_skip2{"authdes_refresh:"}   = 1;
    $decode_table_skip2{"authdes_seccreate:"} = 1;
    $decode_table_skip2{"authdes_validate:"}  = 1;
    $decode_table_skip2{"user2netname:"}      = 1;
    $decode_table_skip2{"_svcauth_des:"}      = 1;
    $decode_table_skip2{"keyserv_client:"}    = 1;
    $decode_table_skip2{"database:"}          = 1;   ## on sun, gnome utilities startup with this record, such as gnome-pdf-viewer
    $decode_table_skip2{"NIS+:"}              = 1;   ## on sun, we get err when some people mess with shell
}

###############
## Mac OS X
## Under -sys ALL these run after the sparc section; "ntpdate[" and "su:"
## are assigned again here with the same subs, so the overlap is harmless.
###############
if ($SYSTYPE eq "ALL" || $SYSTYPE eq "osx") {
    $decode_table{"ntpd["}          = \&Decode_ntpd;   Decode_ntpd_init();
    $decode_table{"ntpdate["}       = \&Decode_ntpdate;
    $decode_table{"cp:"}            = \&Decode_cp;
    $decode_table{"su:"}            = \&Decode_su;
    $decode_table{"sudo:"}          = \&Decode_sudo;
    $decode_table{"shutdown:"}      = \&Decode_shutdown;
    $decode_table{"launchd:"}       = \&Decode_launchd;
    $decode_table{"lookupd["}       = \&Decode_lookupd;
    $decode_table{"configd["}       = \&Decode_configd;
    $decode_table{"mDNSResponder:"} = \&Decode_mDNSResponder;
    $decode_table{"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow:"} = \&Decode_loginwindow;
    $decode_table{"loginwindow["}       = \&Decode_loginwindow;
    $decode_table{"xinetd["}            = \&Decode_xinetd;
    $decode_table{"ConsoleMessage:"}    = \&Decode_ConsoleMessage;
    $decode_table{"diskarbitrationd["}  = \&Decode_diskarbitrationd;
    $decode_table{"DirectoryService["}  = \&Decode_DirectoryService;
    $decode_table{"mdimportserver["}    = \&Decode_mdimportserver;
    $decode_table{"SystemStarter["}     = \&Decode_SystemStarter;
    $decode_table{"mDNSResponder-107"}   = \&Decode_mDNSResponder_107;     ## hmm.. the -107 may be just bs..
    $decode_table{"mDNSResponder-107.3"} = \&Decode_mDNSResponder_107_3;   ## hmm.. the -107 may be just bs..
    $decode_table{"automount["}         = \&Decode_automount;
    $decode_table{"kernel["}            = \&Decode_kernel;   Decode_kernel_init();
    $decode_table{"SecurityAgent["}     = \&Decode_SecurityAgent;
    $decode_table{"KernelEventAgent["}  = \&Decode_KernelEventAgent;
    $decode_table{"enable-network["}    = \&Decode_enable_network;
    $decode_table{"launchproxy["}       = \&Decode_launchproxy;
    $decode_table{"com.apple.SecurityServer:"} = \&Decode_com_apple_SecurityServer;
    $decode_table{"Software"}           = \&Decode_Software;   ##Actually, should be Software Update[ - the space splits the field
    $decode_table{"memberd["}           = \&Decode_memberd;
    $decode_table{"crashdump["}         = \&Decode_crashdump;
    $decode_table{"postfix/postqueue["} = \&Decode_postfix_postqueue;
    $decode_table{"/System/Library/CoreServices/KerberosAgent.app/Contents/MacOS/KerberosAgent["} = \&Decode_apple_kerb;
    $decode_table{"/System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer:"}  = \&Decode_macos_ccacheserver;
    $decode_table{"/Applications/Mail.app/Contents/MacOS/Mail:"} = \&Decode_macos_mail;
    $decode_table_skip{":"}        = 1;
    $decode_table_skip{"Classic["} = 1;   ## classic startup
    $decode_table_skip{"/System/Library/CoreServices/Software"} = 1;   ## software update. more after Software...
## NOTE(review): this listing is collapsed onto a handful of physical lines and
## the readline operator in both `while () {` loops looks lost in extraction
## (each body uses $_ / chop the way a per-line read would), so treat the text
## below as a reference copy, not as runnable code.
## SECURITY NOTE(review): $skipfile (from -skipfile) and $SYSLOGFILE (taken
## from $ARGV[0]) both reach a two-argument open().  With two-arg open a name
## beginning with '>' or '|' (or ending in '|') is parsed as a mode or a pipe
## rather than a plain file name, so a hostile argument can clobber a file or
## run a command.  Three-argument open, e.g. open(my $fh, '<', $name) or die,
## takes the name literally.  The code relies on undeclared package globals
## throughout, so there is no strict mode to flag this.
## NOTE(review): the comment says the default log is /var/log/syslogd.all but
## the code assigns /var/log/syslog; one of the two is stale.
## NOTE(review): $SIG{'INT'} names the handler by string; sig_handler itself
## is not visible in this part of the listing.  The first record is read twice
## via process_record() so $start_date comes from a record whose first field
## is a month abbreviation rather than from a junk leading line.
$decode_table_skip2{"CGContextGetCTM:" } = 1; } ### ### Now read in anything the user wants to skip from a file ### if ($skipfile) { open(SKIPFILE,$skipfile) || die "Error - can not open skip file * $skipfile *" ; while () { chop; $Userskip{$_}=1; } close SKIPFILE; } ######################################################## ## ## MAIN PROCESSING LOOP IS HERE ## ########################################################## ## ## default log file is /var/log/syslogd.all ## unless overridden on command line ## if ($#ARGV < 0) { $SYSLOGFILE="/var/log/syslog"; } else { $SYSLOGFILE=$ARGV[0];} open(SYSLOGFILE,$SYSLOGFILE) || die "unable to open input file $SYSLOGFILE"; #### -- main output shell gatherer. # ################ # IN THIS LOOP WE CATCH SIG_INT TYPE INTERRUPTS # AND GO TO OUTPUT ROUTINE ################# $SIGNAL_SAYS_GO = 1; $SIG{'INT'} = 'sig_handler'; ## define handler routine. $my_getout = 1 ; process_record(); if ($syslog_rec->[0] ne "Jan" && $syslog_rec->[0] ne "Feb" && $syslog_rec->[0] ne "Mar" && $syslog_rec->[0] ne "Apr" && $syslog_rec->[0] ne "May" && $syslog_rec->[0] ne "Jun" && $syslog_rec->[0] ne "Jul" && $syslog_rec->[0] ne "Aug" && $syslog_rec->[0] ne "Sep" && $syslog_rec->[0] ne "Oct" && $syslog_rec->[0] ne "Nov" && $syslog_rec->[0] ne "Dec") { $my_getout = 1 ; process_record(); } $start_date = join (" ", $syslog_rec->[0], $syslog_rec->[1], $syslog_rec->[2]); ## start date from 2nd rec in case first is junk $my_getout = -1; process_record(); process_output(); exit; ### ok, done. ################################################################# # # pre-process input log files to form records, as 1 record might # be continued over several physical ones. Biggest problem is # records from various machines interminged... # ################################################################# sub process_input { if (! 
## NOTE(review): process_input depends on a bare `split;` populating @_
## (fields are then read as $_[3], $_[4] and via splice(@_, ...)).  Implicit
## split into @_ has been fatal since Perl 5.12, so on a modern perl this needs
## an explicit target array, with @_ replaced by it below.
## NOTE(review): in the "stupid programs" check,
## `substr($check_pname,0,index($pname, '[')+1 )` indexes $pname (set by
## process_record for the previous record) instead of $check_pname; it reads
## like a copy/paste slip and probably should be index($check_pname, '[').
defined $Input_rec_eof) { ## we still have some input left - maybe while () { $input_rec_cnt++; chop; split; ### if ($#$syslog_rec < 9 && substr($syslog_rec->[5],0,1) eq "'") { next; } ## probably tail end of rec or blank line. ## ## Now see if this is a 'last message repeated .. time' line. If so, substitute the previous msg. ## or just skip if previous msg empty. Do on a per/machine (not group) level. ## $machine=$_[3]; if ($Last_Host_name ne $machine) { ## this stupid if clause save 5-10% run time compared to alwasy lookup. $host_index = &Get_Table_Entry ($machine); ## entry into table of counters $Last_host_index = $host_index; $Last_Host_name=$machine; } if ($_[4] eq "last" && $_[5] eq "message" && $_[6] eq "repeated") { # use old line stuff - do not decompose new line if ($OUTPUT_STATS) { ## if we want stats on rec counts, add them here. $STATS_log_entry{"last_msg_repeated"}++; } ## if ( ! defined (@$hold_prev_rec{$machine}) ) { next;} # in case of log rollover if ( ! defined $STATS_mach_rec_cnt{$machine} ) { next;} # in case of log rollover $EVENT_TIMES = $_[7]; } else { $EVENT_TIMES = 1; $data_field=4; #start of possible data if continuation rec if (substr($_[4],-1,1) eq ':' ) { ## regular start $data_field=5; } else { if ( substr($_[5],-2,2) eq '):') { $data_field=6; } ## skip extra garbage on special line - "gconfd (1atoporo-14120):" } if ($data_field != 4) { ## not continuation line - but check vs stupid programs. $check_pname=$_[4]; if (index($check_pname, '[') >= 0 ) { $check_pname=substr($check_pname,0,index($pname, '[')+1 ); } if (defined $pgm_continuation_table{$check_pname}) { $t1 = $hold_prev_input_rec{$machine}; $check_prev_pname = $t1->[4]; if ( $pgm_continuation_table{$check_pname} eq $check_prev_pname) { $data_field=4; } } } if ($data_field == 4) { ## continuation line - add to previous line if ( ! defined $STATS_mach_rec_cnt{$machine} ) { next;} # in case of log rollover # if ( ! 
## NOTE(review): once $Input_rec_eof is set, each call walks
## %hold_prev_input_rec with each(), hands back one held record per machine
## and deletes that key, so the caller keeps re-entering until the hash is
## empty; only then is $Global_input_eof set and 0 returned.
defined (@$hold_prev_rec{$machine}) ) { next;} # in case of log rollover $t2 = $hold_prev_input_data{$machine}; $syslog_data = [splice(@_, $data_field)]; $hold_prev_input_data{$machine} = [ @$t2, @$syslog_data]; ## $hold_prev_input_data{$machine} = [ @$t2, $pname, [splice(@_, $data_field)]]; $t2 = $hold_prev_input_data{$machine}; next; } ## end of continuation line if ( $_[$data_field] eq '[ID' ) { $data_field=$data_field+3;} ## skip solaris 8 9 10 etc ID fields if ( ! defined $STATS_mach_rec_cnt{$machine} ) { # first record for machine. prime hold loop $STATS_mach_rec_cnt{$machine}=1; $hold_prev_input_data{$machine} = [splice(@_, $data_field)]; $hold_prev_input_rec{$machine} = [splice(@_, 0,$data_field)]; next; } $STATS_mach_rec_cnt{$machine}++; $syslog_rec= $hold_prev_input_rec{$machine}; $syslog_data = $hold_prev_input_data{$machine}; $hold_prev_input_data{$machine} = [splice(@_, $data_field)]; $hold_prev_input_rec{$machine} = [splice(@_, 0,$data_field)]; return(1); } } #while read is done - eof only } # end of if of $Input_rec_eof $Input_rec_eof = 1; my($key, $value); # @cc{Declare two variables at once} while ( ($key, $value) = each(%hold_prev_input_rec) ) { $machine = $key; $host_index = &Get_Table_Entry ($machine); ## entry into table of counters $syslog_rec= $hold_prev_input_rec{$machine}; $syslog_data = $hold_prev_input_data{$machine}; delete ($hold_prev_input_rec{$machine}); delete ($hold_prev_input_data{$machine}); return(1); } $Global_input_eof = 1; return (0); } ################################################################# # # pre-process each record here divide into fields, skip obvious junk # ################################################################# sub process_record { while (process_input()) { ## ### Decode by program name as per syslog file ## $pname=$syslog_rec->[4]; if (index($pname, '[') >= 0 ) { $pname=substr($pname,0,index($pname, '[')+1 ); } if ($OUTPUT_STATS) { ## if we want stats on rec counts, add them here. 
## SECURITY NOTE(review): with -W, unknown records are echoed verbatim
## (print " UNKNOWN rec type - @$syslog_rec @$syslog_data\n").  Syslog text
## is written by whoever can log to the host, so raw control/escape sequences
## inside a message reach the reviewer's terminal unfiltered; strip
## non-printables (e.g. s/[^[:print:]]/?/g on the joined string) before
## printing.  Decoders are selected by hash lookup
## (&{$decode_table{$pname}}()), so a log-supplied program name can only pick
## a pre-registered handler, never arbitrary code.
## NOTE(review): `$host_index eq 0` is a string comparison against "0".
$STATS_machine[$host_index]++; $STATS_log_entry{$pname}++; } ## drop recs we dont care about if ( $#$syslog_data < 0) { next;} ## no data fields. if ($host_index eq 0) { next;} ## we dont care, like in printers we hate, whatever ## drop user defined skips if (defined $Userskip{$pname}) {next;}; $major_type_found = 0; ## inetd or sendmail or ... Decode_field_4_etc: { if (defined $decode_table{$pname}) { &{$decode_table{$pname}}() ; if ($major_type_found == 1) { next; } } ## junk records we can skip... if (defined $decode_table_skip{$pname}) { $major_type_found = 1; next; } ## now decode data field 1 if (defined $decode_table2{$syslog_data->[0]}) { &{$decode_table2{$syslog_data->[0]}}() ; if ($major_type_found == 1) { next; } } if (defined $decode_table_skip2{$syslog_data->[0]}) { if ($DETAILED_OUTPUT) { (@line_list) = (@{$syslog_data}[0 .. $#$syslog_data]); $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%skip_data1_table, $pname,(@line_list)); } else { $TEMP_key = join ("-",$pname, $syslog_data->[0]); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%skip_data1_table, $pname, $syslog_data->[0]); } $major_type_found = 1; next; } if ($major_type_found == 0) { if ($DO_WARN_OUTPUT) { print " UNKNOWN rec type - @$syslog_rec @$syslog_data\n"; } else { add_list_out($pname, $host_index, $EVENT_TIMES, \%Unknown_cmd_table, $pname); } } } # end Decode_field_4 ## ok, get out of it when we are done according to loop counter $my_getout--; return if $my_getout == 0; } } ## end of input processing section ############################### ## ## Control section for output ## ############################### sub process_output { #################### # # ok, we need to sort output if Verbose, as there # is no rhyme or reason for it. # # Also, 2 different outputs possible - mach and mach.domain # attend to truncating.. # # or I suppose we could sort it on input....Nah.. 
## NOTE(review): process_output seeds @outindex with the identity order and,
## when $ALLOW_UNKNOWN_MACHINES is set, re-sorts it alphabetically by host name
## (the table index is folded into the key so duplicate names stay distinct),
## then runs the section printers in a fixed order.  process_output_hardware
## and process_output_services are plain dispatch lists for their sub-sections.
# ##################### ## for normal for ($i = 1; $i<=$table_index ; $i++) { $outindex[$i]=$i; $outkey{join (" " ,$table_id[$i],$i)}= $i; ## $i part of key for uniqueness.. } ## Sort the machines in alpha order for verbose output. if ( $ALLOW_UNKNOWN_MACHINES ){ $i=1; foreach $k (sort (keys %outkey)) { $outindex[$i]= $outkey{$k}; $i++; } } ### -- prelims over. Now for the output.. process_output_syslog(); process_output_hardware(); ## multiples - see below process_output_sys_daemons (); process_output_daemons (); ## inetd, svc, etc process_output_services (); ## major daemons such as ftp, bind. ... -see below process_output_logins (); process_output_root_logins (); process_output_radius_server (); process_output_logins_per_hour(); } sub process_output_hardware() { process_output_hardware_boot(); process_output_hardware_errs(); process_output_hardware_devs(); process_output_hardware_net(); process_output_hardware_file_sys(); } sub process_output_services() { process_output_services_ftpd(); process_output_services_named(); process_output_services_print(); process_output_services_ident(); process_output_services_rpcbind(); process_output_services_time(); process_output_services_snmp(); process_output_services_mail(); } #--------------- # syslog output #--------------- sub process_output_syslog() { $end_date = join (" ", @$syslog_rec[0 .. 
## NOTE(review): $end_date is taken from whatever $syslog_rec held when input
## stopped (EOF or the INT handler); it is not validated as a date the way
## $start_date is in the main loop.
2]); ## last rec from while loop or control-c #$start_date = join (" ", $syslog_rec->[0], $syslog_rec->[1], $syslog_rec->[2]); ## start date from 2nd rec in case first is junk print " \n\n\n" ; print " Syslog statistics report from $start_date to $end_date \n"; print " We processed $input_rec_cnt records from $SYSLOGFILE\n"; print " " ; @Headers= ( "<-------------- syslogd messages logged to syslog ------------->", "configuration going configuration no space console other", " restart down file err left I/O err I/O err"); put_unique_table_out ( " %6d %5d %6d %6d %7d %7d\n", \@Headers, \@syslogd_restart, \@syslogd_going_down, \@syslogd_config_file_err, \@syslogd_console_io_err, \@syslogd_no_space, \@syslogd_other_io_err ); put_usual_list_out("<------------- SYSLOGD Detail error messages ------------>", \%syslogd_full_msg_table); # -- if we have apple logs, print recs skipped because authentication logs messed up @Headers= ( "<---- Apple Security Authentication log records skipped ---->", "<---- due to improper log entry sequencing. 
## NOTE(review): in the $OUTPUT_STATS loop, `$i == 1` compares a
## program-name key of %STATS_log_entry numerically; a non-numeric name
## evaluates to 0, so the $NO_STEALTH_OUTPUT branch can only fire for a key
## that is literally "1".  Elsewhere in this file $i is a numeric machine
## index, which is probably what was meant; confirm before changing.
---->", " Authentication Authentication", " Successes Failures" ); put_unique_table_out ( " %5d %5d\n", \@Headers, \@apple_secserv_skip_succeed, \@apple_secserv_skip_fail ); # -- UNKNOWN RECORDS put_usual_list_out("<------ Syslog records that were unknown to this program ------>", \%Unknown_cmd_table); # -- skipped due to data field 1 put_usual_list_out("<------ Records skipped for these programs and interfaces ------>", \%skip_data1_table); if ($OUTPUT_STATS) { ## stats by machine, source @Headers= ( " syslog", "record counts" ); put_unique_table_out ( " %8d\n", \@Headers, \@STATS_machine ); # data collected by $STATS_log_entry{$pname}; Special format $m_head_x01 = substr("syslog rec ",0,$OUTPUT_MACHINE_FIELD_SIZE); $m_head_x02 = substr(" type ",0,$OUTPUT_MACHINE_FIELD_SIZE); $Out_header =1; foreach $i (sort (keys %STATS_log_entry)) { $check_sum = $STATS_log_entry{$i}; if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum > 0 ) { if ($Out_header) { $Out_header = 0; print " \n"; print " \n"; print " \n"; print "$m_head_x01 record\n"; print "$m_head_x02 counts\n"; } $new_table_id = substr(join("",$i," "),0,$OUTPUT_MACHINE_FIELD_SIZE); printf " %s %8d\n", $new_table_id, $STATS_log_entry{$i}; } } } ## end of stats output } # END PROCESS_OUTPUT_SYSLOG sub process_output_hardware_boot () { ## ##---- system boot recs ## # -- system reboot recs. @Headers= ( "<-------- system reboots, reboots, halts ------------->", "<-- command counts -> power off power power ", "<-reboot-> <- halt -> requests button button", " by by by by button or SC pressed pressed", "root|other root|other #reqs/Failed 2 times >2 times" ); put_unique_table_out ( "%4d|%4d %5d|%5d %5d/%6d %7d %7d\n", \@Headers, \@reboot_cmd_cnt_root, \@reboot_cmd_cnt_other, \@halt_cmd_cnt_root, \@halt_cmd_cnt_other, \@power_button_off, \@power_button_off_fail, \@genunix_power_button_2, \@genunix_power_button_3 ); # -- MORE system reboot recs. 
## NOTE(review): `if (DETAILED_OUTPUT)` below carries no sigil, so it tests
## the bareword string "DETAILED_OUTPUT" (always true) rather than
## $DETAILED_OUTPUT as the rest of this file does; the "added at system boot"
## table therefore prints even without -D.
@Headers= ( "<---- system boots, reboots, halts ------------------------>", " sync system Auto- ", " Reboots file shutdown shutdown system ", " found by system via from coredumps system system", "mem=|audit records sys_suspend powerd started/ OK sleep wake "); put_unique_table_out ( "%4d|%5d %5d %6d %6d %5d/%4d %5d %5d\n", \@Headers, \@unix_mem_equals, \@audit_sys_boots, \@genunix_sync_recs, \@sys_suspend_shut, \@powerd_authshutdown, \@genunix_dumping, \@genunix_dumping_ok, \@kernel_system_sleep, \@kernel_system_wake); ## boot recs - non-errors usually if (DETAILED_OUTPUT) { ## V2.2 @Headers= ( "<----------- syslog entries added at system boot ----------->", " Kernel available CPU Additional Autofailback ", " cage mem TYPE CPUx disabled swap ", "ENABLED detected ID'd online (thru conf file) mounted"); put_unique_table_out ( "%5d %5d %4d %4d %4d %5d\n", \@Headers, \@unix_card_cage_ok, \@unix_avail_mem, \@unix_cpu_id, \@unix_cpu_init_online, \@scsi_auto_failback, \@swapgeneric_mount); } ## end of detailed output #-- proc table showing procs (trhreads) when system dumped coreS put_usual_list_out("<------ proc/thread names associated wth system abends ----------->", \%genunix_crash_proc_table); # -- machine errors, say at boot time.. 
## NOTE(review): the fmd call passes %fmd_detail_table by value (no
## backslash) while every sibling passes a \%hash reference, so
## put_usual_list_out receives the flattened key/value list instead of the
## table; looks like a missing "\".
put_usual_list_out("<------ Machine/kernel errors such as boot messages ----->", \%Machine_errs_table); #-- machine errs - suns predictive whatever daemon put_usual_list_out(" <------------ SUN Fault manager daemon error messages ----------->",%fmd_detail_table); #-- machine errs - suns picld daemon output put_usual_list_out("<------------ SUN picld daemon messages ----------->",\%picld_table); ## -- ok, so list cpus for the nosey put_usual_list_out("<------------ Sun machine type entries ----------->", \%rootnex_table); ## -- ok, so list cpus with spped for the nosey put_usual_list_out("<------------ Sun CPU ----------->", \%unix_cpu_table); ## -- ok, so list mem for the nosey put_usual_list_out("<------------ Sun memory installed entries ----------->",\%unix_mem_table); ## output detail recs of sbus devices found put_usual_list_out("<------------ SBUS device detection details ----------->",\%sbus_dev_msg_table); ## output detail recs of ebus devices found put_usual_list_out("<------------ EBUS devices found on bootup messages ----------->",\%ebus_dev_table); ## output detail recs of pci devices found put_usual_list_out("<------------ PCI devices found on bootup messages ----------->", \%pci_generic_dev_table); ## output detail recs of qlc devices found put_usual_list_out("<------------ qlc devices found on bootup messages ----------->", \%qlc_dev_table); ## output detail recs of psudo-devices put_usual_list_out("<------------ List of Pseudo devices ----------->", \%pseudo_dev_table); } # END OF PROCESS_OUTPUT_HARDWARE_BOOT sub process_output_hardware_errs() { ## -- system errors out @Headers= ( "<-------------------------- system errors ----------------------------->", " out of no swap exec rctl interrupt statd: Fatal BAD", " processes space code on errs and not no Port TRAP", " all/ user 4 stack stack warnings serviced response Error err"); put_unique_table_out ( "%6d/%6d %6d %6d %6d %6d %6d %6d %4d\n", \@Headers, \@genunix_out_of_all_proc, 
## NOTE(review): `\@$dada_ata_errs` dereferences the scalar $dada_ata_errs
## (autovivifying an empty anonymous array) instead of referencing
## @dada_ata_errs like the neighbouring \@dada_disk_ok, so the "ATA disk errs"
## column stays zero unless something else populates that scalar.
\@genunix_out_per_user_proc, \@genunix_no_swap_4_stack, \@genunix_exec_stack_code, \@genunix_rctl_condition_err, \@unix_interrupt_not_serv, \@statd_no_response, \@unix_fatal_port_err, \@unix_bad_trap_err); ## --- output any cant start pgms due to no memory msgs here -proably gnome put_usual_list_out("<---- Programs unable to be started - out of memory errors -------->", \%cant_create_no_mem_table); ## output rctl stats put_usual_list_out("<------------- rctl error messages ------------>", \%genunix_detail_rctl_counts_table); put_usual_list_out("<------------- BAD TRAP messages ------------>", \%unix_bad_trap_err_table); ## sys hardware errs @Headers= ( "<------------------------ hardware errors found by kernel ---------------------->", " unix removed periodic forceload device ", " scheduled page TOD tape ATA ATA raid of failed SUNW_", " page from clock cleaning disk disk event drv/..... power error", " ram removal service error needed errs OK records failed up msgs"); put_unique_table_out ( "%4d %5d %5d %5d %5d %5d %5d %5d %7d %6d %6d\n", \@Headers, \@AFSR_PSYND, \@unix_sched_remove_page, \@unix_removed_page, \@genunix_TOD_clock_err, \@Periodic_head_clean, \@$dada_ata_errs, \@dada_disk_ok, \@raid_rec_cnt, \@genunix_forceload_fail, \@genunix_dev_no_power_up, \@genunix_SUNW_msgs) ; ## output SUNW msg ids if we found any put_usual_list_out("<------------ SUN kernel level error messages ----------->", \%genunix_sunw_msg_id_table); ## output detail recs of of genunix dev err mgss put_usual_list_out(" <------------ Hardware error messages details ----------->", \%genunix_explain_dev_errs_table); ##---.. 
## NOTE(review): the header printed for %apple_crashdump_table ("...programs
## that had users successfully authenticate to") does not match the comment
## "programs ending in a crashdump" beside it; looks like a pasted header.
programs ending in a crashdump put_usual_list_out(" <------ Unsummarized Apple programs that had users successfully authenticate to ------>", \%apple_crashdump_table); } # END OF PROCESS_OUTPUT_HARDWARE_ERRS sub process_output_hardware_devs () { ## sys SCSI hardware errs @Headers= ( "<----------- SCSI errors found by kernel ------->", "<-Fault detected-> ", "<---Device is ---> dev. dev. disconn. ioc ", " <-unavail--> off- on- Dev. command init ", "avail once/ still line line down timeout fails") ; put_unique_table_out ( "%5d %5d/%6d %5d %5d %5d %5d %5d\n", \@Headers, \@genunix_dev_still_available, \@genunix_dev_unavailable, \@genunix_dev_still_unavailable, \@genunix_device_offline, \@genunix_device_online, \@genunix_device_down, \@genunix_disc_cmd_timeout, \@genunix_ioc_failure) ; ## -- scsi recs @Headers= ( "<--------- SCSI records summary Errors ------->", "device ASC sense WARNING Request block", " gone errors Key records (block errors)"); put_unique_table_out ( "%6d %6d %5d %6d %6d \n", \@Headers, \@scsi_dev_gone, \@scsi_asc_errs, \@scsi_asc_key_errs, \@scsi_warnings, \@scsi_req_block_recs) ; ## -- REAL detailed output of scsi at recs put_usual_list_out("<---------------- SCSI WARNING records Detail entries --------------->", \%scsi_WARNING_table); put_usual_list_out( "<---------------- SCSI records Detail entries interface types --------------->", \%scsi_at_detail_counts_table); put_usual_list_out( "<---------------- SCSI Sense Key record Detail - errors--------------->", \%scsi_sense_tail_key_table); put_usual_list_out( "<---------------- SCSI ASC records Detail - errors --------------->", \%scsi_asc_detail_key_table); put_usual_list_out( "<------------ SCSI device detection details ----------->", \%genunix_scsi_dev_table); ## output detail recs of of genunix scsi dev err mgss put_usual_list_out( "<------------ Hardware error messages details ----------->", \%genunix_explain_scsidev_errs_table); ## output detail recs of auto-failback records 
## NOTE(review): remainder of process_output_hardware_devs (SCSI/ATA/USB
## detail tables) followed by process_output_hardware_net.  In the wireless
## table the header row reads "UP Active DOWN" but the arrays are passed as
## airport_active, airport_up, airport_down, so the first two column labels
## look swapped relative to their values; the other formats in this stretch
## have matching conversion/array counts.
put_usual_list_out( "<------------ SCSI auto-failback messages ----------->", \%scsi_auto_failback_table); ## -- REAL detailed output of names of ata disk drives per machine. put_usual_list_out( "<------------ Disk Details entries ----------->", \%dada_detail_table); ## output detail recs of dada error msgs put_usual_list_out( "<------------ DADA driver (ATA disk) error messages details ----------->", \%dada_err_msg_table); ## output detail recs of uata devices found put_usual_list_out( "<------------ UATA devices found on bootup messages ----------->", \%uata_dev_table); ## output detail recs of graphics system msgs put_usual_list_out( "<------------ Grapics driver/hardware messages ----------->", \%graphics_msg_table); ## -- usb records @Headers= ( "<-------- USB Hardware Recognizion -------->", " no PM enabled", "keyboard mouse storage for device"); put_unique_table_out ( " %7d %5d %7d %7d\n", \@Headers, \@usba_keyboard, \@usba_mouse, \@usba_storage, \@usba_no_PM_4_dev); ### usb put_usual_list_out( "<------------USBA device mount details ----------->", \%usba_detail_table); ## --- PCI device listing put_usual_list_out( "<------------ SIMBA device detection details ----------->", \%simba_detail_table); ## output specific offline devices - scsi? stuff put_usual_list_out( "<------------ specific device offline/online/down messages ----------->", \%genunix_offline_table); } # END OF PROCESS_OUTPUT_HARDWARE_DEVS sub process_output_hardware_net () { ## --- network hardware settingd and defs. @Headers= ( "<--- Various configuration options messages -------->", " Appletalk ", "wireless enabled "); put_unique_table_out ( "%7d %5d\n", \@Headers, \@configd_wireless, \@configd_appletalk) ; ## --- wireless.. 
## NOTE(review): start of process_output_hardware_file_sys.  In the "files
## system errors" table the first two labels read "tempfs disk full" then
## "disk full" while the arrays are passed as @disk_full_cnt then
## @tmpfs_file_sys_full, so those two columns also appear label-swapped;
## verify against put_unique_table_out before relying on the report.
@Headers= ( "<---- wireless network--> <------------ wired network ------------>", " 10Mb 100Mb 1000Mb ", "<- Apple AirPort Links -> up up up up up up link", " UP Active DOWN half/full half/full half/full down"); put_unique_table_out ( " %5d %6d %5d %4d/%4d %4d/%4d %4d/%4d %4d\n", \@Headers, \@kernel_airport_active, \@kernel_airport_up, \@kernel_airport_down, \@global_network_up_10_half, \@global_network_up_10_full, \@global_network_up_100_half, \@global_network_up_100_full, \@global_network_up_1000_half, \@global_network_up_1000_full, \@global_network_down) ; @Headers = ( "<----------- Network Hardware Errors Details ------------>", "<--- Fault Detected --> Possible Fault cleared", "<- service Degraded -> cable Service", " 1st err still bad problem Available"); put_unique_table_out( " %6d %6d %6d %6d \n", \@Headers, \@genunix_dev_degraded, \@genunix_dev_still_degraded, \@genunix_dev_cable_down, \@genunix_dev_now_available); ### explain net errors when detail output put_usual_list_out( "<--------------- Network error records Detail entries --------->", \%genunix_explain_netdev_errs_table); ## output network devices msgs put_usual_list_out( "------- network device messages ---------------", \%network_dev_msg_table); } #### END OF PROCESS_OUTPUT_HARDWARE_NET sub process_output_hardware_file_sys() { ## ----- file system errors @Headers = ( "<------------------- files system errors --------------------->", " tempfs disk file system unexpected freeing", " disk disk ufs does not have a free free ", " full full WARNINGS UFS magik number inode frag "); put_unique_table_out( "%5d %5d %5d %6d %6d %6d\n", \@Headers, \@disk_full_cnt, \@tmpfs_file_sys_full, \@ufs_warning_cnt, \@ufs_mount_not_magik, \@ufs_unexpected_free_inode, \@unix_free_free_frag) ; put_usual_list_out( "<------------- ufs filesystems FULL ------------>", \%ufs_fs_full_table); put_usual_list_out( "<------------- tmpfs file system full messages ------------>", \%tmpfs_fs_full_table); put_usual_list_out( 
"<------------- ufs filesystem Detail error messages ------------>", \%ufs_warning_table); ##--- PCFS and HSFS @Headers = ( " <---- HSFS ---> <-- PCFS -->", " warning cron ", "mount (cdrom) /error status error err ", " OK mounts msgs msgs msgs msgs "); put_unique_table_out( "%5d %6d %6d %6d %5d %5d\n", \@Headers, \@local_mount, \@hsfs_mounts, \@hsfs_msgs, \@pcfs_msgs, \@pcfs_errs, \@cron_err_cnt) ; put_usual_list_out( "<------------- OK file system system mounts ------------>", \%mount_ok_table); put_usual_list_out( "<------------- PCFS error records ------------>", \%pcfs_errs_table); ### - quota messages @Headers = ( "<--- exceeded disk quota messages ---> ", "<-- soft ---> <--- hard --> disk and ", " disk file disk file time ", " space count space count limit"); put_unique_table_out( "%6d %6d %6d %6d %6d\n", \@Headers, \@over_soft_quota_cnt, \@over_soft_file_quota_cnt, \@over_hard_quota_cnt, \@over_hard_file_quota_cnt, \@over_disk_time_quota_cnt) ; ## details put_usual_list_out( "<------------- ufs - over quota errors ------------>", \%ufs_over_quota_table); ##---- NFS type file system msgs @Headers = ( "<---------------- NFS errors by clients ----------------->", " ", " can't dom. <--- server ----> can't ", " re- init name |mount| no get compound", " claim call miss |point| response mapping svr-fail write", " lock fail match OK| ok |1st (stil.) 
daemon timeout error"); put_unique_table_out( "%5d %5d %5d %5d|%5d|%5d(%5d) %5d %5d %5d\n", \@Headers, \@nfs_no_reclaim_lock, \@nfs_domain_not_matching, \@nfs_init_call_failed, \@nfs_server_ok, \@nfs_mount_pt_ok, \@nsf_client_svr_no_rsponse, \@nsf_client_svr_no_rsponse_still, \@nfs_cant_get_nfsmapid, \@nsf_client_compound_rpc_timeout, \@nsf_client_write_error) ; @Headers = ( "<------------------ NFS errors by clients ------------------------->", " ", " <----------- file recovery ---------> file", " errs errs | | |<-caused -> lost temp.", " execing cause| num | num| lost|file requests NFS4 un- ", " delmap recov|start| end| lock|close open|close|delegret errs avail.") ; put_unique_table_out( "%6d %5d|%5d|%5d|%5d|%5d %5d|%5d|%8d %5d %5d\n", \@Headers, \@nfs_error_on_delmap_cmd, \@nfs_causing_recovery, \@nfs_start_recovery, \@nfs_end_recovery, \@nfs_lost_lock_recov_err, \@nfs_closed_recov_err, \@nfs_lost_close_req, \@nfs_lost_open_req, \@nfs_lost_op_deleg_req, \@nfs_err_cnt, \@nfs_file_temp_unavail) ; @Headers = ( "<------------ nfsmapid daemon messages ------------------>", " ", "daemon ", "startup"); put_unique_table_out( "%6d\n", \@Headers, \@nfsmapid_startup); put_usual_list_out( "<----- nfs server host vs domain name found by nfsmapid ------>", \%nfsmapid_domain_table); put_usual_list_out( "<------------ NFS4 FACT SHEET records ----------->", \%NFS4_errs_table); ## -- nfs vold errors @Headers = ( "<------------ VOLD errors -------------------------->", " ", " NFS server for ", " volume management (/vol) ", " Not responding | OK "); put_unique_table_out( " %5d | %5d\n", \@Headers, \@nsf_client_vold_ok_resp, \@nsf_client_vold_not_resp); $Out_vars[$Out_Posit++] += $nsf_client_vold_ok_resp[$j]; $Out_vars[$Out_Posit++] += $nsf_client_vold_not_resp[$j]; ## --------- @Headers = ( "<----------------------- NFS errors by SERVERS -------------------->", " ", " <---- server --> ", " can't init |mount| no cant get compound", "reclaim call |point| response mapping svr-fail 
write", " lock fail OK| ok |1st (stil.) daemon timeout error") ; put_unique_table_out( "%6d %6d %6d|%5d|%5d(%5d) %6d %6d\n", \@Headers, \@nfs_server_no_reclaim_lock, \@nfs_server_init_call_failed, \@nfs_server_server_ok, \@nfs_server_mount_pt_ok, \@nsf_server_client_svr_no_rsponse, \@nsf_server_client_svr_no_rsponse_still, \@nsf_server_client_compound_rpc_timeout, \@nsf_server_write_error); # \@nfs_cant_get_nfsmapid, @Headers = ( "<----------------------------- NFS errors by SERVERS ----------------------------------->", " ", "<-----------file recovery---------> <----------- nfsserv --------->", " errs errs | | |<-caused-> lost <---- nfsauth ---> ", "execing cause| num | num|lost|file requests upcall| mount not bad ", "delmap recov|start| end|lock|close open|close|delegret failed|responding getargs"); put_unique_table_out( "%6d %5d|%5d|%4d|%4d|%5d %4d|%5d|%8d %6d| %8d %5d\n", \@Headers, \@nfs_server_error_on_delmap_cmd, \@nfs_server_causing_recovery, \@nfs_server_start_recovery, \@nfs_server_end_recovery, \@nfs_server_lost_lock_recov_err, \@nfs_server_closed_recov_err, \@nfs_server_lost_close_req, \@nfs_server_lost_open_req, \@nfs_server_lost_op_deleg_req, \@nfssrv_upcall_fail, \@nfssrv_mountd_no_respond, \@nfssrv_bad_getargs) ; @Headers = ( "<--- Details on NFS errors that caused recovery actions per CLIENT --->", " NFS number <--------- files closed ---------->", " FACT of recovery File hndl NFSv4 bad ", "SHEETS errors err changed invalid State_ID"); put_unique_table_out( "%6d %6d %6d %6d %6d %6d\n", \@Headers, \@nfs_detail_fact_sheets, \@nfs_causing_recovery, \@nfs_detailed_closed_stale, \@nfs_detailed_closed_fh_change, \@nfs_detailed_closed_inval, \@nfs_detailed_closed_bad_state_id); put_usual_list_out( "<------------ NFS COMMANDS THAT RESULTED IN ERRORS ON CLIENTS ----------->", \%nfs_err_op_table); put_usual_list_out( "<------------ NFS COMMANDS THAT RESULTED IN ERRORS BY SERVERS ----------->", \%nfs_server_err_op_table); @Headers = ( "<--- Details on NFS 
errors that caused recovery actions per SERVER --->", "number <--------- files closed ---------->", " of recovery File hndl NFSv4 bad ", "errors err changed invalid State_ID"); put_unique_table_out( "%6d %6d %6d %6d %6d\n", \@Headers, \@nfs_server_causing_recovery, \@nfs_server_detailed_closed_stale, \@nfs_server_detailed_closed_fh_change, \@nfs_server_detailed_closed_inval, \@nfs_server_detailed_closed_bad_state_id); put_usual_list_out( "<------------ NFS RECOVERY ACTIONS BY CLIENTS ----------->", \%nfs_recovery_action_table); put_usual_list_out( "<------------ NFS RECOVERY ACTIONS BY SERVERS ----------->", \%nfs_server_recovery_action_table); @Headers = ( "<------------ automountd -------------> Mountd <------ autofs ------> OSX", " no server no refused automountd automountd ", "such not Permission unknown NFS to allow not now automount", "dirs respond denied host service mount running OK attempt/fail"); put_unique_table_out( "%4d %5d %5d %4d %7d %7d %7d %6d %5d/%4d\n", \@Headers, \@automountd_nosuch_cnt, \@automountd_svr_no_respond, \@automountd_perm_denied, \@automound_no_nfs_service, \@automountd_unknown_host, \@mountd_refused, \@autofs_no_mountd, \@autofs_mountd_OK, \@automount_mount_attempts, \@automount_mount_fail); put_usual_list_out( "<------------ Mount errors ----------->", \%mount_msg_err_table); put_usual_list_out( "<------------ Mount access denied details ----------->", \%mountd_ref_fs_table); put_usual_list_out( "<------------ VOLD error records ----------->", \%vold_errs_table); put_usual_list_out( "<------------ statd error messages ----------->", \%statd_table); ## -- mimimal SAMBA nmbd decode @Headers = ( "<----------- Samba msgs ------------> ", "became ", "logon denied invalid wrong ", "server connection user password "); put_unique_table_out( "%6d %6d %6d %6d\n", \@Headers, \@nmbd_login_server, \@smbd_denied_connection, \@smbd_invalid_user, \@smbd_wrong_passwd); put_usual_list_out( "<------------ SMBD - users with bad passwords and invalid 
user ids ----------->", \%smbd_bad_user_table); put_usual_list_out( "<------------ SMBD - source of connections that were denied ----------->", \%smbd_conn_denied_table); } # END PROCESS_OUTPUT_HARDWARE_FILE_SYS sub process_output_sys_daemons () { ## ##---- system daemons , such as packet filter, audit system, - low level stuff ## ### -- audit system messages @Headers = ( "<------- Audit System warnings -------->", " Soft limit exceeded on mail alias", " File All filesystems not defined"); put_unique_table_out( "%6d %6d %6d\n", \@Headers, \@root_audit_file_limit_exceed, \@root_audit_filesystems_limit_exceed, \@root_audit_alias_ndef); ## -- ipf records - packet filtger @Headers = ( "<--------- Packet Filter Messages -------->", "Running"); put_unique_table_out( "%7d\n", \@Headers, \@ipf_running); ## -- nscd @Headers = ( "<---- nscd statistics ---->", " possible server", "name vs IP buff overflow not ", " mismatch attempt responding"); put_unique_table_out( " %6d %7d %6d\n", \@Headers, \@nscd_name_ip_match, \@nscd_buff_overflow_attempt, \@nscd_server_not_responding); ## -- mimimal bootpd decode @Headers = ( "<- bootpd msgs -> \n", "daemon IP not\n", "starts Found \n"); put_unique_table_out( "%6d %6d\n", \@Headers, \@bootpd_start, \@bootpd_ip_not_found); ## -- if present, output counts of ips bootp was unable to find put_usual_list_out( "<-- IP requests unknown to bootpd ----------->", \%bootpd_bad_ip_table); } ### END OF PROCESS_OUTPUT_SYSTEM_DAEMONS sub process_output_daemons () { ## ##---- daemons logs - start, stop, errs.... First generic (svcs,inetd), then specific (ftp) ## ### log of dameons and such started at boot... or restarted? @Headers = ( "<------------ syslog entries added by various startup daemons (OS X) ----------->", " SystemStarter", " xinetd error msgs. 
## NOTE(review): under $REAL_REAL_DETAILED_OUTPUT, put_usual_list_out is
## given two header strings before \%daemon_connection_table, whereas every
## other call in this file passes one header then the hash ref; if the helper
## takes (header, ref) the second string lands where the table is expected.
mDNSResponder-107 mDNSResponder-107.3 automount memberd"); put_unique_table_out ( " %6d %6d %6d %6d %6d %6d \n", \@Headers, \@xinetd_started, \@SystemStarter_startup_fails, \@nDNSResponder_107_startup, \@nDNSResponder_107_3_startup, \@automount_started, \@apple_memberd_startup); ## -- svc problems @Headers = ( "<------------- svc.startd errors ----------->", "method instance exited no status other", "failed w/bad exit code for contract errors"); put_unique_table_out( "%6d %6d %6d %6d\n", \@Headers, \@svc_startd_method_failed, \@svc_startd_bad_exit_code, \@svc_startd_no_get_status, \@svc_startd_err); ## output summaries of svc startd stuff put_usual_list_out( "<------------ svc startd error messages ----------->", \%svc_startd_msg_table); if ($DETAILED_OUTPUT) { @Headers = ( "<---- stfontserverd messages logged to syslog --->", " terminating", " starting terminating on signal "); put_unique_table_out( " %8d %8d %8d\n", \@Headers, \@tfontserverd_start, \@tfontserverd_terminating, \@tfontserverd_signal); } ## END DETAILED OUTPUT ### ###---- here is inetd type daemons... ### ##---- inetd connection summary put_usual_list_out( "<------------- Connections to services via INETD ------------>", \%inetd_connection_table); ### output connections reported by the daemons. Regular output is only connections that are not ### reported via inetd. REAL_REAL_DETAILED_OUTPUT outputs duplicate data anyway. if ($REAL_REAL_DETAILED_OUTPUT) { put_usual_list_out( "<----- ALL Connections to services as reported by the DAEMON. ----------->", "<----- This includes services running via inetd. ----------->", \%daemon_connection_table); } else { ## --- otherwise, ... 
## NOTE(review): the else branch uses `defined (%hash)` and
## `%daemon_connection_table->{...}` (a hash used as a reference); both forms
## are fatal on Perl 5.22+.  The counting loop then iterates
## `$daemon_connection_table->{"values"}` -- the scalar, a different variable
## from the hash -- and tests `$index` (never assigned) instead of `$indx`,
## so as written $out_count stays 0 and the "not recorded by INETD" table is
## never printed.
##-- we have detailed output.., but only do for non-inetd stuff if ( defined (%daemon_connection_table)) { ## we have detailed output.., but only do for non-inetd stuff for ($indx=0; $indx<= $Global_mach_cnt; $indx++) { if ($USE_inetd_connection[$indx] > 0 && defined (%daemon_connection_table->{"values"}->[$indx])) { undef (%daemon_connection_table->{"values"}->[$indx]) ; } } $out_count=0; ## number of hosts to output foreach $indx ( $daemon_connection_table->{"values"}) { if ($index ne "") { $out_count++; } } if ($out_count > 0) { put_usual_list_out( "<------------ Connections to services not recorded by INETD ------------>", \%daemon_connection_table); } } } ## output counts of connections for daemons we usually just ignore put_usual_list_out( "<------------ Connections counts to various daemons ----------->", \%generic_deamon_connect_table); ## output counts of msgs for daemons we usually just ignore put_usual_list_out( "<------------ Messages counts per various daemons that produce verbose status mgs ----------->", \%generic_deamon_msg_table); ## output verbose counts of msgs for daemons we usually just ignore put_usual_list_out( "<------------ Detail msg list of various daemon msgs. 
## NOTE(review): in the FTPD command summary the 16 conversions match the 16
## arrays, but the header groups "sent to client" before "recv from client"
## while the arrays are passed recv (upload) first then send (download); the
## two groups of three columns look swapped relative to their labels.
-------------------------->", \%generic_deamon_verbose_msg_table); ##---- inetd warning summary put_usual_list_out( "<------------- Errors/Warnings concerning Connections to services via INETD ----------->", \%inetd_warn_err_table); ##---- inetd detail list put_usual_list_out( "<------------- Errors/Warnings/Notes concerning Connections to services via INETD ----------->", \%inetd_full_err_table); ##---- inetadm msgs - probably all warnings/errors, so print put_usual_list_out( "<------------- Errors/Warnings From INETADM ----------->", \%inetadm_msg_table); ##---- daemon err connection summary put_usual_list_out( "<------------- Deamon error table ----------->", \%daemon_err_table); ## output detail recs of SystemStarter failures put_usual_list_out( "<------------ SystemStarter - tasks that did not complete successfully ----------->", \%SystemStarter_err_table); ## -- if present, we output gconfd err msg table (probably all junk) put_usual_list_out( "<------------ gconf error messages ------------>", \%gconfd_table); } # END OF PROCESS_OUTPUT_DAEMONS sub process_output_services_ftpd() { ##---- ftpd server entries. Detailed output. @Headers = ( "<--------------------------- FTPD Command Summary ------------------------------------------>", " change make delete delete rename <-- sent to client -><--recv from client->", " Permissions directory directory files files files bytes files bytes ", " OK/ bad OK/ bad OK/ bad OK/ bad OK/ bad OK/ bad/ xferred OK/ bad/ xferred"); put_unique_table_out( "%6d/%5d%6d/%4d%5d/%4d%6d/%4d%5d/%4d%6d/%4d/%9d%6d/%4d/%9d\n", \@Headers, \@ftpd_ok_change_perm, \@ftpd_bad_change_perm, \@ftpd_ok_mkdir, \@ftpd_bad_mkdir, \@ftpd_ok_del_dir, \@ftpd_bad_del_dir, \@ftpd_ok_del_file, \@ftpd_bad_del_file, \@ftpd_ok_renamed, \@ftpd_bad_renamed, \@ftpd_xfer_recv_cnt, \@ftpd_bad_upload, \@ftpd_xfer_recv_bytes, \@ftpd_xfer_send_cnt, \@ftpd_bad_download, \@ftpd_xfer_send_bytes); ##---.. 
## NOTE(review): process_output_services_named begins here and continues
## past the end of this listing.  In its second table
## `\@$named_enforce_delegate_only` dereferences the scalar
## $named_enforce_delegate_only rather than referencing
## @named_enforce_delegate_only (same slip as \@$dada_ata_errs above), so the
## "enforce Delegate only" column is always zero unless that scalar is set.
list of ftp SITE commands used put_usual_list_out( "<------------ Counts of all SITE commands issued to FTPD server ----------->", \%ftpd_SITE_cmds_table); put_usual_list_out( "<------------ Counts of FULL commands issued to FTPD server ----------->", \%ftpd_total_cmds_table); ##-- errors found in ftp streams put_usual_list_out( "<------------ Counts of errors recorded by FTPD server ----------->", \%ftpd_errs_table); ##-- very detailed errors found in ftp streams put_usual_list_out( "<------------ DETAILED Error counts for commands issued to FTPD server ----------->", \%ftpd_detail_errs_table); ##---.. list of ftp commands used put_usual_list_out( "<------------ Counts of all commands issued to FTPD server ----------->", \%ftpd_cmds_table); } # END OF PROCESS_OUTPUT_SERVICES_FTPD sub process_output_services_named() { ## ---- named output @Headers = ( "<------------------------- named query error entries ------------------->", " mal- named unexpected late ", " query Lame bad wrong formed resolving findns src of CNAME ", "denied server referral answer respons errs errs response in ansr"); put_unique_table_out( "%6d %6d %6d %6d %6d %6d %6d %6d %6d\n", \@Headers, \@named_denied_query, \@named_lame_server, \@named_bad_referral, \@named_wrong_ans, \@named_malformed_response, \@named_resolving_err, \@named_findns_err, \@named_unexp_source, \@named_late_cname_answer); @Headers = ( "<---- named query error entries ------>", "invalid unrelated enforce", " RR additional Delegate", " Type info. only"); put_unique_table_out( "%6d %6d %6d\n", \@Headers, \@named_invalid_rr_type, \@named_unrelated_additional, \@$named_enforce_delegate_only); # -- errors returned within queries. put_usual_list_out( "<------ Errors within replies of DNS queries. 
------>", \%named_ns_forw_resp_table); # -- resolving errors on Detailed output put_usual_list_out( "<------ Detailed list of unexpected errors while resolving dns entries ------>", \%named_resolving_table); # -- query denied errors put_usual_list_out( "<------ Detailed list of queries denied by local server ------>", \%named_denied_table); #-- named server stuff @Headers = ( "<---------------------------- Name Server Daemon Stats ----------------------------------------------->", " ", " name name no ok load allows dispatch bind total # of ", "server server open open zone update receive socket bind RRsets bind freeze unfreeze unkn", "starts reload cmd cmd from by zone TCP in run- cleaned exiting zone zone cntl", " config chnl chnl file IP expired error use ing frm cache records ok/not ok/not cmds"); put_unique_table_out( "%6d %6d %4d %4d %4d %6d %7d %8d %6d %4d %7d %7d %2d/%3d %3d/%3d %4d\n", \@Headers, \@named_starts, \@named_load_config, \@named_no_open_cmd_channel, \@named_OK_open_cmd_channel, \@named_loaded_zone_file, \@named_allows_update_by_ip, \@named_zone_expired, \@named_dispatch_rec_err, \@named_bind_socket_in_use, \@named_running, \@named_cleaned_cache_RRSETS, \@named_exiting, \@named_freeze_ok, \@named_freeze_notok, \@named_unfreeze_ok, \@named_unfreeze_notok, \@named_unknown_control_cmd); @Headers = ( "<------------------------------ named errors/warnings ---------------------------------->", " ", " extra load bad bad MASTER other allow SOA", " check no root data zone owner name unknwn unknwn MASTER no update conn not", "option hints nameservers in root from cache cache RR class/ file TTL by timed first", " errs msgs in class hints file file file type type errs spec IP out line "); put_unique_table_out( "%6d %5d %5d %8d %5d %5d %5d %6d %6d %5d %4d %5d %5d %4d\n", \@Headers, \@named_option_errs, \@named_check_hints, \@named_no_root_servers, \@named_extra_dat_root_hints, \@named_loaded_zone_file, \@named_file_bad_owner_name, \@named_file_bad_name, 
\@named_unknown_RR_type, \@named_load_unknown_class, \@named_file_err, \@named_file_no_ttl, \@named_allows_update_by_ip, \@named_conn_timed_out, \@named_SOA_not_at_top); ## - cant open a file - list files here, if any... put_usual_list_out( "<------ Files not found by named daemon ------>", \%named_file_not_found_table); put_usual_list_out( "<------ Unknown named commands via command channel ------>", \%named_unk_cmd_table); # -- option errors in config file on Detailed output put_usual_list_out( "<------ Detailed list of illegal options ----->", \%named_opt_err_table); ## -- drop 1st several cols here @Headers = ( "<----------- named domain transfer statistics ------------>", "<------------------------- tries -------------------------->", "<---- transfers starting ---> transfer failed to socket <--denied--->", "general IXFR(TSIG) AXFR(TSIG) complete connect to not conn. IXFR AXFR"); put_unique_table_out( "%7d %4d(%4d) %4d(%4d) %6d %6d %6d %5d %5d\n", \@Headers, \@named_transfer_started, \@named_transfer_ixfr_start, \@named_transfer_ixfr_tsig_start, \@named_transfer_axfr_start, \@named_transfer_axfr_tsig_start, \@named_transfer_done, \@named_transfer_failed_conn, \@named_transfer_sock_not_conn, \@named_denied_ixfr, \@named_denied_axfr); @Headers = ( "<------------------------- Name Server Zone Transfer Failure Stats ------------------------------------>", "update bad zone", " no no timed CNAME not NX bad xfer deferred transfer transfer bad unexpec. 
transfer", "effect SOA out +other exact EOF DOMAIN owner resets (quota) REFUSED cancelled names errors request"); put_unique_table_out( "%6d %3d %5d %5d %5d %3d %6d %5d %6d %7d %5d %6d %5d %5d %5d\n", \@Headers, \@named_update_no_effect, \@named_client_no_SOA, \@named_transfer_timed_out, \@named_transfer_failed_CNAME, \@named_transfer_failed_not_exact, \@named_transfer_failed_EOF, \@named_transfer_failed_NXDOMAIN, \@named_bad_owner_name, \@named_transfer_resetting, \@named_transfer_deferred_quota, \@named_transfer_REFUSED, \@named_transfer_cancelled, \@named_zone_contains_bad_name, \@named_transfer_unexpected_err, \@named_client_bad_zone_xfer_req); ## ixfr and axfr denied msgs. put_usual_list_out( "<------ Detailed list of AXFR denied messages ----->", \%named_denied_axfr_table); put_usual_list_out( "<------ Detailed list of IXFR denied messages ----->", \%named_denied_ixfr_table); @Headers = ( "<---------------------------------- name server messages ---------------------------------->", " zone tsig <--------------------------------- refresh --------------------------------->", "up to verif. retry_limt NODATA non-authoritive unexpected rcode CNAME fail trying", " date err exceeded response ansr from master from master problem master "); put_unique_table_out( "%5d %5d %5d %6d %5d %5d %5d %5d\n", \@Headers, \@named_zone_up_to_date, \@named_tsig_ver, \@named_retry_limit, \@named_refresh_nodata, \@named_refresh_non_author, \@named_refresh_bad_rcode, \@named_refresh_cname_problem, \@named_refresh_from_master_fail); # -- output TSIG errors list. 
put_usual_list_out( "<--- Detailed list of TSIG errors --->", \%named_tsig_table); @Headers = ( "<------------------- name server client entries ---------------->", "<- receive notify for zones-> refused error zone zone <--- client update ---->", " zone non-authoritive notify from on xfer serial# unsuccessful", " count| TSIG |zones(errors) non-master send denied < ours denied (NXRRSET|YXRRSET)"); put_unique_table_out( "%6d|%6d| %7d %8d %6d %6d %6d %6d %6d|%7d\n", \@Headers, \@named_client_notify, \@named_client_notify_TSIG, \@named_client_notify_err, \@named_zone_non_master, \@named_client_error_send, \@named_client_zone_xfer_denied, \@named_zone_serial_no_lt, \@named_client_update_denied, \@named_client_update_unsuc_NXRRSET, \@named_client_update_unsuc_YXRRSET); # -- output zone names for not our zone updates recieved put_usual_list_out( "<------ Detailed list of zone names received for updating that are not ours. ------>", ,\%named_not_our_zone_table); ## named output - XSTAT records if ( $XSTAT_FIELD_cnt > 0) { for ($indx = 1; $indx<=$Global_mach_cnt ; $indx++) { $i= $indx; if ( $XSTAT_rec_cnt[$i] > 1 ) { ## need 2 records start and end.. for ($k=1; $k<=$XSTAT_FIELD_cnt; $k++) { $this_key = join ("-",$i, $XSTAT_FIELD_name_index[$k]); add_list_out($XSTAT_FIELD_name_index[$k], $i, $XSTAT_end{$this_key} - $XSTAT_begin{$this_key}, \%XSTAT_detail_table, $XSTAT_FIELD_name_index[$k]); } } } put_usual_list_out( "<---------------- XSTATS record Summaries for named --------------->", \%XSTAT_detail_table); } ## end of all segments of XSTAT out ## named output - NSTAT records if ( $NSTAT_FIELD_cnt > 0) { for ($indx = 1; $indx<=$Global_mach_cnt ; $indx++) { $i= $indx; if ( $NSTAT_rec_cnt[$i] > 1 ) { ## need 2 records start and end.. 
for ($k=1; $k<=$NSTAT_FIELD_cnt; $k++) { $this_key = join ("-",$i, $NSTAT_FIELD_name_index[$k]); add_list_out($NSTAT_FIELD_name_index[$k], $i, $NSTAT_end{$this_key} - $NSTAT_begin{$this_key}, \%NSTAT_detail_table, $NSTAT_FIELD_name_index[$k]); } } } put_usual_list_out( "<---------------- NSTATS record Summaries for named --------------->", \%NSTAT_detail_table); } ## end of all segments of NSTAT out } # END PROCESS_OUTPUT_SERVICES_NAMED sub process_output_logins () { @Headers = ( "<- Console Activity ->", "<-- logins -> ", " OK / Bad winlock ", "logins/passwd timeout "); put_unique_table_out( "%6d/%6d %7d\n", \@Headers, \@audit_console_login, \@audit_console_login_bad, \@winlock_timeout_cnt); @Headers = ( "<------------------------ Console lock messages ------------------>", " # of <-display> ", " OK open lock bad time exit # of unable to grab xio", "locks fail fail pwds expired failed stops keybd or pointer errs"); put_unique_table_out( "%5d %4d %4d %4d %7d %6d %5d %5d %4d\n", \@Headers, \@xlock_cnt, \@xlock_failed_open_display, \@xlock_cannot_lock_disp, \@xlock_failed_unlock_cnt, \@xlock_expired_cnt, \@xlock_failed_exit_cnt, \@xlock_stops, \@xlock_no_grab_keybd, \@xlock_xio_error); ## --- output users who locked term. put_usual_list_out( "<---- Users who locked terminals -------->", \%xlock_user_table); ## --- output users who failed to unlock term. 
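## (process_output_logins continues here; the sub is opened above)
    put_usual_list_out( "<---- Users who failed to unlock terminals -------->", \%xlock_failed_user_table);
    #----
    @Headers = ( "<--------- OsX Console Activity -------->",
        "<-------------- login window ----------->",
        "startups security agent starts halts");
    put_unique_table_out( "%6d %6d %6d\n", \@Headers,
        \@loginwindow_starts, \@loginwindow_security_agent_starts, \@loginwindow_halts);
    #---- local logins
    @Headers = ( " CDE(dtspc) admin logins",
        " Logins / Num (SMC) ",
        " ok/ bad/conn ok/ bad ");
    ## NOTE(review): every other table passes \@array; these five pass \@$scalar
    ## (dereference of a scalar).  Unless the decoder stores these counters as array
    ## refs in scalars, each column here is always 0 -- confirm against the dtspc/SMC
    ## decode code.
    put_unique_table_out( "%4d/%4d/%4d %4d/%4d\n", \@Headers,
        \@$login_dtspc, \@$bad_dtspc, \@$inetd_conn_dtspc, \@$audit_admin_login, \@$audit_admin_bad_login);
    ## -------- connection and login report rlogin, rsh, rexec
    ## this one is special, as we define values for output fields on the fly
    ## One row per output group, in $outindex[] order.  @Out_vars sums, over every
    ## machine in the group, four cells per service: OK logins, bad logins,
    ## connections rejected on DNS error, total connections.  Where a machine has
    ## audit-trail records for the service ($USE_audit_rsh / $USE_audit_rexec defined)
    ## those counters are used instead of the daemon's own log lines, and inetd's
    ## connection count ($USE_inetd_connection defined) replaces the daemon's.  rexec
    ## has no DNS-error counter, so that cell prints as "_______".  A row is printed
    ## when $LOUD_OUTPUT is set, when $NO_STEALTH_OUTPUT is set and this is group 1
    ## (presumably the catch-all group -- confirm), or when any cell is non-zero.
    $Out_header = 1;
    for ($indx = 0; $indx<=$table_index ; $indx++) {
        $i = $outindex[$indx];
        if ( defined $Output_table_machines[$i]) {
            undef @Out_vars;   ## the += below accumulates across the group's machines
            for ($jj=0; $jj< $Output_table_machines_cnt[$i]; $jj++) {
                $j = $Output_table_machines[$i][$jj];
                $Out_Posit=0;
                $Out_vars[$Out_Posit++] += defined($USE_audit_rsh[$j]) ? $audit_rsh_login[$j] : $rshd_rsh_login[$j] ;
                $Out_vars[$Out_Posit++] += defined($USE_audit_rsh[$j]) ? $audit_rsh_login_bad[$j] : $rshd_rsh_login_bad[$j] ;
                $Out_vars[$Out_Posit++] += $rshd_dns_err[$j];
                $Out_vars[$Out_Posit++] += defined($USE_inetd_connection[$j]) ? $inetd_conn_rsh[$j] : $rshd_conn_rsh[$j] ;
                $Out_vars[$Out_Posit++] += $audit_rlogin_login[$j] ;
                $Out_vars[$Out_Posit++] += $audit_rlogin_login_bad[$j];
                $Out_vars[$Out_Posit++] += $rlogind_dns_err[$j];
                $Out_vars[$Out_Posit++] += defined($USE_inetd_connection[$j]) ? $inetd_conn_rlogin[$j] : $rlogind_conn_rlogind[$j] ;
                $Out_vars[$Out_Posit++] += defined($USE_audit_rexec[$j]) ? $audit_rexec_login[$j] : $rexecd_rsh_login[$j] ;
                $Out_vars[$Out_Posit++] += defined($USE_audit_rexec[$j]) ? $audit_rexec_login_bad[$j] : $rexecd_rsh_login_bad[$j] ;
                $Out_vars[$Out_Posit++] += $inrexecd_connect[$j];
            }
            $check_sum = 0;
            for ($j=0;$j<$Out_Posit;$j++) { $check_sum += $Out_vars[$j];}
            if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum > 0 ) {
                if ($Out_header) {   ## banner once, before the first printed row
                    $Out_header=0;
                    print "\n\n";
                    print "$m_head_spc <------------------ Network Logins via various services ------------------>\n";
                    print "$m_head_spc <- successful / unsuccessful / conn rejected (DNS err)/ total connections ->\n";
                    print "$m_head_spc <--------------rsh------------> <------------rlogin-----------> <-------------rexec----------->\n";
                } #outheader
                printf "%s %7d/%7d/%7d/%7d %7d/%7d/%7d/%7d %7d/%7d/_______/%7d\n", $table_id[$i], @Out_vars;
            } #outstealth
        }
    }
    ## -------- connection and login report ssh, ftp, telnet
    ## Same scheme as the rsh/rlogin/rexec table above: four cells per service,
    ## audit-trail counters preferred where $USE_audit_ssh / $USE_audit_ftpd is set,
    ## inetd connection counts preferred where $USE_inetd_connection is set.
    $Out_header = 1;
    for ($indx = 0; $indx<=$table_index ; $indx++) {
        $i = $outindex[$indx];
        if ( defined $Output_table_machines[$i]) {
            undef @Out_vars;
            for ($jj=0; $jj< $Output_table_machines_cnt[$i]; $jj++) {
                $j = $Output_table_machines[$i][$jj];
                $Out_Posit=0;
                $Out_vars[$Out_Posit++] += defined($USE_audit_ssh[$j]) ? $audit_ssh_login[$j] : $sshd_ssh_login[$j] ;
                $Out_vars[$Out_Posit++] += defined($USE_audit_ssh[$j]) ? $audit_ssh_login_bad[$j] : $sshd_ssh_login_bad[$j] ;
                $Out_vars[$Out_Posit++] += $sshd_dns_err[$j];
                $Out_vars[$Out_Posit++] += $conn_ssh[$j];
                $Out_vars[$Out_Posit++] += defined($USE_audit_ftpd[$j]) ? $audit_ftp_login[$j] : $ftpd_ftp_login[$j];
                $Out_vars[$Out_Posit++] += defined($USE_audit_ftpd[$j]) ? $audit_ftp_login_bad[$j] : $ftpd_ftp_login_bad[$j];
                $Out_vars[$Out_Posit++] += $ftpd_dns_err[$j];
                ## NOTE(review): `$inetd_conn_[$j]` looks like a truncated array name
                ## (compare $inetd_conn_rsh / $inetd_conn_rlogin / $inetd_conn_telnet), so
                ## on machines where inetd connection logging is in use the ftp "total
                ## connections" cell is presumably always 0 and ftp connection volume is
                ## under-reported.  Confirm the intended inetd ftp counter before changing.
                $Out_vars[$Out_Posit++] += defined($USE_inetd_connection[$j]) ? $inetd_conn_[$j] : $ftpd_conn_ftpd[$j] ;
                $Out_vars[$Out_Posit++] += $audit_telnet_login[$j];
                $Out_vars[$Out_Posit++] += $audit_telnet_login_bad[$j];
                $Out_vars[$Out_Posit++] += $telnetd_dns_err[$j];
                $Out_vars[$Out_Posit++] += defined($USE_inetd_connection[$j]) ? $inetd_conn_telnet[$j] : $telnetd_conn_telnetd[$j] ;
            }
            $check_sum = 0;
            for ($j=0;$j<$Out_Posit;$j++) { $check_sum += $Out_vars[$j];}
            if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum > 0 ) {
                if ($Out_header) {
                    $Out_header=0;
                    print " \n";
                    print " \n";
                    print "$m_head_spc <------------------ Network Logins via various services ------------------>\n";
                    print "$m_head_one <- successful / unsuccessful / conn rejected (DNS err)/ total connections ->\n";
                    print "$m_head_two <--------------ssh------------> <------------ftp--------------> <-----------telnet------------> \n";
                } #outheader
                printf " %s %7d/%7d/%7d/%7d %7d/%7d/%7d/%7d %7d/%7d/%7d/%7d \n", $table_id[$i], @Out_vars;
            } #outstealth
        }
    }
    #--- sshd server stats here, before general access stats.
    ## "too many authentication failures" and "scanned by version mapper" are the
    ## brute-force / probing indicators in this table.
    @Headers = ( "<-------------------- SSHD daemon msg summary ----------------------->",
        " ",
        " channel too many scanned by SSHD no",
        "listening subsystem open authentication version monitor ident",
        "(startup) request failure failures mapper killed id");
    put_unique_table_out( "%6d %6d %6d %6d %6d %6d %6d\n", \@Headers,
        \@sshd_server_listening, \@sshd_subsystem_req, \@sshd_channel_open_fail,
        \@sshd_too_many_authen_fail, \@sshd_scanned_ver_map, \@sshd_monitor_killed, \@sshd_no_ident_id);
    ## --and errors if any for sshd server... - detailed output only
    put_usual_list_out( "<----------------- SSHD Daemon errors ------------------>", \%sshd_errs_table);
    ## --and summary of msgs if stupid output enabled
    put_usual_list_out( "<------- SSHD Daemon very verbose errors ------------------>", \%sshd_stupid_output_table);
    # -- ok, if nosey, put out types of access that were ok.
    put_usual_list_out( "<------ Detailed list of access types ssh used to authenticate users ----->", \%sshd_accept_type_table);
    # -- ok, if REAL REAL nosey, list users and where they logged in
    put_usual_list_out( "<----- Detailed list of users and machines they sshd in to report by ssd --->", \%sshd_accept_user_table);
    # -- ok, if nosey, put out types of access that failed
    put_usual_list_out( "<----- Detailed list of access types ssh used when authorization failed report by sshd -->", \%sshd_failed_type_table);
    # -- ok, if REAL REAL nosey, list users and where they failed to logged in
    put_usual_list_out( "<----- Detailed list of users/machines when sshd authentication failed report by sshd --->", \%sshd_failed_user_table);
    # -- ok, if REAL REAL nosey, list failed users and where they failed to logged in
    put_usual_list_out( "<----- Detailed list of invalid users and machines when sshd authentication failed report by sshd -->", \%sshd_I_failed_user_table);
    # -- ok, if REAL REAL nosey, list failed users and where they failed to logged in to via AUDIT recs
    put_usual_list_out( "<----- Detailed list of users and machines when sshd authentication failed report by AUDIT deamon --->", \%audit_ssh_failed_user_table);
    ###---------- su type data
    @Headers = ( " <-change passwd-> ",
        " su sudo change fail to can't get ",
        " attempts attempts passwd reach master for",
        " OK/ bad OK/ bad ok/fail daemon passwd map");
    ## `my` must wrap the whole list: `my $a, @b, @c;` declares only $a and silently
    ## leaves @local_su / @local_su_bad as package globals.
    my ($local_index, @local_su, @local_su_bad);
    ## su counters come from the audit trail where it is in use for the machine,
    ## otherwise from su's own syslog lines.
    for ($local_index=0; $local_index <= $Global_mach_cnt; $local_index++) {
        $local_su[$local_index] = (defined($USE_audit_su[$local_index]) ? $audit_su[$local_index] : $su_su[$local_index]) ;
        $local_su_bad[$local_index] = (defined($USE_audit_su[$local_index]) ? $audit_su_bad[$local_index] : $su_su_bad[$local_index]) ;
    }
    put_unique_table_out( "%4d/%4d %4d/%4d %4d/%4d %8d %6d\n", \@Headers,
        \@local_su, \@local_su_bad, \@sudo, \@sudo_bad,
        \@audit_passwd_change, \@audit_passwd_change_bad,
        \@passwd_handle_cnt, \@passwd_nomaster_map_cnt);
    ## -- tables of su ok
    put_usual_list_out( "<------------ users who successfully su'd ----------->", \%su_ok_from_table);
    ## -- tables of su ok
    put_usual_list_out( "<------------ users successfully su'd to ----------->", \%su_ok_to_table);
    ## -- tables of su bad.
    put_usual_list_out( "<------------ users who failed to su ----------->", \%su_bad_from_table);
    ## -- tables of su bad.
    put_usual_list_out( "<------------ user ids that were the target of failed su's ----------->", \%su_bad_to_table);
    # -- ok, if nosey, put out types of access that failed
    put_usual_list_out( "<----- Detailed list of access failures defined via audit facility ----->", \%audit_failure_table);
    ## Per-service "who failed to authenticate, from where" tables, audit trail first,
    ## then the daemons' own records.
    put_usual_list_out( "<----- Detailed list of users and machines when admin(SMC) authentication failed report by AUDIT deamon -->", \%audit_admin_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when authentication failed report by AUDIT deamon -->", \%audit_ftpd_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when authentication failed report by FTP deamon -->", \%ftpd_ftp_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when console authentication failed report by AUDIT deamon -->", \%audit_console_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when rlogin authentication failed report by AUDIT deamon --->", \%audit_rlogin_failed_user_table);
    put_usual_list_out( "<---- Detailed list of users and machines when rsh authentication failed report by AUDIT deamon -->", \%audit_rsh_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when telnet authentication failed report by AUDIT deamon -->", \%audit_telnet_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines when rexec authentication failed report by AUDIT deamon -->", \%audit_rexec_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines who tried to su and failed report by AUDIT deamon -->", \%audit_su_failed_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines who tried to change passwords and failed report by AUDIT deamon -->", \%audit_passwd_failed_user_table);
    ## -- if present, output rshd bad login table
    put_usual_list_out( "<--------- login id of bad rsh logins ----------->", \%rshd_bad_login_table);
    ## -- if present, output rexec bad login table
    put_usual_list_out( "<--------------- login id of bad rexec logins ----------->", \%rexec_bad_login_table);
    # -- ok, if REAL REAL nosey, list OK users and where they logged in from
    put_usual_list_out( "<----- Detailed list of invalid users and machines when sshd authentication OK report by sshd -->", \%sshd_I_OK_user_table);
    # -- ok, if REAL REAL nosey, list OK users and where they logged in from, via AUDIT recs
    put_usual_list_out( "<----- Detailed list of users sshing into machines reported by AUDIT deamon --->", \%audit_ssh_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users authenticating SMC reported by AUDIT deamon --->", \%audit_admin_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users ftping to machines reported by AUDIT deamon --->", \%audit_ftpd_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users logged onto machine consoles reported by AUDIT deamon --->", \%audit_console_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users rloged into machines reported by AUDIT deamon --->", \%audit_rlogin_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users rshed into machines reported by AUDIT deamon --->", \%audit_rsh_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users rexeced into machines reported by AUDIT deamon --->", \%audit_rexec_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users telnetted into machines reported by AUDIT deamon --->", \%audit_telnet_OK_user_table);
    ## NOTE(review): the "su'd to other users" table below is fed %audit_passwd_OK_user_table,
    ## the same hash as the password-change table right after it; the successful-su
    ## counterpart of %audit_su_failed_user_table is probably what was meant -- confirm
    ## the hash the audit su decoder fills before changing.
    put_usual_list_out( "<----- Detailed list of users and machines who sud to other users reported by AUDIT deamon --->", \%audit_passwd_OK_user_table);
    put_usual_list_out( "Detailed list of users and machines who changed passwords reported by AUDIT deamon -->", \%audit_passwd_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines who LOCKED the console screenlock reported by AUDIT deamon --->", \%audit_screenlock_OK_user_table);
    put_usual_list_out( "<----- Detailed list of users and machines who tried and failed to unlock the console screenlock reported by AUDIT deamon --->", \%audit_screenlock_failed_user_table);
    @Headers = ( "<--------- saslauthd ---------->",
        " pgm pgm authorizations",
        "startup shutdown ok failure");
    ## NOTE(review): @saslauthd_failurer -- if the decoder fills an array with the
    ## expected spelling instead, this "failure" column is always 0.
    put_unique_table_out( "%6d %6d %6d %6d\n", \@Headers,
        \@saslauthd_init, \@saslauthd_master_exit, \@saslauthd_success, \@saslauthd_failurer);
    ## -- if present, we output sasl authorizaton failures
    put_usual_list_out( "<------------ SASL AUTHORIZATION FAILURES ----------->", \%saslauth_failed_user_table);
    ## -- if present, we output sasl authorization success
    put_usual_list_out( "<------------ SASL AUTHORIZATION SUCCESSES ----------->", \%saslauth_OK_user_table);
    ##---- NISD stuff
    @Headers = ( "<---------------- NIS Authenticaton -------------> NIS response ",
        "server replayed Corrupted <---- timestamp ----> RPC problems ",
        "starts credentials window invalid|early|expired error servr/nisping ");
    put_unique_table_out( "%6d%6d %8d %7d |%4d | %5d %5d %5d/%5d\n", \@Headers,
        \@nisd_started, \@nisd_replayed, \@nisd_corrupted_win, \@nisd_invalid_timestamp,
        \@nisd_early_timestamp, \@nisd_expired_timestamp, \@nisd_rpc_error,
        \@niscachemgr_server_response_problem, \@nisping_no_contact);
    ## -- ok, so display all nisd type errs.....
    put_usual_list_out( "<--- NISD svcauth_des errors ----->", \%nisd_max_err_msg);
    @Headers = ( "<--------- rpc_nispasswd ---------->",
        " too many cannot RPC ",
        " pgm pgm servers corrupt failed reencrypt system",
        "start exiting unreachable window attempts creds problem");
    ## Columns follow the header: "too many failed attempts" (the brute-force indicator)
    ## comes before "cannot reencrypt creds".  The two arrays used to be passed the other
    ## way round, so each was printed under the other's label.
    put_unique_table_out( "%5d %4d %4d %5d %5d %5d %5d\n", \@Headers,
        \@rpc_nispasswdd_start, \@rpc_nispasswdd_exit, \@rpc_nispasswdd_servers_unreach,
        \@rpc_nispasswdd_corrupt_window, \@rpc_nispasswdd_too_many_fails,
        \@rpc_nispasswdd_cannot_reencrypt_creds, \@rpc_nispasswdd_rpc_err);
    ## -- if present, we output users wth too many passwd fails
    put_usual_list_out( "<--- users with too many failures rpc.nispasswd error msgs ----->", \%nispasswdd_too_many_fails_table);
    ## -- if present, we output summary of unble to rencrypt erros
    put_usual_list_out( "<--- rpc_nispasswd errors - unable to rencrypt creds for these users ----->", \%rpc_nispasswd_bad_reencrypt_table);
    ##
    ## Apple OSX output
    ##
    @Headers = ( "<--- Apple OS X Directory Services entries -> Software programs that",
        "Directory Services Number of times users update terminated in",
        " startups failed authentication > 5 tries ran a crashdump");
    put_unique_table_out( "%5d %5d %5d %5d \n", \@Headers,
        \@DirectoryService_starts, \@DirectoryService_toomanyfails, \@apple_software_update, \@apple_crashdumps);
    ##---.. list of random authentication msgs by random pgms
    put_usual_list_out( "<----- Unsummarized Apple programs that had users successfully authenticate to ---->", \%Apple_auth_succeed_pgm_table);
    put_usual_list_out( "<----- Unsummarized Apple programs that had users fail to authenticate to ---->", \%Apple_auth_fail_pgm_table);
    ##---.. list of rights granted to random programs
    put_usual_list_out( "<----- Summary of rights granted by machine for Apple osX --->", \%Apple_auth_ok_rights_table);
    put_usual_list_out( "<------ Summary of rights denied by machine for Apple osX ---->", \%Apple_auth_bad_rights_table);
    put_usual_list_out( "<----- Detailed list of users who failed authentication more than 5 times (OS X). ------>", \%DirectoryService_toomanyfails_user_table);
    ## table of sources of bad logins, listed by src addr vs login id.
    ## since we lump all machines into this category, we only include
    ## entries in tables for machines that do not have $USE_audit_ssh_XXX[machine] set.
    ## This is determined at input-record decode time, not at output time, so this
    ## can be off by a record or two.
    if ($BAD_IP_OUT) {
        ## stats of bad logins by source ip
        put_varvar_list_out ( "<--------------------------- Table of bad logins vs. sources ---------------------------->\n", \%Bad_ip_out_table);
    } ## id of BAD_IP_OUT
} # END OF PROCESS_OUTPUT_LOGINS

## Print the printing-subsystem section (lp/lpd/lpr/printd, bsd-gw, lpsched, messages
## logged by the printers themselves).  The body of this sub continues past the end of
## this block.
sub process_output_services_print() {
    ### ------ lp, lpr. etc
    @Headers = ( "<--------------------------- printer (lp, lpd, printd) ------------------------------------->",
        "<-------- lpd ------> <--printd-> <------- lp ----------> <--------- lpr --------> <--lprm-->",
        "<----connections----> jobs <-sending->/ jobs sending/ jobs requests",
        " / / refused failed jobs/ to / failed / to / failed / to",
        " to/ from/ by/ from to/ from from/ srvr/ to/ from from/ srvr/ to/ from from/ srvr");
    put_unique_table_out( "%5d/%5d/%3d/%5d %5d/%5d %5d/%5d/%5d/%5d %5d/%5d/%5d/%5d %5d/%5d \n", \@Headers,
        \@lpd_conn_lp_to, \@lpd_conn_lp_from, \@lpd_refused, \@lpd_refused_from,
        \@printd_failed_to_err, \@printd_failed_from_err,
        \@lp_jobs, \@lp_conn_to_host, \@lp_failed_to_err, \@lp_failed_from_err,
        \@lpr_jobs, \@lpr_to_host, \@lpr_failed_to_err, \@lpr_failed_from_err,
        \@lprm_conn_from, \@lprm_conn_to);
    # -- refused connections...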
put_usual_list_out( "<------- Table of refused connections to lpd by print server ------>", \%lpd_refused_conn_msg_table); ### ------ bsd @Headers = ( "<---------------------------------- bsd-gw (printer) ----------------------------->", " can't invalid Can't bad xfer ", " connects unkn determine protocol commun. to unkwn job pwrite ID ", " to/ from prtr printer request w/spoolr printer canceled error Collision"); put_unique_table_out( "%5d/%5d %5d %5d %6d %5d %6d %5d %5d %5d\n", \@Headers, \@bsd_gw_client_con_to, \@bsd_gw_client_con_from, \@bsd_gw_unknown, \@bsd_gw_cant_determ_printer, \@bsd_gw_inv_proto, \@bsd_gw_cant_comm_spooler, \@bsd_gw_bad_transfer, \@bsd_gw_cancel, \@bsd_gw_pwrite_err, \@bsd_gw_id_collision); # -- transfer to bad printer put_usual_list_out( "<------ Table of unknown/diabled printers jobs were attempteed to be transfered to ------>", \%bsd_gw_bad_printer_table); # -- request unknown printer put_usual_list_out( "<------ Table of unknown printers requested - by print server ------>", \%bsd_gw_req_unk_printer_table); # -- cant communicate with spooler for printer put_usual_list_out( "<------ Table of unknown/diabled printers jobs were attempteed to be transfered to ------>", \%bsd_gw_no_comm_spooler_table); ### ------ lpsched. @Headers = ( "lpstat lpq <-cancels-> <------------ lpsched ------->", " / conn printer printer ", " conn. conn. # of/ to jobs enabled/ printer", " from from jobs/server from/cancel disabled faults"); put_unique_table_out( "%5d %5d %5d/%6d %5d/%5d %5d/%5d %5d\n", \@Headers, \@lpstat_conn_from, \@lpq_conn_from, \@cancel_job, \@cancel_to_server, \@lpsched_print_from, \@lpsched_cancel, \@lpsched_server_enabled, \@lpsched_server_disabled, \@lpsched_server_printer_faults); ### lp, lpr. etc output by printer... 
# --- per-printer breakdown of the same statistics (continues process_output_services_print)
    @Headers = ( "<--- STATISTICS AS ABOVE, BUT IDENTIFIED BY PRINTER ---->",
                 "<-------------- printer (lp, lpd, printd) -------------->",
                 "<------ lpd ---> <-printd> <--lp---> <--lpr--> lprm ",
                 "<--connections-> jobs jobs to jobs to ",
                 " / /refused failed printer printer jobs ",
                 " to/from/by/from to OK /fail OK / fail killd");
    # NOTE(review): the header advertises lpd connection columns (to/from/by/from) but
    # the format has only 6 conversions and 6 arrays, starting at printd; the column
    # labels and the data are out of step here.  Left as-is: the missing arrays are
    # not visible in this file section.
    put_unique_table_out( " %5d/ %5d/%5d %5d/%5d %5d \n", \@Headers,
        \@printd_printer_failed_err, \@lp_conn_to_printer, \@lp_printer_failed_err,
        \@lpr_to_printer, \@lpr_printer_failed_err, \@lprm_pr_cancel);

    ### bsd-gw
    @Headers = ( "<-- STATISTICS AS ABOVE, BUT IDENTIFIED BY PRINTER -->",
                 "<------------------ bsd-gw -------------------> ",
                 " invalid Can't bad xfer ",
                 "connects unkn protocol commun. to unkwn job ",
                 " to/from prtr request w/spoolr printer cancel ");
    # NOTE(review): this format has 7 %d conversions ("%4d/%4d ... %5d") but only 5
    # array refs follow; unless put_unique_table_out tolerates that, the "from" and
    # "invalid protocol" columns print garbage or nothing.  Needs the two missing
    # per-printer counters, which are not defined in this section.
    put_unique_table_out( "%4d/%4d %4d %6d %5d %6d %5d\n", \@Headers,
        \@bsd_printer_gw_con_to, \@bsd_printer_gw_unknown,
        \@bsd_printer_gw_cant_comm_spooler, \@bsd_printer_gw_bad_transfer,
        \@bsd_printer_cancel);

    ### lpsched by printer (status should be same totals as above)  (8 counters)
    @Headers = ( "<-- STATISTICS AS ABOVE, BUT IDENTIFIED BY PRINTER ----->",
                 "lpstat lpq lprm cancel <-------- lpsched --------->",
                 " query query query printer printer ",
                 " on on on jobs jobs enabled/ printer",
                 "printr printr printr killed cancel disabled faults");
    put_unique_table_out( "%6d %6d %6d %6d %6d %6d/%6d %6d \n", \@Headers,
        \@lpstat_pr_query, \@lpq_pr_query, \@lprm_pr_query, \@cancel_printer,
        \@lpsched_pr_cancel, \@lpsched_enabled, \@lpsched_disabled,
        \@lpsched_printer_faults);

    # -- printer faults
    put_usual_list_out( "<------ Table of printer faults by print server ------>",
                        \%lpsched_server_printer_fault_table);
    # -- printer faults by printer
    put_usual_list_out( "<------ Table of printer faults by printer ------>",
                        \%lpsched_printer_fault_table);
    # -- host vs requested printer table via bsd_gw
    put_usual_list_out( "<------ Table of printer requests, src machine to server/printer as per bsd-gw daemon ------>",
\%bsd_gw_host_vs_printer_table);
    # -- host vs requested printer table via lp
    put_usual_list_out( "<------ Table of printer requests, src machine to server/printer as per lp command ------>",
                        \%lp_host_vs_printer_table);
    # -- host vs requested printer table via lpr
    put_usual_list_out( "<------ Table of printer requests, src machine to server/printer as per lpr daemon ------>",
                        \%lpr_host_vs_printer_table);
    # -- lpsched table of dispatches in syslog
    put_usual_list_out( "<------ Detailed list DISPATCH commands logged by lpsched. ------>",
                        \%lpsched_dispatch_table);

    ## -- messages logged by printers to syslog  (12 counters, one per %d)
    @Headers = ( "<------------------------ Messages logged by printers -------------------------->",
                 " idle other ",
                 "power mem error off- paper ink output cover paper time connection connect.",
                 " up out cleared line out out full open jam -out aborted problem");
    put_unique_table_out( "%5d %4d %5d %5d %5d %5d %5d %5d %5d %5d %6d %6d\n", \@Headers,
        \@printer_power_up, \@printer_memory_out, \@printer_cleared, \@printer_offline,
        \@printer_paper_out, \@printer_ink_low, \@printer_output_full, \@printer_door_open,
        \@printer_paper_jam, \@printer_idle_timeout, \@printer_aborted, \@printer_access_other);

    ## second set of printer output - Major Alerts
    ## (hostname changes and access-denied events on a printer are worth a look;
    ##  they are the only configuration-tampering signal this report has for printers)
    @Headers = ( "<---- report on configuration msgs logged by printers --->",
                 "iface. ",
                 "recon- hostname access",
                 "figured changed denied");
    put_unique_table_out( "%6d %7d %6d\n", \@Headers,
        \@printer_reconfigured, \@printer_hostname, \@printer_access_denied);
    # -- printer table of disconnects and timeouts
    put_usual_list_out("<------ Detailed list of printer connection blocks and drops -------->",
                       \%printer_badconn_table);
} # END PROCESS_OUTPUT_SERVICES_PRINT

# Print the ident daemon summary (11 counters, one per %d) plus the test-ident
# server counts and the detail tables.  Counters are file-level per-machine
# arrays; the helpers are defined elsewhere in this file.
sub process_output_services_ident() {
    @Headers = ( "<------------------------- Ident Server -------------------------------------->",
                 " |various| |endpoint | kvm",
                 "daemon|daemon| conn| conn | DNS | peer|answer received| miss| not | open",
                 "starts| ends | to |refused|errors |reset|username| ERROR| hash|connected|error");
    put_unique_table_out( " %5d| %5d|%5d|%5d |%5d |%5d|%5d |%6d|%5d|%6d |%5d\n", \@Headers,
        \@ident_started, \@ident_terminating, \@ident_connect, \@ident_conn_refused,
        \@ident_dns_err, \@ident_conn_reset, \@ident_reply, \@ident_reply_err,
        \@ident_hass_miss, \@ident_endpoint_not_conn, \@ident_kvm_open);

    ##--- ident test server output
    @Headers = ( "< -- ident test server ->",
                 " Successful",
                 " Replies Errors");
    put_unique_table_out( " %6d %6d\n", \@Headers, \@tident_reply, \@tident_errors);

    # -- output errors
    put_usual_list_out("<------ Detailed list of errors as per ident daemons. ------>",
                       \%tident_err_table);
    # -- output accesses
    put_usual_list_out("<------ Detailed list of accesses AS per ident daemons. ------>",
                       \%tident_access_table);
    # -- ok, if REAL REAL nosey, list ident returned users
    #    (the table name suggests it is filled from sshd rfc931 lookups; the
    #     decoder that populates it is not in this section)
    put_usual_list_out("<------ Detailed list of user ids returned by ident daemons. ------>",
                       \%sshd_rfc931_user_table);
} #END PROCESS_OUTPUT_SERVICES_IDENT

# Print rpcbind connection counts (3 counters) and the per-source detail tables.
# The "foreign ip" table is the interesting one from a security point of view:
# rpcbind should normally only be reached from the host itself.
sub process_output_services_rpcbind() {
    ##---- output RPCBIND
    @Headers = ( "<------ connections TO services via RPCBIND ----------->",
                 "<-connections from-> pgm. not ",
                 "same ip/ foreign ip registered");
    put_unique_table_out( "%7d/ %7d %10d\n", \@Headers,
        \@rpcbind_local, \@rpcbind_foreign, \@rpc_not_registered);

    put_usual_list_out("<------------- Source of connections to rpcbind on local machine. ------------>",
                       \%RPCbind_all_src_table);
    put_usual_list_out("<------------- Detailed rpcbind connections from 127.0.0.1 ------------>",
                       \%RPCbind_127_table);
    put_usual_list_out("<------------- Detailed rpcbind connections from loopback ------------>",
                       \%RPCbind_loopback_table);
    put_usual_list_out("<------------- Detailed rpcbind connections from own ip address ------------>",
                       \%RPCbind_me_table);
    put_usual_list_out("<------------- Detailed rpcbind connections from foreign ip address ------------>",
                       \%RPCbind_foreign_table);
} # END PROCESS_OUTPUT_SERVICES_RPCBIND

# Print the xntpd/ntpd and ntpdate summary tables (11 and 12 counters) and the
# time-server detail tables.
sub process_output_services_time() {
    @Headers = ( "<------ xntpd/ntpd ----------> <----------------------- ntpdate ------------------->",
                 "start time time time misc. start Can't find no servers step adjust no_server",
                 " ups syncs sets resets signal ups time host exiting server server for_sync.");
    put_unique_table_out( "%5d %5d %4d %5d %5d %5d %6d %5d %4d %4d %7d\n", \@Headers,
        \@xntpd_startup, \@xntpd_resyncs, \@xntpd_sets, \@xntpd_resets, \@xntpd_signal_no_reset,
        \@ntpdate_startup, \@ntpdate_cant_find_host, \@ntpdate_no_servers_exit,
        \@ntpdate_steps, \@ntpdate_adjusts, \@ntpdate_no_server);

    ### --- ips synced to
    put_usual_list_out("<------------- Time servers synced to ---------------------------------->",
                       \%ntpdate_ip_sync_to_table);
    ### --- cant find time server
    put_usual_list_out("<------------- Can't find these time servers ---------------------------------->",
                       \%ntpdate_cant_find_table);

    @Headers = ( "<----------------------- ntpd/xntpd messages logged to syslog -------------------------------------------->",
                 "can't resolve unknown use offset peer precision tickadj sync connection sys network",
                 " time server filegen phaselock msgs msgs msgs msgs lost re-established event error exiting");
    put_unique_table_out( " %5d %5d %6d %5d %5d %6d %6d %5d %5d %5d %5d %5d\n", \@Headers,
        \@xntpd_count_not_resolv, \@xntpd_unknown_filegen_msg, \@xntpd_use_phaselock,
        \@xntpd_offset_msg, \@xntpd_peer_msg, \@xntpd_precision_msg, \@xntpd_tickadj_msg,
        \@xntpd_sync_lost_msg, \@xntpd_conn_re_estab, \@xntpd_sys_event, \@xntpd_exiting,
        \@xntpd_network_err);

    ### --- detail error list
    put_usual_list_out("<------------- Detailed xntpd error table ---------------------------------->",
                       \%xntpd_errors_table);
    ### --- sync to table
    put_usual_list_out("<------------- Xnptd time syncronization table ---------------------------------->",
                       \%xntpd_sync_to_table);
    ### --- peer table
    put_usual_list_out("<------------- Xnptd peers table ---------------------------------->",
                       \%xntpd_peer_table);
} #END PROCESS_OUTPUT_SERVICES_TIME

# Print the SNMP detail tables (message text, connection counts, source cross-ref).
sub process_output_services_snmp() {
    ### --- snmp msgs in log
    put_usual_list_out("<------------- SNMP messages in log --------------------------------->",
                       \%snmp_msg_table);
    ### --- snmp connections etc output
    put_usual_list_out("<------------ SNMP connection counts ---------------------------------->",
                       \%snmp_table);
    ### --- snmp connections crossref of sources
    put_usual_list_out("<------------- SNMP sources of connections --------------------------------->",
                       \%snmp_conn_xref_table);
} #END PROCESS_OUTPUT_SERVICES_SNMP

# Print the mail-service summaries: sendmail (several tables), procmail, milter,
# mimedefang and its multiplexor, PMX, pop2/pop3 and imap.  The body continues
# for several more screens after the milter comment at the end of this section.
# $Global_mach_cnt is the highest machine index (loops run 0 .. $Global_mach_cnt,
# inclusive).  The per-column counters are file-level per-machine arrays.
sub process_output_services_mail() {
    # 7 counters
    @Headers = ( "<-------------------------------------- sendmail ---------------------------------->",
                 " alias alias SMTP unable proc_list_probe",
                 " daemon file DB socket to write found wrong num",
                 "startups startups reads rebuilds problem PID of children ");
    put_unique_table_out( " %6d %5d %6d %5d %5d %5d %7d\n", \@Headers,
        \@sendmail_startup, \@sendmail_daemon_startup, \@sendmail_read_aliases,
        \@sendmail_aliase_DB_rebuild, \@sendmail_SMTP_sock_prob, \@sendmail_unable_write_pid,
        \@sendmail_proc_list_probe_cnt);

    # 11 counters: connections, TLS, timeouts, bad passwords, deliveries
    @Headers = ( "<-------------------------------- sendmail ------------------------------>",
                 "<--------------------- connections ----------------> ",
                 " <-external -> <-- secure cons --> <-delivered-> ",
                 " From time- no Bad <--- mail --> ",
                 " local/ to/ from to/ from/ fail outs cmds Pwds local/non-local");
    put_unique_table_out( "%6d/%6d/%6d %6d/%6d/%6d %5d %5d %5d %6d/%7d \n", \@Headers,
        \@conn_sendmail_local, \@conn_sendmail_foreign, \@conn_sendmail_out,
        \@conn_sendmail_tls_server, \@conn_sendmail_tls_client, \@conn_sendmail_tls_server_fail,
        \@sendmail_timeouts, \@sendmail_no_issue_cnt, \@sendmail_bad_passwords,
        \@sendmail_sent_local, \@sendmail_sent_nonlocal);

    ## sendmail 2 now 3k  (10 counters: throttling / rejected / failed outgoing)
    @Headers = ( "<-------------------------------------- sendmail ----------------------------------->",
                 "<------- connections --------> <-- connections rejected -> <-failed Outgoing conns ->",
                 "throttle- Deferring max_conn out of max load time",
                 "RCPT flood (rate/sec) tempfail per ip disk avg. refused failed outs other");
    put_unique_table_out( " %5d %8d %6d %6d %5d %8d %7d %5d %5d %5d \n", \@Headers,
        \@sendmail_throttle_cnt, \@sendmail_defer_con_deamon_cnt, \@sendmail_tempfailed_cnt,
        \@sendmail_max_children_cnt, \@sendmail_out_of_disk_space_cnt, \@sendmail_load_avg_cnt,
        \@sendmail_make_outgoing_refused, \@sendmail_make_outgoing_failed,
        \@sendmail_make_outgoing_timeout, \@sendmail_make_outgoing_other);

    # NOTE(review): "my @a, $b;" declares only @a; $local_index here (and in the
    # later loops of this sub) is therefore a package global, not a lexical.
    my @local_sendmail_return, $local_index;
    # "return to sender" column = returned-to-sender + sender-notified, per machine
    for ($local_index=0; $local_index <= $Global_mach_cnt; $local_index++) {
        $local_sendmail_return[$local_index] = $sendmail_return_to_sender_cnt[$local_index]+
                                               $sendmail_sender_notify_cnt[$local_index];
    }

    # 16 counters: VRFY/EXPN/ETRN ok+bad, wiz, debug, attacks, aliases, forwards,
    # delivery errors, return receipts, return/notify, postmaster notify.
    # The wiz/debug/attack columns are the SMTP-probe indicators of this report.
    @Headers = ( "<--------------------------------- sendmail ----------------------------------------------->",
                 " <---------- commands -----------> forwarded other return to ",
                 " VRFY | EXPN | ETRN | possible addrs. msgs. deliv return or notify ",
                 " ok/Bad| ok/Bad| ok/Bad| wiz|debug attacks aliased -OK-/errs errs rcpt sender/postmaster");
    put_unique_table_out( "%3d/%3d|%3d/%3d|%3d/%3d|%4d|%5d %7d %5d %4d/%4d %5d %5d %6d/%6d \n", \@Headers,
        \@conn_sendmail_verify, \@conn_sendmail_verify_bad, \@conn_sendmail_expn,
        \@conn_sendmail_expn_bad, \@conn_sendmail_etrn, \@conn_sendmail_etrn_bad,
        \@sendmail_wiz_command_cnt, \@sendmail_debug_command_cnt, \@sendmail_smtp_attack,
        \@sendmail_alias_cnt, \@sendmail_forward_cnt, \@sendmail_forward_err_cnt,
        \@sendmail_delivery_err, \@sendmail_return_receipt, \@local_sendmail_return,
        \@sendmail_postmaster_notify_cnt);

    ##sendmail section 4  (12 counters; throttle count is printed a second time here)
    @Headers = ( "<-------------------------------- sendmail ---------------------------------------->",
                 " unsafe low cannot invalid (panic)",
                 " server dir on grew create regex <------- errors------> domain lost ",
                 "throttled path space worklist file Warns header SYSERR SSL ans1 name files ");
    put_unique_table_out( " %6d %6d %5d %6d %5d %5d %6d %6d %3d %4d %6d %5d\n", \@Headers,
        \@sendmail_throttle_cnt, \@sendmail_unsafe_dir_path_cnt, \@sendmail_low_on_space_cnt,
        \@sendmail_grew_worklist_cnt, \@sendmail_cannot_create_file_cnt,
        \@sendmail_regex_warning_cnt, \@sendmail_header_problem, \@sendmail_NOQUEUE_syserr_cnt,
        \@sendmail_client_SSL_err, \@sendmail_asn1_err, \@sendmail_invalid_domain_name,
        \@sendmail_lost_files_cnt);

    ### --- full text sendmail client errors
    #     (title is missing its closing ">" - cosmetic, left as-is)
    put_usual_list_out("<------------ Details of client error msgs ----------------------------------",
                       \%sendmail_client_errs_table);

    # 5 counters: procmail problems plus sendmail check_* rejections / pre-greeting traffic
    @Headers = ( "<--------- procmail --------> <---- sendmail ---->",
                 " suspicious procmail rename check_* Msg Rejected",
                 " procmail write bogus ruleset pre-greeting",
                 " rc file errors file rejections traffic ");
    put_unique_table_out( " %6d %6d %6d %7d %7d\n", \@Headers,
        \@procmail_suspicious_rc, \@procmail_write_error, \@procmail_rename_bogus,
        \@sendmail_check_rules_errs, \@sendmail_pre_greeting_traffic_cnt);

    ## -- output summary of milter
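## -- (continued) actions as reported by sendmail (high milter debugging)
    ## Tail of process_output_services_mail: milter/procmail detail tables, then the
    ## mimedefang, multiplexor, PMX, pop2, pop3 and imap summaries.  Counters are
    ## file-level per-machine arrays; $Global_mach_cnt is the highest machine index.
    ##
    ## Fixes vs. the previous version:
    ##   * pop2 table: the array refs were passed as EOF / autologout / reset while the
    ##     header (and the %4d %4d %8d widths) read reset / EOFs / Autologouts, so the
    ##     three right-hand columns were mislabelled.  The refs now follow the header.
    ##   * "my @local_ipop2_connect, $local_index;" only declared the array; the
    ##     trailing "$local_index" was a void-context no-op.
    ##   * the pop3 connection array was declared as @local_pop3_connect but filled and
    ##     printed as @local_ipop3_connect, so the real array was an undeclared global.
    put_usual_list_out("<------------- sendmail summary of milter actions ------------------------------->",
                       \%sendmail_milter_actions_table);
    ## -- output errors returned by milter to sendmail
    put_usual_list_out("<------------- sendmail milter returned errors ---------------------------------->",
                       \%sendmail_milter_err_table);

    ##-- detailed summaries
    put_usual_list_out("<------------ sendmail timeout detailed errors ---------------------------------->",
                       \%sendmail_timeout_table);
    put_usual_list_out("<------------ sendmail header warnings and errors ------------------------------->",
                       \%sendmail_header_err_table);
    put_usual_list_out("<------------ sendmail forward detailed errors ---------------------------------->",
                       \%sendmail_forward_err_table);
    put_usual_list_out("<------------ sendmail SYSERR detailed errors ---------------------------------->",
                       \%sendmail_SYSERR_table);
    put_usual_list_out("<------------ sendmail detailed message delivery status ------------------------>",
                       \%sendmail_status_table);
    put_usual_list_out("<------------ sendmail detailed delivery ERROR messages ---------------------->",
                       \%sendmail_delivery_table);
    put_usual_list_out("<------------ sendmail detailed return to user ERROR messages -------------------->",
                       \%sendmail_return_reason_table);
    put_usual_list_out("<------------ sendmail detailed notify user or postmaster messages ------------->",
                       \%sendmail_notify_reason_table);
    put_usual_list_out("<------------ sendmail detailed errors from sendmail.cf check_* rules ------------->",
                       \%sendmail_check_rules_table);
    # SMTP AUTH logins - who is relaying through us
    put_usual_list_out("<------------ users logging into sendmail --------------------------------->",
                       \%sendmail_login_table);
    put_usual_list_out("<------------ Procmail unable to write to these files --------------------------------->",
                       \%procmail_write_err_table);
    put_usual_list_out("<------------ Procmail Renamed these files as being bogus mail files ----------------->",
                       \%procmail_bogus_file_table);
    put_usual_list_out("<------------ Procmail - suspicious rc files ----------------->",
                       \%procmail_bad_rc_file_table);

    ### --- spamassassin reports  (mimedefang: 11 counters, one per %d)
    @Headers = ( "<-------------------------------- Mimedefang ---------------------------------------->",
                 " Can't problems ",
                 " total run warns adding/ <------ special ------> <-filter fails ->",
                 "start msgs. virus about changing <--- mail handling ---> <-- in routine ->",
                 " ups scanned scanner msgs. errors headers Tempfail Discard Bounce sender recipient");
    put_unique_table_out( "%5d %7d %7d %5d %5d %5d %6d %6d %6d %6d %6d\n", \@Headers,
        \@mimedefang_startups, \@mimedefang_mail_in_by_machine_cnt, \@mimedefang_no_virus_sc,
        \@mimedefang_msg_warn, \@mimedefang_errors, \@mimedefang_smfi_hdr,
        \@mimedefang_tempfailing, \@mimedefang_discarding, \@mimedefang_bouncing,
        \@mimedefang_filter_sender, \@mimedefang_filter_recipient);

    ## -- detailed output of mimedefang_pl MDLOG msgs - virus, spam, etc
    put_usual_list_out("<------------ mimedefang_pl detailed error msgs -------------------------->",
                       \%mimedefang_pl_err_table);
    put_usual_list_out("<------------ mimedefang_pl all collected error msgs -------------------------->",
                       \%mimedefang_pl_max_err_table);
    put_usual_list_out("<------------ mimedefang detected problems/warnings ----------------------->",
                       \%MDLOG_msgs_table);
    put_usual_list_out("<------------ mimedefang - resolution of problems msgs ----------------------->",
                       \%mimedefang_filter_resolution_table);
    put_usual_list_out("<------------ mimedefang errors --------------------------------->",
                       \%mimedefang_errors_table);

    ### -- mimedefang multiplexor output  (16 counters)
    # NOTE(review): header reads "killed idle /busy" but the refs are kill_busy then
    # kill_idle; the two sub-columns may be swapped relative to the label.  Not
    # changed here because the intended order cannot be confirmed from this section.
    @Headers = ( "<--------------------------------------------- Mimedefang multiplexor ---------------------------------->",
                 " slave still Max. slave slave took too",
                 " died recvd slaves slave all no acti- slaves slaves long to exit file",
                 " check sigterm alive number slaves free vate started killed reap sending signal open",
                 "starts rules stoping SIGTERM seen busy slaves faild -OK-/fail idle /busy errors SIGTERM/SIGKILL fail");
    put_unique_table_out( "%6d %5d %7d %7d %5d %6d %6d %5d %4d/%4d %5d/%4d %5d %7d/%7d%5d\n", \@Headers,
        \@mimedefang_multi_starts, \@mimedefang_slave_died_check_rules, \@mimedefang_multi_sigterm,
        \@mimedefang_multi_general_send_sigterm, \@mimedefang_multi_max_slave,
        \@mimedefang_multi_all_slaves_busy, \@mimedefang_multi_no_free_slave,
        \@mimedefang_multi_slaves_activate_failed, \@mimedefang_multi_slaves_started,
        \@mimedefang_multi_slaves_fail_to_start, \@mimedefang_multi_kill_busy_slave,
        \@mimedefang_multi_kill_idle_slave, \@mimedefang_multi_reap_errs,
        \@mimedefang_multi_send_slave_sigterm, \@mimedefang_multi_send_slave_sigkill,
        \@mimedefang_multi_open_failure);

    ## -- detailed output of multiplexor slave stats.
    put_usual_list_out("<------------- mimedefang multiplexor slave statistics ------------>",
                       \%mimedefang_multi_slave_stats_table);
    put_usual_list_out("<------------- mimedefang multiplexor error msgs entries ------------>",
                       \%mimedefang_multi_stderr_table);

    ### --- pmx anti-spam software
    @Headers = ( "<------------------- PMX software startups --------------->");
    put_unique_table_out( "%10d\n", \@Headers, \@Pmx_manager_starts);

    ### --- pop2
    # connection count comes from inetd when the machine logs via inetd
    # ($USE_inetd_connection set), otherwise from the pop2 daemon's own records
    my @local_ipop2_connect;
    for ($local_index=0; $local_index <= $Global_mach_cnt; $local_index++) {
        $local_ipop2_connect[$local_index] = ($USE_inetd_connection[$local_index] > 0 ?
                                              $inetd_conn_pop2[$local_index] :
                                              $pop2d_conn_pop2[$local_index] );
    }
    # 6 counters, in header order: login count, bad passwords, total conns,
    # conn reset, read EOFs, Autologouts
    @Headers = ( "<------------------ pop2 ------------------------->",
                 "login bad total conn read",
                 "count passwords conns reset EOFs Autologouts");
    put_unique_table_out( "%5d %9d %5d %4d %4d %8d\n", \@Headers,
        \@ipop2d_login_cnt, \@ipop2d_bad_logins, \@local_ipop2_connect,
        \@pop2_reset, \@pop2_EOF, \@pop2d_autologout);

    ### --- pop3
    my @local_ipop3_connect;
    for ($local_index=0; $local_index <= $Global_mach_cnt; $local_index++) {
        $local_ipop3_connect[$local_index] = ($USE_inetd_connection[$local_index] > 0 ?
                                              $inetd_conn_pop3[$local_index] :
                                              $pop3d_conn_pop3[$local_index] );
    }
    # 13 counters, one per %d
    @Headers = ( "<------------------------------------ pop3 -------------------------------------------->",
                 " <-- connection counts --> sevice auto discard",
                 "login bad re- time initialized log- kill read mailbox bogus ",
                 "count pass total fused reset out pop3 SSL out -ed EOF shrank headers");
    put_unique_table_out( "%5d %4d %5d %5d %5d %4d %5d %5d %4d %4d %4d %6d %6d\n", \@Headers,
        \@pop3_login_cnt, \@pop3_bad_logins, \@local_ipop3_connect, \@pop3_refused_mism,
        \@pop3_reset, \@pop3_timeout, \@pop3_init, \@pop3_init_ssl, \@pop3_autologout,
        \@pop3_killed, \@pop3_EOF, \@pop3_mailbox_shrank, \@pop3_discard_bogus_header);

    # 8 counters: mailbox locking, quota, read-only, expunge, DNS and SSL errors
    @Headers = ( "<---------------------------- pop3 --------------------->",
                 "<- get mbox-> seize exceed <- read only ->n",
                 "<- locks -> old disk num of expunge DNS SSL",
                 "Trying Failed lock quota access ignored msgs errs");
    put_unique_table_out( "%6d %6d %5d %5d %6d %7d %4d %4d\n", \@Headers,
        \@pop3_trytoget_lock, \@pop3_locked, \@pop3_seizing_locked_mbox, \@pop3_disk_quota_ex,
        \@pop3_read_only, \@pop3_expunge_ignored, \@pop3_bad_dns_msgs, \@pop3_SSL_err);

    ## -- details
    put_usual_list_out("<------------- SSL error records for pop3 ------------>",
                       \%pop3_SSL_err_table);
    put_usual_list_out("<------------- Detailed error list of pop3 connections ------------->",
                       \%pop3_max_err_table);
    put_usual_list_out("<------------- Pop3 logins by users ------------>",
                       \%pop3_login_user_table);
    put_usual_list_out("<------------- Pop3 failed logins by users ------------>",
                       \%pop3_failed_user_table);

    #### --- imap
    my @local_imap_conn;
    for ($local_index=0; $local_index <= $Global_mach_cnt; $local_index++) {
        $local_imap_conn[$local_index] = ($USE_inetd_connection[$local_index] > 0 ?
                                          $inetd_conn_imap[$local_index] :
                                          $imapd_conn_imap[$local_index] ) ;
    }
    # 10 counters: encrypted vs plaintext password logins (ok/bad), inits, conns, etc.
    @Headers = ( "<------------------------ IMAP CONNECTIONS --------------------->",
                 " ENCRYPTED NO ENCRYPT null ",
                 " passwords password Connections cmd file ",
                 " login/ bad log/ bad initialized total # auto befor lock ",
                 " count/ pwd in#/ pwd imap/ SSL conns logout Auth errors");
    put_unique_table_out( "%6d/%4d %6d/%4d %6d/%6d %7d %5d %5d %5d\n", \@Headers,
        \@imapd_encrypt_pwd_login_cnt, \@imapd_encrypt_pwd_bad_logins, \@imapd_login_cnt,
        \@imapd_bad_logins, \@imapd_init, \@imapd_ssl_init, \@local_imap_conn,
        \@imapd_autologout, \@imapd_null_cmd, \@imapd_lock_fail);

    # 9 counters
    @Headers = ( "<------------------- IMAP CONNECTIONS ERRORS -------------------->",
                 " DNS no no ",
                 "daemon peer lookup time fatal broken such route",
                 "killed EOFs reset err outs err pipe file to host");
    put_unique_table_out( "%6d %5d %5d %6d %5d %5d %6d %5d %7d\n", \@Headers,
        \@imapd_kills, \@imapd_eofs, \@imapd_reset, \@imapd_bad_dns, \@imapd_conn_timeout,
        \@imapd_fatal, \@imapd_broken_pipe, \@imapd_no_such_file, \@imapd_no_route_2_host);

    ## -- details for imap
    put_usual_list_out("<------------- Imapd login and counts --------->",
                       \%imapd_logins_table);
    put_usual_list_out("<------------- Imapd login/source counts --------->",
                       \%imapd_login_max_table);
    put_usual_list_out("<------------- Imapd failed login/source counts --------->",
                       \%imapd_fail_login_max_table);
    put_usual_list_out("<------------- Imapd detail error output --------->",
                       \%imapd_err_max_table);
} #END PROCESS_OUTPUT_SERVICES_MAIL

# Print the root-activity summary: su/sudo/passwd plus root logins over every
# service, and the pop/imap root-login tables.  Body continues below.
sub process_output_root_logins () {
    ### -- root activity summary
    # NOTE(review): "my @a, @b;" declares only @a - the *_bad arrays on these lines
    # are package globals.  Harmless under no-strict, but worth tidying.
    my @local_root_ssh, @local_root_ssh_bad;;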
# (continues process_output_root_logins)
    # NOTE(review): as with the ssh pair above, "my @a, @b;" only makes @a lexical.
    my @local_root_ftpd, @local_root_ftpd_bad;;
    my @local_root_rsh, @local_root_rsh_bad;;
    my @local_root_rexec, @local_root_rexec_bad;;

    # Per machine, take the root ok/bad login counts from the audit records when
    # the machine is flagged as audited for that service ($USE_audit_* defined),
    # otherwise from the service daemon's own syslog records.  $j is a package global.
    for ($j=0; $j <= $Global_mach_cnt; $j++) {
        $local_root_ssh[$j]       = (defined($USE_audit_ssh[$j]) ?
                                     $audit_ssh_login_root[$j] : $sshd_ssh_login_root[$j]) ;
        $local_root_ssh_bad[$j]   = (defined($USE_audit_ssh[$j]) ?
                                     $audit_ssh_login_root_bad[$j] : $sshd_ssh_login_root_bad[$j]) ;
        $local_root_ftpd[$j]      = (defined($USE_audit_ftpd[$j]) ?
                                     $audit_ftp_login_root[$j] : $ftpd_ftp_login_root[$j]);
        $local_root_ftpd_bad[$j]  = (defined($USE_audit_ftpd[$j]) ?
                                     $audit_ftp_login_root_bad[$j] : $ftpd_ftp_login_root_bad[$j]);
        $local_root_rsh[$j]       = (defined ($USE_audit_rsh[$j]) ?
                                     $audit_rsh_login_root[$j] : $rshd_rsh_login_root[$j]) ;
        $local_root_rsh_bad[$j]   = (defined ($USE_audit_rsh[$j]) ?
                                     $audit_rsh_login_root_bad[$j] : $rshd_rsh_login_root_bad[$j]) ;
        $local_root_rexec[$j]     = (defined ($USE_audit_rexec[$j]) ?
                                     $audit_rexec_login_root[$j] : $rexecd_rexec_login_root[$j]) ;
        $local_root_rexec_bad[$j] = (defined ($USE_audit_rexec[$j]) ?
                                     $audit_rexec_login_root_bad[$j] : $rexecd_rexec_login_root_bad[$j]) ;
    }

    # 22 counters = 11 ok/bad pairs, in header order.
    # FIXME(review): the telnet pair passes \@audit_telnet_login_root TWICE, so the
    # "telnet bad" column prints the successful count and failed root telnet logins
    # are never reported - a real gap for a root-activity report.  The bad-login
    # counter for telnet is not defined in this section, so it is not substituted here.
    @Headers = ( "<--------------------------------------------- root activity -------------------------------------------------->",
                 " su - sudo root change <------------------------- login using ------------------------------------------>",
                 " attempts attempts passwd ssh ftp rsh rexec rlogin telnet console admin(smc)",
                 " OK/ bad OK/ bad ok/ bad ok/ bad ok/ bad ok/ bad ok/ bad ok/ bad ok/ bad ok/ bad ok/ bad ");
    put_unique_table_out( "%4d/%4d %4d/%4d %4d/%4d %4d/%5d %4d/%4d %4d/%4d %4d/%4d %4d/%4d %4d/%4d %4d/%4d %4d/%4d\n", \@Headers,
        \@su_su_root, \@su_su_root_bad,
        \@sudo_root, \@sudo_root_bad,
        \@audit_passwd_change_root, \@audit_passwd_change_root_bad,
        \@local_root_ssh, \@local_root_ssh_bad,
        \@local_root_ftpd, \@local_root_ftpd_bad,
        \@local_root_rsh, \@local_root_rsh_bad,
        \@local_root_rexec, \@local_root_rexec_bad,
        \@audit_rlogin_login_root, \@audit_rlogin_login_root_bad,
        \@audit_telnet_login_root, \@audit_telnet_login_root,
        \@audit_console_login_root, \@audit_console_login_root_bad,
        \@audit_admin_login_root, \@admin_bad_root_login);

    # root logins over pop2 / pop3 / pop3-over-SSL (6 counters)
    @Headers = ( "<--------------- ROOT LOGINS ------------------>",
                 "<---- pop2 ---> <------------- pop3 ------------>",
                 " <--- SECURE -->",
                 "login/ bad login/ bad login/ bad ",
                 "count/passwords count/passwords count/passwords");
    put_unique_table_out( "%5d/%9d %5d/%9d %5d/%9d\n", \@Headers,
        \@ipop2d_root_login_cnt, \@ipop2d_root_bad_logins,
        \@pop3_root_login_cnt, \@pop3_root_bad_logins,
        \@pop3_root_secure_login_cnt, \@pop3_root_secure_bad_logins);

    # root logins over imap, encrypted vs plaintext password (4 counters)
    @Headers = ( "<- IMAP ROOT LOGINS ->",
                 "ENCRYPT-pwd no-encrypt",
                 " log/ bad log/ bad ",
                 " in#/ pwd in#/ pwd ");
    put_unique_table_out( "%5d/%5d %5d/%5d \n", \@Headers,
        \@imapd_root_encrypt_pwd_login_cnt, \@imapd_root_encrypt_pwd_bad_logins,
        \@imapd_root_login_cnt, \@imapd_root_bad_logins);
} # END PROCESS_OUTPUT_ROOT_LOGINS

# Print the radius server summary (switch authentications) and its detail tables.
sub process_output_radius_server () {
    # $m_head_x01 = substr("switch ",0,$OUTPUT_MACHINE_FIELD_SIZE);
    # $m_head_x02 = substr(" group ",0,$OUTPUT_MACHINE_FIELD_SIZE);

    # two spellings of the ready message are counted separately; report the larger
    my @local_radius_startup;
    for ($j=0; $j <= $Global_mach_cnt; $j++) {
        $local_radius_startup[$j] = $radius_ready[$j]>$radius_Ready[$j] ?
                                    $radius_ready[$j] : $radius_Ready[$j];
    }

    # per server: 6 counters
    @Headers = ( "Report on connections to our switches authenticated via radius server daemon.",
                 " attempts radius radius request from",
                 " to connect malformed server server unknown",
                 " OK / bad usernames restart errors client");
    put_unique_table_out( "%4d/%4d %3d %7d %6d %6d\n", \@Headers,
        \@radius_ok_on_server, \@radius_bad_on_server, \@radius_malformed_user_on_server,
        \@local_radius_startup, \@radius_server_err, \@radius_unknown_client);

    ## now by client  (3 counters)
    @Headers = ( "<--- Connections to switches for authentication --->",
                 " attempts ",
                 " to connect malformed",
                 " OK / bad usernames");
    put_unique_table_out( " %5d/ %5d %5d \n", \@Headers,
        \@radius_ok, \@radius_bad, \@radius_malformed_user);

    ## -- if present, we output radius msg table - bad logins, ok logins
    put_usual_list_out("<------------ OK Logins for all Radius Servers ----------->",
                       \%radius_loginok_table);
    put_usual_list_out("<------------ Bad Logins for all Radius Servers ----------->",
                       \%radius_inv_table);
    # requests from NAS clients not in the server's client list
    put_usual_list_out("<------------ Unknown clients for all Radius Servers ----------->",
                       \%radius_unknown_client_table);
    put_usual_list_out("<------------ Malformed client names for all Radius Servers ----------->",
                       \%radius_malformed_client_table);
    put_usual_list_out("<------------ Full radius server error messages for all Radius Servers ----------->",
                       \%radius_server_err_table);
} #END PROCESS_OUTPUT_RADIUS_SERVER

# Print the per-hour login tables (the -T option; only when $TIMES_OUTPUT is set).
# Each table is a hash filled at decode time; services audited via the audit
# daemon and via their own daemon get separate tables.
sub process_output_logins_per_hour () {
    ###
    ## next section outputs events per 1 hour time period.
    ###
    if ($TIMES_OUTPUT) {
        put_usual_list_out("<------------ Console Logins per Hour Period -------------->",
                           \%Time_audit_console_table);
        put_usual_list_out("<------------ SSH Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_ssh_table);
        put_usual_list_out("<------------ SSH Logins per Hour Period - per ssh daemon -------------->",
                           \%Time_daemon_ssh_table);
        put_usual_list_out("<------------ Telnet Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_telnet_table);
        put_usual_list_out("<------------ FTP Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_ftp_table);
        put_usual_list_out("<------------ FTP Logins per Hour Period - per ftpd daemon -------------->",
                           \%Time_daemon_ftp_table);
        put_usual_list_out("<------------ RSH Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_rsh_table);
        put_usual_list_out("<------------ RSH Logins per Hour Period - per rshd daemon -------------->",
                           \%Time_daemon_rsh_table);
        put_usual_list_out("<------------ Rlogin Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_rlogin_table);
        put_usual_list_out("<------------ Rexec Logins per Hour Period - per audit daemon -------------->",
                           \%Time_audit_rexec_table);
        put_usual_list_out("<------------ Rexec Logins per Hour Period - per rexecd daemon -------------->",
                           \%Time_daemon_rexecd_table);
        put_usual_list_out("<------------ POP2 Logins per Hour Period -------------->",
                           \%Time_daemon_ipop2d_table);
        put_usual_list_out("<------------ POP3 Logins per Hour Period -------------->",
                           \%Time_daemon_pop3_table);
        put_usual_list_out("<------------ IMAP Logins per Hour Period - Unencrypted -------------->",
                           \%Time_daemon_imapd_nonencrypted_table);
        put_usual_list_out("<------------ IMAP Logins per Hour Period - Encrypted -------------->",
                           \%Time_daemon_imapd_encrypted_table);
    } ## end of Times output
} #END PROCESS_OUTPUT_LOGINS_PER_HOUR
###########################################################################
#
# next sections each deal with a specific entries from the log file.
# I put them here to be easy to deal with, and to make the above
# mess of ifs readable. This breaks on the 5th field (field 4 in perl)
# with each section decoding one type of record.
# When a record is recognized (all the rec, not just field 5) the flag
# $major_type_found is set to 1. and stats are accumulated, if any.
#
# Decoder conventions used by every Decode_*_init / Decode_* pair below:
#   $syslog_data        - array ref of the current record's message fields
#   $host_index         - index of the machine the record came from
#   $EVENT_TIMES        - amount added to a counter per record (presumably the
#                         repeat count of the message - confirm against the reader)
#   $DETAILED_OUTPUT, $REAL_REAL_DETAILED_OUTPUT, $STUPID_OUTPUT - the -d/-D level flags
#   add_usual_list_out(\%table, N) - record the message text in a detail table
#                         (N presumably selects the first field kept - confirm)
# The decode tables are hashes of closures keyed on the record's first field;
# keys prefixed "1-" are tried against the second field when the first does not match.
# All of these names are package globals.
#
###############################################################################

# Build the dispatch table for MIMEDefang (main daemon) syslog records.
sub Decode_mimedefang_init { ## Solaris - sparc
    # "MIMEDefang alive." = daemon startup
    $decode_mimedefang_table{"MIMEDefang" } = sub {
        if ( $syslog_data->[1] eq "alive.") {
            $mimedefang_startups[$host_index]+=$EVENT_TIMES;
            $major_type_found=1;return;
        }
    };
    $decode_mimedefang_table{"Error" } = sub {
        $mimedefang_errors[$host_index]+=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_errors_table,0); }
        $major_type_found=1; return;
    };
    # recognised but not counted
    $decode_mimedefang_table{"Multiplexor" } = sub { $major_type_found=1;return; };
    $decode_mimedefang_table{"MXCommand:" } = sub {
        $mimedefang_errors[$host_index]+=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_errors_table,0); }
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"mfconnect:" } = sub {
        $mimedefang_errors[$host_index]+=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_errors_table,0); }
        $major_type_found=1; return;
    };

    ## --- second field decode - used if first not matches, as it might be mail msg id
    $decode_mimedefang_table{"1-Bouncing" } = sub {
        $mimedefang_bouncing[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-Discarding" } = sub {
        $mimedefang_discarding[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-mi_stop=1" } = sub { $major_type_found=1; return; };
    # detail table entries for these start at field 1 (field 0 is the message id)
    $decode_mimedefang_table{"1-Overlong" } = sub {
        $mimedefang_errors[$host_index]+=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) {
            add_usual_list_out(\%mimedefang_errors_table,1);
        }
        $major_type_found=1; return;
    };
    # the three smfi_* header/body modifications share one counter
    $decode_mimedefang_table{"1-smfi_addheader" } = sub {
        $mimedefang_smfi_hdr[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-smfi_chgheader" } = sub {
        $mimedefang_smfi_hdr[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-smfi_replacebody" } = sub {
        $mimedefang_smfi_hdr[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-Tempfailing" } = sub {
        $mimedefang_tempfailing[$host_index]+=$EVENT_TIMES;
        $major_type_found=1; return;
    };
    $decode_mimedefang_table{"1-WARNING:" } = sub {
        $mimedefang_msg_warn[$host_index]+=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_errors_table,1); }
        $major_type_found=1; return;
    };
} ## end decode mimedefang_init

# Dispatch one MIMEDefang record: first on field 0, then on "1-" . field 1.
# Returns as soon as a handler sets $major_type_found.  $thiskey is a package
# global.  A record whose first field literally equals a "1-..." key would hit
# the second-field handler on the first lookup; harmless for this data.
sub Decode_mimedefang { ## Solaris - sparc
    if (defined $decode_mimedefang_table{$syslog_data->[0]}) {
        &{$decode_mimedefang_table{$syslog_data->[0]}}();
        if ($major_type_found) {return;}
    }
    $thiskey = join("-","1",$syslog_data->[1]); ## second field as key..
    if (defined $decode_mimedefang_table{$thiskey}) {
        &{$decode_mimedefang_table{$thiskey}}();
        if ($major_type_found) {return;}
    }
}

# Build the dispatch table for mimedefang.pl (the Perl filter) syslog records.
# Most entries only mark the record as recognised so it is not reported as unknown.
sub Decode_mimedefang_pl_init { ## Solaris - sparc
    $decode_mimedefang_pl_table{"..." } = sub { #misc added header to show err
        if ($STUPID_OUTPUT) { add_usual_list_out(\%mimedefang_pl_max_err_table,0); }
        $major_type_found=1;return;
    };
    $decode_mimedefang_pl_table{"action_replace_with_warning" } = sub { $major_type_found=1;return; }; #called out of filter context
    $decode_mimedefang_pl_table{"bad" } = sub { $major_type_found=1;return; }; #bad helo name
    $decode_mimedefang_pl_table{"IP" } = sub { $major_type_found=1;return; }; #IP instead of named/in rev.
lookup of name $decode_mimedefang_pl_table{"HELO" } = sub { $major_type_found=1;return; }; #HELO clains to be us/an IP $decode_mimedefang_pl_table{"filter:" } = sub { if (index($syslog_data->[$#$syslog_data],"=") > 0 ) { $syslog_data->[$#$syslog_data] = substr($syslog_data->[$#$syslog_data],0,index($syslog_data->[$#$syslog_data],"=")) ; } (@line_list) = (@{$syslog_data}[2 .. $#$syslog_data]); $this_field_name = join("-",(@line_list)); add_list_out($this_field_name, $host_index, $EVENT_TIMES, \%mimedefang_filter_resolution_table, (@line_list)); $major_type_found=1; return; }; $decode_mimedefang_pl_table{"filter_sender" } = sub { $mimedefang_filter_sender[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; }; # $decode_mimedefang_pl_table{"filter_recipient" } = sub { $mimedefang_filter_recipient[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; }; # $decode_mimedefang_pl_table{"md_graphdefang_log" } = sub { $major_type_found=1;return; }; # $decode_mimedefang_pl_table{"Message" } = sub { $major_type_found=1;return; }; #Message contains multiplte headers $decode_mimedefang_pl_table{"name" } = sub { $major_type_found=1;return; }; # $decode_mimedefang_pl_table{"Problem" } = sub { if ( $syslog_data->[1] eq "running" && $syslog_data->[2] eq "virus") { $mimedefang_no_virus_sc[$host_index]+=$EVENT_TIMES; } if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_pl_err_table,0); } $major_type_found=1; return; }; $decode_mimedefang_pl_table{"Virus" } = sub { $major_type_found=1;return; }; #Virus delted msg } ## end decode mimedefang_pl_init sub Decode_mimedefang_pl { ## Solaris - sparc if (defined $decode_mimedefang_pl_table{$syslog_data->[0]}) { &{$decode_mimedefang_pl_table{$syslog_data->[0]}}(); if ($major_type_found) {return;} } ### count MDLOG lines, with reject msgs such as spam/virus lines only if present. if ( substr($syslog_data->[0],0,6) eq "MDLOG,"){ ## OK, see what we have here (@line_list) = (@{$syslog_data}[0 .. 
$#$syslog_data]); $line = join(" ",@line_list); @s_keys = split(/,/,$line); if ( $s_keys[2] eq "mail_in") { # startup - count as per regular mimedefang.pl output $mimedefang_mail_in_by_machine_cnt[$host_index]+=$EVENT_TIMES; # number per each reportable unit $major_type_found=1; return; } ## for anything else we find in parm 2, record counts in varible table. if ( $s_keys[2] ne "") { # gotcha add_var_list_out(\%MDLOG_msgs_table, $s_keys[2] ); $major_type_found=1; return; } $major_type_found=1; return; } } sub Decode_mimedefang_multiplexor_init { ## Solaris - sparc $decode_mimedefang_multiplexor_table{"All" } = sub { if ( $syslog_data->[1] eq "slaves" && $syslog_data->[3] eq "busy") { $mimedefang_multi_all_slaves_busy[$host_index]+=$EVENT_TIMES; } $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"Could" } = sub { if ( $syslog_data->[1] eq "not" && $syslog_data->[2] eq "start" && $syslog_data->[3] eq "slave" ) { $mimedefang_multi_slaves_fail_to_start[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_multi_stderr_table,0); } $major_type_found=1; return; } if ( $syslog_data->[1] eq "not" && $syslog_data->[2] eq "open" ) { $mimedefang_multi_open_failure[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out(\%mimedefang_multi_stderr_table,0); } $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Killing" } = sub { if ( $syslog_data->[2] eq "slave" && $syslog_data->[3] > $mimedefang_multi_max_slave[$host_index]) { $mimedefang_multi_max_slave[$host_index] = $syslog_data->[3]; if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } } if ( $syslog_data->[1] eq "busy" && 
$syslog_data->[2] eq "slave") { $mimedefang_multi_kill_busy_slave[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } $major_type_found=1; return; } if ( $syslog_data->[1] eq "idle" && $syslog_data->[2] eq "slave") { $mimedefang_multi_kill_idle_slave[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Killed" } = sub { if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"No" } = sub { if ( $syslog_data->[1] eq "free" && $syslog_data->[2] eq "slaves") { $mimedefang_multi_no_free_slave[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Reap:" } = sub { if ( $syslog_data->[2] eq "slave" && $syslog_data->[3] > $mimedefang_multi_max_slave[$host_index]) { $mimedefang_multi_max_slave[$host_index] = $syslog_data->[3]; } if ( $syslog_data->[$#$syslog_data-1] eq "as" && $syslog_data->[$#$syslog_data] eq 
"expected.") { if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } $major_type_found=1; return; } if ( ($syslog_data->[6] eq "exited" && $syslog_data->[7] eq "normally") || ($syslog_data->[5] eq "exited" && $syslog_data->[6] eq "normally")) { if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT ) { if ($syslog_data->[1] eq "slave") { $syslog_data->[2] = "-num-"; $syslog_data->[4] = "##)";} if ($syslog_data->[2] eq "slave") { $syslog_data->[3] = "-num-"; $syslog_data->[5] = "##)";} add_usual_list_out(\%mimedefang_multi_stderr_table,0); } } $major_type_found=1; return; } $mimedefang_multi_reap_errs[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { $i_start=2 ; $i_end = $#$syslog_data-3; for ($i = $i_start; $i <= $i_end; $i++) { if ( $syslog_data->[$i] eq "slave" && $syslog_data->[$i+2] eq "(pid" ) { $i_end = $i+1; $syslog_data->[$i+1]="-slave no-"; $syslog_data->[$i+3]="###)"; last; } } add_usual_list_out(\%mimedefang_multi_stderr_table,0); } $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"Received" } = sub { if ( $syslog_data->[1] eq "SIGTERM:" && $syslog_data->[2] eq "Stopping") { $mimedefang_multi_sigterm[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Slave" } = sub { if ( $syslog_data->[1] > $mimedefang_multi_max_slave[$host_index]) { $mimedefang_multi_max_slave[$host_index] = $syslog_data->[1]; } if ( $syslog_data->[2] eq "died" && $syslog_data->[3] eq "prematurely" && $syslog_data->[5] eq "check" && $syslog_data->[8] eq "rules" ){ $mimedefang_slave_died_check_rules[$host_index]+=$EVENT_TIMES; 
$major_type_found=1; return; } if ( $syslog_data->[2] eq "resource") { ## resource usage if ($DETAILED_OUTPUT) { for ($i=4; $i <= $#$syslog_data; $i++) { if (substr($syslog_data->[$i],-1,1) eq ",") { $syslog_data->[$i]=substr($syslog_data->[$i],0,length($syslog_data->[$i])-1); } $eq_ptr = index($syslog_data->[$i],"="); if ($eq_ptr > 0){ $this_field_name = substr($syslog_data->[$i],0,$eq_ptr); $this_value = substr($syslog_data->[$i],$eq_ptr+1)+0; add_list_out($this_field_name, $host_index, $this_value, \%mimedefang_multi_slave_stats_table, $this_field_name); } } } $major_type_found=1; return; } if ( $syslog_data->[2] eq "stderr:") { $mimedefang_multi_slave_stderr[$host_index]+=$EVENT_TIMES; ### add detail output here of msgs. Change number strings to ### and ### also strings starting with / following word "file" to be -FILENAME- ### and .. need to drop file name for tempfile for lockfile.. ### and if it starts Slave # stderr: drop slave no. if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out(\%mimedefang_multi_stderr_table,0); } else { if ($DETAILED_OUTPUT) { $syslog_data->[1] = "-num-"; ## slave number $this_key=""; my(@key_list); for ($i=3, $j=0; $i <= $#$syslog_data;$j++, $i++) { $add = $syslog_data->[$i]; $add =~ s/^[.\d]+$/'###'/ge; ## need . for "line 307." if (index($syslog_data->[$i],"/") >= 0) {## use any / as file marker - may be truncated rec. 
$add = "-FILE-"; } # if ($syslog_data->[$i-1] eq "at" && substr($add,0,1) eq '/'){ # $add = "-FILE-"; # } # if ($syslog_data->[$i-1] eq "file" && substr($add,0,1) eq '/'){ # $add = "-FILE-"; # } # if ($syslog_data->[$i-1] eq "lockfile" && substr($add,0,1) eq '/'){ # $add = "-FILE-"; # } # if ( $syslog_data->[$i-1] eq "for" && ## seeems more than just this$syslog_data->[$i-3] eq "lockfile" && # substr($add,0,1) eq '/'){ # $add = "-FILE-"; # } $key_list[$j]=$add; $this_key=join("-",$this_key, $add); } add_list_out($this_key, $host_index, $EVENT_TIMES, \%mimedefang_multi_stderr_table, (@key_list) ); } } $major_type_found=1; return; } if ( $syslog_data->[4] eq "taking" && $syslog_data->[5] eq "too" ){ ## too long to exit $mimedefang_multi_send_slave_sigterm[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[4] eq "taking" && $syslog_data->[6] eq "too" ){ ## too long to exit $mimedefang_multi_send_slave_sigkill[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Starting" } = sub { if ($syslog_data->[1] eq "slave" && $syslog_data->[2] > $mimedefang_multi_max_slave[$host_index]) { $mimedefang_multi_max_slave[$host_index] = $syslog_data->[2]; } $mimedefang_multi_slaves_started[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"started;" } = sub { $mimedefang_multi_starts[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"stats" } = sub { $major_type_found=1; return; }; $decode_mimedefang_multiplexor_table{"Still" } = sub { if ( $syslog_data->[1] eq "some" && $syslog_data->[2] eq "slaves") { $mimedefang_multi_general_send_sigterm[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_mimedefang_multiplexor_table{"Unable" } = sub { if ( $syslog_data->[2] eq "activate" && $syslog_data->[3] eq "slave") { $mimedefang_multi_slaves_activate_failed[$host_index]+=$EVENT_TIMES; $major_type_found=1; 
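return;
        }
    };
} ## end decode mimedefang_multiplexor_init

## Decode one mimedefang-multiplexor record (fields in @$syslog_data).
## Dispatch is on the first field through %decode_mimedefang_multiplexor_table;
## two message shapes that have no stable leading word are matched on their
## last two fields instead ("... timed out", "... Broken pipe"). Sets
## $major_type_found when the record is consumed; a record that matches
## nothing is left unflagged so the caller reports it as unrecognized.
## Detail lines (-DD) go to %mimedefang_multi_stderr_table; the numeric
## second argument of add_usual_list_out() is passed through unchanged.
sub Decode_mimedefang_multiplexor { ## Solaris - sparc
    my $first_word = $syslog_data->[0];
    if ( defined $decode_mimedefang_multiplexor_table{$first_word} ) {
        $decode_mimedefang_multiplexor_table{$first_word}->();
        return if $major_type_found;
    }

    my $last  = $#$syslog_data;
    my $tail1 = $syslog_data->[ $last - 1 ];
    my $tail2 = $syslog_data->[$last];

    if ( $tail1 eq "timed" && $tail2 eq "out" ) {
        ## Fixed: this branch called add_list_out(\%table, 0), which is the
        ## two-argument signature of add_usual_list_out(); add_list_out()
        ## takes (key, host_index, count, table_ref, key_list) everywhere
        ## else in this file, so the -DD detail for "timed out" records was
        ## recorded under the table reference as its key. Now matches the
        ## "Broken pipe" branch below.
        if ($REAL_DETAILED_OUTPUT) {
            add_usual_list_out( \%mimedefang_multi_stderr_table, 0 );
        }
        $major_type_found = 1;
        return;
    }

    if ( $tail1 eq "Broken" && $tail2 eq "pipe" ) {
        if ($REAL_DETAILED_OUTPUT) {
            add_usual_list_out( \%mimedefang_multi_stderr_table, 1 );
        }
        $major_type_found = 1;
        return;
    }
}

## Decode procmail records. Three messages are counted per host, and under
## -DD the file name mentioned in the record (taken verbatim from the log
## line, so untrusted text) is recorded in a detail table:
##   "Error while writing ..."  -> @procmail_write_error,  detail = field 4
##   "Renamed bogus ..."        -> @procmail_rename_bogus, detail = field 2
##   "Suspicious rcfile ..."    -> @procmail_suspicious_rc, detail = field 2
## The last one is the security-relevant entry: procmail declining to trust
## a user's rcfile (presumably on ownership/permission grounds -- confirm
## against procmail(1)); a non-zero count is worth a look. Anything else is
## left unflagged so the caller reports it as unrecognized.
sub Decode_procmail { #V2.2 ## Solaris - sparc
    my ( $w0, $w1, $w2 ) = @{$syslog_data}[ 0 .. 2 ];

    if ( $w0 eq "Error" && $w1 eq "while" && $w2 eq "writing" ) {
        $procmail_write_error[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) {
            ## field 4 is presumably the file after "writing to" -- confirm
            add_var_list_out( \%procmail_write_err_table, $syslog_data->[4] );
        }
        $major_type_found = 1;
        return;
    }

    if ( $w0 eq "Renamed" && $w1 eq "bogus" ) {
        $procmail_rename_bogus[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) {
            add_var_list_out( \%procmail_bogus_file_table, $syslog_data->[2] );
        }
        $major_type_found = 1;
        return;
    }

    if ( $w0 eq "Suspicious" && $w1 eq "rcfile" ) {
        $procmail_suspicious_rc[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) {
            add_var_list_out( \%procmail_bad_rc_file_table, $syslog_data->[2] );
        }
        $major_type_found = 1;
        return;
    }

    return;
} ## end of decode procmail

sub Decode_imapd_init { ## Solaris - sparc
    ## set flag to show if process is secure or not, by process number.
    ## tell by inetd record what services started.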
$decode_imapd_table{"authdes_refresh:" } = sub { $major_type_found=1;return; };

## "Authenticated user=NAME ..." -- a login that went through an
## AUTHENTICATE mechanism; counted in the "encrypted password" column, as
## opposed to the plaintext "Login" records handled further down.
$decode_imapd_table{"Authenticated" } = sub {
    $major_type_found = 1;
    ## NOTE(review): $rec_pid is computed but nothing in this handler reads
    ## it (presumably the process number out of the "imapd[NNNN]:" tag in
    ## $syslog_rec->[4] -- confirm); dead code as far as this sub goes.
    $rec_pid=substr($syslog_rec->[4],6);
    $rec_pid = substr($rec_pid,0,length($rec_pid)-2);
    $imapd_encrypt_pwd_login_cnt[$host_index]+=$EVENT_TIMES;
    if ($TIMES_OUTPUT) {
        ## hour-of-day bucket: first two characters of the timestamp field
        add_var_list_out(\%Time_daemon_imapd_encrypted_table, substr($syslog_rec->[2],0,2));
    }
    ## exact token match: only "user=root" counts, "user=root2" does not
    if ($syslog_data->[1] eq "user=root") { $imapd_root_encrypt_pwd_login_cnt[$host_index]+=$EVENT_TIMES; }
    if ($REAL_REAL_DETAILED_OUTPUT) {
        ## per-user login table (-DD): the text after "user=", verbatim from the log
        $this_key =substr($syslog_data->[1],5);
        add_list_out($this_key, $host_index, $EVENT_TIMES, \%imapd_logins_table, $this_key );
    }
    if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_login_max_table,1);}
    return;
};

## A failed AUTHENTICATE produces two records: a regular "Login failed" one
## (counted by the "Login" handler below) and an "AUTHENTICATE LOGIN failure"
## one. To avoid double counting, this handler moves the event from the
## plaintext-failure counters to the encrypted-failure counters by
## subtracting it from the former.
## NOTE(review): that bookkeeping assumes the paired "Login failed" record
## was also seen by this run. If it was not -- lost, dropped through
## -skipfile, or outside the log window -- $imapd_bad_logins (and the root
## variant) go negative and the failed-login total is understated. A
## negative value in those columns is the symptom to look for.
$decode_imapd_table{ "AUTHENTICATE" } = sub {
    if ( $syslog_data->[1] eq "CRAM-MD5" && $syslog_data->[2] eq "invalid" && substr($syslog_data->[3],0,4) eq "host") {
        ## "AUTHENTICATE CRAM-MD5 invalid host..." -- recognized, not counted
        $major_type_found = 1;
        return;
    }
    if ( $syslog_data->[2] eq "failure") {
        $major_type_found = 1;
        $imapd_encrypt_pwd_bad_logins[$host_index]+=$EVENT_TIMES;
        $imapd_bad_logins[$host_index]-=$EVENT_TIMES; ## undo the "Login failed" count for the same attempt
        ## NOTE(review): field 1 is compared with "user=root", but the record
        ## shape described above ("AUTHENTICATE LOGIN failure ...") would put
        ## the user token later in the line, in which case failed root
        ## AUTHENTICATEs are never moved to the root column. Confirm against
        ## a real record before relying on the root figures here.
        if ($syslog_data->[1] eq "user=root") {
            $imapd_root_encrypt_bad_logins[$host_index]+=$EVENT_TIMES;
            $imapd_root_bad_logins[$host_index]-=$EVENT_TIMES;
        }
        if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_fail_login_max_table,0);}
        return;
    }
};

$decode_imapd_table{ "Autologout" } = sub {
    $major_type_found = 1;
    $imapd_autologout[$host_index]+=$EVENT_TIMES;
    if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);}
    return;
};

## "Broken pipe, ..." -- marked recognized whatever field 1 is; only the
## counter is conditional on the literal "pipe,".
$decode_imapd_table{ "Broken" } = sub {
    $major_type_found = 1;
    if ($syslog_data->[1] eq "pipe," ) { $imapd_broken_pipe[$host_index]+=$EVENT_TIMES; }
    return;
};

## "Command stream end of file, ..." -- the condition continues on the next line.
$decode_imapd_table{ "Command" } = sub {
    if ( $syslog_data->[1] eq "stream" && $syslog_data->[2] eq "end" &&
$syslog_data->[3] eq "of" && $syslog_data->[4] eq "file," ) { if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $imapd_eofs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_imapd_table{"connect" } = sub { $imapd_conn_imap[$host_index]+=$EVENT_TIMES; if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $major_type_found = 1; return; } ; $decode_imapd_table{"Connection" } = sub { if ( $syslog_data->[1] eq "reset" && $syslog_data->[2] eq "by" && $syslog_data->[3] eq "peer," ) { ##V2.0 if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $imapd_reset[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "timed" && $syslog_data->[2] eq "out," ) { ##V2.0 $imapd_conn_timeout[$host_index]+=$EVENT_TIMES; if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $major_type_found = 1; return; } }; $decode_imapd_table{ "DEBUG"} = sub {$major_type_found = 1;return;}; ## ou special $decode_imapd_table{ "imap"} = sub { if ( $syslog_data->[2] eq "init") { $imapd_init[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_imapd_table{ "Fatal" } = sub { if ($syslog_data->[0] eq "Fatal" && $syslog_data->[1] eq "mailbox" && $syslog_data->[2] eq "error") { if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $imapd_fatal[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } return; }; $decode_imapd_table{"imaps"} = sub { if ($syslog_data->[1] eq "SSL") { $imapd_ssl_init[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_imapd_table{"Killed"} = sub { $imapd_kills[$host_index]+=$EVENT_TIMES; if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $major_type_found = 1; return; }; $decode_imapd_table{"Login"} = sub { ## plaintext login and passwd $major_type_found = 1; if ($syslog_data->[1] eq "failed" ) { if ($BAD_IP_OUT) { add_imapd_bad_ip_out_imap ();} $imapd_bad_logins[$host_index]+=$EVENT_TIMES; ## add 1 to 
INsecure connection, plain bad passwd if ($syslog_data->[2] eq "user=root") { $imapd_root_bad_logins[$host_index]+=$EVENT_TIMES; } } else { $imapd_login_cnt[$host_index]+=$EVENT_TIMES; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_imapd_nonencrypted_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[1] eq "user=root") { $imapd_root_login_cnt[$host_index]+=$EVENT_TIMES; } } return; }; $decode_imapd_table{"Logout"} = sub {$major_type_found = 1; return; }; $decode_imapd_table{"Mailbox"} = sub {if ($syslog_data->[1] eq "lock" && $syslog_data->[2] eq "file") { $major_type_found = 1;return;} }; $decode_imapd_table{"Missing"} = sub { if ($syslog_data->[1] eq "command" && $syslog_data->[2] eq "before" && $syslog_data->[3] eq "authentication") { $major_type_found = 1;return; } }; $decode_imapd_table{"Moved"} = sub {$major_type_found = 1; return; }; $decode_imapd_table{"No" } = sub { if ($syslog_data->[1] eq "such" && $syslog_data->[2] eq "file" && $syslog_data->[3] eq "or") { if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $imapd_no_such_file[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } if ($syslog_data->[1] eq "route" && $syslog_data->[2] eq "to" && $syslog_data->[3] eq "host,") { ##V2.0 $major_type_found = 1; $imapd_no_route_2_host[$host_index]+=$EVENT_TIMES; } return; }; $decode_imapd_table{"Null"} = sub { if ($syslog_data->[1] eq "command" && $syslog_data->[2] eq "before" && $syslog_data->[3] eq "authentication") { $imapd_null_cmd[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return; } }; $decode_imapd_table{"port"} = sub { $major_type_found = 1;return; }; $decode_imapd_table{"refused"} = sub { if ($syslog_data->[1] eq "connect" && $syslog_data->[2] eq "from" && $syslog_data->[$#syslog_data-1] eq "(name/address") { if ($STUPID_OUTPUT) {add_usual_list_out(\%imapd_err_max_table,0);} $imapd_bad_dns[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } return; }; $decode_imapd_table{"SSL"} = sub { if ($syslog_data->[1] eq "error" 
&& $syslog_data->[2] eq "status") { $major_type_found = 1;return;} if ($syslog_data->[1] eq "error" && $syslog_data->[2] eq "status:") { $major_type_found = 1;return;} }; $decode_imapd_table{"Unable"} = sub { if ( $syslog_data->[1] eq "to" && $syslog_data->[2] eq "accept" && $syslog_data->[3] eq "SSL" && $syslog_data->[4] eq "connection,") { $major_type_found = 1;return;} }; $decode_imapd_table{"Unexpected"} = sub { if ( $syslog_data->[1] eq "file" && $syslog_data->[2] eq "locking" && $syslog_data->[3] eq "failure:" ) { $imapd_lock_fail[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return;} }; $decode_imapd_table{"warning:" } = sub { if ( $syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname:"){ $imapd_bad_dns[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "host" && $syslog_data->[2] eq "name/name" && $syslog_data->[3] eq "mismatch:"){ $imapd_bad_dns[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; } ## end of imap sub Decode_imapd { ## Solaris - sparc if (defined $decode_imapd_table{$syslog_data->[0]}) { &{$decode_imapd_table{$syslog_data->[0]}}(); return; } return; } sub add_imapd_bad_ip_out_imap { my ($i_add); $i_add=$syslog_data->[$#$syslog_data]; if ( substr($i_add,0,1) eq '[') { # last field seems to be ip as in [1.2.3.4] $i_add = substr($i_add,1,length($i_add)-2); } else { if ( substr($i_add,0,5) eq "host=" ) { ## see if last field is nost=... 
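$i_add=substr($i_add,5);
        } else {
            $i_add="Not in logfile";
        }
    }
    $imapd_bad_ip_out_imap{$i_add}++;
    add_hostvar_list_out ( \%Bad_ip_out_table, $i_add, "imap");
    return;
} # end of add_imapd_bad_ip_out_imap

## Decode ipop2d records (first field in $syslog_data->[0]). Per-host
## counters: autologouts, successful logins (plus a root sub-count), failed
## logins (plus a root sub-count and, under -s, the peer address collected
## by add_ipop2_bad_ip_out_ipop2), connects, EOF on the command stream and
## connection reset by peer. Sets $major_type_found for recognized records;
## "Login" is flagged before either sub-branch so the caller never reports
## it as unrecognized. Anything else is left unflagged.
sub Decode_ipop2d { ## Solaris - sparc
    my $word0 = $syslog_data->[0];
    my $word1 = $syslog_data->[1];

    if ( $word0 eq "Autologout" ) {
        $pop2d_autologout[$host_index]+=$EVENT_TIMES;
        if ($STUPID_OUTPUT) { add_usual_list_out(\%ipop2d_err_max_table,0); }
        $major_type_found = 1;
        return;
    }

    if ( $word0 eq "Login" ) {
        $major_type_found = 1;
        if ( $word1 eq "failed" ) {
            ## "Login failed user=NAME ..." -- the user token is field 2.
            if ($BAD_IP_OUT) { add_ipop2_bad_ip_out_ipop2 (); }
            $ipop2d_bad_logins[$host_index]+=$EVENT_TIMES;
            ## Fixed: this used to test field 1, which is the word "failed"
            ## on this branch, so failed root logins over POP2 were never
            ## counted and a password-guessing run against root stayed out
            ## of the root column. Field 2 is what the imapd and ipop3d
            ## handlers in this file test on their failed-login branch.
            if ( $syslog_data->[2] eq "user=root" ) {
                $ipop2d_root_bad_logins[$host_index]+=$EVENT_TIMES;
            }
        } else {
            ## "Login user=NAME ..." -- the user token is field 1.
            $ipop2d_login_cnt[$host_index]+=$EVENT_TIMES;
            if ($TIMES_OUTPUT) {
                ## hour-of-day bucket: first two characters of the timestamp field
                add_var_list_out(\%Time_daemon_ipop2d_table, substr($syslog_rec->[2],0,2));
            }
            if ( $word1 eq "user=root" ) {
                $ipop2d_root_login_cnt[$host_index]+=$EVENT_TIMES;
            }
        }
        return;
    }

    if ( $word0 eq "Logout" ) {
        $major_type_found = 1;
        return;
    }

    if ( $word0 eq "connect" ) {
        ## counted for any "connect ..." record (kept as before); only a
        ## "connect from ..." record is marked as recognized.
        $pop2d_conn_pop2[$host_index]+=$EVENT_TIMES;
        if ( $word1 eq "from" ) {
            $major_type_found = 1;
            return;
        }
    }

    if ( $word0 eq "Command" ) {
        if ( $word1 eq "stream" && $syslog_data->[2] eq "end" && $syslog_data->[3] eq "of" ) {
            $pop2_EOF[$host_index]+=$EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }

    if ( $word0 eq "Connection" ) {
        if ( $word1 eq "reset" && $syslog_data->[2] eq "by" && substr($syslog_data->[3],0,4) eq "peer" ) {
            $pop2_reset[$host_index]+=$EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }
} ## end of ipop2d

## Pull the peer address out of a failed ipop2d login record for the -s
## (bad logins by IP) table. The value is whatever the daemon logged as the
## last field: "[1.2.3.4]" with the brackets stripped, a "host=..." token
## with the prefix stripped, else the placeholder "Not in logfile". Nothing
## checks that the result is actually an address -- it is untrusted log
## content and ends up verbatim as a report key.
sub add_ipop2_bad_ip_out_ipop2 {
    my ($i_add);
    $i_add = $syslog_data->[$#$syslog_data];
    if ( substr($i_add,0,1) eq '[' ) { # last field seems to be ip as in [1.2.3.4]
        $i_add = substr($i_add,1,length($i_add)-2);
    } else {
        if ( substr($i_add,0,5) eq "host=" ) { ## see if last field is host=...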
$i_add=substr($i_add,5); } else { $i_add="Not in logfile"; } } $ipop2_bad_ip_out_ipop2{$i_add}++; add_hostvar_list_out ( \%Bad_ip_out_table, $i_add, "pop2"); return; } # end of add_ipop2_bad_ip_out_ipop2 sub Decode_ipop3d_init { ## Solaris - sparc $decode_pop3_table{"Auth" } = sub { $major_type_found = 1; return; }; $decode_pop3_table{"AUTHENTICATE"} = sub { if ($syslog_data->[1] eq "LOGIN" && $syslog_data->[2] eq "failure") { $major_type_found = 1; return; } }; $decode_pop3_table{"Autologout" } = sub { $pop3_autologout[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_pop3_table{"Command" } = sub { if ( $syslog_data->[1] eq "stream" && $syslog_data->[2] eq "end" && $syslog_data->[3] eq "of"){ $pop3_EOF[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"connect"} = sub { $pop3d_conn_pop3[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[1] eq "from") { $major_type_found = 1; return; } }; $decode_pop3_table{"Connection" } = sub { if ( $syslog_data->[1] eq "reset" && $syslog_data->[2] eq "by" && substr($syslog_data->[3],0,4) eq "peer" ) { $pop3_reset[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "timed" && $syslog_data->[2] eq "out" ) { $pop3_timeout[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"Discarding" } = sub {## OU special debug if ( $syslog_data->[1] eq "bogus" && $syslog_data->[3] eq "header" ) { $pop3_discard_bogus_header[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"DEBUG" } = sub {## OU special debug $major_type_found = 1; return; }; $decode_pop3_table{"Error" } = sub {## should be other msg about mail box locked. Ignore. 
if ($STUPID_OUTPUT) { add_usual_list_out(\%pop3_max_err_table,0); } if ( $syslog_data->[1] eq "opening" && $syslog_data->[2] eq "or" && $syslog_data->[3] eq "locking" && $syslog_data->[4] eq "INBOX"){ $major_type_found = 1; return; } }; $decode_pop3_table{"Expunge"} = sub { if ( $syslog_data->[1] eq "ignored" && $syslog_data->[2] eq "on" && $syslog_data->[3] eq "readonly") { $pop3_expunge_ignored[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"Killed"} = sub { ##V2.1 if ( $syslog_data->[1] eq "(lost" && $syslog_data->[2] eq "mailbox" && $syslog_data->[3] eq "lock)") { $rec_pid=substr($syslog_rec->[4],7); $rec_pid = substr($rec_pid,0,length($rec_pid)-2); $pop3_killed[$host_index]+=$EVENT_TIMES; if ($STUPID_OUTPUT) { add_usual_list_out(\%pop3_max_err_table,0); } $major_type_found = 1; return; } }; $decode_pop3_table{"Login" } = sub { if ( $syslog_data->[1] eq "failed" ) { if ($BAD_IP_OUT) { add_ipop3_bad_ip_out_ipop3 ();} $pop3_bad_logins[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[2] eq "user=root" ) { $pop3_root_bad_logins[$host_index]+=$EVENT_TIMES;} if ($REAL_REAL_DETAILED_OUTPUT) { add_var_list_out( \%pop3_failed_user_table, substr($syslog_data->[2],5)); } } else { $pop3_login_cnt[$host_index]+=$EVENT_TIMES; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_pop3_table, substr($syslog_rec->[2],0,2)); } if ($REAL_REAL_DETAILED_OUTPUT) {add_var_list_out( \%pop3_login_user_table, substr($syslog_data->[1],5)); } } if ( $syslog_data->[2] eq "user=root" ) { $pop3_root_login_cnt[$host_index]+=$EVENT_TIMES;} $major_type_found = 1; return; }; $decode_pop3_table{"Logout" } = sub { $major_type_found = 1; return; }; $decode_pop3_table{"Mailbox"} = sub { ## Mailbox vulnerable - seizing 28 second old lock if ( $syslog_data->[1] eq "vulnerable" && $syslog_data->[3] eq "seizing") { $pop3_seizing_locked_mbox[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "is" && substr($syslog_data->[3],0,6) eq 
"locked") { $pop3_locked[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } # is open by another process, access is readonly if ($syslog_data->[2] eq "open" && $syslog_data->[5] eq "process," && $syslog_data->[8] eq "readonly") { ##V2.0 $pop3_read_only[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "shrank" ) { ##V2.0 $pop3_mailbox_shrank[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"Message" } = sub { if ($syslog_data->[2] eq "UID" && $syslog_data->[4] eq "greater" ) { $major_type_found = 1; return; } if ($syslog_data->[2] eq "UID" && $syslog_data->[4] eq "less" ) { $major_type_found = 1; return; } }; $decode_pop3_table{"Moved" } = sub { $major_type_found = 1; return; }; $decode_pop3_table{"pop3" } = sub { ## V2.0 if ($syslog_data->[1] eq "service" && $syslog_data->[2] eq "init" && $syslog_data->[3] eq "from") { $pop3_init[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"pop3s" } = sub { ## V2.0 if ($syslog_data->[1] eq "SSL" && $syslog_data->[2] eq "service" && $syslog_data->[3] eq "init") { $pop3_init_ssl[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"port" } = sub { $major_type_found = 1; return; }; $decode_pop3_table{"refused" } = sub { ##V2.0 if ( $syslog_data->[1] eq "connect" && $syslog_data->[2] eq "from") { $pop3_refused_mism[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"SSL" } = sub { $pop3_SSL_err[$host_index]+=$EVENT_TIMES; $start_parm = 0; for ($i=$#$syslog_data; $i>= 0; $i--) { if (index($syslog_data->[$i],":") >= 0) { if (substr($syslog_data->[$i],-1,1) eq ':') { $start_parm = $i+1; } else { $start_parm = $i; } last; } } if ( $DETAILED_OUTPUT ) { (@key_list) = (@{$syslog_data}[$start_parm .. 
$#$syslog_data]); if (rindex($key_list[0],":") > -1) { $key_list[0] = substr($key_list[0],rindex($key_list[0],":")+1);} $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%pop3_SSL_err_table, (@key_list) ); } $major_type_found = 1; return; }; $decode_pop3_table{"Trying" } = sub { if ( $syslog_data->[2] eq "get" && $syslog_data->[3] eq "mailbox" && $syslog_data->[4] eq "lock") { $pop3_trytoget_lock[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_pop3_table{"Unable" } = sub { ##V2.0 if ($syslog_data->[1] eq "to" && $syslog_data->[2] eq "accept" && $syslog_data->[3] eq "SSL") { $pop3_SSL_err[$host_index]+=$EVENT_TIMES; if ( $DETAILED_OUTPUT ) { add_usual_list_out(\%pop3_SSL_err_table, 0 ); } $major_type_found = 1; return; } }; $decode_pop3_table{"warning:" } = sub { ##V2.0 if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname:") { $pop3_bad_dns_msgs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "Connection" && $syslog_data->[$#$syslog_data-2] eq "reset" ) { $pop3_reset[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "host" && $syslog_data->[2] eq "name/address" && $syslog_data->[3] eq "mismatch:") { $pop3_bad_dns_msgs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; } ## end of pop3 sub Decode_ipop3d { ## Solaris - sparc if (defined $decode_pop3_table{$syslog_data->[0]}) { &{$decode_pop3_table{$syslog_data->[0]}}(); if ( $major_type_found == 1) { return } } if ( $syslog_data->[$#$syslog_data-2] eq "Disc" && $syslog_data->[$#$syslog_data-1] eq "quota" && $syslog_data->[$#$syslog_data] eq "exceeded") { $pop3_disk_quota_ex[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } return; } sub add_ipop3_bad_ip_out_ipop3 { my ($i_add); $i_add=$syslog_data->[$#$syslog_data]; if ( substr($i_add,0,1) eq '[') { # last field seems to be ip as in [1.2.3.4] $i_add = 
substr($i_add,1,length($i_add)-2); } else { if ( substr($i_add,0,5) eq "host=" ) { ## see if last field is nost=... $i_add=substr($i_add,5); } else { $i_add="Not in logfile"; } } $ipop3_bad_ip_out_ipop3{$i_add}++; add_hostvar_list_out ( \%Bad_ip_out_table,$i_add, "pop3"); return; } # end of add_ipop3_bad_ip_out_ipop3 sub Decode_inetd_init { ## Solaris - sparc - special handling for certain daemons that require logging on. $decode_inetd_table{"dtspc" } = sub { if ($syslog_data->[1] eq "from") { $inetd_conn_dtspc[$host_index]+=$EVENT_TIMES ; return;}}; $decode_inetd_table{"ftp" } = sub { if ($syslog_data->[1] eq "from") { $inetd_conn_[$host_index]+=$EVENT_TIMES ; return;}}; $decode_inetd_table{"imap" } = sub { if ($syslog_data->[1] eq "from") { $rec_pid=substr($syslog_data->[0],5); $rec_pid = substr($rec_pid,0,length($rec_pid)-1); $secure_con_flag{$rec_pid}=0; $inetd_conn_imap[$host_index]+=$EVENT_TIMES ; } return; }; $decode_inetd_table{"imaps" } = sub { if ($syslog_data->[1] eq "from") { $rec_pid=substr($syslog_data->[0],6); $rec_pid = substr($rec_pid,0,length($rec_pid)-1); $secure_con_flag{$rec_pid}=1; $inetd_conn_imaps[$host_index]+=$EVENT_TIMES ; } return; }; $decode_inetd_table{"login" } = sub { $inetd_conn_rlogin[$host_index]+=$EVENT_TIMES; return;}; $decode_inetd_table{"pop2" } = sub { if ($syslog_data->[1] eq "from") { $inetd_conn_pop2[$host_index]+=$EVENT_TIMES ; return;}}; $decode_inetd_table{"pop3" } = sub { if ($syslog_data->[1] eq "from") { $rec_pid=substr($syslog_data->[0],5); $rec_pid = substr($rec_pid,0,length($rec_pid)-1); $inetd_conn_pop3[$host_index]+=$EVENT_TIMES; } return; }; $decode_inetd_table{"pop3s" } = sub { if ($syslog_data->[1] eq "from") { $rec_pid=substr($syslog_data->[0],6); $rec_pid = substr($rec_pid,0,length($rec_pid)-1); $inetd_conn_pop3s[$host_index]+=$EVENT_TIMES ; } return; }; ## special - we log incoming print requests, not out going, so we have to decode the incoming ## ip to see who done it $decode_inetd_table{"printer" } = 
sub {
    if ( $syslog_data->[1] eq "from") {
        $inetd_conn_lp_to[$host_index]+=$EVENT_TIMES; ## we are the server
        ## NOTE(review): this is the one decoder that touches the network.
        ## The peer address in field 2 is reverse-resolved and the resulting
        ## name becomes a counter-table key through Get_Table_Entry -- so the
        ## owner of that address's PTR record (the remote side) decides how
        ## the peer is named and grouped in the report. Treat the name as
        ## untrusted; checking that it forward-resolves back to the same
        ## address before using it as a key would close that. inet_aton()
        ## also performs a forward DNS lookup when the field is not a dotted
        ## quad and returns undef on failure (gethostbyaddr then fails and
        ## the raw field is used); either lookup can stall the whole run.
        use Socket; ## compile-time import; its placement here is cosmetic
        $my_ipaddr = inet_aton($syslog_data->[2]);
        if ( ! ($host_name = gethostbyaddr($my_ipaddr, AF_INET) ) ) {
            $host_name = $syslog_data->[2];
        }
        $host2_index = &Get_Table_Entry ($host_name); ## entry into table of counters
        $inetd_conn_lp_from[$host2_index]+=$EVENT_TIMES; ## we are the server
        return;
    }
};
$decode_inetd_table{"shell" } = sub { # rsh
    if ($syslog_data->[1] eq "from") { $inetd_conn_rsh[$host_index]+=$EVENT_TIMES ; return;}};
$decode_inetd_table{"telnet" } = sub {
    if ($syslog_data->[1] eq "from") { $inetd_conn_telnet[$host_index]+=$EVENT_TIMES ; return;}};
}

## Decode inetd records. Two jobs: (1) "SERVICE from ADDR" connection
## records are counted per service in %inetd_connection_table (and handed
## to the per-service handlers above, after stripping a "[pid]" suffix from
## the service name); (2) inetd's own messages -- configuration file
## modified, processes killed, hangups, servers terminated -- are tallied in
## %inetd_warn_err_table, with anything else going to an "other" bucket.
## Every path sets $major_type_found, so no inetd record is ever reported
## as unrecognized. Counts for the legacy plaintext services (rsh/"shell",
## rlogin/"login", telnet) are worth a glance whenever they are non-zero.
sub Decode_inetd { ## Solaris - sparc
    $USE_inetd_connection[$host_index]++ if $syslog_data->[1] eq "from"; ##we have connect records for this mach.
    ## "imap[1234]" dispatches as "imap"
    $sub_name=$syslog_data->[0];
    if (index($sub_name, '[') >= 0 ) { $sub_name=substr($sub_name,0,index($sub_name, '[') ); }
    if (defined $decode_inetd_table{$sub_name}) { &{$decode_inetd_table{$sub_name}}(); }
    if ($syslog_data->[1] eq "from") {
        ## the "shell" service is rsh; report it under the name people look for
        if ($sub_name eq "shell") {
            add_list_out("rsh", $host_index, $EVENT_TIMES, \%inetd_connection_table,"rsh");
        } else {
            add_list_out($sub_name, $host_index, $EVENT_TIMES, \%inetd_connection_table,$sub_name);
        }
        $major_type_found = 1;
        return;
    }
    ## NOTE(review): a modified inetd configuration is an integrity event --
    ## it is the obvious place to register an unwanted service -- so this
    ## count deserves attention even when the rest of the run is quiet.
    ## (The misspelled "configureationfile" key is a runtime identifier;
    ## changing it would change the report, so it is left alone.)
    if ($syslog_data->[0] eq "Configuration" ) {
        if ($syslog_data->[1] eq "file" && $syslog_data->[5] eq "modified") {
            add_list_out("configureationfile", $host_index, $EVENT_TIMES, \%inetd_warn_err_table, "Configuration","file","modified");
            if ($DETAILED_OUTPUT) { add_usual_list_out(\%inetd_full_err_table,0); }
            $major_type_found = 1;
            return;
        }
    }
    if ($syslog_data->[1] eq "Killed" ) {
        $this_key=join("-","Processes","killed");
        add_list_out($this_key, $host_index, $EVENT_TIMES, \%inetd_warn_err_table, "Processes","killed" );
        if ($DETAILED_OUTPUT) { add_usual_list_out(\%inetd_full_err_table,0); }
        $major_type_found = 1;
        return;
    }
    ## "Hangup" branch continues on the next line
    if ($syslog_data->[1] eq "Hangup" ) {
$this_key=join("-","Processes", "generating", "hangup"); add_list_out($this_key, $host_index, $EVENT_TIMES, \%inetd_warn_err_table, "Processes", "generating", "hangup"); if ($DETAILED_OUTPUT) { add_usual_list_out(\%inetd_full_err_table,0); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[2] eq "failing" && $syslog_data->[5] eq "terminated") { $this_key=join("-","Services", "terminated"); add_list_out($this_key, $host_index, $EVENT_TIMES, \%inetd_warn_err_table, "Services", "terminated"); if ($DETAILED_OUTPUT) { add_usual_list_out(\%inetd_full_err_table,0); } $major_type_found = 1; return; } add_list_out("other",$host_index, $EVENT_TIMES, \%inetd_warn_err_table, "Other", "errors"); if ($DETAILED_OUTPUT) { add_usual_list_out(\%inetd_full_err_table,0); } $major_type_found = 1; return; } ## end of inetd. sub Decode_audit_init { ## Solaris - sparc $decode_audit_table{"admin" } = sub { $USE_audit_admin_login[$host_index]++; if ($syslog_data->[1] eq "login") { if ($syslog_data->[2] eq "ok") { $audit_admin_login[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[3] eq "as" && ($syslog_data->[4] eq "root" || $syslog_data->[4] eq "root:")) { $audit_admin_login_root[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%audit_admin_OK_user_table, $syslog_data->[4]); } $major_type_found = 1; return; } if ($syslog_data->[2] eq "failed") { $audit_admin_bad_login[$host_index]+=$EVENT_TIMES ; if ( $syslog_data->[3] eq "as" && ( $syslog_data->[4] eq "root" || $syslog_data->[4] eq "root:")) { $audit_admin_bad_login_root[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%audit_admin_failed_user_table, $syslog_data->[4]); } $major_type_found = 1; return; } } if ($syslog_data->[1] eq "logout") { $major_type_found = 1; return; } }; $decode_audit_table{"authdes_refresh:"} = sub { $major_type_found = 1; return;}; $decode_audit_table{"ftp"} = sub { ##V2.0 $USE_audit_ftpd[$host_index]++; 
if ($syslog_data->[1] eq "access") { if ($syslog_data->[2] eq "ok" ) { $audit_ftp_login[$host_index]+=$EVENT_TIMES ; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_ftp_table, substr($syslog_rec->[2],0,2)); } if ( $syslog_data->[6] eq "root" || $syslog_data->[6] eq "root:") { $audit_ftp_login_root[$host_index]+=$EVENT_TIMES ;} if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_ftpd_OK_user_table, $syslog_data->[6]); } $major_type_found = 1; return; } if ($syslog_data->[2] eq "failed" ) { $audit_ftp_login_bad[$host_index]+=$EVENT_TIMES ; if ( $syslog_data->[6] eq "root" ) { $audit_ftp_login_bad_root[$host_index]+=$EVENT_TIMES ; } if ($BAD_IP_OUT) { if ($syslog_data->[$#$syslog_data-1] ne "misc" && $syslog_data->[$#$syslog_data] ne "failure") { add_audit_bad_ip_out_ftpd (); } } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[6] eq "-1") { add_var_list_out(\%audit_ftpd_failed_user_table, "UNKNOWN"); } else { add_var_list_out(\%audit_ftpd_failed_user_table, $syslog_data->[6]); } } if ($REAL_DETAILED_OUTPUT) { my @key_list, $my_i, $my_j ; $key_list[0]=""; $my_j=1; if ( $syslog_data->[$#$syslog_data-1] ne "from") { # no text msg telling why for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text") ; $my_i--) { $my_i; } if ($my_i > 0) { (@key_list) = (@{$syslog_data}[$my_i+1 .. $#$syslog_data]); } else { $key_list[0]=""; } } $this_key= join("-","Ftp",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "FTP",(@key_list) ); } $major_type_found = 1; return; } } if ($syslog_data->[1] eq "logout") {$major_type_found = 1; return;} }; $decode_audit_table{"invalid"} = sub { if ($syslog_data->[1] eq "event" && $syslog_data->[2] eq "number" && $syslog_data->[3] eq "ok" ) { $audit_unknown[$host_index]+=$EVENT_TIMES ; ## we currently ignore this.. 
if ($REAL_DETAILED_OUTPUT) { add_list_out("Audit-unknown", $host_index, $EVENT_TIMES, \%audit_failure_table, "Audit","invalid", "event", "number" ); } $major_type_found = 1; return; } }; $decode_audit_table{"login"} = sub { if ($syslog_data->[2] eq "local") { $USE_audit_console_login[$host_index]++; if ($syslog_data->[3] eq "ok") { ## actually ok session $audit_console_login[$host_index]+=$EVENT_TIMES; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_console_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[7] eq "root") { $audit_console_login_root[$host_index]+=$EVENT_TIMES ;} if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_console_OK_user_table, $syslog_data->[7]); } $major_type_found = 1; return; } if ($syslog_data->[3] eq "failed") { ## actually failed session if ($REAL_DETAILED_OUTPUT) { my @key_list, $my_i, $my_j ; $key_list[0]=""; $my_j=1; if ( $syslog_data->[$#$syslog_data-1] ne "from") { # no text msg telling why for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text") ; $my_i--) { $my_i; } if ($my_i > 0) { (@key_list) = (@{$syslog_data}[$my_i+1 .. 
$#$syslog_data]); } else { $key_list[0]=""; } } $this_key= join("-","console",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "console",(@key_list) ); } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[7] eq "-1") { add_var_list_out(\%audit_console_failed_user_table, "UNKNOWN"); } else { add_var_list_out(\%audit_console_failed_user_table, $syslog_data->[7]); } } $audit_console_login_bad[$host_index]+=$EVENT_TIMES; if ($syslog_data->[7] eq "root") { $audit_console_login_root_bad[$host_index]+=$EVENT_TIMES ; } $major_type_found = 1; return; } } if ($syslog_data->[2] eq "rlogin") { $USE_audit_rlogin_login[$host_index]++; if ($syslog_data->[3] eq "ok") { $audit_rlogin_login[$host_index]+=$EVENT_TIMES ; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_rlogin_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[7] eq "root") { $audit_rlogin_login_root[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_rlogin_OK_user_table, $syslog_data->[7]); } $major_type_found = 1; return; } if ($syslog_data->[3] eq "failed") { $audit_rlogin_login_bad[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[7] eq "root") { $audit_rlogin_login_root_bad[$host_index]+=$EVENT_TIMES ; } if ($BAD_IP_OUT) { if ($syslog_data->[$#$syslog_data-1] ne "misc" && $syslog_data->[$#$syslog_data] ne "failure") { add_audit_bad_ip_out_rlogin (); } } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[7] eq "-1") { add_var_list_out(\%audit_rlogin_failed_user_table, "unknown"); } else { add_var_list_out(\%audit_rlogin_failed_user_table, $syslog_data->[7]); } } if ($REAL_DETAILED_OUTPUT) { my @key_list, $my_i, $my_j ; $key_list[0]=""; $my_j=1; if ( $syslog_data->[$#$syslog_data-1] ne "from") { # no text msg telling why for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text") ; $my_i--) { $my_i; } if ($my_i > 0) { (@key_list) = (@{$syslog_data}[$my_i+1 .. 
$#$syslog_data]); } else { $key_list[0]=""; } } $this_key= join("-","rlogin",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "rlogin",(@key_list) ); } $major_type_found = 1; return; } } if ($syslog_data->[2] eq "ssh") { $USE_audit_ssh[$host_index]++; if ($syslog_data->[3] eq "ok") { $audit_ssh_login[$host_index]+=$EVENT_TIMES ; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_ssh_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[7] eq "root" ) { $audit_ssh_login_root[$host_index]+=$EVENT_TIMES ;} if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_ssh_OK_user_table, $syslog_data->[7]); } $major_type_found = 1; return;} if ($syslog_data->[3] eq "failed") { $audit_ssh_login_bad[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[7] eq "root") { $audit_ssh_login_root_bad[$host_index]+=$EVENT_TIMES ;} if ($BAD_IP_OUT) { if ($syslog_data->[$#$syslog_data-1] ne "misc" && $syslog_data->[$#$syslog_data] ne "failure") { add_audit_bad_ip_out_ssh (); } } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[7] eq "-1") { add_var_list_out(\%audit_ssh_failed_user_table, "UNKNOWN"); } else { add_var_list_out(\%audit_ssh_failed_user_table, $syslog_data->[7]); } } if ($REAL_DETAILED_OUTPUT) { my @key_list, $my_i, $my_j ; $key_list[0]=""; $my_j=1; if ( $syslog_data->[$#$syslog_data-1] ne "from") { # no text msg telling why for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text") ; $my_i--) { $my_i; } if ($my_i > 0) { (@key_list) = (@{$syslog_data}[$my_i+1 .. 
$#$syslog_data]); } else { $key_list[0]=""; } } $this_key= join("-","ssh",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "ssh",(@key_list) ); } $major_type_found = 1; return; } } if ($syslog_data->[2] eq "telnet") { $USE_audit_telnet_login[$host_index]++; if ($syslog_data->[3] eq "ok") { $audit_telnet_login[$host_index]+=$EVENT_TIMES ; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_telnet_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[7] eq "root") { $audit_telnet_login_root[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_telnet_OK_user_table, $syslog_data->[7]); } $major_type_found = 1; return; } if ($syslog_data->[3] eq "failed") { $audit_telnet_login_bad[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[7] eq "root") { $audit_telnet_login_root_bad[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[7] eq "-1") { add_var_list_out(\%audit_telnet_failed_user_table, "UNKNOWN"); } else { add_var_list_out(\%audit_telnet_failed_user_table, $syslog_data->[7]); } } if ($REAL_DETAILED_OUTPUT) { my @key_list, $my_i, $my_j ; $key_list[0]=""; $my_j=1; if ( $syslog_data->[$#$syslog_data-1] ne "from") { # no text msg telling why for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text") ; $my_i--) { $my_i; } if ($my_i > 0) { (@key_list) = (@{$syslog_data}[$my_i+1 .. 
$#$syslog_data]); } else { $key_list[0]=""; } } $this_key= join("-","telnet",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "telnet",(@key_list) ); } if ($BAD_IP_OUT) { if ($syslog_data->[$#$syslog_data-1] ne "misc" && $syslog_data->[$#$syslog_data] ne "failure") { add_audit_bad_ip_out_telnet (); } } $major_type_found = 1; return; } } }; $decode_audit_table{"logout"} = sub {$major_type_found = 1; return; }; $decode_audit_table{"passwd"} = sub { $USE_audit_passwd[$host_index]++; if ($syslog_data->[1] eq "failed" ){ $audit_passwd_change_bad[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[5] eq "root") { $audit_passwd_change_root_bad[$host_index]+=$EVENT_TIMES ;} ## bad passwd change if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_passwd_failed_user_table, $syslog_data->[5]); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "ok" ){ $audit_passwd_change[$host_index]+=$EVENT_TIMES ; if ($syslog_data->[5] eq "root") { $audit_passwd_change_root[$host_index]+=$EVENT_TIMES ;} ## ok passwd change if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_passwd_OK_user_table, $syslog_data->[5]); } $major_type_found = 1; return; } }; $decode_audit_table{"rexecd"} = sub { $USE_audit_rexec[$host_index]++; if ($syslog_data->[1] eq "ok" ) { $audit_rexec_login[$host_index]+=$EVENT_TIMES ; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_ftp_table, substr($syslog_rec->[2],0,2)); } if ( substr($syslog_data->[7],0,5) eq "root:" ) { $audit_rexec_login_root[$host_index]+=$EVENT_TIMES ; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_rexec_OK_user_table, $syslog_data->[7]); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "failed" ) { $audit_rexec_login_bad[$host_index]+=$EVENT_TIMES ; if (substr($syslog_data->[7],0,5) eq "root:" ) { $audit_rexec_login_root_bad[$host_index]+=$EVENT_TIMES ; } if ($BAD_IP_OUT) { add_audit_bad_ip_out_rexec (); } if ( $REAL_REAL_DETAILED_OUTPUT ) { if 
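($syslog_data->[7] eq "-1") {
                    # field 7 is the user slot this handler records in the ok branch and
                    # tests for "root:" above; the audit record puts "-1" there when the
                    # user is unknown.  (Was testing field 6 and filing the UNKNOWN into
                    # the rsh table, so rexec unknown-user failures were mis-attributed.)
                    add_var_list_out(\%audit_rexec_failed_user_table, "UNKNOWN");
                }
                else {
                    add_var_list_out(\%audit_rexec_failed_user_table, $syslog_data->[7]);
                }
            }
            if ($REAL_DETAILED_OUTPUT) {
                my (@key_list, $my_i);
                $key_list[0] = "";
                # a record not ending in "from HOST" carries a "text <reason>" tail;
                # the words after "text" become the failure sub-key
                if ( $syslog_data->[$#$syslog_data-1] ne "from") {
                    for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text"); $my_i--) { }
                    if ($my_i > 0) {
                        (@key_list) = (@{$syslog_data}[$my_i+1 .. $#$syslog_data]);
                    }
                    else {
                        $key_list[0] = "";
                    }
                }
                $this_key = join("-", "rexec", @key_list);
                add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "rexec", (@key_list));
            }
            $major_type_found = 1;
            return;
        }
    };
    ## "rsh access ok|failed ..." records; field 6 is what this handler treats as the user.
    $decode_audit_table{"rsh"} = sub {
        $USE_audit_rsh[$host_index]++;
        if ($syslog_data->[1] eq "access") {
            if ($syslog_data->[2] eq "ok" ) {
                $audit_rsh_login[$host_index] += $EVENT_TIMES;
                if ($TIMES_OUTPUT) { add_var_list_out(\%Time_audit_rsh_table, substr($syslog_rec->[2],0,2)); }
                if ( $syslog_data->[6] eq "root" ) { $audit_rsh_login_root[$host_index] += $EVENT_TIMES; }
                if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_rsh_OK_user_table, $syslog_data->[6]); }
                $major_type_found = 1;
                return;
            }
            if ($syslog_data->[2] eq "failed" ) {
                $audit_rsh_login_bad[$host_index] += $EVENT_TIMES;
                if ($syslog_data->[6] eq "root" ) { $audit_rsh_login_root_bad[$host_index] += $EVENT_TIMES; }
                if ($BAD_IP_OUT) {
                    # "... misc failure" records carry no usable source, so they are not booked
                    if ($syslog_data->[$#$syslog_data-1] ne "misc" && $syslog_data->[$#$syslog_data] ne "failure") {
                        add_audit_bad_ip_out_rsh ();
                    }
                }
                if ( $REAL_REAL_DETAILED_OUTPUT ) {
                    if ($syslog_data->[6] eq "-1") {
                        add_var_list_out(\%audit_rsh_failed_user_table, "UNKNOWN");
                    }
                    else {
                        add_var_list_out(\%audit_rsh_failed_user_table, $syslog_data->[6]);
                    }
                }
                if ($REAL_DETAILED_OUTPUT) {
                    my (@key_list, $my_i);
                    $key_list[0] = "";
                    if ( $syslog_data->[$#$syslog_data-1] ne "from") {   # "text <reason>" tail, see rexecd
                        for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text"); $my_i--) { }
                        if ($my_i > 0) {
                            (@key_list) = (@{$syslog_data}[$my_i+1 .. $#$syslog_data]);
                        }
                        else {
                            $key_list[0] = "";
                        }
                    }
                    $this_key = join("-", "rsh", @key_list);
                    add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "rsh", (@key_list));
                }
                $major_type_found = 1;
                return;
            }
        }
    };
    ## dtsession screen lock / unlock records ("screenlock - unlock failed ... by USER").
    $decode_audit_table{"screenlock"} = sub {
        $USE_audit_screenlock[$host_index]++;
        if ($syslog_data->[2] eq "unlock") {
            if ($syslog_data->[3] eq "failed" ) {
                $audit_lock_unlock_bad[$host_index] += $EVENT_TIMES;
                if ($syslog_data->[6] eq "by" && $syslog_data->[7] eq "root") { $audit_lock_unlock_root_bad[$host_index] += $EVENT_TIMES; }
                ## if ( $DETAILED_OUTPUT ) { add_var_list_out(\%audit_screenlock_failed_user_table, $syslog_data->[7]); }
                if ($REAL_DETAILED_OUTPUT) {
                    my (@key_list, $my_i);
                    $key_list[0] = "";
                    if ( $syslog_data->[$#$syslog_data-1] ne "from") {   # "text <reason>" tail, see rexecd
                        for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text"); $my_i--) { }
                        if ($my_i > 0) {
                            (@key_list) = (@{$syslog_data}[$my_i+1 .. $#$syslog_data]);
                        }
                        else {
                            $key_list[0] = "";
                        }
                    }
                    $this_key = join("-", "screen", "unlock", @key_list);
                    add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "screen", "unlock", (@key_list));
                }
                $major_type_found = 1;
                return;
            }
            if ($syslog_data->[3] eq "ok" ) {
                $audit_lock_unlock[$host_index] += $EVENT_TIMES;
                if ($syslog_data->[6] eq "by" && $syslog_data->[7] eq "root") { $audit_lock_unlock_root[$host_index] += $EVENT_TIMES; }   ## ok
                $major_type_found = 1;
                return;
            }
        }
        if ($syslog_data->[2] eq "lock") {
            if ($syslog_data->[3] eq "ok" ) {
                $audit_lock_lock[$host_index] += $EVENT_TIMES;
                if ($syslog_data->[6] eq "by" && $syslog_data->[7] eq "root") { $audit_lock_lock_root[$host_index] += $EVENT_TIMES; }   ## lock ok
                if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_screenlock_OK_user_table, $syslog_data->[7]); }
                $major_type_found = 1;
                return;
            }
        }
    };
    ## count numbers on logged su command
    $decode_audit_table{"su"} = sub {
        $USE_audit_su[$host_index]++;
        if ($syslog_data->[1] eq "ok" ) {
            $audit_su[$host_index] += $EVENT_TIMES;
            # "su ok session ... root": the target account is the last field
            # (the original tested it twice, nested; once is the same thing)
            if ($syslog_data->[2] eq "session" && $syslog_data->[$#$syslog_data] eq "root") {
                $audit_su_root[$host_index] += $EVENT_TIMES;
            }
            $major_type_found = 1;
            return;
        }
        if ($syslog_data->[1] eq "failed") {
            $audit_su_bad[$host_index] += $EVENT_TIMES;
            if ($syslog_data->[2] eq "session") {
                if ($syslog_data->[$#$syslog_data] eq "root") {
                    $audit_su_root_bad[$host_index] += $EVENT_TIMES;
                }
                if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%audit_su_failed_user_table, $syslog_data->[5]); }
                if ($REAL_DETAILED_OUTPUT) {
                    my (@key_list, $my_i);
                    $key_list[0] = "";
                    if ( $syslog_data->[$#$syslog_data-1] ne "from") {   # "text <reason>" tail, see rexecd
                        for ($my_i = $#$syslog_data; ($my_i >= 0 && $syslog_data->[$my_i] ne "text"); $my_i--) { }
                        if ($my_i > 0) {
                            (@key_list) = (@{$syslog_data}[$my_i+1 .. $#$syslog_data]);
                        }
                        else {
                            $key_list[0] = "";
                        }
                    }
                    $this_key = join("-", "su", @key_list);
                    add_list_out($this_key, $host_index, $EVENT_TIMES, \%audit_failure_table, "su", (@key_list));
                }
            }
            $major_type_found = 1;
            return;
        }
    };
    ##V2.1
    $decode_audit_table{"system"} = sub {
        if ($syslog_data->[1] eq "booted") {   ## only for sol 10..
            $audit_sys_boots[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
} ## end Decode_audit_init

## Solaris - sparc
## Entry point for audit-facility records: dispatch on the first word through
## %decode_audit_table.  A first word with no handler leaves $major_type_found
## untouched, so the caller reports the record as unrecognized.
sub Decode_audit {
    my $handler = $decode_audit_table{$syslog_data->[0]};
    $handler->() if defined $handler;
    return;
} ## end Decode_audit

## Shared body of the add_audit_bad_ip_out_* helpers below.  Scans the record
## for the word "from" (as written in the log: from/From/FROM) and books the
## word after it as the source of the failed login, both in the per-service
## hash and in the optional %Bad_ip_out_table (-s output).  Records without a
## "from" book nothing.
sub add_audit_bad_ip_out_common {
    my ($service, $per_service_table) = @_;
    # all but the last field, since the field after the match is what we read
    for my $i_add (0 .. $#$syslog_data - 1) {
        next unless $syslog_data->[$i_add] eq "from" || $syslog_data->[$i_add] eq "From" || $syslog_data->[$i_add] eq "FROM";
        my $source = $syslog_data->[$i_add + 1];
        $source = "" unless defined $source;
        # The source is whatever the failing client presented (or what the
        # resolver returned for it) and is printed verbatim in the report: strip
        # control characters so a crafted host name cannot carry terminal escapes
        # into whoever reads the summary.
        $source =~ tr/\x00-\x1f\x7f//d;
        add_hostvar_list_out(\%Bad_ip_out_table, $source, $service);
        $per_service_table->{$source}++;
        return;
    }
    return;
}

## Per-service entry points kept for the audit handlers that call them.
sub add_audit_bad_ip_out_telnet { add_audit_bad_ip_out_common("telnet", \%audit_bad_ip_out_telnet); }   # end of add_audit_bad_ip_out_telnet
sub add_audit_bad_ip_out_rlogin { add_audit_bad_ip_out_common("rlogin", \%audit_bad_ip_out_rlogin); }   # end of add_audit_bad_ip_out_rlogin
sub add_audit_bad_ip_out_ssh    { add_audit_bad_ip_out_common("ssh",    \%audit_bad_ip_out_ssh);    }   # end of add_audit_bad_ip_out_ssh
sub add_audit_bad_ip_out_rexec  { add_audit_bad_ip_out_common("rexec",  \%audit_bad_ip_out_rexec);  }   # end of add_audit_bad_ip_out_rexec
sub add_audit_bad_ip_out_rsh    { add_audit_bad_ip_out_common("rsh",    \%audit_bad_ip_out_rsh);    }   # end of add_audit_bad_ip_out_rsh
sub add_audit_bad_ip_out_ftpd   { add_audit_bad_ip_out_common("ftp",    \%audit_bad_ip_out_ftpd);   }   # end of add_audit_bad_ip_out_ftpd

# V2.2
## Solaris - sparc
## Populates %decode_unix_table (kernel "unix:" records), keyed by the first
## word of the message.  Decode_unix routes "cpuN" / "cpuN:" records to the
## "cpuX" / "cpuX:" entries itself.  The definition continues past this point.
sub Decode_unix_init {
    $decode_unix_table{"BAD"} = sub {   #V2.2
        if ( $syslog_data->[1] eq "TRAP:" ) {
            $unix_bad_trap_err[$host_index] += $EVENT_TIMES;
            if ( $DETAILED_OUTPUT ) {
                $this_key = join("-", "BAD_TRAP", $syslog_data->[2]);
                add_list_out($this_key, $host_index, $EVENT_TIMES, \%unix_bad_trap_err_table, $syslog_data->[0], $syslog_data->[1], $syslog_data->[2]);
            }
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"Fatal"} = sub {   #V2.2
        if ( $syslog_data->[1] eq "System" && $syslog_data->[2] eq "Port" && $syslog_data->[3] eq "Error" && $syslog_data->[5] eq "occurred" ) {
            $unix_fatal_port_err[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"NOTICE:"} = sub {   #V2.2
        if ( $syslog_data->[1] eq "Kernel" && $syslog_data->[2] eq "Cage" && $syslog_data->[4] eq "ENABLED" ) {
            $unix_card_cage_ok[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        ##Jul 3 03:32:33 unix.page.removed unix: [ID 693633 kern.notice] NOTICE: Page 0x00000000.037b2000 removed from service
        if ( $syslog_data->[1] eq "Page" && $syslog_data->[3] eq "removed" && $syslog_data->[5] eq "service") {
            $unix_removed_page[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        if ( $syslog_data->[1] eq "Scheduling" && $syslog_data->[2] eq "removal" && $syslog_data->[4] eq "page" ) {
            $unix_sched_remove_page[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"WARNING:"} = sub {   #V2.2
        if ( $syslog_data->[1] eq "interrupt" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "serviced") {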
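$unix_interrupt_not_serv[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"avail"} = sub {   ##V2.2
        if ( $syslog_data->[1] eq "mem" && $syslog_data->[2] eq "=" ) {
            $unix_avail_mem[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
    # "cpuN initialization complete - online" (two word layouts seen); reached
    # from Decode_unix for any first word starting with "cpu" that does not end in ':'.
    $decode_unix_table{"cpuX"} = sub {   #V2.2
        if (($syslog_data->[1] eq "initialization" && $syslog_data->[2] eq "complete" && $syslog_data->[4] eq "online")
            || ($syslog_data->[2] eq "initialization" && $syslog_data->[3] eq "complete" && $syslog_data->[5] eq "online")) {
            $unix_cpu_init_online[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    };
    #Jul 31 13:22:19 unix.free.free unix: [ID 137713 kern.notice] free: freeing free frag, dev:0x2000000013, blk:11368, cg:1, ino:10210, fs:/var
    $decode_unix_table{"cpuX:"} = sub {   #V2.2
        ## just id the cpu
        $unix_cpu_id[$host_index] += $EVENT_TIMES;
        if ( $REAL_REAL_DETAILED_OUTPUT ) {
            my (@key_list, $my_i, $my_s);
            # Collect the words up to the first "(...)" group.  Bounded by the
            # record length: a "cpuN:" line with no "(" used to walk off the end
            # of @$syslog_data and never terminate (substr(undef) is "", which is
            # ne "("), so one odd kernel line could hang the whole run.
            for ($my_i = 0, $my_s = 1;
                 $my_s <= $#$syslog_data && substr($syslog_data->[$my_s], 0, 1) ne "(";
                 $my_i++, $my_s++) {
                $key_list[$my_i] = $syslog_data->[$my_s];
            }
            if ($syslog_data->[$#$syslog_data-2] eq "clock") {
                $key_list[$my_i] = join("", "(", $syslog_data->[$#$syslog_data-1], $syslog_data->[$#$syslog_data]);
            }
            $this_key = join("-", @key_list);
            add_list_out($this_key, $host_index, $EVENT_TIMES, \%unix_cpu_table, (@key_list));
        }
        $major_type_found = 1;
        return;
    };
    $decode_unix_table{"expr:"} = sub {   #V2.2
        $major_type_found = 1;
        return;
    };
    $decode_unix_table{"free:"} = sub {   #V2.2
        if ($syslog_data->[1] eq "freeing" && $syslog_data->[2] eq "free" && $syslog_data->[3] eq "frag,") {
            $unix_free_free_frag[$host_index] += $EVENT_TIMES;
            if ( $DETAILED_OUTPUT ) {
                # keyed by the last field, the "fs:/var" part of the record
                $this_key = join("-", "freeing free frag,", $syslog_data->[$#$syslog_data]);
                add_list_out($this_key, $host_index, $EVENT_TIMES, \%ufs_warning_table, $syslog_data->[1], $syslog_data->[2], $syslog_data->[3], $syslog_data->[$#$syslog_data]);
            }
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"g1-g7:"} = sub {   #V2.2
        $major_type_found = 1;
        return;
    };
    $decode_unix_table{"mem"} = sub {   ##V2.2
        if ( $syslog_data->[1] eq "=" ) {
            $unix_mem_equals[$host_index] += $EVENT_TIMES;
            if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%unix_mem_table, $syslog_data->[2]); }
            $major_type_found = 1;
            return;
        }
    };
    $decode_unix_table{"trap"} = sub {   ##V2.2
        if ( $syslog_data->[1] eq "type" ) {
            $major_type_found = 1;
            return;
        }
    };
} ## end of Decode_unix_init

## Solaris - sparc
## Entry point for kernel ("unix") records.  Any first word starting with
## "cpu" goes to the "cpuX:" / "cpuX" handler depending on a trailing ':';
## everything else is looked up in %decode_unix_table by first word.
## CAUTION: when -d is not given, every kernel record this table does not
## know is still marked found, i.e. silently accepted; only a detailed run
## lets unknown kernel messages reach the unrecognized-record summary (-W).
sub Decode_unix {   #V2.2
    if (substr($syslog_data->[0], 0, 3) eq "cpu" ) {   ## maybe 1, maybe 4, maybe 20 or more
        if (substr($syslog_data->[0], -1, 1) eq ":") {
            $decode_unix_table{"cpuX:"}->();
        }
        else {
            $decode_unix_table{"cpuX"}->();
        }
        return;
    }
    if (defined $decode_unix_table{$syslog_data->[0]}) {
        $decode_unix_table{$syslog_data->[0]}->();
        return;
    }
    # "addr=", "vmem_hash", "pid=" lines - presumably the dump that follows a
    # trap/panic record; always swallowed
    if (substr($syslog_data->[0], 0, 5) eq "addr=" || substr($syslog_data->[0], 0, 9) eq "vmem_hash" || substr($syslog_data->[0], 0, 4) eq "pid=" ) {
        $major_type_found = 1;
        return;
    }
    if ( ! $DETAILED_OUTPUT ) { $major_type_found = 1; }
    return;
} ## end Decode_unix

## based on OU ssh, modified to show connect from early
## Solaris - sparc
## Populates %decode_sshd_table keyed by the first word of the sshd message.
## The definition continues past this point.
sub Decode_sshd_init {
    $decode_sshd_table{"Accepted"} = sub {
        $sshd_ssh_login[$host_index] += $EVENT_TIMES;
        if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_ssh_table, substr($syslog_rec->[2],0,2)); }
        if ($syslog_data->[3] eq "root") { $sshd_ssh_login_root[$host_index] += $EVENT_TIMES; }
        if ( $REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[1], $host_index, $EVENT_TIMES, \%sshd_accept_type_table, $syslog_data->[1]); }
        if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[3], $host_index, $EVENT_TIMES, \%sshd_accept_user_table, $syslog_data->[3]); }
        $major_type_found = 1;
    };
    $decode_sshd_table{"Auditing"} = sub {   ### NOTE - probably no real record - should start with fatal;
        if ($syslog_data->[1] eq "of" && $syslog_data->[2] eq "login" && $syslog_data->[3] eq "failed") {
            add_usual_list_out(\%sshd_errs_table, 0);
            $major_type_found = 1;
            return;
        }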
}; $decode_sshd_table{"Authentication"} = sub { if ($syslog_data->[1] eq "failed") { $major_type_found=1;return;} ## caught in other ssh records if ($syslog_data->[1] eq "refused:" && $syslog_data->[2] eq "bad" && $syslog_data->[3] eq "ownership") { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); if ( !$STUPID_OUTPUT) { ## get rid of acutal file name if (substr($key_list[$#key_list],0,1) eq "/") { $key_list[$#key_list] = "-file-";} } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1;return; } if ($syslog_data->[1] eq "tried" && $syslog_data->[2] eq "for" && $syslog_data->[5] eq "correct" && $syslog_data->[6] eq "key" && $syslog_data->[8] eq "not" && $syslog_data->[11] eq "permitted") { if ( !$STUPID_OUTPUT) { ## get rid of acutal file name (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data-2]); $key_list[3] = "-login-"; ## drop user name if (substr($key_list[$#key_list],0,1) eq "/") { $key_list[$#key_list] = "-file-";} } else { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1;return; } }; $decode_sshd_table{"Bad"} = sub { ## assume bad protocol ver (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); if ( ! 
$STUPID_OUTPUT && $key_list[$#key_list-1] eq "from"){ $key_list[$#key_list] = "-host-";} $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1; return; }; $decode_sshd_table{"Cannot"} = sub { if ($syslog_data->[1] eq "bind") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return;} }; $decode_sshd_table{"Channel"} = sub { if ($syslog_data->[1] eq "open") { if ($STUPID_OUTPUT) { add_usual_list_out(\%sshd_stupid_output_table,0);} $major_type_found=1;return;} }; $decode_sshd_table{"Could"} = sub { if ( $syslog_data->[1] eq "not" ) { if ( $syslog_data->[2] eq "reverse" && $syslog_data->[3] eq "map") { if ($STUPID_OUTPUT) { add_usual_list_out(\%sshd_stupid_output_table,0); } $major_type_found=1;return;} if ( $syslog_data->[2] eq "write" && $syslog_data->[3] eq "ident") { if ($STUPID_OUTPUT) { add_usual_list_out(\%sshd_stupid_output_table,0); } $major_type_found=1;return;} } }; $decode_sshd_table{"Connection"} = sub { if ( $syslog_data->[1] eq "from") { $conn_ssh[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } ## only for our own special ssh if ( $syslog_data->[1] eq "closed") { if ($syslog_data->[2] eq "by") { $major_type_found=1;return;} ## closed by 2nd rec of close $conn_ssh[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } }; $decode_sshd_table{"Did"} = sub { if ( $syslog_data->[1] eq "not" && $syslog_data->[2] eq "receive") { if ($syslog_data->[3] eq "ident" || $syslog_data->[3] eq "identification") { $sshd_no_ident_id[$host_index] += $EVENT_TIMES; $major_type_found=1;return; } ## just connected for a quick scan } }; $decode_sshd_table{ "Disconnecting:"} = sub { if ( $syslog_data->[2] eq "many" && $syslog_data->[3] eq "authentication" && $syslog_data->[4] eq "failures") { $sshd_too_many_authen_fail[$host_index] += $EVENT_TIMES; $major_type_found=1;return;} add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1; return; }; 
$decode_sshd_table{"Error"} = sub { if ( $syslog_data->[1] eq "in" && $syslog_data->[2] eq "accessing" && $syslog_data->[3] eq "NIS") { add_usual_list_out(\%sshd_stupid_output_table,0); $major_type_found=1; return; } ## just connected for a quick scan }; $decode_sshd_table{"Failed"} = sub { ##V2.0 if ( $syslog_data->[1] eq "none") { if ( $STUPID_OUTPUT ) { add_usual_list_out(\%sshd_stupid_output_table,0); } $major_type_found=1;return;} $sshd_ssh_login_bad[$host_index]+=$EVENT_TIMES ; $major_type_found=1; if ($syslog_data->[3] eq "root") { $sshd_ssh_login_root_bad[$host_index]+=$EVENT_TIMES ;} if ($BAD_IP_OUT) { add_bad_ip_out_ssh (); } if ( $REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[1], $host_index, $EVENT_TIMES, \%sshd_failed_type_table, $syslog_data->[1]); } if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[3] eq "invalid" ) { add_list_out($syslog_data->[5], $host_index, $EVENT_TIMES, \%sshd_I_failed_user_table, $syslog_data->[5]); } else { add_list_out($syslog_data->[3], $host_index, $EVENT_TIMES, \%sshd_failed_user_table, $syslog_data->[3]); } } }; $decode_sshd_table{"Found"} = sub { ##V2.0 if ($syslog_data->[1] eq "matching") { #Found matching DSA key $major_type_found=1; return; } }; $decode_sshd_table{"Illegal"} = sub { ##V2.0 if ($syslog_data->[1] eq "user") { $sshd_ssh_login_bad[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } }; $decode_sshd_table{"Invalid"} = sub { ##V2.0 if ($syslog_data->[1] eq "user") { $sshd_ssh_login_bad[$host_index]+=$EVENT_TIMES; if ($BAD_IP_OUT) { add_bad_ip_out_ssh (); } $major_type_found=1; return; } }; $decode_sshd_table{"Keyboard-interactive"} = sub { ##V2.0 if ($syslog_data->[$#$syslog_data-1] eq "Authentication" && $syslog_data->[$#$syslog_data] eq "failed") { ### do we need this for login fails if no auth daemon or is it in other recs also? 
$major_type_found=1; return; } if ($syslog_data->[$#$syslog_data-4] eq "No" && $syslog_data->[$#$syslog_data-3] eq "account") { $major_type_found=1; return; } }; $decode_sshd_table{"Monitor"} = sub { ##V2.0 if ($syslog_data->[1] eq "killed;") { $sshd_monitor_killed[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sshd_table{"POSSIBLE"} = sub { if ($syslog_data->[1] eq "BREAKIN") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return;} }; $decode_sshd_table{"Protocol"} = sub { if ($syslog_data->[1] eq "major" && $syslog_data->[2] eq "versions") { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); if ( ! $STUPID_OUTPUT) { if ($key_list[4] eq "for") {$key_list[5]="-host-";} } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1;return;} }; $decode_sshd_table{"Postponed"} = sub { if ($syslog_data->[2] eq "for") { $major_type_found=1;return;} # Keybaord-intereactive, etc }; $decode_sshd_table{"Read"} = sub { if ($syslog_data->[1] eq "from" && $syslog_data->[2] eq "socket") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return;} ## just connected for a quick scan }; $decode_sshd_table{"Received"} = sub { if ($syslog_data->[1] eq "SIGHUP" || $syslog_data->[1] eq "disconnect" || $syslog_data->[1] eq "disconnect:" || $syslog_data->[1] eq "signal") { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); if ( ! 
$STUPID_OUTPUT && $key_list[2] eq "from"){ $key_list[3] = "-host-";} $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1;return;} }; $decode_sshd_table{"ROOT"} = sub { ##V2.0 if ( $syslog_data->[1] eq "LOGIN" && $syslog_data->[2] eq "REFUSED") { $sshd_ssh_login_bad[$host_index]+=$EVENT_TIMES ; $major_type_found=1; $sshd_ssh_login_root_bad[$host_index]+=$EVENT_TIMES ; if ($BAD_IP_OUT) { add_bad_ip_out_ssh (); } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[0], $host_index, $EVENT_TIMES, \%sshd_failed_user_table, $syslog_data->[0]); } } }; $decode_sshd_table{ "Server"} = sub { if ( $syslog_data->[1] eq "listening") { $sshd_server_listening[$host_index] += $EVENT_TIMES; $major_type_found=1;return;} }; $decode_sshd_table{ "Solaris_audit"} = sub {$major_type_found=1;return;}; ## user .. password expired.. $decode_sshd_table{ "Timeout"} = sub { if ( $syslog_data->[1] eq "before" && $syslog_data->[2] eq "authentication") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return;} }; $decode_sshd_table{ "User"} = sub {$major_type_found=1;return;}; ## user .. password expired.. $decode_sshd_table{ "at"} = sub {$major_type_found=1;return;}; ## at eval)user or rfc or ... 
$decode_sshd_table{ "authdes_refresh:"} = sub {$major_type_found=1;return;}; $decode_sshd_table{ "authdes_seccreate"} = sub {$major_type_found=1;return;}; $decode_sshd_table{ "authdes_validate:"} = sub {$major_type_found=1;return;}; $decode_sshd_table{"channel"} = sub { if ($syslog_data->[2] eq "open"&& $syslog_data->[3] eq "failed:") { $sshd_channel_open_fail[$host_index] += $EVENT_TIMES; $major_type_found=1;return;} }; $decode_sshd_table{ "channel_lookup:"} = sub { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1; return; }; $decode_sshd_table{ "channel_open_failure:"} = sub { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1; return; }; $decode_sshd_table{ "error."} = sub { if ( $syslog_data->[1] eq "Bind" && $syslog_data->[2] eq "to" && $syslog_data->[3] eq "port") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return;} }; $decode_sshd_table{ "error:"} = sub { if ( $syslog_data->[1] eq "PAM:" && $syslog_data->[2] eq "Authentication" && $syslog_data->[3] eq "failed") { $major_type_found=1;return; } if ( $syslog_data->[1] eq "PAM:" && $syslog_data->[2] eq "No" && $syslog_data->[3] eq "account") { $major_type_found=1;return; } add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1; return; }; $decode_sshd_table{"fatal:"} = sub { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); if ( ! $STUPID_OUTPUT) { if ($key_list[$#key_list-1] eq "for") {$key_list[$#key_list]="-host-";} } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sshd_errs_table, (@key_list) ); $major_type_found=1;return; }; $decode_sshd_table{ "gethostbyaddr:"} = sub { $major_type_found=1; return; }; ## now in ... $decode_sshd_table{ "input_userauth_request:"} = sub { $major_type_found=1;return;}; $decode_sshd_table{ "now"} = sub { $major_type_found=1; return; }; ## now in ... $decode_sshd_table{ "option:"} = sub { $major_type_found=1; return; }; ## option: AllOW or DENY or ... 
$decode_sshd_table{ "pam_unix_auth:"} = sub { $major_type_found=1;return;}; $decode_sshd_table{ "pam_authtok_get:pam_sm_authenticate:"} = sub { $major_type_found=1;return;}; $decode_sshd_table{ "refused"} = sub { if ( $syslog_data->[1] eq "connection" && $syslog_data->[2] eq "from") { if ($BAD_IP_OUT) { add_bad_ip_out_ssh (); } $conn_ssh[$host_index]+=$EVENT_TIMES ; $major_type_found=1;return; ## excluded by hosts.allow } if ( $syslog_data->[1] eq "connect" && $syslog_data->[2] eq "from") { if ($BAD_IP_OUT) { add_bad_ip_out_ssh (); } $conn_ssh[$host_index]+=$EVENT_TIMES ; $major_type_found=1;return; ## excluded by hosts.allow } }; $decode_sshd_table{ "reverse"} = sub { if ( $syslog_data->[1] eq "mapping") { $major_type_found=1;return;} }; $decode_sshd_table{ "rfc931"} = sub { $major_type_found=1; return; }; $decode_sshd_table{ "roles"} = sub { if ( $syslog_data->[1] eq "pam_sm_authenticate,") { $major_type_found=1;return;} }; $decode_sshd_table{ "scanned"} = sub { ## scanned by version mapper - yawn $sshd_scanned_ver_map[$host_index] += $EVENT_TIMES; $major_type_found=1; return; }; $decode_sshd_table{ "session_input_channel_req:"} = sub { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1; return; }; $decode_sshd_table{ "subsystem"} = sub { if ( $syslog_data->[1] eq "request") { $sshd_subsystem_req[$host_index] += $EVENT_TIMES; $major_type_found=1;return;} }; $decode_sshd_table{ "twist"} = sub { $sshd_twist[$host_index] += $EVENT_TIMES; $major_type_found=1; return; }; $decode_sshd_table{ "unable"} = sub { if ( $syslog_data->[1] eq "to") { if ( $syslog_data->[2] eq "encrypt" && $syslog_data->[3] eq "session") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return; } if ( $syslog_data->[2] eq "synchronize" && $syslog_data->[3] eq "clock") { add_usual_list_out(\%sshd_errs_table,0); $major_type_found=1;return; } } }; $decode_sshd_table{ "user2netname:"} = sub { $major_type_found=1;return; }; ##V2.0 $decode_sshd_table{ "user"} = sub { ##V2.0 if 
( $syslog_data->[1] eq "is") { if ( $REAL_REAL_DETAILED_OUTPUT ) { if (substr($syslog_data->[2],0,1) eq '[') { add_list_out('[encrypted]', $host_index, $EVENT_TIMES, \%sshd_rfc931_user_table, '[encrypted]'); } else { add_list_out($syslog_data->[2], $host_index, $EVENT_TIMES, \%sshd_rfc931_user_table, $syslog_data->[2]); } } $major_type_found=1; return; } }; $decode_sshd_table{ "userauth"} = sub { if ( $syslog_data->[1] eq "failed.") { $major_type_found=1;return;} }; $decode_sshd_table{ "warning:"} = sub { ## assume hosts.allow $major_type_found=1; return; }; } ## end of Decode sshd init sub Decode_sshd { ## based on OU ssh, modified to show connect from early ## Solaris - sparc if (defined $decode_sshd_table{$syslog_data->[0]}) { &{$decode_sshd_table{$syslog_data->[0]}}(); return } if ($syslog_data->[3] eq "Deprecated") {$major_type_found=1; return; } } ## end of Decode sshd sub add_bad_ip_out_ssh { ## add to optional bad ip out table. if ($USE_audit_ssh[$host_index]) {return;} ## counted here instead my ($i_add); for ( $i_add=0; $i_add < $#$syslog_data; $i_add++) { #step thru all but last fields looking for from if ( $syslog_data->[$i_add] eq "from" || $syslog_data->[$i_add] eq "From" || $syslog_data->[$i_add] eq "FROM" ){ add_hostvar_list_out ( \%Bad_ip_out_table, $syslog_data->[$i_add+1], "ssh"); $bad_ip_out_ssh{$syslog_data->[$i_add+1]}++; return; } } } # end of add_bad_ip_out_ssh sub Decode_ftpd_init { ## Solaris - sparc $decode_ftpd_table{"cmd"} = sub { if ($syslog_data->[1] eq "failure" && $syslog_data->[3] eq "not" && $syslog_data->[4] eq "logged") { $ftpd_cmd_no_login[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_ftpd_table{"connect"} = sub { ## same as connect from if ($syslog_data->[1] eq "from") { $ftpd_conn_ftpd[$host_index] += $EVENT_TIMES; add_var_list_out(\%daemon_connection_table, "ftpd"); $major_type_found = 1; return; } }; $decode_ftpd_table{"connection"} = sub { if ($syslog_data->[1] eq "from") { 
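$ftpd_conn_ftpd[$host_index] += $EVENT_TIMES;
add_var_list_out( \%daemon_connection_table, "ftpd" );
$major_type_found = 1;
return;
} };

## "failed login from <host>[, <user>]" - a rejected ftp login.  Counted per
## host; root attempts are counted separately, and at the most detailed output
## level the attempted user name (or "-no login-" when the record carries none)
## is tallied as well.
$decode_ftpd_table{"failed"} = sub {
    if ( $syslog_data->[1] eq "login" && $syslog_data->[2] eq "from" ) {
        $ftpd_ftp_login_bad[$host_index] += $EVENT_TIMES;
        if ($BAD_IP_OUT) { add_bad_ip_out_ftpd(); }
        if ( $syslog_data->[$#$syslog_data] eq "root" ) {
            ## NOTE(review): the "FTP LOGIN FAILED/REFUSED" handlers count root
            ## failures in @ftpd_ftp_login_root_bad while this one uses
            ## @ftpd_ftp_login_bad_root - one of the two is probably a slip;
            ## check which array the report section prints before changing.
            $ftpd_ftp_login_bad_root[$host_index] += $EVENT_TIMES;
        }
        if ($REAL_REAL_DETAILED_OUTPUT) {
            ## a trailing comma on the next-to-last field means a user name follows
            if ( substr( $syslog_data->[ $#$syslog_data - 1 ], -1, 1 ) eq "," ) {
                add_var_list_out( \%ftpd_ftp_failed_user_table, $syslog_data->[$#$syslog_data] );
            }
            else {
                add_var_list_out( \%ftpd_ftp_failed_user_table, "-no login-" );
            }
        }
        $major_type_found = 1;
        return;
    }
};

## fcntl() failure inside ftpd - a daemon error, detailed only on request.
$decode_ftpd_table{"fcntl"} = sub {
    add_var_list_out( \%ftpd_errs_table, "fcntl" );
    if ($DETAILED_OUTPUT) { add_usual_list_out( \%ftpd_detail_errs_table, 0 ); }
    $major_type_found = 1;
    return;
};

## "ftp logout" - routine, nothing to count.
$decode_ftpd_table{"ftp"} = sub {
    if ( $syslog_data->[1] eq "logout" ) {
        $major_type_found = 1;
        return;
    }
};

## getpeername() failure - a daemon error, detailed only on request.
$decode_ftpd_table{"getpeername:"} = sub {
    add_var_list_out( \%ftpd_errs_table, "getpeername" );
    if ($DETAILED_OUTPUT) { add_usual_list_out( \%ftpd_detail_errs_table, 0 ); }
    $major_type_found = 1;
    return;
};

## "lost connection to <host> [<ip>]".  Unless the most detailed output was
## asked for, the client host and address are masked so the detail table groups
## by message rather than by client.
$decode_ftpd_table{"lost"} = sub {
    if ( $syslog_data->[1] eq "connection" ) {
        add_list_out( "lost conn", $host_index, $EVENT_TIMES, \%ftpd_errs_table, "lost", "connection" );
        if ($REAL_REAL_DETAILED_OUTPUT) {
            add_usual_list_out( \%ftpd_detail_errs_table, 0 );
        }
        elsif ($DETAILED_OUTPUT) {
            $syslog_data->[3] = "-HOST-";
            ## fixed: was "gt" (string compare), which is false once the record
            ## has 10 or more fields ("10" lt "3") and left the address unmasked
            if ( $#$syslog_data > 3 ) { $syslog_data->[4] = "-IP-"; }
            add_usual_list_out( \%ftpd_detail_errs_table, 0 );
        }
        $major_type_found = 1;
        return;
    }
};

## PAM authentication noise - already accounted for by the login records.
$decode_ftpd_table{"pam_unix_auth:"} = sub {
    $major_type_found = 1;
    return;
};

## "pid file header count corrected" - ftpd repaired its own pid file.
$decode_ftpd_table{"pid"} = sub {
    ## NOTE(review): every sibling handler puts the summary key into
    ## %ftpd_errs_table and only the detail into %ftpd_detail_errs_table; this
    ## one writes both to the detail table.  Looks like a copy/paste slip but
    ## is kept as is - confirm against the report output.
    add_list_out( "pid count err", $host_index, $EVENT_TIMES, \%ftpd_detail_errs_table,
                  "pid", "file", "header", "count", "corrected" );
    if ($DETAILED_OUTPUT) { add_usual_list_out( \%ftpd_detail_errs_table, 0 ); }
    $major_type_found = 1;
    return;
};

## "refused connect from <host>" (access control) and
## "refused PORT <ip,port> from <host> [<ip>]" (client asked for a data
## connection to a third party).
$decode_ftpd_table{"refused"} = sub {
    if ( $syslog_data->[1] eq "connect" ) {
        $ftpd_dns_err[$host_index] += $EVENT_TIMES;
        ## NOTE(review): marking the record as found is commented out in the
        ## original, so it is counted here and still reaches the
        ## unrecognised-record summary.  Kept as is - confirm that is intended.
        # $major_type_found = 1; return;
    }
    if ( $syslog_data->[1] eq "PORT" ) {
        add_list_out( "refusedport", $host_index, $EVENT_TIMES, \%ftpd_errs_table, "refused", "PORT", "command" );
        if ($REAL_REAL_DETAILED_OUTPUT) {
            add_usual_list_out( \%ftpd_detail_errs_table, 0 );
        }
        elsif ($DETAILED_OUTPUT) {
            ## mask the requested address/port and the client so the detail
            ## table groups by message rather than by client
            $syslog_data->[2] = "-IP,port-";
            $syslog_data->[4] = "-HOST-";
            ## fixed: was "gt" (string compare), see the "lost" handler above
            if ( $#$syslog_data > 4 ) { $syslog_data->[5] = "-IP-"; }
            add_usual_list_out( \%ftpd_detail_errs_table, 0 );
        }
        $major_type_found = 1;
        return;
    }
};

## setsockopt() failure - a daemon error, detailed only on request.
$decode_ftpd_table{"setsockopt"} = sub {
    add_var_list_out( \%ftpd_errs_table, "setsockopt" );
    if ($DETAILED_OUTPUT) { add_usual_list_out( \%ftpd_detail_errs_table, 0 ); }
    $major_type_found = 1;
    return;
};

## secure-RPC name mapping noise - nothing to count.
$decode_ftpd_table{"user2netname:"} = sub {
    $major_type_found = 1;
    return;
};

## "User <name> timed out ..." - idle session closed by the server.
$decode_ftpd_table{"User"} = sub {
    if ( $syslog_data->[2] eq "timed" && $syslog_data->[3] eq "out" ) {
        add_var_list_out( \%ftpd_errs_table, "timeout" );
        if ($REAL_REAL_DETAILED_OUTPUT) {
            add_usual_list_out( \%ftpd_detail_errs_table, 0 );
        }
        elsif ($DETAILED_OUTPUT) {
            add_list_out( "usertimeout", $host_index, $EVENT_TIMES, \%ftpd_detail_errs_table, "user", "timed", "out" );
        }
        $major_type_found = 1;
        return;
    }
};

## "warning: ..." - name-service trouble while checking the client.  All three
## forms are counted as dns errors.
$decode_ftpd_table{"warning:"} = sub {
    if ( $syslog_data->[1] eq "can't"  && $syslog_data->[2] eq "get"
      && $syslog_data->[3] eq "client" && $syslog_data->[4] eq "address:" ) {
        $ftpd_dns_err[$host_index] += $EVENT_TIMES;
        ## NOTE(review): as in the "refused connect" handler, marking the record
        ## as found is commented out in the original, so it is counted here and
        ## still listed as unrecognised - confirm that is intended.
        # $major_type_found = 1; return;
    }
    if ( $syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname:" ) {
        $ftpd_dns_err[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ( $syslog_data->[1] eq "host" && $syslog_data->[2] eq "name/name" && $syslog_data->[3] eq "mismatch:" ) {
        $ftpd_dns_err[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
};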
$decode_ftpd_table{"xferlog"} = sub { if ( $syslog_data->[1] eq "(recv):" ) { $ftpd_xfer_recv_cnt[$host_index]+=$syslog_data->[2]; $ftpd_xfer_recv_bytes[$host_index]+=$syslog_data->[4]; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "(send):" ) { $ftpd_xfer_send_cnt[$host_index]+=$syslog_data->[2]; $ftpd_xfer_send_bytes[$host_index]+=$syslog_data->[4]; $major_type_found = 1; return; } }; $decode_ftpd_table{"FTP"} = sub { if ($syslog_data->[1] eq "LOGIN" && $syslog_data->[2] eq "FROM") { $ftpd_ftp_login[$host_index]+=$EVENT_TIMES; if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_ftp_table, substr($syslog_rec->[2],0,2)); } if ( $syslog_data->[$#$syslog_data] eq "root") { $ftpd_ftp_login_root[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } if ($syslog_data->[1] eq "LOGIN" && $syslog_data->[2] eq "FAILED") { $ftpd_ftp_login_bad[$host_index]+=$EVENT_TIMES; if ($BAD_IP_OUT) { add_bad_ip_out_ftpd() ;} if ( $syslog_data->[$#$syslog_data] eq "root") { $ftpd_ftp_login_root_bad[$host_index]+=$EVENT_TIMES; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%ftpd_ftp_failed_user_table, $syslog_data->[$#$syslog_data]); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "LOGIN" && $syslog_data->[2] eq "REFUSED") { $ftpd_ftp_login_bad[$host_index]+=$EVENT_TIMES; if ($BAD_IP_OUT) { add_bad_ip_out_ftpd() ;} if ( $syslog_data->[$#$syslog_data] eq "root") { $ftpd_ftp_login_root_bad[$host_index]+=$EVENT_TIMES; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out(\%ftpd_ftp_failed_user_table, $syslog_data->[$#$syslog_data]); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "session" && $syslog_data->[2] eq "closed") { $major_type_found = 1; return; } }; # if ( $syslog_data->[0] eq "CDUP") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "CWD") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "DELE") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "LIST") 
{$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "MDTM") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "MKD") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "NOOP") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "PASS") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "PASV") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "PORT") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "PWD") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "QUIT") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "REST") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "RETR") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "RMD") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "RNFR") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "RNTO") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "SIZE") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "STOR") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "SYST") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "TYPE") {$major_type_found = 1; return; } ##V2.0 # if ( $syslog_data->[0] eq "USER") {$major_type_found = 1; return; } ##V2.0 } ## end of ftpd_init sub Decode_ftpd { #V2.4 ## Solaris - sparc if (defined $decode_ftpd_table{$syslog_data->[0]}) { &{$decode_ftpd_table{$syslog_data->[0]}}(); return } ## some data is user of host did_something to a file if ( $syslog_data->[1] eq "of") { if ( $syslog_data->[4] eq "changed" && $syslog_data->[5] eq "permissions" ) { $ftpd_ok_change_perm[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "created" && $syslog_data->[5] eq "directory" ) { $ftpd_ok_mkdir[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq 
"deleted" ) { if ( $syslog_data->[5] eq "directory" && $#$syslog_data >= 6) { $ftpd_ok_del_dir[$host_index]++; } else { $ftpd_ok_del_file[$host_index]++; } $major_type_found = 1; return; } if ( $syslog_data->[4] eq "renamed" ) { $ftpd_ok_renamed[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "change" ) { ##permissions ?? $ftpd_bad_change_perm[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "create" ) { ##dir $ftpd_bad_mkdir[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "delete" ) { ##file $ftpd_bad_del_file[$host_index]++; $major_type_found = 1; return } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "download" ) { $ftpd_bad_download[$host_index]++; $major_type_found = 1; return } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "rename" ) { $ftpd_bad_renamed[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "remove" && $syslog_data->[7] eq "directory" ) { $ftpd_bad_del_dir[$host_index]++; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "tried" && $syslog_data->[6] eq "upload" ) { $ftpd_bad_upload[$host_index]++; $major_type_found = 1; return; } } ## anything else assume it is a command.... if ($DETAILED_OUTPUT) { add_var_list_out(\%ftpd_cmds_table, $syslog_data->[0]); } if ($syslog_data->[0] eq "SITE" ) { if ($REAL_DETAILED_OUTPUT) { add_usual_list_out(\%ftpd_SITE_cmds_table, 0); } } if ($STUPID_OUTPUT) { add_usual_list_out(\%ftpd_total_cmds_table, 0); } $major_type_found = 1; return; } ## end of decode ftpd sub add_bad_ip_out_ftpd { ## add to optional bad ip out table. 
if ($USE_audit_ftpd[$host_index]) {return;} ## counted here instead my ($i_add); for ( $i_add=0; $i_add < $#$syslog_data; $i_add++) { #step thru all but last fields looking for from if ( $syslog_data->[$i_add] eq "from" || $syslog_data->[$i_add] eq "From" || $syslog_data->[$i_add] eq "FROM" ){ add_hostvar_list_out ( \%Bad_ip_out_table, $syslog_data->[$i_add+1], "ftp"); $audit_bad_ip_out_ftpd{$syslog_data->[$i_add+1]}++; return; } } } # end of add_bad_ip_out_ftpd sub Decode_nfs { ## Solaris - sparc ### this code assumes mount points and file named have no white space in name.. if ($syslog_data->[0] eq "NOTICE:") { ##V2.1 if ( $syslog_data->[1] eq "NFS4" && $syslog_data->[2] eq "FACT") { $nfs_detail_fact_sheets[$host_index]+=$EVENT_TIMES; $nfs_err_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%NFS4_errs_table, 4); } $major_type_found=1; return; } if ( $syslog_data->[1] eq "[NFS4][Server:") { $nfs_host = substr($syslog_data->[2], 0, index($syslog_data->[2],']')); $nfs_host_index = &Get_Table_Entry ($nfs_host); ## stil trying if ($syslog_data->[$#$syslog_data-3] eq "not" && $syslog_data->[$#$syslog_data-2] eq "responding;" && $syslog_data->[$#$syslog_data-1] eq "still" && $syslog_data->[$#$syslog_data] eq "trying") { $nsf_client_svr_no_rsponse_still[$host_index]+=$EVENT_TIMES; $nfs_host_index = &Get_Table_Entry ($syslog_data->[2]); $nsf_server_client_svr_no_rsponse_still[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } ## mount pt ok if ($syslog_data->[4] eq "server" && $syslog_data->[6] eq "ok" ) { $nfs_mount_pt_ok[$host_index]+=$EVENT_TIMES; $nfs_server_mount_pt_ok[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } ##recovery if ($syslog_data->[4] eq "Starting" && $syslog_data->[5] eq "recovery") { $nfs_start_recovery[$host_index]+=$EVENT_TIMES; $nfs_server_start_recovery[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[4] eq "Recovery" && $syslog_data->[5] eq "done") { 
$nfs_end_recovery[$host_index]+=$EVENT_TIMES; $nfs_server_end_recovery[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } ##locking if ($syslog_data->[4] eq "reclaim" && $syslog_data->[5] eq "lock" && substr($syslog_data->[3],-8,8) eq "Couldn't") { $nfs_no_reclaim_lock[$host_index]+=$EVENT_TIMES; $nfs_server_no_reclaim_lock[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[5] eq "lost" && $syslog_data->[6] eq "its" && $syslog_data->[7] eq "locks" && $syslog_data->[9] eq "file" && $syslog_data->[$#$syslog_data-8] eq "due" && $syslog_data->[$#$syslog_data-6] eq "NFS" && $syslog_data->[$#$syslog_data-5] eq "recovery" && $syslog_data->[$#$syslog_data-4] eq "error") { $nfs_lost_lock_recov_err[$host_index]+=$EVENT_TIMES; $nfs_server_lost_lock_recov_err[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } ##op - delmap if ($syslog_data->[4] eq "op" && $syslog_data->[6] eq "got" && $syslog_data->[7] eq "error" && $syslog_data->[$#$syslog_data] eq "delmap.") { $nfs_error_on_delmap_cmd[$host_index]+=$EVENT_TIMES; $nfs_server_error_on_delmap_cmd[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } ## request lost if ($syslog_data->[5] eq "request" && substr($syslog_data->[3],-4,4) eq "Lost" ){ if ($syslog_data->[4] eq "OP_CLOSE") { $nfs_lost_close_req[$host_index]+=$EVENT_TIMES; $nfs_server_lost_close_req[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[4] eq "OP_OPEN") { $nfs_lost_open_req[$host_index]+=$EVENT_TIMES; $nfs_server_lost_open_req[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[4] eq "OP_DELEGRETURN") { $nfs_lost_op_deleg_req[$host_index]+=$EVENT_TIMES; $nfs_server_op_deleg_open_req[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } } ##file closed if(($syslog_data->[7] eq "was" && $syslog_data->[8] eq "closed" && $syslog_data->[9] eq "due" && $syslog_data->[11] eq "NFS" && $syslog_data->[12] eq "recovery" && 
$syslog_data->[13] eq "error") || ($syslog_data->[8] eq "was" && $syslog_data->[9] eq "closed" && $syslog_data->[10] eq "due" && $syslog_data->[12] eq "NFS" && $syslog_data->[13] eq "recovery" && $syslog_data->[14] eq "error")){ $nfs_closed_recov_err[$host_index]+=$EVENT_TIMES; $nfs_server_closed_recov_err[$nfs_host_index]+=$EVENT_TIMES; if ($syslog_data->[$#$syslog_data-3] eq "recover" && $syslog_data->[$#$syslog_data-2] eq "from" && $syslog_data->[$#$syslog_data-1] eq "NFS4ERR_STALE" && $syslog_data->[$#$syslog_data] eq "NFS4ERR_STALE)" ) { $nfs_detailed_closed_stale[$host_index]+=$EVENT_TIMES; $nfs_server_detailed_closed_stale[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[$#$syslog_data-4] eq "Persistent" && $syslog_data->[$#$syslog_data-3] eq "file" && $syslog_data->[$#$syslog_data-2] eq "handle" && $syslog_data->[$#$syslog_data-1] eq "changed" ) { $nfs_detailed_closed_fh_change[$host_index]+=$EVENT_TIMES; $nfs_server_detailed_closed_fh_change[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[$#$syslog_data-2] eq "NFSv4" && $syslog_data->[$#$syslog_data-1] eq "error" && $syslog_data->[$#$syslog_data] eq "NFS4ERR_INVAL)" ) { $nfs_detailed_closed_inval[$host_index]+=$EVENT_TIMES; $nfs_server_detailed_closed_inval[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[$#$syslog_data] eq "NFS4ERR_BAD_STATEID)" ) { $nfs_detailed_closed_bad_state_id[$host_index]+=$EVENT_TIMES; $nfs_server_detailed_closed_bad_state_id[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } $major_type_found=1; return; } ## NFS op ... got error ... causing recovery action ... 
if ($syslog_data->[6] eq "got" && $syslog_data->[7] eq "error" ) { if( $syslog_data->[9] eq "causing" && $syslog_data->[10] eq "recovery" && $syslog_data->[11] eq "action" ) { $nfs_causing_recovery[$host_index]+=$EVENT_TIMES; $nfs_server_causing_recovery[$nfs_host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_list_out($syslog_data->[5], $host_index, $EVENT_TIMES, \%nfs_err_op_table, $syslog_data->[5] ); add_list_out($syslog_data->[5], $nfs_host_index, $EVENT_TIMES, \%nfs_server_err_op_table, $syslog_data->[5] ); add_list_out($syslog_data->[8], $host_index, $EVENT_TIMES, \%nfs_recovery_action_table, $syslog_data->[8] ); add_list_out($syslog_data->[8], $nfs_host_index, $EVENT_TIMES, \%nfs_server_recovery_action_table, $syslog_data->[8] ); } $major_type_found=1; return; } if ($syslog_data->[$#$syslog_data-3] eq "causing" && $syslog_data->[$#$syslog_data-2] eq "recovery" && $syslog_data->[$#$syslog_data-1] eq "action" ) { $nfs_causing_recovery[$host_index]+=$EVENT_TIMES; $nfs_server_causing_recovery[$nfs_host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_list_out($syslog_data->[$#$syslog_data-4], $host_index, $EVENT_TIMES, \%nfs_err_op_table, $syslog_data->[$#$syslog_data-4] ); add_list_out($syslog_data->[$#$syslog_data-4], $nfs_host_index, $EVENT_TIMES, \%nfs_server_err_op_table, $syslog_data->[$#$syslog_data-4] ); add_list_out($syslog_data->[8], $host_index, $EVENT_TIMES, \%nfs_recovery_action_table, $syslog_data->[$#$syslog_data] ); add_list_out($syslog_data->[8], $nfs_host_index, $EVENT_TIMES, \%nfs_server_recovery_action_table, $syslog_data->[$#$syslog_data] ); } $major_type_found=1; return; } } } } if ($syslog_data->[0] eq "WARNING:") { if ( $syslog_data->[3] eq "initial" && $syslog_data->[4] eq "call") { $nfs_init_call_failed[$host_index]+=$EVENT_TIMES; $nfs_host_index = &Get_Table_Entry ($syslog_data->[6]); $nfs_server_init_call_failed[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[2] eq "Can't" && $syslog_data->[3] 
eq "communicate" && $syslog_data->[5] eq "mapping" && $syslog_data->[6] eq "daemon") { $nfs_cant_get_nfsmapid[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[1] eq "NFSMAPID_DOMAIN" && $syslog_data->[3] eq "not" && $syslog_data->[4] eq "match" && $syslog_data->[6] eq "server:") { $nfs_domain_not_matching[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } } if ($syslog_data->[0] eq "file" ) { if ( $syslog_data->[1] eq "temporarily" && $syslog_data->[2] eq "unavailable") { $nfs_file_temp_unavail[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } } if ($syslog_data->[0] eq "NFS" ) { if ($syslog_data->[1] eq "compound" && $syslog_data->[2] eq "failed" && $syslog_data->[3] eq "for" && $syslog_data->[4] eq "server" && $syslog_data->[8] eq "(RPC:" && $syslog_data->[9] eq "Timed") { ##V2.1 - timed out $nsf_client_compound_rpc_timeout[$host_index]+=$EVENT_TIMES; chop($syslog_data->[5]); $nfs_host_index = &Get_Table_Entry ($syslog_data->[5]); $nsf_server_client_compound_rpc_timeout[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[3] eq "ok") { $nfs_server_ok[$host_index]+=$EVENT_TIMES; $nfs_host_index = &Get_Table_Entry ($syslog_data->[2]); $nfs_server_server_ok[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[3] eq "not" && $syslog_data->[4] eq "responding") { ##V2.1 $nsf_client_svr_no_rsponse[$host_index]+=$EVENT_TIMES; $nfs_host_index = &Get_Table_Entry ($syslog_data->[2]); $nsf_server_client_svr_no_rsponse[$nfs_host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[3] eq "volume" && $syslog_data->[4] eq "management" && $syslog_data->[5] eq "(/vol)" ) { if ($syslog_data->[6] eq "not" && $syslog_data->[7] eq "responding" ) { $nsf_client_vold_not_resp[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[6] eq "ok" ) { 
$nsf_client_vold_ok_resp[$host_index] += $EVENT_TIMES;
$major_type_found = 1;
return;
}
}
## "NFS write error on host <server>: ..." - the server name carries a
## trailing colon, which is stripped before the server-side lookup.
if ( $syslog_data->[1] eq "write" && $syslog_data->[2] eq "error"
  && $syslog_data->[3] eq "on"    && $syslog_data->[4] eq "host" ) {
    $nsf_client_write_error[$host_index] += $EVENT_TIMES;
    $nfs_host_index = Get_Table_Entry( substr( $syslog_data->[6], 0, -1 ) );
    $nsf_server_write_error[$nfs_host_index] += $EVENT_TIMES;
    $major_type_found = 1;
    return;
}
}
## "(file handle: ...)" continuation records carry nothing new to count.
if ( $syslog_data->[0] eq "(file" && $syslog_data->[1] eq "handle:" ) {
    $major_type_found = 1;
    return;
}
} ## end of nfs

## nfsmapid startup record, "nfsmapid domain = <domain>".  These take priority
## over the nfs: records for now, since one record here may stand for many
## nfs: records (e.g. one stale error on a directory and several recovery
## failures for the files inside it).
sub Decode_nfsmapid { ##V2.1
    ## Solaris - sparc
    ## NOTE(review): the parentheses only spell out Perl's precedence ("&&"
    ## binds tighter than "||"): any record whose third field is "=" is
    ## accepted regardless of the first two.  Probably meant as an all-"&&"
    ## test - confirm against real nfsmapid records before changing.
    my $is_startup = ( $syslog_data->[0] eq "nfsmapid" && $syslog_data->[1] eq "domain" )
                     || $syslog_data->[2] eq "=";
    if ($is_startup) {
        $nfsmapid_startup[$host_index] += $EVENT_TIMES;
        ## field 3 is the domain name itself
        if ($REAL_DETAILED_OUTPUT) {
            add_var_list_out( \%nfsmapid_domain_table, $syslog_data->[3] );
        }
        $major_type_found = 1;
        return;
    }
} ## end of nfsmapid

## Volume manager (vold) errors.
sub Decode_vold { ##V2.1
    ## Solaris - sparc
    ## errs listed by vold
    my $cd_already_in = $syslog_data->[0] eq "cdrom"    && $syslog_data->[1] eq "named"
                     && $syslog_data->[3] eq "already"  && $syslog_data->[4] eq "inserted";
    my $mount_failed  = $syslog_data->[0] eq "mounting" && $syslog_data->[1] eq "of"
                     && $syslog_data->[3] eq "failed";
    if ( $cd_already_in || $mount_failed ) {
        @key_list = @{$syslog_data};
        ## field 2 is the volume name; collapse it unless details were asked for
        $key_list[2] = "==vol name==" unless $DETAILED_OUTPUT;
        $this_key = join( "-", @key_list );
        add_list_out( $this_key, $host_index, $EVENT_TIMES, \%vold_errs_table, @key_list );
        $major_type_found = 1;
        return;
    }
    ### RANDOM ERROR MSGS...just add to table for now... - what a cheap way to do this...
    ## NOTE(review): @key_list is not filled in on this path, so whatever the
    ## previous record left in it is passed along (the other catch-alls in this
    ## file pass 0 here).  Looks unintended; kept as is.
    add_usual_list_out( \%vold_errs_table, @key_list );
    $major_type_found = 1;
    return;
} ## end of vold

## NFS server-side kernel module messages.
sub Decode_nfssrv {
    ## Solaris - sparc
    my ( $w0, $w1, $w2, $w3, $w4 ) = @{$syslog_data}[ 0 .. 4 ];
    if ( $w0 eq "NOTICE:" && $w1 eq "nfs_server:" && $w2 eq "bad" && $w3 eq "getargs" ) {
        $nfssrv_bad_getargs[$host_index] += $EVENT_TIMES;    ## assumed: "RPC: operation in progress"
        $major_type_found = 1;
        return;
    }
    if ( $w0 eq "WARNING:" && $w1 eq "nfsauth" && $w2 eq "upcall" && $w3 eq "failed:" ) {
        $nfssrv_upcall_fail[$host_index] += $EVENT_TIMES;    ## assumed: "RPC: operation in progress"
        $major_type_found = 1;
        return;
    }
    if ( $w0 eq "WARNING:" && $w1 eq "nfsauth:" && $w2 eq "mountd" && $w3 eq "not" && $w4 eq "responding" ) {
        $nfssrv_mountd_no_respond[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
} ## end of nfssrv

## /usr/lib/nfs/nfsd messages - only the RDMA notice is recognised.
sub Decode_slash_nfsd { ##V2.1
    ## Solaris - sparc
    if ( $syslog_data->[0] eq "RDMA" ) {
        $major_type_found = 1;
        return;
    }
} ## end slash_nfsd

## kernel runtime linker (krtld) load errors - solaris
sub Decode_krtld {
    ## Solaris - sparc
    ## NOTE(review): @key_list is not filled in from this record, so the value
    ## passed is whatever the previous record left there (other catch-alls
    ## pass 0).  Kept as is.
    add_usual_list_out( \%Machine_errs_table, @key_list );
    $major_type_found = 1;
} ## end of krtld

## savecore messages - most likely an error; the whole record becomes the key.
sub Decode_savecore {
    ## Solaris - sparc
    @key_list = @{$syslog_data};
    $this_key = join( "-", @key_list );
    add_usual_list_out( \%Machine_errs_table, @key_list );
    $major_type_found = 1;
} ## end of savecore

## floppy (fd) driver messages - most likely an error.
sub Decode_fd {
## Solaris - sparc
## "fd0: unformatted diskette or no diskette in drive"
if ( $syslog_data->[1] eq "unformatted" && $syslog_data->[2] eq "diskette"
  && $syslog_data->[4] eq "no"          && $syslog_data->[5] eq "diskette" ) {
    ## NOTE(review): @key_list is not filled in from this record, so the value
    ## passed is whatever the previous record left there (other catch-alls
    ## pass 0).  Kept as is.
    add_usual_list_out( \%Machine_errs_table, @key_list );
    $major_type_found = 1;
    return;
}
} ## end of fd

## IP-layer kernel warnings.  Both forms are address conflicts worth a look:
## another station is claiming this host's address, or proxy ARP is
## answering for it.
sub Decode_ip { ##
    ## Solaris - sparc
    ## "WARNING: IP: Hardware address '<mac>' trying to be our address <ip>!"
    my $dup_addr  = $syslog_data->[0] eq "WARNING:" && $syslog_data->[1] eq "IP:"
                 && $syslog_data->[2] eq "Hardware" && $syslog_data->[5] eq "trying"
                 && $syslog_data->[6] eq "to"       && $syslog_data->[7] eq "be"
                 && $syslog_data->[8] eq "our"      && $syslog_data->[9] eq "address";
    ## "WARNING: IP: Proxy ARP problem? ..."
    my $proxy_arp = $syslog_data->[0] eq "WARNING:" && $syslog_data->[1] eq "IP:"
                 && $syslog_data->[2] eq "Proxy"    && $syslog_data->[3] eq "ARP"
                 && $syslog_data->[4] eq "problem?";
    if ( $dup_addr || $proxy_arp ) {
        ## the whole record is the key, so each distinct address pair is listed
        @key_list = @{$syslog_data};
        $this_key = join( "-", @key_list );
        add_list_out( $this_key, $host_index, $EVENT_TIMES, \%Machine_errs_table, @key_list );
        $major_type_found = 1;
        return;
    }
} ## end of ip

## Gigabit ethernet (ge) driver messages: record the negotiated speed/duplex
## when the link comes up; anything else is only listed at the most detailed
## output level.
sub Decode_ge { ##
    ## Solaris - sparc
    if ( $syslog_data->[1] eq "Using" ) { ## startup msg
        $major_type_found = 1;
        return;
    }
    my $last = $#$syslog_data;
    if ( $syslog_data->[ $last - 1 ] eq "Link" && $syslog_data->[$last] eq "Up" ) {
        ## "... <speed> Mbps <duplex> Link Up": speed sits 4 fields and duplex
        ## 2 fields before the end of the record
        my %counter_for = (
            "10 Half-Duplex"   => \@global_network_up_10_half,
            "10 Full-Duplex"   => \@global_network_up_10_full,
            "100 Half-Duplex"  => \@global_network_up_100_half,
            "100 Full-Duplex"  => \@global_network_up_100_full,
            "1000 Half-Duplex" => \@global_network_up_1000_half,
            "1000 Full-Duplex" => \@global_network_up_1000_full,
        );
        my $link = join( " ", $syslog_data->[ $last - 4 ], $syslog_data->[ $last - 2 ] );
        if ( my $counter = $counter_for{$link} ) {
            $counter->[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }
    if ($REAL_REAL_DETAILED_OUTPUT) {
        add_usual_list_out( \%network_dev_msg_table, 0 );
    }
    $major_type_found = 1;
    return;
} ## end of ge

## Quad fast ethernet (qfe) driver messages: same idea as Decode_ge, but the
## record reads "<if>: <speed> Mbps <duplex> duplex link up".
sub Decode_qfe { ##
    ## Solaris - sparc
    if ( $syslog_data->[5] eq "link" && $syslog_data->[6] eq "up" ) {
        my %counter_for = (
            "10 half"   => \@global_network_up_10_half,
            "10 full"   => \@global_network_up_10_full,
            "100 half"  => \@global_network_up_100_half,
            "100 full"  => \@global_network_up_100_full,
            "1000 half" => \@global_network_up_1000_half,
            "1000 full" => \@global_network_up_1000_full,
        );
        my $link = join( " ", $syslog_data->[1], $syslog_data->[3] );
        if ( my $counter = $counter_for{$link} ) {
            $counter->[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }
    if ($REAL_REAL_DETAILED_OUTPUT) {
        add_usual_list_out( \%network_dev_msg_table, 0 );
    }
    $major_type_found = 1;
    return;
} ## end of qfe

## Broadcom gigabit (bge) driver messages.
sub Decode_bge { ##
    ## Solaris - sparc
    if ( $syslog_data->[0] eq "NOTICE:" &&
substr($syslog_data->[1],0,3) eq "bge" ) { if ( $syslog_data->[2] eq "link" && $syslog_data->[3] eq "up" ) { ## if ( $syslog_data->[4] eq "10Mbps" && $syslog_data->[5] eq "Half-Duplex" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "10Mbps" && $syslog_data->[5] eq "Full-Duplex" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "100Mbps" && $syslog_data->[5] eq "Half-Duplex" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "100Mbps" && $syslog_data->[5] eq "Full-Duplex" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "1000Mbps" && $syslog_data->[5] eq "Half-Duplex" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[4] eq "1000Mbps" && $syslog_data->[5] eq "Full-Duplex" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "link" && $syslog_data->[3] eq "down" ) { $global_network_down[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%network_dev_msg_table, 0 ); } $major_type_found = 1; return; } ## end of bge sub Decode_hme { ## ## Solaris - sparc if ( $syslog_data->[5] eq "Link" && $syslog_data->[6] eq "Up" ) { ## if ( $syslog_data->[2] eq "10" && $syslog_data->[4] eq "Half-Duplex" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "10" && $syslog_data->[4] eq "Full-Duplex" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "Half-Duplex" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; 
$major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "Full-Duplex" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "Half-Duplex" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "Full-Duplex" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%network_dev_msg_table, 0 ); } $major_type_found = 1; return; } ## end of hme sub Decode_eri { ## ## Solaris - sparc if ( $syslog_data->[6] eq "link" && $syslog_data->[7] eq "up" ) { ## if ( $syslog_data->[2] eq "10" && $syslog_data->[4] eq "half" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "10" && $syslog_data->[4] eq "full" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "half" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "full" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "half" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "full" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%network_dev_msg_table, 0 ); } $major_type_found = 1; return; } ## end of eri sub Decode_nge { ## ## Solaris - sparc if ( $syslog_data->[6] eq "link" && $syslog_data->[7] eq "up" ) { ## if ( $syslog_data->[2] 
eq "10" && $syslog_data->[4] eq "half" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "10" && $syslog_data->[4] eq "full" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "half" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "100" && $syslog_data->[4] eq "full" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "half" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "1000" && $syslog_data->[4] eq "full" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%network_dev_msg_table, 0 ); } $major_type_found = 1; return; } ## end of nge sub Decode_gld { ## ## Solaris - sparc if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%network_dev_msg_table, 0 ); } else { if ( $REAL_DETAILED_OUTPUT ) { if ( $syslog_data->[$#$syslog_data-1] eq "address" ) { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data-2]); } else { (@key_list) = (@{$syslog_data}[0 .. 
$#$syslog_data]); } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%network_dev_msg_table, (@key_list) ); } } $major_type_found = 1; return; } ## end of gld sub Decode_mac { ## ## Solaris - sparc if ( $REAL_REAL_DETAILED_OUTPUT ) { if ( $syslog_data->[0] eq "NOTICE:" && $syslog_data->[2] eq "registered" ) { add_usual_list_out( \%network_dev_msg_table, 1); } else { add_usual_list_out( \%network_dev_msg_table, 0); } } $major_type_found = 1; return; } ## end of mac sub Decode_sd { ## ## Solaris - sparc if ( $syslog_data->[0] eq "sd_media_watch_cb:" && $syslog_data->[1] eq "dev" && $syslog_data->[2] eq "gone") { $major_type_found = 1; return; } } ## end of sd sub Decode_graphics_generic { ## ## Solaris - sparc - graphics card add_usual_list_out(\%graphics_msg_table, 0 ); $major_type_found = 1; return; } ## end of graphics_generic sub Decode_daemon_generic { ## ## Solaris - sparc - ## give list of counts per daemon, unless really verbose, then just all msgs. if ( $syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from" ) { add_var_list_out(\%generic_deamon_connect_table, $pname ); $major_type_found = 1; return; } add_var_list_out(\%generic_deamon_msg_table, $pname ); if ( $DETAILED_OUTPUT ) { if ( $REAL_REAL_DETAILED_OUTPUT){ ##OK, for these people, show addresses and such also (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); } else { $i_start=1 ; $i_end = $#$syslog_data; for ($i = $i_start; $i <= $i_end; $i++) { if ( $syslog_data->[$i] eq "from") { $i_end = $i+1; $syslog_data->[$i+1]="-host-"; last; } if ($syslog_data->[$i] eq "hostname:") { $syslog_data->[$i+1]="-host-"; $i_end = $i+1; last; } } (@key_list) = (@{$syslog_data}[0 .. 
$#$syslog_data]); } $this_key= join("-",$pname, @key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%generic_deamon_verbose_msg_table, $pname, (@key_list) ); } $major_type_found = 1; return; } ## end of daemon_generic sub Decode_nis_cachemgr { ## ## Solaris - sparc if ( $syslog_data->[1] eq "server" && $syslog_data->[2] eq "not" && $syslog_data->[3] eq "responding") { $niscachemgr_server_response_problem[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "server" && $syslog_data->[2] eq "could" && $syslog_data->[3] eq "not" && $syslog_data->[5] eq "contacted:") { $niscachemgr_server_response_problem[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } ## end of nis_cachemgr sub Decode_bootparam_prot { ## ## Solaris - sparc if ( $syslog_data->[0] eq "_svcauth_des:" ) { $major_type_found = 1; return; } } ## end of bootparam_prot sub Decode_inetadm { ## solaris ## Solaris - sparc add_usual_list_out(\%inetadm_msg_table, (@key_list) ); $major_type_found = 1; return; } ## end of inetadm sub Decode_power { ## solaris ## Solaris - sparc if ( $syslog_data->[0] eq "WARNING:" && $syslog_data->[1] eq "Power" && $syslog_data->[2] eq "off" && $syslog_data->[3] eq "requested" && $syslog_data->[5] eq "power" && $syslog_data->[6] eq "button" && $syslog_data->[7] eq "or" && $syslog_data->[8] eq "SC," ) { $power_button_off[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "WARNING:" && $syslog_data->[1] eq "Failed" && $syslog_data->[2] eq "to" && $syslog_data->[3] eq "shut" ){ $power_button_off_fail[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of power sub Decode_powerd { ## solaris ## Solaris - sparc if ( $syslog_data->[0] eq "Autoshutdown" ) { $powerd_authshutdown[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of power sub Decode_sys_suspend { ## solaris ## Solaris - sparc if ( $syslog_data->[0] eq "System" && $syslog_data->[1] eq "is" 
&& $syslog_data->[2] eq "being" && $syslog_data->[3] eq "shut") { $sys_suspend_shut[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of sys_suspend sub Decode_ipf { ## solaris ## Solaris - sparc if ( $syslog_data->[$#$syslog_data] eq "running.") { $ipf_running[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of ipf sub Decode_Periodic{ ## solaris - Periodic head cleaning required ## Solaris - sparc if ( $syslog_data->[0] eq "head" && $syslog_data->[1] eq "cleaning" && $syslog_data->[2] eq "required" ) { $Periodic_head_clean[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of Periodic sub Decode_sendmail_init { ## Solaris - sparc $decode_sendmail_table{"accepting"} = sub { ##V2.1 if ($syslog_data->[1] eq "connections") { $major_type_found=1;return; } if ($syslog_data->[1] eq "new" && $syslog_data->[2] eq "messages") { $major_type_found=1;return; } }; $decode_sendmail_table{"alias"} = sub { if ($syslog_data->[1] eq "database") { $sendmail_aliase_DB_rebuild[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_table{"authdes_seccreate:" } = sub { $major_type_found=1;return; }; $decode_sendmail_table{"authdes_refresh:" } = sub { $major_type_found=1;return; }; $decode_sendmail_table{"AUTH:"} = sub { $major_type_found=1;return; }; $decode_sendmail_table{"AUTH=client," } = sub { $major_type_found=1;return; }; $decode_sendmail_table{"AUTH=server," } = sub { if ($REAL_REAL_DETAILED_OUTPUT) { for ($i=1; $i++; $i<$#$syslog_data) { if (substr($syslog_data->[$i],0,7) eq "authid=") { add_list_out( substr($syslog_data->[$i],7), $host_index, $EVENT_TIMES, \%sendmail_login_table, substr($syslog_data->[$i],7)); $major_type_found=1;return; } } } $major_type_found=1;return; }; $decode_sendmail_table{"AUTH" } = sub { if ( $syslog_data->[1] eq "warning:" && $syslog_data->[3] eq "mechanisms") { $major_type_found=1;return; } if ( $syslog_data->[1] eq "failure" && $syslog_data->[3] eq 
"authentication") { $major_type_found=1;return; } }; $decode_sendmail_table{"Bad"} = sub { if ( $syslog_data->[1] eq "IPREMOTEPORT" ) { ## part of bad password $major_type_found=1;return; } }; $decode_sendmail_table{"Could"} = sub { if ( $syslog_data->[1] eq "not" && $syslog_data->[2] eq "find" && $syslog_data->[4] eq "dlname") { ## just skip.. $major_type_found=1;return; } }; $decode_sendmail_table{"daemon" } = sub { if ($syslog_data->[2] eq "problem" && $syslog_data->[3] eq "creating" && $syslog_data->[4] eq "SMTP" && $syslog_data->[5] eq "socket") { $sendmail_SMTP_sock_prob[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"deferring" } = sub { ##V2.0 if ( $syslog_data->[1] eq "connections" && $syslog_data->[2] eq "on" && $syslog_data->[3] eq "daemon" && $syslog_data->[4] eq "MTA:") { $sendmail_defer_con_deamon_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[1] eq "connections:" ){ $sendmail_defer_con_deamon_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"delaying" } = sub { ##V2.0 ## some sendmails use delaying instead of rejecting if ($syslog_data->[1] eq "connections") { if ($syslog_data->[$#$syslog_data-2] eq "children," ) { $sendmail_max_children_cnt[$host_index]+=$EVENT_TIMES; } else { ## assume must be load avg. 
$sendmail_load_avg_cnt[$host_index]+=$EVENT_TIMES; } $major_type_found=1; return; } }; $decode_sendmail_table{"error:"} = sub { if (substr($syslog_data->[1],0,8) eq "safesasl") {$major_type_found=1;return;}}; ##V2.0 notes - if the SIZE= parm is given by sender on MAIL command, no line seems to be written ## to syslog that the message is too big - it is just rejected with the line: ## --- 552 5.2.3 Message size exceeds fixed maximum message size (1000000) ## ## BUT, it no SIZE= parm is given, we go around the bush and get the reject ## message (possibly more than once based upon RCPT TO: and DATA commands ## and also get the j66IqeJE005493: message size (33642591) exceeds maximum (20000000) message. ## the 2 messages that are sent back are: ## j66Fx6Jp010285: --- 552 5.2.3 Message exceeds maximum fixed size (1000000) (hold) ## j66Fx6Jp010285: --- 552 5.2.3 Message exceeds maximum fixed size (1000000) (held) ## note hold and held.... so we count in --- section and only count holds. ## $decode_sendmail_table{"File"} = sub { ##V2.0 if ($syslog_data->[1] eq "descriptors" && $syslog_data->[2] eq "missing") { $major_type_found=1;return; } }; $decode_sendmail_table{"grew" } = sub { # if ($syslog_data->[1] eq "WorkList") { $sendmail_grew_worklist_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"My"} = sub { ##V2.0 if ($syslog_data->[1] eq "unqualified" && $syslog_data->[2] eq "host") { $major_type_found=1;return; } }; $decode_sendmail_table{"NOQUEUE:" } = sub { if ($syslog_data->[1] eq "connect" && $syslog_data->[2] eq "from") { $conn_sendmail[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[3] eq "localhost" && $syslog_data->[4] eq '[127.0.0.1]' ) { $conn_sendmail_local[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( substr($syslog_data->[3],-10) eq '@localhost') { $conn_sendmail_local[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $conn_sendmail_foreign[$host_index]+=$EVENT_TIMES; $major_type_found = 
1; return; } if ( $syslog_data->[1] eq "dropenvelope," ) { $major_type_found=1;return; ## log level > 15 } if ( $syslog_data->[1] eq "finis," ) { $major_type_found=1;return; ## log level > 15 } if (substr($syslog_data->[1],0,7) eq "SYSERR(") { ## ignore.. $major_type_found = 1; $sendmail_NOQUEUE_syserr_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { if ( $REAL_REAL_DETAILED_OUTPUT){ ##OK, for these people, show addresses and such also @key_list = (@{$syslog_data}[2 .. $#$syslog_data]); } else { $i_start=2 ; $i_end = $#$syslog_data; for ($i = $i_start; $i <= $i_end; $i++) { if ( $syslog_data->[$i] eq "from" ) { $i_end = $i+1; $syslog_data->[$i+1]="-host-"; last; } if ( $syslog_data->[$i] eq "for" ) { $i_end = $i+1; $syslog_data->[$i+1]="-addr-"; last; } if (substr($syslog_data->[$i],0,2) eq "./") { $syslog_data->[$i]="*FILE*"; } if (substr($syslog_data->[$i],0,9) eq "rename(./") { $syslog_data->[$i]="rename(*FILE*"; } if (substr($syslog_data->[$i],-1,1) eq ".") { $syslog_data->[$i]="-host-";} ## skip domainname } @key_list = (@{$syslog_data}[$i_start .. $i_end ]); } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_SYSERR_tablr, (@key_list) ); } return; } if ($syslog_data->[1] eq "timeout") { ## ignore.. $major_type_found = 1; $sendmail_timeouts[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { my(@key_list) = (@{$syslog_data}[$istart .. $#$syslog_data]); $this_key= join("-",@key_list); add_list_out('NOQUEUE timeout', $host_index, $EVENT_TIMES, \%sendmail_timeout_table, "timeout","before","issueing","any","commands" ); } return; } if ($syslog_data->[1] eq "stopping") { ## ignore.. 
$major_type_found = 1; return; } } ; $decode_sendmail_table{"Password"} = sub { if ($syslog_data->[1] eq "verification" && $syslog_data->[2] eq "failed") { $sendmail_bad_passwords[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"poststats:" } = sub { $major_type_found=1;return; }; $decode_sendmail_table{"proc_list_probe:"} = sub { if ($syslog_data->[1] eq "found" && $syslog_data->[3] eq "children,") { ## found xx expected xx $sendmail_proc_list_probe_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"rejecting" } = sub { ##V2.0 if ($syslog_data->[1] eq "connections") { if ($syslog_data->[$#$syslog_data-2] eq "children," ) { $sendmail_max_children_cnt[$host_index]+=$EVENT_TIMES; } else { ## assume must be load avg. $sendmail_load_avg_cnt[$host_index]+=$EVENT_TIMES; } $major_type_found=1; return; } if ($syslog_data->[1] eq "new" && $syslog_data->[2] eq "messages:" && $syslog_data->[3] eq "min" && $syslog_data->[4] eq "free:") { $sendmail_out_of_disk_space_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"ruleset=trust_auth," } = sub { $major_type_found=1;return;}; ## hmm... requires more study $decode_sendmail_table{"ruleset=tls_server," } = sub { ##V2.1 $major_type_found=1;return; }; $decode_sendmail_table{"runqueue:" } = sub { $major_type_found=1;return; }; $decode_sendmail_table{"runqueue"} = sub { $major_type_found=1;return; }; ## log level > 15 $decode_sendmail_table{"started" } = sub { if ( $syslog_data->[1] eq "as:" ) { $sendmail_startup[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; ## startup msg. $decode_sendmail_table{"starting" } = sub { if ( $syslog_data->[1] eq "daemon" ) { $sendmail_daemon_startup[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; ## startup msg. 
$decode_sendmail_table{"STARTTLS=client,"} = sub { if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} if ($syslog_data->[1] eq "SSL_shutdown" && $syslog_data->[2] eq "not" ) { $major_type_found = 1;return;} ## log level > 15 if ($syslog_data->[1] eq "start=ok" ) { $conn_sendmail_tls_client[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $sendmail_subtest = substr( $syslog_data->[1],0,6); if ( $sendmail_subtest eq "init=1") { $major_type_found=1;return;} if ( $sendmail_subtest eq "get_ve") { $major_type_found=1;return;} ## get_verify: if ( $sendmail_subtest eq "relay=") { $major_type_found=1;return;} ## relay=HOSTNAME if ( $sendmail_subtest eq "cert-s") { $major_type_found=1;return;} ## cert-subject= if ( $sendmail_subtest eq "cert-i") { $major_type_found=1;return;} ## cert-issuer= if ( $sendmail_subtest eq "error:") { if ( $syslog_data->[2] eq "connect" && substr($syslog_data->[4],0,9) eq "SSL_error" ) { $major_type_found=1;return; ## error: connect failed=-1, SSL_error=5, } } }; $decode_sendmail_table{"STARTTLS=client:"} = sub { if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} if ( $syslog_data->[1] =~/error.*SSL/) { $sendmail_client_SSL_err[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[1] =~"error" && $syslog_data->[1] =~"asn1" && $syslog_data->[2] eq "encoding") { $sendmail_asn1_err[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { my $uns =join(":",(@{$syslog_data}[1 .. 
$#$syslog_data])); my(@split_key_list)=split(":",$uns); if ($REAL_REAL_DETAILED_OUTPUT) { $this_key= join("-",@split_key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_client_errs_table, (@split_key_list) ); } else { for ($i=3, $j=0; $i <= $#split_key_list;$j++, $i++) { $add = $split_key_list[$i]; $add =~ s/^\d+$/'###'/ge; $key_list[$j]=$add; $this_key=join("-",$this_key, $add); } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_client_errs_table, (@key_list) ); } } $major_type_found=1; return; } }; $decode_sendmail_table{"STARTTLS=server," } = sub { ##V2.0 if ($syslog_data->[1] eq "get_verify:" ) { ## dont seem to have a start=ok on server end. $conn_sendmail_tls_server[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} if ($syslog_data->[1] eq "SSL_shutdown" ) {$major_type_found = 1;return;} ## log level >15 $sendmail_subtest = substr( $syslog_data->[1],0,6); if ( $sendmail_subtest eq "get_ve") { $major_type_found=1;return;} ## get_verify: if ( $sendmail_subtest eq "relay=") { $major_type_found=1;return;} ## relay=HOSTNAME if ( $sendmail_subtest eq "cert-s") { $major_type_found=1;return;} ## cert-subject= if ( $sendmail_subtest eq "init=1") { $major_type_found=1;return;} ## cert-subject= if ( $sendmail_subtest eq "Diffie") { $major_type_found=1;return;} ## cert-subject= if ( $sendmail_subtest eq "error:") { $conn_sendmail_tls_server_fail[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_table{"STARTTLS=server:" } = sub { if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} $major_type_found=1;return;}; ## prorably err msg reports.. 
$decode_sendmail_table{"STARTTLS=read," } = sub { if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} }; $decode_sendmail_table{"STARTTLS=read:" } = sub { $sendmail_client_SSL_err[$host_index]+=$EVENT_TIMES; $major_type_found=1;return;}; ## prorably err msg reports.. $decode_sendmail_table{"STARTTLS=write," } = sub { if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} }; $decode_sendmail_table{"STARTTLS=write:" } = sub { $sendmail_client_SSL_err[$host_index]+=$EVENT_TIMES; $major_type_found=1;return;}; ## prorably err msg reports.. $decode_sendmail_table{"STARTTLS:" } = sub { $major_type_found=1;return; }; ## other STARTTLS msgs if ($syslog_data->[1] eq "info:" ) {$major_type_found = 1;return;} $decode_sendmail_table{"unable"} = sub { if ($syslog_data->[1] eq "to" && $syslog_data->[2] eq "qualify" && $syslog_data->[3] eq "my" && $syslog_data->[4] eq "own" && $syslog_data->[5] eq "domain" && $syslog_data->[6] eq "name") { $major_type_found=1;return; } if ($syslog_data->[1] eq "to" && $syslog_data->[2] eq "write" && $syslog_data->[3] eq "pid") { $sendmail_unable_write_pid[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_table{"Warning:" } = sub { if ($syslog_data->[1] eq "regex" ) { $sendmail_regex_warning_cnt[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } }; # ### -- this is to key on field 9 of sendmail records, as field 8 will be a mail msg number. # $decode_sendmail_f9_table{"?" 
} = sub { $major_type_found = 1; return; } ; $decode_sendmail_f9_table{"---"} = sub { ##V2.4 $major_type_found=1; return; }; $decode_sendmail_f9_table{"<--" } = sub { ##V2.4 $major_type_found=1; return; }; $decode_sendmail_f9_table{"0:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"1:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"2:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"3:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"4:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"5:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"6:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"7:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"8:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"9:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"10:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"11:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"12:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"13:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"14:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"15:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"16:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"17:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"18:" } = sub { $major_type_found = 1; return; } ; ##high log level 
$decode_sendmail_f9_table{"19:" } = sub { $major_type_found = 1; return; } ; ##high log level $decode_sendmail_f9_table{"alias" } = sub { $sendmail_alias_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; }; $decode_sendmail_f9_table{"assigned" } = sub { if ($syslog_data->[2] eq "id" ) { $major_type_found=1;return; ## log level > 15 } }; $decode_sendmail_f9_table{"AUTH"} = sub { $major_type_found=1;return; }; ## may add count of entry with ntries gt 1 $decode_sendmail_f9_table{"Authentication-Warning:"} = sub { $major_type_found=1;return; }; $decode_sendmail_f9_table{"collect:"} = sub { $major_type_found=1;return; }; $decode_sendmail_f9_table{'"debug"' } = sub { if ($syslog_data->[2] eq "command" ) { $sendmail_debug_command_cnt[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } }; $decode_sendmail_f9_table{"discarded"} = sub { $major_type_found=1;return; }; ## discarded by some milters $decode_sendmail_f9_table{"disconnect" } = sub { if ($syslog_data->[2] eq "level" ) { $major_type_found=1;return; ## log level > 15 } }; $decode_sendmail_f9_table{"done;"} = sub { $major_type_found=1;return; }; ## may add count of entry with ntries gt 1 $decode_sendmail_f9_table{"doworklist," } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"dowork," } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"dropenvelope," } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"Dropped"} = sub { ##V2.0 if ($syslog_data->[2] eq "invalid" && $syslog_data->[3] eq "comments" && $syslog_data->[5] eq "header" && $syslog_data->[6] eq "address" ) {##V2.0 $sendmail_header_problem[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[1 .. 
5]); $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_header_err_table, (@key_list) ); } $major_type_found=1; return; } }; $decode_sendmail_f9_table{"finis,"} = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"Fixed" } = sub { if ($syslog_data->[2] eq "MIME") { $sendmail_header_problem[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out( \%sendmail_header_err_table, 1 ); } $major_type_found=1; return; } }; $decode_sendmail_f9_table{"forward"} = sub { if ($syslog_data->[3] eq "=>" ) { $sendmail_forward_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } $sendmail_forward_err_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { $i_start=2; $i_end = $#$syslog_data; for ($i=2; $i<=$#$syslog_data;$i++) { if (substr($syslog_data->[$i],-1,1) eq ':') {$i_start = $i+1;last;} } my(@key_list) = (@{$syslog_data}[$i_start .. $i_end]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_forward_err_table, (@key_list) ); } $major_type_found=1; return; }; $decode_sendmail_f9_table{"headers"} = sub { $sendmail_header_problem[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[1 .. 
3]); $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_header_err_table, (@key_list) ); } $major_type_found=1;return; }; $decode_sendmail_f9_table{"in"} = sub { if ($syslog_data->[2] eq "background," ) { $major_type_found=1;return; ## log level > 15 } }; $decode_sendmail_f9_table{"invalid"} = sub { if ($syslog_data->[2] eq "domain" && $syslog_data->[3] eq "name" ) { $sendmail_invalid_domain_name[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"locked"} = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"Losing"} = sub { ##v2.1 if ( $syslog_data->[3] eq "savemail" && $syslog_data->[4] eq "panic" ) { $sendmail_lost_files_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"lost"} = sub { if ($syslog_data->[2] eq "input" && $syslog_data->[3] eq "channel" && $syslog_data->[4] eq "from" ) { $major_type_found=1;return; } }; $decode_sendmail_f9_table{"low"} = sub { if ( $syslog_data->[3] eq "space" ) { $sendmail_low_on_space_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"makeconnection"} = sub { ##V2.0 if( $syslog_data->[$#$syslog_data-3] eq "Connection" && $syslog_data->[$#$syslog_data-2] eq "refused" && $syslog_data->[$#$syslog_data-1] eq "by") { $sendmail_make_outgoing_refused[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } if( $syslog_data->[$#$syslog_data-4] eq "Connection" && $syslog_data->[$#$syslog_data-3] eq "times" && $syslog_data->[$#$syslog_data-2] eq "out") { $sendmail_make_outgoing_timeout[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } if( $syslog_data->[$#$syslog_data-3] eq "failed:" ) { $sendmail_make_outgoing_failed[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } $sendmail_make_outgoing_other[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; }; $decode_sendmail_f9_table{"message" } = sub { ##V2.0 if ( $syslog_data->[2] eq 
"size" ) { ## process with --- records instead $major_type_found=1;return; } }; $decode_sendmail_f9_table{"Milter" } = sub { $major_type_found=1;return; }; $decode_sendmail_f9_table{"Milter:" } = sub { $major_type_found=1;return; }; $decode_sendmail_f9_table{"milter_data(mimedefang):" } = sub { $major_type_found=1;return; }; $decode_sendmail_f9_table{"Please" } = sub { if ( $syslog_data->[2] eq "try" && $syslog_data->[3] eq "again" && $syslog_data->[4] eq "later" ) { $major_type_found=1;return; } }; $decode_sendmail_f9_table{"queueup" } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"rejecting" } = sub { ## if ($syslog_data->[2] eq "commands" && $syslog_data->[$#$syslog_data-1] eq "pre-greeting" && $syslog_data->[$#$syslog_data] eq "traffic" ) { $sendmail_pre_greeting_traffic_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"queueup:" } = sub { ## if ($syslog_data->[2] eq "cannot" && $syslog_data->[3] eq "create" ) { $sendmail_cannot_create_file_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"sendenvelope," } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"setsender:" } = sub { ## $sendmail_delivery_err[$host_index] +=$EVENT_TIMES; if ($DETAILED_OUTPUT) { if ( $STUPID_OUTPUT){ ##OK, for these people, show addresses to and from @key_list = (@{$syslog_data}[1 .. $#$syslog_data]); } else { # skip from addr, then drop from machine $i_start=2 ; $i_end = $#$syslog_data; for ($i = $i_start; $i <= $i_end; $i++) { if ( substr ($syslog_data->[$i],-1,1) eq ":") { $i_start = $i+1; last; } } $i_end = $#$syslog_data; for ($i = $i_start; $i <= $i_end; $i++) { if ( $syslog_data->[$i] eq "from") { $i_end = $i; } } @key_list = ("setsender:", @{$syslog_data}[$i_start .. 
$i_end ]); } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_delivery_table, (@key_list) ); } $major_type_found=1;return; }; $decode_sendmail_f9_table{"smfi_addheader" } = sub { $major_type_found=1;return; }; ## milter err $decode_sendmail_f9_table{"smfi_chgheader" } = sub { $major_type_found=1;return; }; ## milter err $decode_sendmail_f9_table{"SMTP"} = sub { if ( $syslog_data->[2] eq "MAIL" || $syslog_data->[2] eq "STARTTLS" ) { if ($syslog_data->[$#$syslog_data-3] eq "(due" && $syslog_data->[$#$syslog_data-2] eq "to" && $syslog_data->[$#$syslog_data-1] eq "previous" && $syslog_data->[1] eq "checks)") { $major_type_found=1;return; } } if ( $syslog_data->[2] eq "outgoing" && $syslog_data->[3] eq "connect" ) { $conn_sendmail_out[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } if ( $syslog_data->[2] eq "tempfailed" ) { $sendmail_tempfailed_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } if ( $syslog_data->[$#$syslog_data-4] eq "tempfailed" ) { ##V2.0 #tempfailed (due to previous checks) $sendmail_tempfailed_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; $decode_sendmail_f9_table{"STARTTLS=client,"} = sub { ##V2.1 if ($syslog_data->[2] eq "error:" && $syslog_data->[3] eq "connect" && substr( $syslog_data->[4],0,6) eq "failed") { $major_type_found=1;return; } }; $decode_sendmail_f9_table{"Syntax"} = sub { $major_type_found=1; return; }; $decode_sendmail_f9_table{"timeout"} = sub { if ( $syslog_data->[2] eq "waiting" && $syslog_data->[3] eq "for" && $syslog_data->[4] eq "input" ) { ##V2.5 $sendmail_timeouts[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { $istart=0; for ($i=5; $i<=$#$syslog_data; $i++) { if ($syslog_data->[$i] eq "during"){ $istart=$i; } } if ( ! $istart ){ $istart = ($syslog_data->[5] eq "from") ? 7 : 5; } my(@key_list) = (@{$syslog_data}[$istart .. 
$#$syslog_data]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_timeout_table, (@key_list) ); } $major_type_found = 1; return; } }; $decode_sendmail_f9_table{"Truncated"} = sub { for ($i=1; $i< $#$syslog_data; $i++) { if ( $syslog_data->[$i] eq "header" ) { $sendmail_header_problem[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%sendmail_header_err_table,1 ); } $major_type_found=1; return; } } }; $decode_sendmail_f9_table{"unlink" } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"unlock" } = sub { $major_type_found=1;return; ## log level > 15 }; $decode_sendmail_f9_table{"\"wiz\"" } = sub { if ($syslog_data->[2] eq "command" ) { $sendmail_wiz_command_cnt[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } }; ##field 10 for msgs with current/next msg id in it $decode_sendmail_f10_table{ "aliases," } = sub { ## read aliases table $sendmail_read_aliases[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; }; $decode_sendmail_f10_table{ "clone:" } = sub { $major_type_found=1;return; }; $decode_sendmail_f10_table{ "Cannot" } = sub { ##V2.1 if ( $syslog_data->[3] eq "mail" && $syslog_data->[4] eq "directly" && $syslog_data->[5] eq "to" && $syslog_data->[6] eq "files") { $sendmail_bad_mail_to_files+=$EVENT_TIMES; $major_type_found=1; return; } }; $decode_sendmail_f10_table{ "DSN:"} = sub { if ( $syslog_data->[3] eq "Return" && $syslog_data->[4] eq "receipt" ) { $sendmail_return_receipt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } $sendmail_delivery_err[$host_index] +=$EVENT_TIMES; if ($DETAILED_OUTPUT) { if ($STUPID_OUTPUT) { (@key_list) = (@{$syslog_data}[3 .. $#$syslog_data]); } else { $i_start=3; $i_end = $#$syslog_data; for ( $i = 3; $i<=$#$syslog_data; $i++) { if (substr($syslog_data->[$i],-3,3) eq "...") { $i_start = $i+1;} if (substr($syslog_data->[$i],0,1) eq "(") { $i_end = $i-1;} } (@key_list) = (@{$syslog_data}[$i_start .. 
$i_end]); if ( $key_list[0] eq "MX" && $key_list[4] eq "points") { $key_list[3] = "..."; $key_list[7] = "machine"; } } decode_sendmail_clean_key_list (); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_delivery_table, (@key_list) ); } $major_type_found=1; return; } ; $decode_sendmail_f10_table{ "NULL"} = sub { ## stupid verizon stuff $major_type_found=1; return; } ; $decode_sendmail_f10_table{ "postmaster"} = sub { if ( $syslog_data->[3] eq 'notify:') { $sendmail_postmaster_notify_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT && $#$syslog_data > 3) { if ($STUPID_OUTPUT) { (@key_list) = (@{$syslog_data}[3 .. $#$syslog_data]); } else { (@key_list) = (@{$syslog_data}[3 .. $#$syslog_data]); if ($key_list[1] eq "Host" && $key_list[2] eq "unknown" && $key_list[3] eq "(Name" && $key_list[4] eq "server:"){ $key_list[5] = "-host-"; } } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_notify_reason_table, (@key_list) ); } $major_type_found=1;return; } }; $decode_sendmail_f10_table{ "return"} = sub { ##V2.0 if ( $syslog_data->[3] eq "to" && $syslog_data->[4] eq "sender:") { $sendmail_return_to_sender_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT && $#$syslog_data > 4) { if ($STUPID_OUTPUT) { (@key_list) = (@{$syslog_data}[2 .. $#$syslog_data]); } else { (@key_list) = (@{$syslog_data}[2 .. $#$syslog_data]); if ($key_list[3] eq "Host" && $key_list[4] eq "unknown" && $key_list[5] eq "(Name" && $key_list[6] eq "server:"){ $key_list[7] = "-host-"; } } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_return_reason_table, (@key_list) ); } $major_type_found=1; return; } if ( $syslog_data->[3] eq "to" && $syslog_data->[4] eq "sender." 
) { $sendmail_return_to_sender_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT && $#$syslog_data > 4) { add_usual_list_out( \%sendmail_return_reason_table,2 ); } $major_type_found=1; return; } }; $decode_sendmail_f10_table{ "sender"} = sub { if ( $syslog_data->[3] eq 'notify:') { $sendmail_sender_notify_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT && $#$syslog_data > 3) { if ($STUPID_OUTPUT) { (@key_list) = (@{$syslog_data}[2 .. $#$syslog_data]); } else { (@key_list) = (@{$syslog_data}[2 .. $#$syslog_data]); if ($key_list[2] eq "Host" && $key_list[3] eq "unknown" && $key_list[4] eq "(Name" && $key_list[5] eq "server:"){ $key_list[6] = "-host-"; } } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_notify_reason_table, (@key_list) ); } $major_type_found=1;return; } }; $decode_sendmail_f10_table{ "SMTP" } = sub { ##V2.0 if ($syslog_data->[4] eq "protocol" && $syslog_data->[5] eq "error:") { $major_type_found=1;return; } }; $decode_sendmail_f10_table{ "truncated"} = sub { ##V2.0 if ( $syslog_data->[3] eq "header" ) { $sendmail_header_problem[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[1 .. 
2]); $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_header_err_table, (@key_list) ); } $major_type_found=1; return; } }; $decode_sendmail_f10_table{ "unlink-fail" } = sub { $major_type_found=1;return; }; ## log level > 15 $decode_sendmail_f10_table{ "unsafe" } = sub { ##V2.0 if ($syslog_data->[3] eq "directory" && $syslog_data->[4] eq "path," ) { $sendmail_unsafe_dir_path_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1;return; } }; } sub Decode_sendmail { ## Solaris - sparc if (defined $decode_sendmail_table{$syslog_data->[0]}) { &{$decode_sendmail_table{$syslog_data->[0]}}(); return if $major_type_found; } ## partial of field 8 if (substr($syslog_data->[0],0,14) eq "ruleset=check_") { decode_sendmail_check_rules(); $major_type_found=1;return; }; if (substr($syslog_data->[0],0,13) eq "ruleset=Check" || substr($syslog_data->[1],0,13) eq "ruleset=Check") { decode_sendmail_check_rules(); $major_type_found=1;return; }; ## decode starting at parm 9 - basic msgs put after email msg id number if (defined $decode_sendmail_f9_table{$syslog_data->[1]}) { &{$decode_sendmail_f9_table{$syslog_data->[1]}}(); return if $major_type_found; } ## partial of field 9 if ( substr($syslog_data->[1],0,7) eq "milter=" ) { ## detailed milter data if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out ( \%sendmail_milter_actions_table,1); } else { @key_list = (@{$syslog_data}[1 .. 3]); $milter_name=substr($syslog_data->[1],7); $milter_name=substr($milter_name,0,-1);; if (substr($syslog_data->[2],0,7) eq "action=") { $action=substr($syslog_data->[2],7); $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_milter_actions_table, (@key_list) ); } } $major_type_found=1;return; } if ( substr($syslog_data->[1],0,7) eq "milter_" ) { ## detailed milter errors.. my $cmd = substr($syslog_data->[1],7); #drop milter_ my $point = index($cmd,"("); # see if shows filter name. if yes, split. if no, use full. 
my $filter = " "; if ($point > 0 ) { $filter = substr($cmd, $point+1); if (substr($filter,-2) eq "):" ){ $filter = substr($filter,0,-2);} #drop endind paren $cmd = substr($cmd,0,$point); } if ($REAL_REAL_DETAILED_OUTPUT) { @key_list = ($filter, $cmd, @{$syslog_data}[2 .. $#$syslog_data]); } else { @key_list = ($filter, $cmd); } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_milter_err_table, (@key_list) ); $major_type_found=1;return; } if (substr($syslog_data->[1],0,14) eq "ruleset=check_") { decode_sendmail_check_rules(); $major_type_found=1;return; }; if ( substr($syslog_data->[1],0,7) eq "SYSERR(" ) { $sendmail_NOQUEUE_syserr_cnt[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { if ( $STUPID_OUTPUT){ ##OK, for these people, show addresses and such also @key_list = (@{$syslog_data}[2 .. $#$syslog_data]); } else { $i_start=2 ; $i_end = $#$syslog_data; for ($i = $i_start; $i <= $i_end; $i++) { if ( $syslog_data->[$i] eq "from") { $i_end = $i+1; $syslog_data->[$i+1]="-host-"; last; } if ( $syslog_data->[$i] eq "for") { $i_end = $i+1; $syslog_data->[$i+1]="-ADDR-"; last; } if ( $syslog_data->[$i] eq "to") { $i_end = $i+1; $syslog_data->[$i+1]="-ADDR-"; last; } if (substr($syslog_data->[$i],0,2) eq "./") { $syslog_data->[$i]="*FILE*"; } if (substr($syslog_data->[$i],0,9) eq "rename(./") { $syslog_data->[$i]="rename(*FILE*"; } if (substr($syslog_data->[$i],-1,1) eq ".") { $syslog_data->[$i]="-host-";} ## skip domainname } @key_list = (@{$syslog_data}[$i_start .. $i_end ]); } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_SYSERR_table, (@key_list) ); } $major_type_found=1;return; } if ( substr($syslog_data->[1],0,9) eq "delaying=" ) { $major_type_found=1;return; } ## delay this msg machine overload if ( substr($syslog_data->[1],0,3) eq "to=" ) { for ($i=2; $i<=$#$syslog_data; $i++) { # get stat= msg... 
if (substr($syslog_data->[$i],0,5) eq "stat=" || substr($syslog_data->[$i],0,5) eq "Stat=" ) { if ($DETAILED_OUTPUT) { $sent_key = substr($syslog_data->[$i],5); my(@key_list) = ($sent_key); if ( $STUPID_OUTPUT){ ##OK, for these people, show addresses and such also if ( $#$syslog_data > ($i+1)) { my($key_list_cnt) = 1; for ($j=$i+1; $j<=$#$syslog_data; $j++) { $key_list[$key_list_cnt++]=$syslog_data->[$j]; } } }else{ if ( substr($sent_key,0,1) eq '<') {$i++; $sent_key=$syslog_data->[$i];} #skip addrss (@key_list) = ($sent_key); if ( $sent_key ne "stat=Sent" ) { my($key_list_cnt) = 1; for ($j=$i+1; $j<=$#$syslog_data; $j++) { if (substr($sent_key,-1,1) eq ":" ) {last;} ##stat=Deferred: - to many choices if ($syslog_data->[$j] eq 'by' ) {last;} #drop target mach name if (substr($syslog_data->[$j],0,1) eq '(' ) {$j--; last;} #drop target mach name if ($syslog_data->[$j] eq 'with' ) {last;} #drop target mach name $key_list[$key_list_cnt++]=$syslog_data->[$j]; } if ( $key_list[0] eq "Virus") { (@key_list) = ("Virus","found","in","mail" ); } if ( $key_list[0] eq "Anti-spam" && $key_list[1] eq "block") { (@key_list) = ("Spam","blocked" ); } } } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_status_table, (@key_list) ); } if ( $syslog_data->[$i] eq "stat=Sent" ) { if ( $syslog_data->[$i-3] eq "mailer=local,") { $sendmail_sent_local[$host_index]+=$EVENT_TIMES ; } else { $sendmail_sent_nonlocal[$host_index]+=$EVENT_TIMES ; } $major_type_found = 1; return; } last; ## last to check for stat= } } $major_type_found = 1; return; } if ( substr($syslog_data->[1],0,5) eq "from=" ) { $major_type_found=1;return; } ### field 10 if (defined $decode_sendmail_f10_table{$syslog_data->[2]}) { &{$decode_sendmail_f10_table{$syslog_data->[2]}}(); if ( $major_type_found ) {return } } ### some syslog entries have the address, and maybe other info, in the first 1,2,3 fields. ### but the last field before the acutal err msg ends in ... 
for ($i=0; $i<$#$syslog_data; $i++) { if (substr($syslog_data->[$i],-3,3) eq "...") { $sendmail_delivery_err[$host_index] +=$EVENT_TIMES; if ($DETAILED_OUTPUT) { @key_list = (@{$syslog_data}[$i+1 .. $#$syslog_data]); $this_key= join("-",(@key_list)); decode_sendmail_clean_key_list (); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_delivery_table, (@key_list) ); $major_type_found = 1; return } $major_type_found = 1; return } } ## msgs with variable parms that make us check last parm to see what is what. First parms after ## msg ID might or might not include emailaddree, ip number, domain name, forged messages, etc ## not from a to= or from= or anything like that, so this check GOES LAST|| ##ideally, we should be able to do away with this... $$syslog_data_last_field = $syslog_data->[$#$syslog_data]; $$syslog_data_last_field_1 = $syslog_data->[$#$syslog_data-1]; $$syslog_data_last_field_2 = $syslog_data->[$#$syslog_data-2]; $$syslog_data_last_field_3 = $syslog_data->[$#$syslog_data-3]; if ($$syslog_data_last_field eq "unknown") { ## for return msg logging.should change it. if ($$syslog_data_last_field_1 eq "User" && $$syslog_data_last_field_2 eq "notify:") {#return msg $major_type_found=1;return; } } if (substr($syslog_data->[$#$syslog_data-4],0,8) eq "lastuse=") { ## beats me, but I think we can ignor it. $major_type_found=1;return; } #can end in NOQUEUE or regular conn.. 
if($syslog_data->[$#$syslog_data-7] eq "did" && $syslog_data->[$#$syslog_data-6] eq "not" && $syslog_data->[$#$syslog_data-5] eq "issue" && $syslog_data->[$#$syslog_data-4] eq "MAIL/EXPN/VRFY/ETRN" ) { $sendmail_no_issue_cnt[$host_index]+=$EVENT_TIMES ; $major_type_found=1; return; } if ( $$syslog_data_last_field eq "throttling."){ if ($syslog_data->[$#$syslog_data-3] eq "SMTP" && $syslog_data->[$#$syslog_data-2] eq "RCPT" && $syslog_data->[$#$syslog_data-1] eq "flood,") { $sendmail_throttle_cnt[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } } ## Ok, so loop thru the stuff looking for things that mayh be in random places ## Apr 8 21:19:32 boss.cs.ohiou.edu sendmail[4463]: [ID 801593 mail.info] j391JV5U004463: [80.96.109.138]: EXPN roo for ($i=2; $i<=$#$syslog_data; $i++) { ##V2.0 if ($syslog_data->[$i] eq "EXPN" || $syslog_data->[$i] eq "expn" ) { if (substr($syslog_data->[$#$syslog_data],0,1) eq '[') { $conn_sendmail_expn_bad[$host_index]+=$EVENT_TIMES; } else { $conn_sendmail_expn[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } if ($syslog_data->[$i] eq "VRFY" || $syslog_data->[$i] eq "vrfy" ) { if (substr($syslog_data->[$#$syslog_data],0,1) eq '[') { $conn_sendmail_verify_bad[$host_index]+=$EVENT_TIMES; } else { $conn_sendmail_verify[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } if ($syslog_data->[$i] eq "ETRN" || $syslog_data->[$i] eq "etrn") { if (substr($syslog_data->[$#$syslog_data],0,1) eq '[') { $conn_sendmail_etrn_bad[$host_index]+=$EVENT_TIMES; } else { $conn_sendmail_etrn[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } if ($syslog_data->[$i] eq "possible" && $syslog_data->[$i+1] eq "SMTP" && $syslog_data->[$i+2] eq "attack:" ) { $sendmail_smtp_attack[$host_index]+=$EVENT_TIMES; $major_type_found=1; return; } # if ($syslog_data->[$i] eq "rstatus=(null)," ) { ## weird error return from verizon, skippable} if ($syslog_data->[$i] eq "errno=0," ) { ## ok, so if all is ok, probably an intermediate 
msg??-verizon $major_type_found=1; return; } } } ## end sendmail sub decode_sendmail_check_rules { ## sendmail sub-function $sendmail_check_rules_errs[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { $i_start=1 ; $i_end=$#$syslog_data; for ($i=$i_start; $i <= $i_end; $i++) { if (substr($syslog_data->[$i],0,3) eq "arg") {$i_start=$i+1;} if (substr($syslog_data->[$i],0,6) eq "relay=") {$i_start=$i+1;} if (substr($syslog_data->[$i],0,7) eq "reject=") {$i_start=$i+2;}#skp errno if (substr($syslog_data->[$i],-3,3) eq "...") {$i_start=$i+1;} } if ($STUPID_OUTPUT) { (@key_list) = (@{$syslog_data}[$i_start .. $i_end]); } else { (@key_list) = (@{$syslog_data}[$i_start .. $i_end]); decode_sendmail_clean_key_list(); } $this_key= join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sendmail_check_rules_table, (@key_list) ); } } ## end sendmail util routine for check_ ruleset sub decode_sendmail_clean_key_list { ## sendmail sub-function for ($i=0; $i <= $#key_list; $i++) { if ( $key_list[$i] eq "address" ) { $key_list[$i+1]="--host--"; } if ($key_list[$i] eq "for") { $key_list[$i+1]="--name--";} if ($key_list[$i] eq "on") { $key_list[$i+1]="--name--";} if (substr($key_list[$i],0,1) eq "[") { $key_list[$i]="--IP--";} } } ## end decode_sendmail_clean_key_list sub Decode_pmx_manager { ## Solaris - sparc if ( $syslog_data->[0] eq "Successful" ) { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "Pmx-manager" && $syslog_data->[1] eq "starting" ) { $Pmx_manager_starts[$host_index]++; $major_type_found = 1; return; } } ## end decode_pmx_manager sub Decode_pmx_milter { ## Solaris - sparc if ( $syslog_data->[2] eq "exited" && $syslog_data->[3] eq "normally") { ##V2.0 $major_type_found = 1; } if ( $syslog_data->[0] eq "EOF" ) { ##V2.0 $major_type_found = 1; } if ( substr($syslog_data->[1],0,8) eq "mi_stop=" ) { ##V2.0 $major_type_found = 1; } if ($syslog_data->[2] eq "returned" && $syslog_data->[3] eq "EOF" ) { ##V2.0 $major_type_found = 1; } } sub 
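Decode_sm_queue {   ## Solaris - sparc
    ## Account for the two routine sm-queue daemon messages ("exited normally",
    ## "starting daemon") so they are not reported as unrecognised records.
    ## Like every Decode_* routine here it reads the global $syslog_data (an
    ## array ref of the record's fields after the program name) and sets the
    ## global $major_type_found once the record has been classified.
    if ($syslog_data->[0] eq "exited" && $syslog_data->[1] eq "normally") {   ##V2.0
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "starting" && $syslog_data->[1] eq "daemon") {   ##V2.0
        $major_type_found = 1;
        return;
    }
}

sub Decode_ufs {   ##V2.1
    ## Solaris - sparc
    ## Classify ufs / quota_ufs kernel records: bad superblock magic number,
    ## unexpected free inode, generic WARNING:, the five quota_ufs quota
    ## messages and the two "file system full" allocator messages.  Per-host
    ## counters are bumped by $EVENT_TIMES (the record's repeat count);
    ## detailed output additionally files the record in %ufs_warning_table,
    ## %ufs_over_quota_table or %ufs_fs_full_table.
    ## Fix: the two NOTICE: counters were assigned with "=" instead of "+=",
    ## so a host that logged the message more than once kept only the last
    ## repeat count instead of the total.  Both now accumulate like every
    ## other counter in the file.
    if ($syslog_data->[0] eq "NOTICE:") {   ## probably bad err...
        if (   $syslog_data->[2] eq "not"
            && $syslog_data->[4] eq "UFS"
            && $syslog_data->[5] eq "magic"
            && $syslog_data->[6] eq "number") {
            $ufs_mount_not_magik[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        if (   $syslog_data->[2] eq "unexpected"
            && $syslog_data->[3] eq "free"
            && $syslog_data->[4] eq "inode") {
            $ufs_unexpected_free_inode[$host_index] += $EVENT_TIMES;
            add_usual_list_out(\%ufs_warning_table, 1);
            $major_type_found = 1;
            return;
        }
    }
    if ($syslog_data->[0] eq "WARNING:") {   ## probably bad err...
        $ufs_warning_cnt[$host_index] += $EVENT_TIMES;
        add_usual_list_out(\%ufs_warning_table, 1);
        $major_type_found = 1;
        return;
    }
    ## warning over disk limit
    if ($syslog_data->[0] eq "quota_ufs:") {
        ## The mask offsets are counted back from the last field of the record;
        ## see _ufs_note_quota below for what they mean.
        if (   $syslog_data->[1] eq "Warning:" && $syslog_data->[2] eq "over"
            && $syslog_data->[3] eq "disk"     && $syslog_data->[4] eq "limit") {   ##V2.1
            _ufs_note_quota(\@over_soft_quota_cnt, [2, 6], [4]);
            return;
        }
        if (   $syslog_data->[1] eq "Warning:" && $syslog_data->[2] eq "too"
            && $syslog_data->[3] eq "many"     && $syslog_data->[4] eq "files") {   ##V2.1
            _ufs_note_quota(\@over_soft_file_quota_cnt, [4], [2]);
            return;
        }
        ## disk hard quota
        if (   $syslog_data->[1] eq "over" && $syslog_data->[2] eq "hard"
            && $syslog_data->[3] eq "disk" && $syslog_data->[4] eq "limit") {   ##V2.1
            _ufs_note_quota(\@over_hard_quota_cnt, [2, 6], [4]);
            return;
        }
        if (   $syslog_data->[1] eq "over" && $syslog_data->[2] eq "file"
            && $syslog_data->[3] eq "hard" && $syslog_data->[4] eq "limit") {   ##V2.1
            _ufs_note_quota(\@over_hard_file_quota_cnt, [4], [2]);
            return;
        }
        ## quota and time
        if (   $syslog_data->[1] eq "over" && $syslog_data->[2] eq "disk"
            && $syslog_data->[4] eq "time" && $syslog_data->[5] eq "limit") {   ##V2.1
            _ufs_note_quota(\@over_disk_time_quota_cnt, [2, 6], [4]);
            return;
        }
    }
    if (   $syslog_data->[1] eq "alloc:" && $syslog_data->[3] eq "file"
        && $syslog_data->[4] eq "system" && $syslog_data->[5] eq "full") {
        # field 2 is the file system the allocator reported on
        if ($DETAILED_OUTPUT) { add_var_list_out(\%ufs_fs_full_table, $syslog_data->[2]); }
        $major_type_found = 1;
        $disk_full_cnt[$host_index] += $EVENT_TIMES;
        return;   # the realloccg test below cannot also match field 1
    }
    if (   $syslog_data->[1] eq "realloccg" && $syslog_data->[3] eq "file"
        && $syslog_data->[4] eq "system"    && $syslog_data->[5] eq "full") {
        $major_type_found = 1;
        if ($DETAILED_OUTPUT) { add_var_list_out(\%ufs_fs_full_table, $syslog_data->[2]); }
        $disk_full_cnt[$host_index] += $EVENT_TIMES;
        return;
    }
}   ## end decode ufs

## Shared tail of the quota_ufs branches of Decode_ufs.
##   $counter_ref    - ref to the per-host counter array to bump by $EVENT_TIMES
##   $mask_always    - offsets back from the last field that are always
##                     replaced by "####" before the record is filed
##   $mask_unless_rr - offsets replaced by "####" unless -DDD output is on
## Masking blanks the positional fields that carry per-record values
## (presumably the uid / path / numbers - the exact fields are not documented
## here) so that records differing only in those values collapse into one
## summary line of %ufs_over_quota_table.  Nothing is filed unless detailed
## output is on; the counter and $major_type_found are updated regardless.
sub _ufs_note_quota {
    my ($counter_ref, $mask_always, $mask_unless_rr) = @_;
    $major_type_found = 1;
    $counter_ref->[$host_index] += $EVENT_TIMES;
    return unless $DETAILED_OUTPUT;
    my $last = $#$syslog_data;
    $syslog_data->[$last - $_] = "####" for @$mask_always;
    unless ($REAL_REAL_DETAILED_OUTPUT) {
        $syslog_data->[$last - $_] = "####" for @$mask_unless_rr;
    }
    add_usual_list_out(\%ufs_over_quota_table, 1);
    return;
}

sub Decode_su {   ##V2.1
    ## Solaris - sparc, osx
    ## Classify su records in both log formats this script knows about.
    ## sparc records are keyed on field 2 ("succeeded" / "failed"), field 1
    ## (the quoted target, e.g. root') and field 4 (the caller - the tables are
    ## named *_from_table, so presumably the invoking user).  osx successes are
    ## keyed on "<field0> to <field2> on <field4>"; osx failures arrive as
    ## pam_authenticate: records.  Successes go to $su_su, failures to
    ## $su_su_bad; a root target is additionally tallied in $su_su_root /
    ## $su_su_root_bad so that privilege escalation attempts stay visible in
    ## the summary.  Detailed output records target and caller in the
    ## su_ok_* / su_bad_* tables.
    ## Changes: each matching branch now returns (the formats are mutually
    ## exclusive for the fields tested, so falling through only risked double
    ## counting); the osx "from" field was read as $syslog_data->[r] - a
    ## bareword that numifies to 0 - and is now written as the index 0 it has
    ## always resolved to; the trailing pam_authenticate/"failure" test was
    ## unreachable (the identical test above it returns) and has been dropped.
    if ($syslog_data->[0] eq "pam_unix_auth:") { $major_type_found = 1; return; }

    if ($syslog_data->[2] eq "succeeded") {   ## sparc
        if ($DETAILED_OUTPUT) {
            # field 1 looks like "root'" - drop the closing quote of the 'su root' token
            add_var_list_out(\%su_ok_to_table,   substr($syslog_data->[1], 0, -1));
            add_var_list_out(\%su_ok_from_table, $syslog_data->[4]);
        }
        $su_su[$host_index] += $EVENT_TIMES;
        if ($syslog_data->[1] eq "root'") { $su_su_root[$host_index] += $EVENT_TIMES; }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[1] eq "to" && $syslog_data->[3] eq "on") {   ## osx
        $su_su[$host_index] += $EVENT_TIMES;
        if ($DETAILED_OUTPUT) {
            add_var_list_out(\%su_ok_to_table,   $syslog_data->[2]);
            add_var_list_out(\%su_ok_from_table, $syslog_data->[0]);   # was [r]; bareword r == index 0
        }
        if ($syslog_data->[2] eq "root") { $su_su_root[$host_index] += $EVENT_TIMES; }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[2] eq "failed") {   ## sparc
        $su_su_bad[$host_index] += $EVENT_TIMES;
        if ($DETAILED_OUTPUT) {
            add_var_list_out(\%su_bad_to_table,   substr($syslog_data->[1], 0, -1));
            add_var_list_out(\%su_bad_from_table, $syslog_data->[4]);
        }
        if ($syslog_data->[1] eq "root'") { $su_su_root_bad[$host_index] += $EVENT_TIMES; }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "pam_authenticate:") {
        if ($syslog_data->[2] eq "failure") {   ## osx
            $su_su_bad[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        if ($syslog_data->[1] eq "User" && $syslog_data->[2] eq "not") {   ## osx - user unknown
            $su_su_bad[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        ## cant tell failures with osx
        ## if ($syslog_data->[1] eq "root'") {
        ##     $su_su_root_bad[$host_index]+=$EVENT_TIMES ;
        ##     $major_type_found = 1; return;
        ## }
    }
}   ## end decode su

sub Decode_sudo {   ##V2.1
    ## osx, should also be Solaris - sparc but untested
    ## Two record shapes are recognised: "... incorrect password" in fields
    ## 3-4 (a failed sudo, counted in $sudo_bad) and a field 2 starting with
    ## TTY (taken as a successful sudo, counted in $sudo).  Root targets are
    ## tallied separately in $sudo_root_bad / $sudo_root.  The body continues
    ## below this line.
    if ($syslog_data->[3] eq "incorrect" && $syslog_data->[4] eq "password") {   ## sparc
        $sudo_bad[$host_index] += $EVENT_TIMES;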
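$sudo_root_bad[$host_index] += $EVENT_TIMES if /USER=root/;   # NOTE(review): the match is against $_, assumed to still hold the raw log line here - confirm in the caller
        $major_type_found = 1;
        return;
    }
    if (substr($syslog_data->[2], 0, 3) eq "TTY") {   ## assume sudo ok if we see TTY= whatever in this position
        $sudo[$host_index] += $EVENT_TIMES;
        $sudo_root[$host_index] += $EVENT_TIMES if /USER=root/;   # same $_ dependency as above (stray ";;" removed)
        $major_type_found = 1;
        return;
    }
}   ## end decode sudo

sub Decode_xlock {   ## Solaris - sparc
    ## Classify xlock screen-locker records.  Starts ($xlock_cnt) and stops
    ## ($xlock_stops) are counted so lock usage per lab can be summarised;
    ## the failure counters ($xlock_failed_unlock_cnt, $xlock_failed_exit_cnt,
    ## $xlock_cannot_lock_disp, $xlock_failed_open_display, $xlock_xio_error,
    ## $xlock_no_grab_keybd, $xlock_expired_cnt) keep the conditions worth a
    ## look separate.  The user name in a start or failed-unlock record is only
    ## recorded under -DDD ($REAL_REAL_DETAILED_OUTPUT).  Housekeeping
    ## messages (ACL restored, signal 1, audit session start) are consumed
    ## without a counter.
    if (   $syslog_data->[0] eq "Access" && $syslog_data->[1] eq "control"
        && $syslog_data->[2] eq "list"   && $syslog_data->[3] eq "restored.") {
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "Start:") {
        $xlock_cnt[$host_index] += $EVENT_TIMES;
        if ($REAL_REAL_DETAILED_OUTPUT) { add_var_list_out(\%xlock_user_table, $syslog_data->[1]); }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "Stop:") {
        $xlock_stops[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "caught" && $syslog_data->[1] eq "signal" && $syslog_data->[2] eq "1") {
        $major_type_found = 1;
        return;
    }
    if (   $syslog_data->[0] eq "pam_unix_cred:" && $syslog_data->[1] eq "cannot"
        && $syslog_data->[2] eq "create"         && $syslog_data->[3] eq "start") {   ## start audit session....
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "xlock:") {
        if (   $syslog_data->[1] eq "can"  && $syslog_data->[2] eq "not"
            && $syslog_data->[3] eq "lock" && $syslog_data->[5] eq "display") {
            $xlock_cannot_lock_disp[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        if (   $syslog_data->[1] eq "unable" && $syslog_data->[3] eq "open"
            && $syslog_data->[4] eq "display") {   ## "unable to open display"
            $xlock_failed_open_display[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
        if ($syslog_data->[1] eq "xio_error") {
            $xlock_xio_error[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }
    if (substr($syslog_data->[0], 0, 17) eq "adt_start_session") {
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[1] eq "failed") {
        if ($syslog_data->[2] eq "unlock") {
            $xlock_failed_unlock_cnt[$host_index] += $EVENT_TIMES;
            # field 6 is taken as the user name of the failed unlock - only kept under -DDD
            if ($REAL_REAL_DETAILED_OUTPUT) { add_var_list_out(\%xlock_failed_user_table, $syslog_data->[6]); }
            $major_type_found = 1;
            return;
        }
        if ($syslog_data->[3] eq "exit") {
            $xlock_failed_exit_cnt[$host_index] += $EVENT_TIMES;
            $major_type_found = 1;
            return;
        }
    }
    if ($syslog_data->[1] eq "could" && $syslog_data->[2] eq "not" && $syslog_data->[3] eq "grab") {
        ## lets just assume this...&& $syslog_data->[4] eq "pointer!")
        $xlock_no_grab_keybd[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[1] eq "expired.") {
        $xlock_expired_cnt[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    # if ( /could not grab keyboard/) { $xlock_no_grab_keybd[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
}   ## end decode xlock

sub Decode_snmpd {   ## Solaris - sparc
    ## "Received SNMP ..." records are counted under the "connections" key of
    ## %snmp_table (plus a cross reference of the whole record in
    ## %snmp_conn_xref_table when $STUPID_OUTPUT is on).  Every other snmpd
    ## record is filed verbatim in %snmp_msg_table and - note - does NOT set
    ## $major_type_found, so it is presumably still reported as unrecognised
    ## downstream.  The body continues below this line.
    if ($syslog_data->[0] eq "Received" && $syslog_data->[1] eq "SNMP") {
        # $conn_snmp[$host_index]+=$EVENT_TIMES;
        add_var_list_out(\%snmp_table, "connections");
        if ($STUPID_OUTPUT) { add_usual_list_out(\%snmp_conn_xref_table, $#$syslog_data); }
        $major_type_found = 1;
        return;
    }
    add_usual_list_out(\%snmp_msg_table, 0);
    # if ( $syslog_data->[0] eq "Received" && $syslog_data->[1] eq "TERM") { $major_type_found = 1; return; }
    # if ( $syslog_data->[0] eq "Received" && $syslog_data->[1] eq "signal") { $major_type_found = 1; return; }
    # if ( $syslog_data->[0] eq "seaproxy_sendReq:" ) { $major_type_found = 1; return; }   ## solaris...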
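# if ( $syslog_data->[0] eq "NET-SNMP") { $major_type_found = 1; return; }
    # if ( $syslog_data->[0] eq "unsupported") { $major_type_found = 1; return; }   # .. mode for proxy called..
}   ## end decode snmpd

sub Decode_bootpd {   ## Solaris - sparc
    ## Classify bootpd records by their first field: lifecycle messages
    ## (exiting / bootpd start / reading / read) each get a per-host counter,
    ## and "IP address not found:" is counted in $bootpd_ip_not_found with the
    ## offending address (last field) recorded under -D+ output so unknown
    ## clients asking for boot configuration can be spotted.
    if ($syslog_data->[0] eq "exiting") {
        $bootpd_exit[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "bootpd") {
        $bootpd_start[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "reading") {
        $bootpd_reading[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "read") {
        $bootpd_read[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if (   $syslog_data->[0] eq "IP"  && $syslog_data->[1] eq "address"
        && $syslog_data->[2] eq "not" && $syslog_data->[3] eq "found:") {   ##V2.0
        $bootpd_ip_not_found[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) { add_var_list_out(\%bootpd_bad_ip_table, $syslog_data->[$#$syslog_data]); }
        $major_type_found = 1;
        return;
    }
}   ## end deocode bootpd

sub Decode_automountd {   ##V2.1
    ## Solaris - sparc
    ## Classify automountd records: "server X not responding", "self_check:
    ## unknown host:", mount errors ending in "No such file or directory" or
    ## "Permission denied" (the message text before the error is filed in
    ## %mount_msg_err_table under -D+ output, keyed by $pname) and "no NFS
    ## service".  Counters are per host and bumped by $EVENT_TIMES.
    ## Change: the -DDD branch passed an empty list element
    ## (`\%mount_msg_err_table,,0`) to add_usual_list_out; Perl drops it, so
    ## behaviour is unchanged, but the stray comma is gone.
    ## NOTE(review): the "no NFS service" counter is spelled
    ## $automound_no_nfs_service (no "t"); it is left as is because the
    ## reporting code elsewhere presumably uses the same spelling - check
    ## before renaming.
    my $last = $#$syslog_data;
    if (   $syslog_data->[0] eq "server" && $syslog_data->[2] eq "not"
        && $syslog_data->[3] eq "responding") {
        $automountd_svr_no_respond[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if (   $syslog_data->[0] eq "self_check:" && $syslog_data->[1] eq "unknown"
        && $syslog_data->[2] eq "host:") {
        $automountd_unknown_host[$host_index] += $EVENT_TIMES;
        $major_type_found = 1;
        return;
    }
    if (   $syslog_data->[$last - 4] eq "No"   && $syslog_data->[$last - 3] eq "such"
        && $syslog_data->[$last - 2] eq "file" && $syslog_data->[$last - 1] eq "or"
        && $syslog_data->[$last]     eq "directory") {
        $automountd_nosuch_cnt[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) {
            # everything before the five-word error text is the mount err msg
            (@line_list) = (@{$syslog_data}[0 .. $last - 5]);
            $TEMP_key = join("-", $pname, (@line_list));
            add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%mount_msg_err_table, (@line_list));
        }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[$last - 1] eq "Permission" && $syslog_data->[$last] eq "denied") {
        $major_type_found = 1;
        $automountd_perm_denied[$host_index] += $EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) {
            # everything before "Permission denied" is the mount err msg
            (@line_list) = (@{$syslog_data}[0 .. $last - 2]);
            $TEMP_key = join("-", $pname, (@line_list));
            add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%mount_msg_err_table, (@line_list));
        }
        return;
    }
    if ($syslog_data->[1] eq "no" && $syslog_data->[2] eq "NFS" && $syslog_data->[3] eq "service") {
        $automound_no_nfs_service[$host_index] += $EVENT_TIMES;
        if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out(\%mount_msg_err_table, 0); }
        $major_type_found = 1;
        return;
    }
}   ## end decode automountd

sub Decode_genunix {   ## Solaris - sparc
    ## Classify kernel (genunix) WARNING: records; each recognised message has
    ## its own per-host counter and, under detailed output, is filed in one of
    ## the genunix_explain_*_errs tables.  The body continues below this line.
    if ($syslog_data->[0] eq "WARNING:") {
        # if ( $syslog_data->[1] eq "add_spec:" ) { ## dont know what this is, but I suspect harmless
        #     $major_type_found = 1; return;
        # }
        if (   $syslog_data->[1] eq "Device" && $syslog_data->[3] eq "failed"
            && $syslog_data->[4] eq "to"     && $syslog_data->[5] eq "power"
            && substr($syslog_data->[6], 0, 2) eq "up") {   ## up may end in . as in up.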
$genunix_dev_no_power_up[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} } if ( $syslog_data->[1] eq "forceload" && $syslog_data->[2] eq "of" && $syslog_data->[4] eq "failed") { $genunix_forceload_fail[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[1] eq "init" && $syslog_data->[2] eq "core" && $syslog_data->[3] eq "dumped") { if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[1] eq "Last" && $syslog_data->[2] eq "shutdown" && $syslog_data->[3] eq "is" && $syslog_data->[4] eq "later" && $syslog_data->[6] eq "time" && $syslog_data->[8] eq "time-of-day" ) { $genunix_TOD_clock_err[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[1] eq "out" && $syslog_data->[2] eq "of" && $syslog_data->[3] eq "processes") { $genunix_out_of_all_proc[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; } if ( $syslog_data->[1] eq "Sorry," && $syslog_data->[2] eq "no" && $syslog_data->[3] eq "swap" && $syslog_data->[4] eq "space" && $syslog_data->[6] eq "grow" && $syslog_data->[7] eq "stack") { $genunix_no_swap_4_stack[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} } if ( $syslog_data->[1] eq "Time" && $syslog_data->[2] eq "of" && $syslog_data->[3] eq "Day" && $syslog_data->[4] eq "clock" && $syslog_data->[5] eq "error:" ) { $genunix_TOD_clock_err[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} $major_type_found = 1; return; } ## next for devices ce0; as it turns out, only reports on local systems so just report link ups. 
if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "external" && $syslog_data->[5] eq "to" && $syslog_data->[6] eq "device;" && $syslog_data->[7] eq "service" && $syslog_data->[8] eq "degraded") { $genunix_dev_degraded[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } ## next few for hme devs. if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "in" && $syslog_data->[5] eq "device;" && $syslog_data->[6] eq "service" && $syslog_data->[7] eq "degraded" ) { #net dev $genunix_dev_degraded[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "in" && $syslog_data->[5] eq "device;" && $syslog_data->[6] eq "service" && $syslog_data->[7] eq "unavailable") { ## MPT not net $genunix_dev_unavailable[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( substr($syslog_data->[2],-8,8) eq "ioc_init" && $syslog_data->[3] eq "failed") { $genunix_ioc_failure[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( substr($syslog_data->[2],-11,11) eq "restart_ioc" && $syslog_data->[3] eq "failed") { $genunix_ioc_failure[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-1] eq "link" && $syslog_data->[$#$syslog_data] eq "down" ) { #net dev $global_network_down[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } if ( 
$syslog_data->[$#$syslog_data-4] eq "Link" && $syslog_data->[$#$syslog_data-3] eq "down" && $syslog_data->[$#$syslog_data-1] eq "cable" && $syslog_data->[$#$syslog_data] eq "problem?" ) { $global_network_down[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "NOTICE:" ) { if ( $syslog_data->[1] eq "out" && $syslog_data->[2] eq "of" && $syslog_data->[3] eq "per-user" && $syslog_data->[4] eq "processes") { $genunix_out_per_user_proc[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_dev_errs_table,0);} } if ($syslog_data->[2] eq "attempt" && $syslog_data->[3] eq "to" && $syslog_data->[4] eq "execute" && $syslog_data->[5] eq "code" && $syslog_data->[6] eq "on" && $syslog_data->[7] eq "stack") { $genunix_exec_stack_code[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; } if ($syslog_data->[2] eq "Disconnected" && $syslog_data->[3] eq "command" && $syslog_data->[4] eq "timeout" ) { $genunix_disc_cmd_timeout[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[1] eq "Power" && $syslog_data->[2] eq "Button" && $syslog_data->[3] eq "pressed" && $syslog_data->[4] eq "2") { $genunix_power_button_2[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; } if ( $syslog_data->[1] eq "Power" && $syslog_data->[2] eq "Button" && $syslog_data->[3] eq "pressed" ) { ## ok, more than 2 times $genunix_power_button_3[$host_index]+=$EVENT_TIMES;$major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-4] eq "Link" && $syslog_data->[$#$syslog_data-3] eq "down" && $syslog_data->[$#$syslog_data-1] eq "cable" && $syslog_data->[$#$syslog_data] eq "problem?" 
) { $genunix_dev_cable_down[$host_index]+=$EVENT_TIMES; $global_network_down[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "cleared" && $syslog_data->[$#$syslog_data-1] eq "service" && $syslog_data->[$#$syslog_data] eq "available") { $genunix_dev_now_available[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "in" && $syslog_data->[5] eq "device;" && $syslog_data->[6] eq "service" && $syslog_data->[7] eq "still" && $syslog_data->[8] eq "degraded") { ## NET DEV $genunix_dev_still_degraded[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_netdev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "in" && $syslog_data->[5] eq "device;" && $syslog_data->[6] eq "service" && $syslog_data->[7] eq "still" && $syslog_data->[8] eq "available" ) { ## MPT - NOT NET DEV $genunix_dev_still_available[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[2] eq "fault" && $syslog_data->[3] eq "detected" && $syslog_data->[4] eq "in" && $syslog_data->[5] eq "device;" && $syslog_data->[6] eq "service" && $syslog_data->[7] eq "still" && $syslog_data->[8] eq "unavailable" ) { ## MPT - NOT NET DEV $genunix_dev_still_unavailable[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( substr($syslog_data->[2],-8,8) eq "ioc_init" && $syslog_data->[3] eq "failed") { $genunix_ioc_failure[$host_index]+=$EVENT_TIMES; if 
($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( substr($syslog_data->[2],-11,11) eq "restart_ioc" && $syslog_data->[3] eq "failed") { $genunix_ioc_failure[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_explain_scsidev_errs_table,0);} $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-1] eq "link" && $syslog_data->[$#$syslog_data] eq "up" ) { if ( $syslog_data->[$#$syslog_data-5] eq "10" && $syslog_data->[$#$syslog_data-3] eq "half" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-5] eq "10" && $syslog_data->[$#$syslog_data-3] eq "full" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-5] eq "100" && $syslog_data->[$#$syslog_data-3] eq "half" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-5] eq "100" && $syslog_data->[$#$syslog_data-3] eq "full" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-5] eq "1000" && $syslog_data->[$#$syslog_data-3] eq "half" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-5] eq "1000" && $syslog_data->[$#$syslog_data-3] eq "full" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[1] eq "SUNW-MSG-ID:" ) { $genunix_SUNW_msgs[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_sunw_msg_id_table,1);} $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-1] eq "Transceiver" && $syslog_data->[$#$syslog_data] eq "Selected." 
) { $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-1] eq "service" && $syslog_data->[$#$syslog_data] eq "available" ) { $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data] eq "duplex" ) { if ( $syslog_data->[$#$syslog_data-3] eq "10" && $syslog_data->[$#$syslog_data-1] eq "half" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-3] eq "10" && $syslog_data->[$#$syslog_data-1] eq "full" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-3] eq "100" && $syslog_data->[$#$syslog_data-1] eq "half" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-3] eq "100" && $syslog_data->[$#$syslog_data-1] eq "full" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-3] eq "1000" && $syslog_data->[$#$syslog_data-1] eq "half" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-3] eq "1000" && $syslog_data->[$#$syslog_data-1] eq "full" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } } if ( $syslog_data->[0] eq "%l0-3:") { #register dump of core dump $major_type_found = 1; return; } if ( $syslog_data->[0] eq "[1]") { #maybe register dump of core dump $major_type_found = 1; return; } if ( $syslog_data->[0] eq "dump") { ## dumping done msg. 
if ( $syslog_data->[1] eq "succeeded") { $genunix_dumping_ok[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "dumping") { $genunix_dumping[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "syncing") { ## no details in rec if ( $syslog_data->[1] eq "file") { $genunix_sync_recs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( substr($syslog_data->[0],0,1) eq "/") { if ( $syslog_data->[$#$syslog_data] eq "offline" ) { $genunix_device_offline[$host_index]+=$EVENT_TIMES; } if ( $syslog_data->[$#$syslog_data] eq "online" ) { $genunix_device_online[$host_index]+=$EVENT_TIMES; } if ( $syslog_data->[$#$syslog_data] eq "down" ) { $genunix_device_down[$host_index]+=$EVENT_TIMES; } if ( $syslog_data->[$#$syslog_data] eq "offline" || $syslog_data->[$#$syslog_data] eq "down" || $syslog_data->[$#$syslog_data] eq "online" ) { if ($REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_offline_table,0);} else { if ($DETAILED_OUTPUT) { add_usual_list_out(\%genunix_offline_table,2); } } $major_type_found = 1; return; } } if ( $syslog_data->[0] =~ /^[0-9a-f]*$/ && $syslog_data->[1] =~ /[A-Za-z0-9]*:[A-Za-z0-9_]*\+/) { ## sys-crash - thread defs. if ($REAL_REAL_DETAILED_OUTPUT) { add_list_out($syslog_data->[1], $host_index, $EVENT_TIMES, \%genunix_crash_proc_table, $syslog_data->[1]); } $major_type_found = 1; return; } if ( $#$syslog_data == 0 && $syslog_data->[0] =~ /^[0-9]*$/) { ## system crash - files synced $major_type_found = 1; return; } if ( ! $DETAILED_OUTPUT) { $major_type_found = 1; return; } ## assume ok- ie boot recs if not detailed out. 
if ( $syslog_data->[0] eq "done") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "dump") { if ( $syslog_data->[1] eq "on") { $major_type_found = 1; } return; } if ( $syslog_data->[0] eq "Ethernet") { if ( $syslog_data->[1] eq "address") { $major_type_found = 1; } return; } if ( $syslog_data->[0] eq "Copyright") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "Creating") { if ( $syslog_data->[1] eq "/etc/devices/devid_cache" ) { $major_type_found = 1; return; } } if ( $syslog_data->[1] eq "done:") { ## dumping done msg. if ( $syslog_data->[4] eq "dumped,") { $major_type_found = 1; return; } } if ( $syslog_data->[1] eq "rctl") { $genunix_rctl_condition_err[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { $genunixkey = join(" ", $syslog_data->[2], $syslog_data->[0]); $genunix_detail_rctl_counts[$host_index]->[$genunix_detail_key_i] +=$EVENT_TIMES; $temp_i = index($syslog_data->[2], '.'); add_list_out($genunixkey, $host_index, $EVENT_TIMES, \%genunix_detail_rctl_counts_table, $syslog_data->[0], substr($syslog_data->[2],0,$temp_i), substr($syslog_data->[2],$temp_i+1)); } $major_type_found = 1; return; } if ( $syslog_data->[1] eq "Release") { $major_type_found = 1; return; } if ( $syslog_data->[1] eq "is") { if ( substr($syslog_data->[2],0,1) eq "/") { if ($REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%genunix_scsi_dev_table,0);} else { if ($REAL_DETAILED_OUTPUT ) { $syslog_data->[2] = "-device-"; add_usual_list_out(\%genunix_scsi_dev_table,0);} } $major_type_found = 1; return; } } } ## end decode genunix sub Decode_inrexecd { ## Solaris - sparc if ( $syslog_data->[0] eq "connect" ) {$inrexecd_connect[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "now" && $syslog_data->[2] eq "rfc931") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "rfc931" && $syslog_data->[3] eq "handshake") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "twist") { $major_type_found = 1; return; } ## 
## use wrappers to twist cmd to other
    if ( $syslog_data->[0] eq "LOGIN" && $syslog_data->[1] eq "FAILURE") {
        ## failed rexec/rsh login: counted per host, per hour with -T (the hour
        ## comes from $syslog_rec->[2], presumably the raw record's HH:MM:SS
        ## field - confirm), and per word 2 of the message at -DD (presumably
        ## the peer host - confirm).  A burst of these on one host is the
        ## password-guessing signal this table exists for.
        $rexecd_rsh_login_bad[$host_index] += $EVENT_TIMES;
        if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_rexecd_table, substr($syslog_rec->[2],0,2)); }
        if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%rexec_bad_login_table, $syslog_data->[2]); }
        $major_type_found = 1; return;
    }
} ## end decode inrexecd

## Decode_stfontserverd - stfontserverd (Solaris font server) records.
## Nothing here is worth counting below -d, so at lower verbosity every
## record is accepted as known and dropped.  Same globals as Decode_genunix.
sub Decode_stfontserverd { #V2.2 ## Solaris - sparc
    if (! $DETAILED_OUTPUT ) { $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "Terminating" && $syslog_data->[3] eq "signal") { $stfontserverd_signal[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "Terminating.") { $stfontserverd_terminating[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "stfontserverd" && $syslog_data->[2] eq "started.") { $stfontserverd_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    return;
} ## end of decode stfontserverd

## Decode_ntpd_init - fill %decode_ntpd_table, the dispatch table Decode_ntpd
## uses for Mac OS X ntpd records.  Keys are the record's first word; each
## handler is a closure over the same globals the other decoders use.  The
## handlers bump the xntpd_* counters on purpose so ntpd and xntpd share one
## output table.  A handler that does not set $major_type_found (e.g.
## "Connection" followed by anything but "re-established") leaves the record
## for Decode_ntpd's fallback checks.
sub Decode_ntpd_init { ##V2.2 ## Mac OsX
    # USE Decode_ntpd but use xntpd vars to output to same output table as xntpd
    $decode_ntpd_table{"Connection"} = sub { if ( $syslog_data->[1] eq "re-established" ) { $xntpd_conn_re_estab[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } };
    $decode_ntpd_table{"precision"} = sub { $xntpd_precision_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; };
    $decode_ntpd_table{"synchronisation"} = sub { if ($syslog_data->[1] eq "lost") { $xntpd_sync_lost_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } return; };
    ## "time reset"/"time set": clock jumps are worth watching per host since
    ## they also break timestamp ordering in that host's logs.
    $decode_ntpd_table{"time"} = sub { if ($syslog_data->[1] eq "reset" ) { $xntpd_resets[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "set" ) { $xntpd_sets[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } };
    $decode_ntpd_table{"ntpd" } = sub { #boot/exit msg
        if ( $syslog_data->[1] eq "exiting" && $syslog_data->[3] eq "signal") {
$major_type_found = 1; $xntpd_exiting[$host_index]+=$EVENT_TIMES; return;
        }
        ## any other "ntpd ..." line is treated as a startup banner
        $xntpd_startup[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;
    };
} ## end of decode ntpd init

## Decode_ntpd - Mac OS X ntpd records.  Dispatches on the first word through
## %decode_ntpd_table (built by Decode_ntpd_init); if the handler claimed the
## record we are done, otherwise fall back to the "sendto(" network-error
## check.  Handlers are called with empty parentheses so @_ is empty; they
## read the usual globals instead.
sub Decode_ntpd { ## OSX
    if (defined $decode_ntpd_table{$syslog_data->[0]}) {
        &{$decode_ntpd_table{$syslog_data->[0]}}();
        if ($major_type_found == 1) {return; }
    }
    if (substr($syslog_data->[0],0,7) eq "sendto(") { $xntpd_network_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    return;
} ## end of decode ntpd

## Decode_xntpd_init - fill %decode_xntpd_table, the first-word dispatch
## table Decode_xntpd uses for Solaris xntpd records.  Same closure-over-
## globals scheme as Decode_ntpd_init.  Handlers whose inner test fails
## leave $major_type_found unset so the record is reported as unknown.
sub Decode_xntpd_init { ##V2.2 ## Solaris - sparc
    $decode_xntpd_table{"couldn't" } = sub { if ( $syslog_data->[1] eq "resolve") { $xntpd_count_not_resolv[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%xntpd_errors_table,2); } $major_type_found = 1; return; } };
    $decode_xntpd_table{"offset" } = sub { $xntpd_offset_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; };
    ## -DD lists peers by word 1 of the "peer ..." message
    $decode_xntpd_table{"peer" } = sub { $xntpd_peer_msg[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) { add_var_list_out( \%xntpd_peer_table, $syslog_data->[1] ) ; } $major_type_found = 1; return; };
    $decode_xntpd_table{"precision"} = sub { $xntpd_precision_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; };
    $decode_xntpd_table{"signal_no_reset:"} = sub { $xntpd_signal_no_reset[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; };
    ## "synchronized to <server>": -D shows which server each host follows,
    ## which is the place to spot a host syncing to an unexpected source.
    $decode_xntpd_table{"synchronized"} = sub { if ( $syslog_data->[1] eq "to") { $xntpd_resyncs[$host_index]+=$EVENT_TIMES; if ($REAL_DETAILED_OUTPUT) { add_usual_list_out(\%xntpd_sync_to_table,2); } $major_type_found = 1; return; } };
    $decode_xntpd_table{"synchronisation"} = sub { if ($syslog_data->[1] eq "lost") { $xntpd_sync_lost_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } return; };
    $decode_xntpd_table{"system" } = sub { if ( $syslog_data->[1] eq "event") { $major_type_found = 1; $xntpd_sys_event[$host_index]+=$EVENT_TIMES; return; } return; };
    $decode_xntpd_table{"tickadj" } = sub {
$xntpd_tickadj_msg[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; };
    ## only the "(step)" form of a time reset is counted; other "time ..."
    ## lines are left unclaimed and so reported as unknown.
    $decode_xntpd_table{"time"} = sub { if ($syslog_data->[1] eq "reset" && $syslog_data->[2] eq "(step)") { $xntpd_resets[$host_index]+=$EVENT_TIMES; $major_type_found = 1; } return; };
    $decode_xntpd_table{"unknown" } = sub { if ($syslog_data->[1] eq "filegen") { $xntpd_unknown_filegen_msg[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%xntpd_errors_table,2); } $major_type_found = 1; return; } };
    $decode_xntpd_table{"using" } = sub { if ( $syslog_data->[1] eq "kernel" && $syslog_data->[2] eq "phase-lock") { $major_type_found = 1; $xntpd_use_phaselock[$host_index]+=$EVENT_TIMES; return; } return; };
    $decode_xntpd_table{"xntpd" } = sub { #boot/exit msg
        if ( $syslog_data->[1] eq "exiting" && $syslog_data->[3] eq "signal") { $major_type_found = 1; $xntpd_exiting[$host_index]+=$EVENT_TIMES; return; }
        ## any other "xntpd ..." line is treated as a startup banner
        $xntpd_startup[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;
    };
} ## end of decode xntpd init

## Decode_xntpd - Solaris xntpd records.  Pure first-word dispatch through
## %decode_xntpd_table (built by Decode_xntpd_init); unlike Decode_ntpd
## there is no fallback check, so an unmatched record stays unknown.
sub Decode_xntpd { ## Solaris - sparc
    if (defined $decode_xntpd_table{$syslog_data->[0]}) { &{$decode_xntpd_table{$syslog_data->[0]}}(); return }
    return;
} ## end of decode xntpd

## Decode_ntpdate - ntpdate records (Solaris and OS X).  "step"/"adjust"
## lines are counted per host and, at -DD, per server they synced to (word 3,
## presumably the server address - confirm).  "can't find host" is tabled by
## the unresolvable name at -d.  Same globals as Decode_genunix.
sub Decode_ntpdate {##v2.1 ## Solaris - sparc, OsX
    if ( $syslog_data->[0] eq "step") { ##V2.1
        if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[3],$host_index, $EVENT_TIMES, \%ntpdate_ip_sync_to_table, $syslog_data->[3]); }
        $major_type_found = 1; $ntpdate_steps[$host_index]+=$EVENT_TIMES; return;}
    if ( $syslog_data->[0] eq "adjust") { ##V2.1
        if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[3],$host_index, $EVENT_TIMES, \%ntpdate_ip_sync_to_table, $syslog_data->[3]); }
        $major_type_found = 1; $ntpdate_adjusts[$host_index]+=$EVENT_TIMES; return;}
    if ( $syslog_data->[0] eq "can't" && $syslog_data->[1] eq "find" && $syslog_data->[2] eq "host" ) {
        if ( $DETAILED_OUTPUT ) { add_list_out($syslog_data->[3],$host_index, $EVENT_TIMES, \%ntpdate_cant_find_table,
$syslog_data->[3]); }
        $major_type_found = 1; $ntpdate_cant_find_host[$host_index]+=$EVENT_TIMES; return;
    }
    if ( $syslog_data->[0] eq "ntpdate") { $ntpdate_startup[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "no") {
        if ( $syslog_data->[1] eq "servers" && $syslog_data->[$#$syslog_data] eq "exiting" ) { ## no servers can be used, exiting
            $major_type_found = 1; $ntpdate_no_servers_exit[$host_index]+=$EVENT_TIMES; return; } }
    if ( $syslog_data->[0] eq "no") {
        if ($syslog_data->[1] eq "server" && $syslog_data->[2] eq "suitable" && $syslog_data->[3] eq "for" && $syslog_data->[4] eq "synchronization") { ##V2.1
            $major_type_found = 1; $ntpdate_no_server[$host_index]+=$EVENT_TIMES; return; } }
    if ( $syslog_data->[0] eq "waiting" ) { $major_type_found = 1; return;} #boot msg
} ## end of decode ntpdate

## Decode_radiusd - RADIUS server records (FreeRADIUS-style "Auth"/"Main"
## prefixes, presumably).  Logins are counted twice: once against the server
## that logged them ($host_index) and once against the client named in the
## trailing "(... NAME)" word, which is looked up with Get_Table_Entry() so it
## gets its own row like any other host.  "Auth.notice:", "Main.info:",
## "Main.notice:", "Main.crit:" and "MASTER:" lines are accepted and dropped
## without a counter.
##
## NOTE(review): the -DD tables print word 2 of "Invalid user:"/"Login OK:"
## verbatim; if the server logs the password next to the user in that
## bracketed field, reports at -DD will contain it.  Check the server's log
## format before sharing such reports.
sub Decode_radiusd { ## radius security recs.
    if ( $syslog_data->[0] eq "/usr/local/etc/raddb/users") { $major_type_found = 1; return;}
    if ( $syslog_data->[0] eq "Auth.notice:") { $major_type_found = 1; return;}
    if ( $syslog_data->[0] eq "Dropping") { $major_type_found = 1; return;}
    if ( $syslog_data->[0] eq "Invalid") {
        if ($syslog_data->[1] eq "user:") {
            $radius_bad_on_server[$host_index] +=$EVENT_TIMES ;
            ## client name is the last word with a trailing ")" stripped
            $test_name = $syslog_data->[$#$syslog_data];
            if (substr($test_name,-1,1) eq ")" ){ $test_name = substr( $test_name, 0, length($test_name)-1); }
            $radius_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters
            $radius_bad[$radius_host_index] +=$EVENT_TIMES ;
            if ( $REAL_REAL_DETAILED_OUTPUT ) { ## need this host index
                add_list_out($syslog_data->[2], $radius_host_index, $EVENT_TIMES, \%radius_inv_table, $syslog_data->[2]); }
            $major_type_found = 1; return;
        }
    }
    if ( $syslog_data->[0] eq "Login") {
        if ($syslog_data->[1] eq "OK:") {
            $radius_ok_on_server[$host_index] +=$EVENT_TIMES ;
            $test_name = $syslog_data->[$#$syslog_data];
            if (substr($test_name,-1,1) eq ")" ) { $test_name = substr( $test_name, 0, length($test_name)-1); }
            $radius_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters
            $radius_ok[$radius_host_index] +=$EVENT_TIMES ;
            if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[2], $radius_host_index, $EVENT_TIMES, \%radius_loginok_table, $syslog_data->[2]); }
            $major_type_found = 1; return;
        }
    }
    if ( $syslog_data->[0] eq "Main.info:") { $major_type_found = 1; return;}
    if ( $syslog_data->[0] eq "Main.notice:") { $major_type_found = 1; return;}
    ## NOTE(review): critical server messages are dropped without a count;
    ## worth at least a counter if the server is security-relevant.
    if ( $syslog_data->[0] eq "Main.crit:") { $major_type_found = 1; return;}
    if ( $syslog_data->[0] eq "Main.error:") {
        ## "request from unknown client: <addr>" - a NAS the server does not
        ## know about is talking to it; counted always, listed by address at -D.
        if ( $syslog_data->[1] eq "request" && $syslog_data->[2] eq "from" && $syslog_data->[3] eq "unknown" && $syslog_data->[4] eq "client:") {## same as one without Main.error:
            $radius_unknown_client[$host_index] +=$EVENT_TIMES ;
            if ( $REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[5], $host_index, $EVENT_TIMES, \%radius_unknown_client_table, $syslog_data->[5]); }
            $major_type_found = 1; return;
        }
        ## every other Main.error: is a generic server error
        $radius_server_err[$host_index] +=$EVENT_TIMES ;
        if ( $DETAILED_OUTPUT ) { add_usual_list_out(\%radius_server_err_table,0); }
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "Malformed") {
        if ( $syslog_data->[1] eq "username:") {
            ## NOTE(review): these two are hashes (%radius_malformed_user_on_server,
            ## %radius_malformed_user) while every other counter here is an array;
            ## confirm the report section reads them as hashes.
            $radius_malformed_user_on_server{$host_index} +=$EVENT_TIMES ;
            $test_name = $syslog_data->[$#$syslog_data];
            if (substr($test_name,-1,1) eq ")" ) { $test_name = substr( $test_name, 0, length($test_name)-1); }
            $radius_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters
            $radius_malformed_user{$radius_host_index} +=$EVENT_TIMES ;
            if ( $REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[5], $radius_host_index, $EVENT_TIMES, \%radius_malformed_client_table, $syslog_data->[5]); }
            $major_type_found = 1; return;
        }
    }
    if ( $syslog_data->[0] eq "MASTER:") { $major_type_found = 1; return;}
    ## NOTE(review): the two "Ready" tests below are identical, so the second
    ## (which bumps $radius_ready, lower case) can never run; only
    ## $radius_Ready is ever incremented.  Confirm which one the report prints.
    if ( $syslog_data->[0] eq "Ready" ) { $radius_Ready[$host_index] += $EVENT_TIMES; # skip as same as Ready
        $major_type_found = 1; return; }
    if ($syslog_data->[0] eq "Ready") { $radius_ready[$host_index] += $EVENT_TIMES; # skip as same as Ready
        $major_type_found = 1; return; }
    if ($syslog_data->[0] eq "request") {
        if ( $syslog_data->[1] eq "from" && $syslog_data->[2] eq "unknown" && $syslog_data->[3] eq "client:") { ### Duplicate of msg with Main.error:
            $radius_unknown_client[$host_index] +=$EVENT_TIMES ;
            if ( $REAL_DETAILED_OUTPUT ) { add_var_list_out(\%radius_unknown_client_table, $syslog_data->[4]); }
            $major_type_found = 1; return;
        }
    }
} # end decode radius

## printer msgs logged here
## Decode_printer - records logged by network printers.  The "connection"
## case classifies the line (idle timeout / aborted / denied / other) and,
## with -d, tables it by peer address: the real address at -DD (trailing
## port component dropped), the literal "-- IP --" otherwise.  That block
## always returns, so the second "connection" test at the end of the sub
## (foreign side aborted) is unreachable - NOTE(review).  A "connection
## ... denied" line is the one to watch: it is a rejected print-access
## attempt from the listed address.
sub Decode_printer { ##V2.1 ## Solaris - sparc
    if ($syslog_data->[0] eq "connection") {
        if ($syslog_data->[3] eq "aborted" ) {
            if ($syslog_data->[4] eq "due" && $syslog_data->[5] eq "to" && $syslog_data->[6] eq "idle" && $syslog_data->[7] eq "timeout" ) { $printer_idle_timeout[$host_index]+=$EVENT_TIMES; $major_type_found = 1; }
            else { $printer_aborted[$host_index]+=$EVENT_TIMES; $major_type_found = 1; }
        }
        if ($syslog_data->[3] eq "denied") { $printer_access_denied[$host_index]+=$EVENT_TIMES; $major_type_found = 1; }
        ## relies on the caller resetting $major_type_found to 0 per record
        if ($major_type_found == 0) { $printer_access_other[$host_index]+=$EVENT_TIMES; $major_type_found = 1;}
        if ($DETAILED_OUTPUT ) {
            if ($syslog_data->[1] eq "with" || $syslog_data->[1] eq "from" ){ ##drop port no.
                ## address is "a.b.c.d.port"; keep the first four dotted parts
                if ($REAL_REAL_DETAILED_OUTPUT ) {
                    @a = split("\\.", $syslog_data->[2]);
                    if ( $#a > 3) { $syslog_data->[2] = join (".", @a[0 ..
3]); }
                }
                else { $syslog_data->[2] = "-- IP --"; }
                add_usual_list_out(\%printer_badconn_table, 0);
            }
        }
        return;
    }
    ## the cases below with a bare "return;" leave $major_type_found unset
    ## for the unmatched second word, so e.g. "cover/door closed" is reported
    ## as unknown.
    if ($syslog_data->[0] eq "cover/door") { if ($syslog_data->[1] eq "open") {$printer_door_open[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return;} return; }
    if ($syslog_data->[0] eq "error") { if ($syslog_data->[1] eq "cleared" ) {$printer_cleared[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return;} return; }
    if ($syslog_data->[0] eq "interface") { if ($syslog_data->[1] eq "reconfigured" ) {$printer_reconfigured[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;} }
    ## a printer reporting its own hostname changed is a configuration change
    ## worth checking against change records
    if ($syslog_data->[0] eq "Hostname") { if ($syslog_data->[2] eq "changed" ) { $printer_hostname[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;} }
    if ($syslog_data->[0] eq "toner/ink") { if ($syslog_data->[1] eq "low" ) {$printer_ink_low[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;} }
    if ($syslog_data->[0] eq "offline") {$printer_offline[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }
    if ($syslog_data->[0] eq "output") { if ($syslog_data->[1] eq "full" ) {$printer_output_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;} }
    if ($syslog_data->[0] eq "paper") {
        if ($syslog_data->[1] eq "out" ) {$printer_paper_out[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;}
        if ($syslog_data->[1] eq "jam" ) {$printer_paper_jam[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return;}
        return; }
    if ($syslog_data->[0] eq "powered") { if ($syslog_data->[1] eq "up") {$printer_power_up[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return;} return; }
    if ($syslog_data->[0] eq "memory") { if ($syslog_data->[1] eq "out") {$printer_memory_out[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return;} return; }
    ## NOTE(review): unreachable - the first "connection" block above always
    ## returns, so "foreign side aborted" lines are counted as plain aborts.
    if ($syslog_data->[0] eq "connection") {
        if ($syslog_data->[3] eq "aborted" && $syslog_data->[4] eq "due" && $syslog_data->[5] eq "to" && $syslog_data->[6] eq "foreign" && $syslog_data->[7] eq "side" && $syslog_data->[8] eq "aborted" ) { $printer_foreign_abort[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return; }
        return;
    }
} ## end of printer

## Decode_svc_startd - Solaris SMF svc.startd records.  Three specific
## failures get their own counters; anything else from svc.startd is counted
## as a generic error and still marked as known, so this decoder never lets
## a record reach the unknown report.  All four cases share one -d table.
sub Decode_svc_startd { ##V2.1 ## Solaris - sparc
    if ( $syslog_data->[1] eq "Method" && $syslog_data->[3] eq "failed") { $svc_startd_method_failed[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%svc_startd_msg_table,0);} $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "instance" && $syslog_data->[2] eq "exited") { $svc_startd_bad_exit_code[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%svc_startd_msg_table,0);} $major_type_found = 1; return; }
    if ( $syslog_data->[0] eq "Could" && $syslog_data->[1] eq "not" && $syslog_data->[3] eq "status" && $syslog_data->[4] eq "for" ) { $svc_startd_no_get_status[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%svc_startd_msg_table,0);} $major_type_found = 1; return; }
    ## catch-all
    $major_type_found = 1; $svc_startd_err[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%svc_startd_msg_table,0);} return;
} ## end of decode svc.startd

## Decode_mount - local "<fs> mounted OK" records; -DD lists the mount
## point (word 0) per host.
sub Decode_mount {##V2.1 ## Solaris - sparc
    if ( $syslog_data->[1] eq "mounted" && $syslog_data->[2] eq "OK") { $local_mount[$host_index]+=$EVENT_TIMES; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%mount_ok_table, $syslog_data->[0]); } $major_type_found = 1; return; }
} ## end of decode mount

## Decode_mountd - NFS mountd records.  Only "<client> denied access ..." is
## handled: a refused NFS mount attempt, counted per server and tabled with
## -d (more of the message kept at -D).  These are the lines to review for
## hosts probing exports they are not allowed to mount.
sub Decode_mountd { ## Solaris - sparc
    ## maybe we should just assume any msg is an en error...
if ( $syslog_data->[1] eq "denied" && $syslog_data->[2] eq "access") {
        $major_type_found = 1;
        $mountd_refused[$host_index]+=$EVENT_TIMES;
        if ($REAL_DETAILED_OUTPUT) { add_usual_list_out(\%mountd_ref_fs_table,0); }
        else {if ($DETAILED_OUTPUT) { add_usual_list_out(\%mountd_ref_fs_table,4); }}
        $major_type_found = 1; return;
    }
} ## end of decode mountd

## Decode_lpd - BSD-style lpd records on the print server.  "connect" lines
## are counted both against the server ($host_index, "lp_to") and against
## the client named in the last word ("lp_from"), with any "user@" prefix
## removed; the client is looked up with Get_Table_Entry() so it gets its
## own row.  "refused connect from <host>" is counted the same two ways
## (word 3 as the client) and tabled with -d.  Note the table of hosts grows
## with every distinct client name seen in the log.
sub Decode_lpd { ## Solaris - sparc
    if ( $syslog_data->[0] eq "connect") {
        $host_name = $syslog_data->[$#$syslog_data];
        ## index() > 0 means a "@" in first position is left in place
        if (index($host_name,'@') > 0) { ## kill user@ if present
            $host_name = substr($host_name,index($host_name,'@')+1); }
        $host2_index = &Get_Table_Entry ($host_name); ## entry into table of counters
        $lpd_conn_lp_from[$host2_index]+=$EVENT_TIMES; ## we are the server, used in case inet not logging.
        $lpd_conn_lp_to[$host_index]+=$EVENT_TIMES; ## we are the server, used in case inet not logging.
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "refused") {
        if ( $syslog_data->[1] eq "connect"){
            $lpd_refused[$host_index]+=$EVENT_TIMES; ## refused by
            $host2_index = &Get_Table_Entry ($syslog_data->[3]); ## entry into table of counters
            $lpd_refused_from[$host2_index]+=$EVENT_TIMES; ## refused from here.
            if ($DETAILED_OUTPUT) {
                $lpd_index = 4;
                if ($REAL_DETAILED_OUTPUT) { $lpd_index = 3; }
                add_usual_list_out(\%lpd_refused_conn_msg_table, $lpd_index);
            }
            $major_type_found = 1; return;
        }
    }
} ## end of decode lpd

## Decode_lpstat - lpstat client debug output.  Word 0 is a function name
## with its argument list ("net_open(host...") and is reduced to the bare
## name for matching.  "net_open" counts a query from this host to the
## server named in the argument (after "net_open(", i.e. offset 9, with the
## last character chopped - presumably the closing bracket or comma);
## "job_list_append" counts a query against the printer in word 1.  The
## remaining function names are accepted silently.
sub Decode_lpstat { ##mostly from debug level output ## Solaris - sparc
    if ($syslog_data->[0] eq "database:") { $major_type_found = 1; return; }
    $test_name = $syslog_data->[0];
    if (index($syslog_data->[0], '(') >= 0 ) { $test_name = substr( $syslog_data->[0], 0, index($syslog_data->[0], '(' )); }
    if ( $test_name eq "net_printf" ) { $major_type_found = 1; return; }
    if ( $test_name eq "net_open" ) {
        $host_name2 = substr($syslog_data->[0],9); chop ($host_name2);
        $lpstat_conn_from[$host_index]+=$EVENT_TIMES;
        $host2_index = &Get_Table_Entry ($host_name2);
        $lpstat_conn_to[$host2_index]+=$EVENT_TIMES;
        $major_type_found = 1; return;
    }
    if ( $test_name eq "job_list_append" ) {
        $host_name2 = $syslog_data->[2]; chop($host_name2);   # computed but not used here
        $lpstat_printer_name = $syslog_data->[1]; chop ($lpstat_printer_name);
        $printer_index = &Get_Table_Entry ($lpstat_printer_name);
        $lpstat_pr_query[$printer_index]+=$EVENT_TIMES;
        $major_type_found = 1; return;
    }
    ## "job_list_append" here is redundant - it already returned above
    if ( $test_name eq "job_list_append" || $test_name eq 'net_close' || $test_name eq 'net_read' || $test_name eq "job_printer" || $test_name eq "job_retrieve" || $test_name eq 'map_in_file' || $test_name eq 'net_write' || $test_name eq "null" ) { $major_type_found = 1; return; }
}

## Decode_cancel - cancel(1) client debug output, same function-name
## matching as Decode_lpstat.  "job_list_append" counts a cancel from this
## host, against the server in word 2 and the printer in word 1 (each with
## its last character chopped).
sub Decode_cancel { ##mostly from debug level output ## Solaris - sparc
    if ($syslog_data->[0] eq "database:") { $major_type_found = 1; return; }
    $test_name = $syslog_data->[0];
    if (index($syslog_data->[0], '(') >= 0 ) { $test_name = substr( $syslog_data->[0], 0, index($syslog_data->[0], '(' )); }
    if ( $test_name eq "net_printf" ) { $major_type_found = 1; return; }
    if ( $test_name eq "job_list_append" ) {
        $cancel_job[$host_index]+=$EVENT_TIMES;
        $host_name2 = $syslog_data->[2]; chop($host_name2);
        $host_index_2 = &Get_Table_Entry ($host_name2);
$cancel_to_server[$host_index_2]+=$EVENT_TIMES;
        $cancel_printer_name = $syslog_data->[1]; chop ($cancel_printer_name);
        $printer_index = &Get_Table_Entry ($cancel_printer_name);
        $cancel_printer[$printer_index]+=$EVENT_TIMES;
        $major_type_found = 1; return;
    }
    ## "job_list_append" here is redundant - it already returned above
    if ( $test_name eq "job_list_append" || $test_name eq 'net_close' || $test_name eq 'net_open' || $test_name eq 'net_read' || $test_name eq "vcancel_remote" || $test_name eq "net_write" ) { $major_type_found = 1; return; }
}

## Decode_lprm - lprm(1) client debug output, same function-name matching as
## Decode_lpstat.  "job_list_append" counts a removal request from this host,
## against the server in word 2 and the printer in word 1 (last character
## chopped).  It reuses the $cancel_printer_name global from Decode_cancel
## for the printer name.
sub Decode_lprm { ##mostly from debug level output ## Solaris - sparc
    if ($syslog_data->[0] eq "database:") { $major_type_found = 1; return; }
    $test_name = $syslog_data->[0];
    if (index($syslog_data->[0], '(') >= 0 ) { $test_name = substr( $syslog_data->[0], 0, index($syslog_data->[0], '(' )); }
    if ( $test_name eq "net_printf" ) { $major_type_found = 1; return; }
    if ( $test_name eq "job_list_append" ) {
        $lprm_conn_from[$host_index]+=$EVENT_TIMES;
        $host_name2 = $syslog_data->[2]; chop($host_name2);
        $host_index_2 = &Get_Table_Entry ($host_name2);
        $lprm_conn_to[$host_index_2]+=$EVENT_TIMES;
        $cancel_printer_name = $syslog_data->[1]; chop ($cancel_printer_name);
        $printer_index = &Get_Table_Entry ($cancel_printer_name);
        $lprm_pr_cancel[$printer_index]+=$EVENT_TIMES;
        $major_type_found = 1; return;
    }
    ## "job_list_append" here is redundant - it already returned above
    if ( $test_name eq "job_list_append" || $test_name eq 'job_printer' || $test_name eq 'job_retrieve' || $test_name eq 'map_in_file' || $test_name eq 'net_close' || $test_name eq 'net_read' || $test_name eq 'net_open' || $test_name eq "net_write" || $test_name eq 'vcancel_remote' || $test_name eq 'vjob_cancel') { $major_type_found = 1; return; }
}

## Decode_lpsched - lpsched (print scheduler) records: dispatch, cancel and
## fault lines plus the debug-level s_*/ev_* function traces.  Printer names
## pulled out of the message are looked up with Get_Table_Entry() so printers
## get rows of their own next to hosts.
##
## NOTE(review): in the "fault" branch further down,
## $lpsched_server_printer_faults[host_index] uses the bareword host_index
## (no "$"), so under "no strict" every server-side fault count lands in
## element 0 instead of the current host's row; it should be
## `$lpsched_server_printer_faults[$host_index]`.
sub Decode_lpsched { ## Solaris - sparc
    if ($syslog_data->[0] eq "dispatch") {
        if ($REAL_REAL_DETAILED_OUTPUT) { add_list_out($syslog_data->[1], $host_index, $EVENT_TIMES, \%lpsched_dispatch_table, $syslog_data->[1]); }
        $major_type_found = 1; return;
    }
    if ($syslog_data->[0] eq "cancel") {
        ## printer name is word 2 minus its first char and everything from the
        ## last "-" on (the request number, presumably)
        $test_name = substr($syslog_data->[2],1);
        $test_name =
substr($test_name,0,rindex($test_name,'-')); $lpsched_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters $lpsched_cancel[$host_index]+=$EVENT_TIMES; $lpsched_pr_cancel[$lpsched_host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "fault") { $test_name = $syslog_data->[1]; if (index($test_name, ")") >= 0 ) { $test_name = substr( $test_name, 0, index($test_name, ")" )); } if (substr($test_name,0,1) eq "(" ) { $test_name = substr( $test_name, 1); } $lpsched_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters $lpsched_printer_faults[$lpsched_host_index]+=$EVENT_TIMES; $lpsched_server_printer_faults[host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { ## 2 tables, 1 by printer, 1 by server add_usual_list_out(\%lpsched_server_printer_fault_table, 3); (@line_list) = (@{$syslog_data}[3 .. $#$syslog_data]); $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $lpsched_host_index, $EVENT_TIMES, \%lpsched_printer_fault_table, (@line_list)); } $major_type_found = 1; return; } ## next entries are from debug level if ($syslog_data->[0] eq "file") { if ($syslog_data->[1] eq "descriptor" ) {$major_type_found = 1; return; } } if ($syslog_data->[0] eq "s_print_request:") { $major_type_found = 1; return; } if ($syslog_data->[0] eq "Loaded") { $major_type_found = 1; return; } ## enumerate printers ## partials, we just skip $TEST_P = $syslog_data->[0]; if (index($TEST_P,"(") > 0) { $TEST_P = substr($syslog_data->[0],0,index($TEST_P,"(")); } if ($TEST_P eq "_cancel") { $major_type_found = 1; return; } if ($TEST_P eq "ev_notify") { $major_type_found = 1; return; } if ($TEST_P eq "ev_slowf") { $major_type_found = 1; return; } if ($TEST_P eq "exec") { $major_type_found = 1; return; } if ($TEST_P eq "lock_job") { $major_type_found = 1; return; } if ($TEST_P eq "s_accept_dest") { $major_type_found = 1; return; } if ($TEST_P eq "s_alloc_files") { $major_type_found = 1; return; } if ($TEST_P eq 
"s_cancel") { $major_type_found = 1; return; } if ($TEST_P eq "s_child_done") { $major_type_found = 1; return; } if ($TEST_P eq "s_clear_fault") { $major_type_found = 1; return; } ## we should output this... if ($TEST_P eq "s_disable_dest") { # from enable/disable printer $test_name = substr($syslog_data->[0],15); chop ($test_name); if (index($test_name,',') > 0) { $test_name = substr($test_name,0,index($test_name,',')); } $lpsched_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters $lpsched_disabled[$lpsched_host_index]+=$EVENT_TIMES; $lpsched_server_disabled[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($TEST_P eq "s_enable_dest") { # from enable/disable printer $test_name = substr($syslog_data->[0],14); chop ($test_name); $lpsched_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters $lpsched_enabled[$lpsched_host_index]+=$EVENT_TIMES; $lpsched_server_enabled[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($TEST_P eq "ev_interf") { $major_type_found = 1; return; } if ($TEST_P eq "s_inquire") { $major_type_found = 1; return; } if ($TEST_P eq "s_inquire_class") { $major_type_found = 1; return; } if ($TEST_P eq "s_inquire_printer_status") { $major_type_found = 1; return; } if ($TEST_P eq "s_inquire_request") { $major_type_found = 1; return; } if ($TEST_P eq "s_inquire_request_rank") { $major_type_found = 1; return; } if ($TEST_P eq "s_print_request") { #can be host/number or just number for localhost $test_name = substr($syslog_data->[0],16); chop ($test_name); if (index($test_name,'/') > 0) { $test_name = substr($test_name,0,index($test_name,'/')); } else { $test_name = $machine; } $lpsched_host_index = &Get_Table_Entry ($test_name); ## entry into table of counters $lpsched_print_from[$lpsched_host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($TEST_P eq "s_send_fault") { $major_type_found = 1; return; } if ($TEST_P eq "s_shutdown") { $major_type_found = 1; return; } if 
($TEST_P eq "schedule") { $major_type_found = 1; return; } } ## end of decode lpsched # if ($pname eq "lpsched" ) { # if ($syslog_data->[0] eq "fault" && /Printer not responding/) { $major_type_found = 1; next Decode_field_4; } # } sub Decode_lpq { ## Solaris - sparc if ($syslog_data->[0] eq "database:") { $lpq_server_startup[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ##STARTUP ## partials, we just skip $TEST_P = $syslog_data->[0]; if (index($TEST_P,"(") > 0) { $TEST_P = substr($syslog_data->[0],0,index($TEST_P,"(")); } if ($TEST_P eq "net_printf") { $major_type_found = 1; return; } if ( $TEST_P eq "net_open" ) { $host_name2 = substr($syslog_data->[0],9); chop ($host_name2); $lpq_conn_from[$host_index]+=$EVENT_TIMES; $host2_index = &Get_Table_Entry ($host_name2); $lpq_conn_to[$host2_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $TEST_P eq "job_list_append" ) { $host_name2 = $syslog_data->[2]; chop($host_name2); $lpq_printer_name = $syslog_data->[1]; chop ($lpq_printer_name); $printer_index = &Get_Table_Entry ($lpq_printer_name); $lpq_pr_query[$printer_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($TEST_P eq "net_close") { $major_type_found = 1; return; } if ($TEST_P eq "net_printf") { $major_type_found = 1; return; } if ($TEST_P eq "net_read") { $major_type_found = 1; return; } if ($TEST_P eq "job_printer") { $major_type_found = 1; return; } if ($TEST_P eq "job_retrieve") { $major_type_found = 1; return; } if ($TEST_P eq "map_in_file") { $major_type_found = 1; return; } if ($TEST_P eq "net_write") { $major_type_found = 1; return; } if ($TEST_P eq "null") { $major_type_found = 1; return; } } ## end of decode lpq #Apr 9 23:42:55 ace bsd-gw[23851]: [ID 937800 lpr.error] request to lp (unknown printer) from ::ffff:80.96.109.138 #Apr 9 23:44:37 ace bsd-gw[23927]: [ID 315218 lpr.error] Invalid protocol request (9): lp #May 8 15:14:06 ace bsd-gw[25662]: [ID 193670 lpr.error] Can't determine requested printer sub Decode_bsd_gw { 
##V2.2 ## Solaris - sparc if ( $syslog_data->[0] eq "attempt") { if ( $syslog_data->[2] eq "transfer" && $syslog_data->[3] eq "job(s)") { $bsd_gw_bad_transfer[$host_index]+=$EVENT_TIMES; $bsd_gw_host_index = &Get_Table_Entry ($syslog_data->[$#$syslog_data]); ## entry by printer $bsd_printer_gw_bad_transfer[$bsd_gw_host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_var_list_out(\%bsd_gw_bad_printer_table, $syslog_data->[$#$syslog_data]);} $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "Can't") { if ( $syslog_data->[1] eq "communicate" && $syslog_data->[3] eq "spooler") { $bsd_gw_cant_comm_spooler[$host_index]+=$EVENT_TIMES; $bsd_gw_host_index = &Get_Table_Entry ($syslog_data->[5]); ## entry by printer $bsd_printer_gw_cant_comm_spooler[$bsd_gw_host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_var_list_out(\%bsd_gw_no_comm_spooler_table, $syslog_data->[$#$syslog_data]);} $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "Can't") { if ( $syslog_data->[1] eq "determine" && $syslog_data->[2] eq "requested" && $syslog_data->[3] eq "printer") { $bsd_gw_cant_determ_printer[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "cancel") { $bsd_gw_cancel[$host_index]+=$EVENT_TIMES; $local_pr = $syslog_data->[6] ; if (substr($local_pr,-1,1) eq ",") { chop $local_pr;} $bsd_gw_host_index = &Get_Table_Entry ($local_pr); ## entry by printer $bsd_printer_cancel[$bsd_gw_host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "ID") { if ( $syslog_data->[1] eq "Collision" ) { $bsd_gw_id_collision[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "Invalid") { if ( $syslog_data->[1] eq "protocol" && $syslog_data->[2] eq "request") { $bsd_gw_inv_proto[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "request") { if ( $syslog_data->[3] eq "(unknown" && $syslog_data->[4] eq "printer)") { 
$bsd_gw_unknown[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%bsd_gw_req_unk_printer_table, 3);} $bsd_gw_host_index = &Get_Table_Entry ($syslog_data->[2]); ## entry by printer $bsd_printer_gw_unknown[$bsd_gw_host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "Submit:") {$major_type_found = 1; return; } ##partials we care about if ( substr($syslog_data->[0],0,21) eq "lpsched_client_access") { $temp_printer = substr($syslog_data->[0],22); chop ($temp_printer); ## drop comma $temp_host = $syslog_data->[1]; chop $temp_host; ## drop right paren $bsd_gw_host_index = &Get_Table_Entry ($temp_host); ## entry by printer $bsd_gw_client_con_from[$bsd_gw_host_index]+=$EVENT_TIMES; $bsd_gw_client_con_to[$host_index]+=$EVENT_TIMES; $bsd_gw_host_index = &Get_Table_Entry ($temp_printer); ## entry by printer $bsd_printer_gw_con_to[$bsd_gw_host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( substr($syslog_data->[0],0,18) eq "lpsched_submit_job") { if ($DETAILED_OUTPUT){ $temp_printer = substr($syslog_data->[0],19); chop $temp_printer; $temp_key = join("-",$machine,$temp_printer); $host2 = substr($syslog_data->[1],1); $host2_index = &Get_Table_Entry ($host2); add_list_out($temp_key, $host2_index, $EVENT_TIMES, \%bsd_gw_host_vs_printer_table, $machine, $temp_printer); } $major_type_found = 1; return; } ## partials of first stuff we look at. 
if ( $syslog_data->[0] eq "pwrite" || substr($syslog_data->[0],0,7) eq "pwrite") { $bsd_gw_pwrite_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ## paritials of lines we skip if ( substr($syslog_data->[0],0,14) eq "abort_transfer") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,10) eq "cancel_job") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,7) eq "control") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,4) eq "data") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,7) eq "in.lpd:") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,8) eq "lock_job") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,8) eq "lpsched:") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,8) eq "lpsched_") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,8) eq "protocol") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,6) eq "pwrite") {$major_type_found = 1; return; } if ( substr($syslog_data->[0],0,10) eq "unlock_job") {$major_type_found = 1; return; } } ## end of decode lpd sub Decode_saslauthd { ## Solaris - sparc if ( $syslog_data->[0] eq "auth" && $syslog_data->[1] eq "failure") { $saslauthd_failurer[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } #detach_tty : master pid is: 169 if ( $syslog_data->[0] eq "detach_tty" ) { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "DEBUG") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "DEBUG:") { $major_type_found = 1; return; } # do_auth : auth failure: [user=admin] ... 
if ( $syslog_data->[0] eq "do_auth" && $syslog_data->[3] eq "failure:") { $saslauthd_failurer[$host_index]+=$EVENT_TIMES; if ( $REAL_REAL_DETAILED_OUTPUT ) { if (substr($syslog_data->[4],-1,1) eq "]") { $user_id = substr($syslog_data->[4],6,length($syslog_data->[4])-7); } else { $user_id = substr($syslog_data->[4],6);} add_var_list_out (\%saslauth_failed_user_table, $user_id); } $major_type_found = 1; return; } # do_auth : auth success: [user=jet] if ( $syslog_data->[0] eq "do_auth" && $syslog_data->[3] eq "success:") { $saslauthd_success[$host_index]+=$EVENT_TIMES; if ( $STUPID_OUTPUT ) { if (substr($syslog_data->[4],-1,1) eq "]") { $user_id = substr($syslog_data->[4],6,length($syslog_data->[4])-7); } else { $user_id = substr($syslog_data->[4],6);} add_var_list_out (\%saslauth_OK_user_table, $user_id); } $major_type_found = 1; return; } if ( $syslog_data->[0] eq "do_request") { $major_type_found = 1; return; } # do_request : response: OK if ( $syslog_data->[0] eq "get_accept_lock" ) { $major_type_found = 1; return; } # get_accept_lock... if ( $syslog_data->[0] eq "handle_sigchld" ) { $major_type_found = 1; return; } # cleanup msgs when shutdown if ( $syslog_data->[0] eq "have_baby" ) { $major_type_found = 1; return; } # have_baby : forked child: 33333 if ( $syslog_data->[0] eq "ipc_cleanup" ) { $major_type_found = 1; return; } # cleanup msgs when shutdown if ( $syslog_data->[0] eq "ipc_init" ) { if ( $syslog_data->[2] eq "listening" && $syslog_data->[4] eq "socket:") { $saslauthd_init[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $major_type_found = 1; return; } if ( $syslog_data->[0] eq "main" ) { $major_type_found = 1; return; } # main ... startup msgs if ( $syslog_data->[0] eq "rel_accept_lock" ) { $major_type_found = 1; return; } # rel_accept_lock... 
if ( $syslog_data->[0] eq "server_exit" ) { if ( $syslog_data->[2] eq "master" && $syslog_data->[3] eq "exited:") { $saslauthd_master_exit[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $major_type_found = 1; return; } # pam_unix_auth: user admin not found OR user joe sshmoe not found if ( $syslog_data->[0] eq "user" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "found") { $major_type_found = 1; return; } if ( $syslog_data->[1] eq "user" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "found") { $major_type_found = 1; return; } } # end of decode saslauthd sub Decode_printd { ## Solaris - sparc if ( $syslog_data->[0] eq "send_job") { if ( $syslog_data->[1] eq "failed") { ## one per each time tried to send print jobs $printd_failed_from_err[$host_index]+=$EVENT_TIMES; $host2_name = $syslog_data->[4]; ##name is (printer@host) if (($Posit=index($host2_name,'@')) > 0) { ## kill @host.. or trailing ) $printer_name = substr($host2_name,0,$Posit); $host2_name = substr($host2_name,$Posit+1); if (substr($host2_name,-1,1) eq ")" ) { chop($host2_name)} } else { $printer_name = $host2_name; $host_name=$machine; if (substr($printer_name,-1,1) eq ")" ) { chop($printer_name)} } if (substr($printer_name,0,1) eq "(" ) { $printer_name=substr($printer_name,1); } $printer_index = &Get_Table_Entry ($printer_name); ## entry into table of counters $printd_printer_failed_err[$printer_index]+=$EVENT_TIMES; $host2_index = &Get_Table_Entry ($host2_name); ## entry into table of counters $printd_failed_to_err[$host2_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "daemon") { if ( $syslog_data->[1] eq "exiting...") { $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "got") { if ( $syslog_data->[2] eq "queue...") { $major_type_found = 1; return; } } ## partials, we just skip $TEST_P = $syslog_data->[0]; if (index($TEST_P,"(") > 0) { $TEST_P = 
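substr($syslog_data->[0], 0, index($TEST_P, "("));
    }
    ## Debug-level chatter: recognised, not counted.
    my %printd_skip;
    @printd_skip{qw(net_send_message _job_unlink_data_file job_free job_destroy
                    job_printer job_retrieve map_in_file net_close net_read
                    net_response net_send_file net_write net_open null
                    send_job sendfile)} = ();
    if (exists $printd_skip{$TEST_P}) { $major_type_found = 1; return; }
    if (substr($syslog_data->[0], 0, 8)  eq "get_lock")        { $major_type_found = 1; return; }
    if (substr($syslog_data->[0], 0, 15) eq "job_list_append") { $major_type_found = 1; return; }
} ## end of decode printd

## Decode_lp - lp client records (Solaris sparc).
## Counts failed job sends (by sender, printer and target host) and job
## creation (by submitting host, printer and server); debug chatter skipped.
sub Decode_lp {
    ## Solaris - sparc
    if ($syslog_data->[0] eq "send_job") {
        if ($syslog_data->[1] eq "failed") {
            ## one per print job with an error
            $lp_failed_from_err[$host_index] += $EVENT_TIMES;
            $host2_name = $syslog_data->[4];   ##name is (printer@host)
            if (($Posit = index($host2_name, '@')) > 0) {
                ## kill @host.. or trailing )
                $printer_name = substr($host2_name, 0, $Posit);
                $host2_name   = substr($host2_name, $Posit + 1);
                if (substr($host2_name, -1, 1) eq ")") { chop($host2_name) }
            } else {
                ## No "@host": a local printer, so the target host is this machine.
                ## FIX: the original assigned $host_name (not used in this routine)
                ## and left $host2_name holding "(printer)", which then became a
                ## bogus host entry in lp_failed_to_err.
                $printer_name = $host2_name;
                $host2_name   = $machine;
                if (substr($printer_name, -1, 1) eq ")") { chop($printer_name) }
            }
            if (substr($printer_name, 0, 1) eq "(") { $printer_name = substr($printer_name, 1); }
            $printer_index = Get_Table_Entry($printer_name);   ## entry into table of counters
            $lp_printer_failed_err[$printer_index] += $EVENT_TIMES;
            $host2_index = Get_Table_Entry($host2_name);       ## entry into table of counters
            $lp_failed_to_err[$host2_index] += $EVENT_TIMES;
            $major_type_found = 1; return;
        }
    }

    if ($syslog_data->[0] eq "main():") { $major_type_found = 1; return; }

    ## "name(args..." -> "name"
    $test_name = $syslog_data->[0];
    if (index($syslog_data->[0], "(") >= 0) {
        $test_name = substr($syslog_data->[0], 0, index($syslog_data->[0], "("));
    }

    ## job_create(<printer>) <host>): one submitted job.
    if ($test_name eq "job_create") {
        ## FIX: these three used "++"; every other counter in this file adds
        ## $EVENT_TIMES, so collapsed duplicate records were under-counted here.
        $lp_jobs[$host_index] += $EVENT_TIMES;
        $lp_printer = substr($syslog_data->[0], 11);   ## skip "job_create("
        substr($lp_printer, -1) = "";                  ## drop ")"
        $host_index_2 = Get_Table_Entry($lp_printer);
        $lp_conn_to_printer[$host_index_2] += $EVENT_TIMES;
        $lp_host = $syslog_data->[1];
        substr($lp_host, -2) = "";                     ## drop the two trailing delimiters
        $host_index_2 = Get_Table_Entry($lp_host);
        $lp_conn_to_host[$host_index_2] += $EVENT_TIMES;
        if ($DETAILED_OUTPUT) {
            $temp_printer = substr($syslog_data->[0], 11);
            chop $temp_printer;
            $host2 = $syslog_data->[1];
            ## need to chop both a trailing ":" and a trailing ")" (either order).
            if (substr($host2, -1, 1) eq ":" || substr($host2, -1, 1) eq ")") { chop($host2); }
            if (substr($host2, -1, 1) eq ":" || substr($host2, -1, 1) eq ")") { chop($host2); }
            ## $host2_index = Get_Table_Entry($host2);
            ## NOTE(review): $temp_key is built but the table is keyed on the
            ## printer alone (bsd_gw keys on host-printer); left as it was.
            $temp_key = join("-", $host2, $temp_printer);
            add_list_out($temp_printer, $host_index, $EVENT_TIMES,
                         \%lp_host_vs_printer_table, $host2, $temp_printer);
        }
        $major_type_found = 1; return;
    }

    if ($test_name eq "net_send_message") { $major_type_found = 1; return; }

    ## Remaining debug chatter: recognised, not counted.
    my %lp_skip;
    @lp_skip{qw(_job_alloc_file _job_alloc_id _job_unlink_data_file database:
                get_lock job_add_data_file job_create job_destroy job_free
                job_list_append job_primative job_printer job_retrieve job_store
                map_in_file net_close net_open net_read net_response net_send_file
                net_write null send_job sendfile stdin_to_file: write_buffer)} = ();
    if (exists $lp_skip{$test_name}) { $major_type_found = 1; return; }
} ## end of decode lp

## Decode_lq - lq records; everything seen so far is start-up chatter.
sub Decode_lq {
    ## Solaris - sparc - decode lq, say what???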
if ( $syslog_data->[0] eq "database:") { $major_type_found = 1; return; } # startup $test_name = $syslog_data->[0]; if (index($syslog_data->[0], "(") >= 0 ) { $test_name = substr( $syslog_data->[0], 0, index($syslog_data->[0], "(" )); } if ( $test_name eq "net_open") { $major_type_found = 1; return; } # startup if ( $test_name eq "net_printf") { $major_type_found = 1; return; } # startup if ( $test_name eq "net_write") { $major_type_found = 1; return; } # startup if ( $test_name eq "net_read") { $major_type_found = 1; return; } # startup if ( $test_name eq "net_close") { $major_type_found = 1; return; } # startup if ( $test_name eq "job_list_append") { $major_type_found = 1; return; } # startup } sub Decode_lpr { #V2.2 ## I think same dat as lp ## Solaris - sparc if ( $syslog_data->[0] eq "send_job") { if ( $syslog_data->[1] eq "failed") { ## one per print job with erro with error $lpr_failed_from_err[$host_index]+=$EVENT_TIMES; $host2_name = $syslog_data->[4]; ##name is (printer@host) if (($Posit=index($host2_name,'@')) > 0) { ## kill @host.. 
or trailing ) $printer_name = substr($host2_name,0,$Posit); $host2_name = substr($host2_name,$Posit+1); if (substr($host2_name,-1,1) eq ")" ) { chop($host2_name)} } else { $printer_name = $host2_name; $host_name=$machine; if (substr($printer_name,-1,1) eq ")" ) { chop($printer_name)} } if (substr($printer_name,0,1) eq "(" ) { $printer_name=substr($printer_name,1); } $printer_index = &Get_Table_Entry ($printer_name); ## entry into table of counters $lpr_printer_failed_err[$printer_index]+=$EVENT_TIMES; $host2_index = &Get_Table_Entry ($host2_name); ## entry into table of counters $lpr_failed_to_err[$host2_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "database:") { $major_type_found = 1; return; } if ( $syslog_data->[0] eq "stdin_to_file:") { $major_type_found = 1; return; } if (index($syslog_data->[0], '(') >= 0 ) { $sub_name=substr($syslog_data->[0],0,index($syslog_data->[0], '(') ); } if ( $sub_name eq "net_send_message" ) { $major_type_found = 1; return; } if ( $sub_name eq "job_create") { $lpr_jobs[$host_index]+=$EVENT_TIMES; $temp_printer = substr($syslog_data->[0],11); chop $temp_printer; $host2 = $syslog_data->[1]; if (substr($host2,-1,1) eq ":" || substr($host2,-1,1) eq ")") {chop ($host2) ;} ## need to chop both. if (substr($host2,-1,1) eq ":" || substr($host2,-1,1) eq ")") {chop ($host2) ;} ## need to chop both. 
$printer_index = &Get_Table_Entry ($temp_printer); ## entry into table of counters $lpr_to_printer[$printer_index]+=$EVENT_TIMES; $host2_index = &Get_Table_Entry ($host2); ## entry into table of counters $lpr_to_host[$host2_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT){ ## $host2_index = &Get_Table_Entry ($host2); $temp_key = join ("-",$host2,$temp_printer); add_list_out($temp_printer, $host_index, $EVENT_TIMES, \%lpr_host_vs_printer_table, $host2, $temp_printer); } $major_type_found = 1; return; } if ( $sub_name eq "_job_alloc_file" || $sub_name eq "_job_alloc_id" || $sub_name eq "_job_unlink_data_file" || $sub_name eq "get_lock" || $sub_name eq "job_add_data_file" || $sub_name eq "job_destroy" || $sub_name eq "job_free" || $sub_name eq "job_list_append" || $sub_name eq "job_primative" || $sub_name eq "job_retrieve" || $sub_name eq "job_store" || $sub_name eq "main" || $sub_name eq "map_in_file" || $sub_name eq "net_close" || $sub_name eq "net_open" || $sub_name eq "net_read" || $sub_name eq "net_response" || $sub_name eq "net_send_file" || $sub_name eq "net_write" || $sub_name eq "null" || $sub_name eq "send_job" || $sub_name eq "sendfile" || $sub_name eq "write_buffer" ) { $major_type_found = 1; return; } } ## end of decode lpr sub Decode_rpcbind { ## ok, we care about mach-to-itself, outside-to-us ## Solaris - sparc if ( $syslog_data->[0] eq "rpcbind" ) { ##V2.1 if ($syslog_data->[1] eq "terminating" && $syslog_data->[2] eq "on" && $syslog_data->[3] eq "signal.") { $rpcbind_terminate[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "connect" ) { if ( $syslog_data->[1] eq "from") { use Socket; if ($syslog_data->[2] eq "127.0.0.1" || substr($syslog_data->[2],0,9) eq "loopback(" ) { $client_name = $syslog_rec->[3]; ##local by definition } else { $my_ipaddr = inet_aton($syslog_data->[2]); if ( ! 
($client_name = gethostbyaddr($my_ipaddr, AF_INET) ) ) { $client_name = $syslog_data->[2]; } } if ($client_name eq $syslog_rec->[3] || $client_name eq join(".",$syslog_rec->[3],$Def_Domain_name) || join(".",$client_name,$Def_Domain_name) eq $syslog_rec->[3] || $client_name eq $syslog_rec->[3] ) { ## connect back to self-ok $rpcbind_local[$host_index]+=$EVENT_TIMES; } else { ## oops. from other machines.. $rpcbind_foreign[$host_index]+=$EVENT_TIMES; } if (! $REAL_REAL_DETAILED_OUTPUT) { $major_type_found = 1; return;} if (substr($syslog_data->[2],0,9) eq "loopback(") { add_var_list_out( \%RPCbind_all_src_table, "loopback(..."); } else { add_var_list_out( \%RPCbind_all_src_table, $syslog_data->[2]); } if ($syslog_data->[2] eq "127.0.0.1" ) { add_var_list_out( \%RPCbind_127_table, $syslog_data->[$#$syslog_data]); $major_type_found = 1; return; } if (substr($syslog_data->[2],0,9) eq "loopback(" ) { add_var_list_out( \%RPCbind_loopback_table, $syslog_data->[$#$syslog_data]); $major_type_found = 1; return; } if ($client_name eq $syslog_rec->[3] || $client_name eq join(".",$syslog_rec->[3],$Def_Domain_name) || join(".",$client_name,$Def_Domain_name) eq $syslog_rec->[3] || $client_name eq $syslog_rec->[3] ) { ## connect back to self-ok add_var_list_out( \%RPCbind_me_table, $syslog_data->[$#$syslog_data]); $major_type_found = 1; return; } else { add_var_list_out( \%RPCbind_foreign_table, $syslog_data->[$#$syslog_data]); $major_type_found = 1; return; } } } } ## end of decode rpcbind sub Decode_raid { ## just list any raid record.. 
- Solaris specific ## Solaris - sparc if ( $syslog_data->[0] eq "AEN" && $syslog_data->[1] eq "event") { $raid_rec_cnt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( substr($syslog_data->[0],0,4) eq "ASC=" || substr($syslog_data->[0],0,6) eq "Sense=") { $major_type_found = 1; return; } } ## end of decode raid sub Decode_picld { ## just list any error daemon records - they probably are bad problems add_usual_list_out(\%picld_table, 0 ); $major_type_found = 1; return; } ## end of decode picld sub Decode_pseudo { ## ## Solaris - sparc list of pseudo devices if ( $syslog_data->[0] eq "pseudo-device:") { if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out(\%pseudo_dev_table, 0 ); } $major_type_found = 1; return; } } ## end of pseudo sub Decode_statd { #V2.4 ## not much to do ## Solaris - sparc if ($syslog_data->[0] eq "_svcauth_des:") { $major_type_found = 1; return; } if ($syslog_data->[4] eq "not" && $syslog_data->[5] eq "responding") { $statd_no_response[$host_index] +=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out( \%statd_table, 0 ); } $major_type_found = 1; return; } ## use no response column for cant talk to also.. 
if ($syslog_data->[1] eq "cannot" && $syslog_data->[2] eq "talk") { $statd_no_response[$host_index] +=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out( \%statd_table, (@key_list) ); } $major_type_found = 1; return; } } ## end of decode statd sub Decode_named_init { ## named daemon msgs - ## Solaris - sparc $decode_named_table{"bad"} = sub { if ( $syslog_data->[1] eq "referral" ){ $named_bad_referral[$host_index]+=$EVENT_TIMES; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%named_bad_referral, $#$syslog_data); } $major_type_found = 1; return; } }; $decode_named_table{"binding"} = sub {## binding TCP socket: address in use if ($syslog_data->[1] eq "TCP" && $syslog_data->[2] eq "socket:" && $syslog_data->[3] eq "address" && $syslog_data->[5] eq "use"){ $named_bind_socket_in_use[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"check-names"} = sub { if ( $syslog_data->[1] eq "warning" ){ ### ignore for now $named_check_names[$host_index]+=$EVENT_TIMES; $major_type_found = 1;return; } }; $decode_named_table{"check_hints:"} = sub { ## Detail errs sometime? 
$named_check_hints[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"Cleaned"} = sub { if ($syslog_data->[1] eq "cache" && $syslog_data->[4] eq "RRsets"){ ## $named_cleaned_cache_RRSETS[$host_index]+=$EVENT_TIMES; $named_cleaned_cache_RRSETS[$host_index]+=($EVENT_TIMES * $syslog_data->[3]) ; $major_type_found = 1; return; } }; $decode_named_table{"client"} = sub { if ( $syslog_data->[2] eq "bad" ){ if ( $syslog_data->[3] eq "zone" && $syslog_data->[4] eq "transfer" && $syslog_data->[5] eq "request:" ){ $named_client_bad_zone_xfer_req[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "error" ){ if ( $syslog_data->[3] eq "sending" && $syslog_data->[4] eq "response:" ){ $named_client_error_send[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "notify" ){ if ( $syslog_data->[3] eq "question" && $syslog_data->[4] eq "section" && $syslog_data->[6] eq "no" && $syslog_data->[7] eq "SOA" ){ $named_client_no_SOA[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "received" ){ if ( $syslog_data->[3] eq "notify" ){ $named_client_notify[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[7] eq "TSIG" ){ $named_client_notify_TSIG[$host_index]+=$EVENT_TIMES; } if ($syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "authoritative"){ $named_client_notify_err[$host_index]+=$EVENT_TIMES; if ($REAL_DETAILED_OUTPUT) { add_list_out($syslog_data->[6], $host_index, $EVENT_TIMES, \%named_not_our_zone_table, $syslog_data->[6]); } } $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "request" ){ if ( $syslog_data->[$#$syslog_data-3] eq "tsig" && $syslog_data->[$#$syslog_data-2] eq "verify" && $syslog_data->[$#$syslog_data-1] eq "failure" ){ $named_tsig_ver[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[0 .. 
$#$syslog_data]); if (index($key_list[1],"#") gt 0) { substr($key_list[1],index($key_list[1],"#"))=""; } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_tsig_table, (@key_list) ); } $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "transfer" ){ if ($syslog_data->[3] eq "timed" && $syslog_data->[4] eq "out") { $named_transfer_timed_out[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "timed" && $syslog_data->[$#$syslog_data] eq "out") { $named_transfer_timed_out[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "IXFR" && $syslog_data->[$#$syslog_data] eq "started") { ##V2.0 $named_transfer_ixfr_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "IXFR" && $syslog_data->[$#$syslog_data] eq "ended") { ##V2.0 $named_transfer_ixfr_end[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "IXFR" && $syslog_data->[$#$syslog_data-2] eq "started:" && $syslog_data->[$#$syslog_data-1] eq "TSIG") { ##V2.0 $named_transfer_ixfr_start[$host_index]+=$EVENT_TIMES; $named_transfer_ixfr_tsig_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "AXFR" && $syslog_data->[$#$syslog_data] eq "started") { ##V2.0 $named_transfer_axfr_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "AXFR" && $syslog_data->[$#$syslog_data-2] eq "started:" && $syslog_data->[$#$syslog_data-1] eq "TSIG") { ##V2.0 $named_transfer_axfr_start[$host_index]+=$EVENT_TIMES; $named_transfer_axfr_tsig_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "AXFR" && $syslog_data->[$#$syslog_data] eq "ended") { ##V2.0 $named_transfer_axfr_end[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } 
if ( $syslog_data->[2] eq "update" ){ ##V2.0 if ( $syslog_data->[4] eq "denied" ){ $named_client_update_denied[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[2] eq "updating" ){ if ( $syslog_data->[5] eq "update" && $syslog_data->[6] eq "unsuccessful:" ){ if ( $syslog_data->[$#$syslog_data] eq "(NXRRSET)") { $named_client_update_unsuc_NXRRSET[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data] eq "(YXRRSET)") { $named_client_update_unsuc_YXRRSET[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } } if ( $syslog_data->[2] eq "zone" ){ if ( $syslog_data->[3] eq "transfer" && $syslog_data->[$#$syslog_data] eq "denied" ){ ##V2.0 $named_client_zone_xfer_denied[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } }; $decode_named_table{"command"} = sub {## startup line - ignore if ($syslog_data->[1] eq "channel" && $syslog_data->[2] eq "listening"){ $named_OK_open_cmd_channel[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"couldn't"} = sub { ##V2.1 if ($syslog_data->[1] eq "add" && $syslog_data->[2] eq "command" && $syslog_data->[3] eq "channel"){ ##V2.1 $named_no_open_cmd_channel[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"denied"} = sub { if ( $syslog_data->[1] eq "query" && $syslog_data->[2] eq "from" ){ $named_denied_query[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) { $this_key=join("-",$syslog_data->[5],$syslog_data->[6]); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_denied_table, $syslog_data->[5], $syslog_data->[6]); } $major_type_found = 1; return; } if ( $syslog_data->[1] eq "AXFR" && $syslog_data->[2] eq "from" ){ $named_denied_axfr[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[5 .. 
$#$syslog_data]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_denied_axfr_table, (@key_list) ); } $major_type_found = 1; return; } if ( $syslog_data->[1] eq "IXFR" && $syslog_data->[2] eq "from" ){ ##Umm. I assume ixfr is simliar to axfr $named_denied_ixfr[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[5 .. $#$syslog_data]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_denied_ixfr_table, (@key_list) ); } $major_type_found = 1; return; } }; $decode_named_table{"dispatch"} = sub { ##V2.1 if ( $syslog_data->[2] eq "shutting" && $syslog_data->[3] eq "down" && $syslog_data->[6] eq "TCP" && $syslog_data->[7] eq "receive" && $syslog_data->[8] eq "error:"){ $named_dispatch_rec_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"dns_master_load:"} = sub { ## add under other master file errs... $named_file_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"dns_rdata_fromtext:"} = sub { ##V2.1 $named_file_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"enforced"} = sub { ##V2.1 if ( $syslog_data->[1] eq "delegation-only" && $syslog_data->[2] eq "for"){ ##V2.1 $named_enforce_delegate_only[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"exiting"} = sub { ##V2.3 $named_exiting[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"extra"} = sub { ##V2.1 if ( $syslog_data->[1] eq "data" && $syslog_data->[2] eq "in" && $syslog_data->[3] eq "root" && $syslog_data->[4] eq "hints"){ ##V2.1 $named_extra_dat_root_hints[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"found" } = sub {# found 1 CPU, using 1 worker thread if ($syslog_data->[2] eq "CPU,"){ $major_type_found = 1; return; } }; $decode_named_table{"Forwarding"} = sub {##V2.1 if ( 
$syslog_data->[1] eq "source" && $syslog_data->[2] eq "address") { $major_type_found = 1; return; } }; $decode_named_table{"freezing"} = sub { if ( $syslog_data->[1] eq "zone" ){ if ( $syslog_data->[$#$syslog_data] eq "success" ){ $named_freeze_ok[$host_index]+=$EVENT_TIMES; } else { $named_freeze_notok[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } }; $decode_named_table{"hint"} = sub {##V2.1 if ( $syslog_data->[1] eq "zone" && $syslog_data->[4] eq "loaded" ) { $major_type_found = 1; return; } }; $decode_named_table{"in.named"} = sub {##V2.3 solaris type if ($syslog_data->[1] eq "is" && $syslog_data->[2] eq "Obsolete." ){ $major_type_found = 1; return; } }; $decode_named_table{"instance"} = sub {##V2.3 solaris type $major_type_found = 1; return; }; $decode_named_table{"invalid"} = sub {##V2.3 solaris type if ( $syslog_data->[1] eq "RR" && $syslog_data->[2] eq "type") { $named_invalid_rr_type[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) {add_usual_list_out ( \%named_resolving_table, 0) ; } else { if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[0 .. 
3]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_resolving_table, (@key_list)); } } } $major_type_found = 1; return; }; $decode_named_table{"journal"} = sub { ##V2.0 if ($syslog_data->[3] eq "does" && $syslog_data->[4] eq "not" && $syslog_data->[5] eq "exist,"){ $major_type_found = 1; return; } }; $decode_named_table{"Lame" } = sub {# needs upper and lower case if ( $syslog_data->[1] eq "server" and $syslog_data->[2] eq "on" ){ $named_lame_server[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"late"} = sub {## late CNAME in answer section if ($syslog_data->[1] eq "CNAME" && $syslog_data->[3] eq "answer" && $syslog_data->[4] eq "section"){ $named_late_cname_answer[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"listening"} = sub {## listening on IPv4 interface lo0 if ($syslog_data->[1] eq "on"){ $major_type_found = 1; return; } }; $decode_named_table{"loading"} = sub { if ( $syslog_data->[1] eq "configuration" ){ $named_load_config[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"Malformed"} = sub { if ( $syslog_data->[1] eq "response" ){ $named_malformed_response[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"master"} = sub {##V2.1 if ( $syslog_data->[1] eq "zone" && $syslog_data->[4] eq "loaded") { $major_type_found = 1; return; } }; $decode_named_table{"named"} = sub { ## ignore shutdown msg if ( $syslog_data->[1] eq "shutting" && $syslog_data->[2] eq "down") { $major_type_found = 1; return; } }; $decode_named_table{"No"} = sub {## ignore shutdown msg if ( $syslog_data->[1] eq "root" && $syslog_data->[2] eq "nameservers") { $named_no_root_servers[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"no"} = sub {## ignore shutdown msg if ( $syslog_data->[1] eq "longer" && $syslog_data->[2] eq "listening") { $major_type_found = 1; return; } 
}; $decode_named_table{"ns_forw:"} = sub { ##V2.1 if (substr($syslog_data->[1],0,5) eq "query" ){ if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out (\%named_ns_forw_resp_table, 0); } else { $i_end = $#$syslog_data; for ($i=2; $i <= $#$syslog_data; $i++) { if ( substr($syslog_data->[$i],0,1) eq "(" ){ $i_end= $i-1; last; } } (@key_list) = (@{$syslog_data}[0, 2 .. $i_end]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_ns_forw_resp_table, (@key_list)); } $major_type_found = 1; return; } }; $decode_named_table{"ns_resp:" } = sub { ##V2.3 if (substr($syslog_data->[1],0,5) eq "query" ){ if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out (\%named_ns_forw_resp_table, 0); } else { $i_end = $#$syslog_data; for ($i=2; $i <= $#$syslog_data; $i++) { if ( substr($syslog_data->[$i],0,1) eq "(" ){ $i_end= $i-1; last; } } (@key_list) = (@{$syslog_data}[0, 2 .. $i_end]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_ns_forw_resp_table, (@key_list)); } $major_type_found = 1; return; } }; $decode_named_table{"rcvd"} = sub {##V2.1 if ( $syslog_data->[1] eq "NOTIFY" && $syslog_data->[2] eq "for" && $syslog_data->[4] eq "name" && $syslog_data->[5] eq "not" && $syslog_data->[8] eq "our" && $syslog_data->[9] eq "zones") { $named_client_notify_err[$host_index]+=$EVENT_TIMES; if ($REAL_DETAILED_OUTPUT) { add_var_list_out( \%named_not_our_zone_table, $syslog_data->[3]); } $major_type_found = 1; return; } if ( substr($syslog_data->[1],0,7) eq 'NOTIFY(' ) { $named_client_notify[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"Ready"} = sub {##V2.1 if ( $syslog_data->[2] eq "answer" && $syslog_data->[3] eq "queries.") { $major_type_found = 1; return; } }; $decode_named_table{"reloading"} = sub {## veri 8 vs 9 if ( $syslog_data->[1] eq "nameserver" ){ $named_load_config[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; 
$decode_named_table{"Response"} = sub { if ($syslog_data->[1] eq "from" && $syslog_data->[2] eq "unexpected" && $syslog_data->[3] eq "source" ){ $named_unexp_source[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"retry:" } = sub {# or is it just retry if (substr($syslog_data->[1],0,5) eq "query" ){ if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out (\%named_ns_forw_resp_table, 0); } else { $i_end = $#$syslog_data; for ($i=2; $i <= $#$syslog_data; $i++) { if ( substr($syslog_data->[$i],0,1) eq "(" ){ $i_end= $i-1; last; } } (@key_list) = (@{$syslog_data}[0, 2 .. $i_end]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_ns_forw_resp_table, (@key_list)); } $major_type_found = 1; return; } }; $decode_named_table{"running"} = sub {## first rec produced by named $named_running[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"shutting"} = sub { ## ignore shutdown msg if ( $syslog_data->[1] eq "down") { $major_type_found = 1; return; } }; $decode_named_table{"starting"} = sub {## first rec produced by named $named_starts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"starting."} = sub {##stupid period from bind 8 $named_starts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; }; $decode_named_table{"stopping"} = sub {$major_type_found = 1; return; }; ## ignore shutdown msg $decode_named_table{"sysquery:"} = sub {## or is it just retry if (substr($syslog_data->[1],0,5) eq "query" ){ if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out (\%named_ns_forw_resp_table, 0); } else { $i_end = $#$syslog_data; for ($i=2; $i <= $#$syslog_data; $i++) { if ( substr($syslog_data->[$i],0,1) eq "(" ){ $i_end= $i-1; last; } } (@key_list) = (@{$syslog_data}[0, 2 .. 
$i_end]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%named_ns_forw_resp_table, (@key_list)); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "findns" && $syslog_data->[2] eq "error") { ##V2.3 $named_findns_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"transfer"} = sub { if ($syslog_data->[$#$syslog_data-4] eq "failed" && $syslog_data->[$#$syslog_data-3] eq "to" && $syslog_data->[$#$syslog_data-2] eq "connect:" ){ $named_transfer_failed_conn[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-2] eq "end" && $syslog_data->[$#$syslog_data-1] eq "of" && $syslog_data->[$#$syslog_data] eq "transfer") { $named_transfer_ended[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[5] eq "connected" && $syslog_data->[6] eq "using") { ##V2.0 $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-7] eq "failed" && $syslog_data->[$#$syslog_data-6] eq "while" && $syslog_data->[$#$syslog_data-5] eq "receiving" && $syslog_data->[$#$syslog_data-4] eq "responses:" && $syslog_data->[$#$syslog_data-3] eq "CNAME") { ##V2.0 $named_transfer_failed_CNAME[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-6] eq "failed" && $syslog_data->[$#$syslog_data-5] eq "while" && $syslog_data->[$#$syslog_data-4] eq "receiving" && $syslog_data->[$#$syslog_data-3] eq "responses:" && $syslog_data->[$#$syslog_data-2] eq "end" && $syslog_data->[$#$syslog_data] eq "file") { $named_transfer_failed_EOF[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-5] eq "failed" && $syslog_data->[$#$syslog_data-4] eq "while" && $syslog_data->[$#$syslog_data-3] eq "receiving" && $syslog_data->[$#$syslog_data-2] eq "responses:" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "exact") { 
$named_transfer_failed_not_exact[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-4] eq "failed" && $syslog_data->[$#$syslog_data-3] eq "while" && $syslog_data->[$#$syslog_data-2] eq "receiving" && $syslog_data->[$#$syslog_data-1] eq "responses:" && $syslog_data->[$#$syslog_data] eq "NXDOMAIN" ) { $named_transfer_failed_NXDOMAIN[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data] eq "REFUSED") { ##V2.0 $named_transfer_REFUSED[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data] eq "resetting") { ##V2.0 $named_transfer_resetting[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ## multiple types of socket not conn failures if ($syslog_data->[$#$syslog_data-2] eq "socket" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "connected") { ##V2.0 $named_transfer_sock_not_conn[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "socket" && $syslog_data->[$#$syslog_data-2] eq "is" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "connected") { ##V2.0 $named_transfer_sock_not_conn[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "shut" && $syslog_data->[$#$syslog_data-2] eq "down:" && $syslog_data->[$#$syslog_data-1] eq "operation" && $syslog_data->[$#$syslog_data] eq "canceled") { ##V2.0 $named_transfer_cancelled[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-1] eq "unexpected" && $syslog_data->[$#$syslog_data] eq "error") { $named_transfer_unexpected_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"TTL"} = sub { if ($syslog_data->[1] eq "differs"){ $major_type_found = 1; return; } }; $decode_named_table{"unfreezing"} = sub { if ( $syslog_data->[1] eq "zone" ){ if ( 
$syslog_data->[$#$syslog_data] eq "success" ){ $named_unfreeze_ok[$host_index]+=$EVENT_TIMES; } else { $named_unfreeze_notok[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } }; $decode_named_table{"unknown"} = sub { if ( $syslog_data->[1] eq "control" && $syslog_data->[3] eq "command" ){ $named_unknown_control_cmd[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_var_list_out( \%named_unk_cmd_table, $syslog_data->[$#$syslog_data]); } } $major_type_found = 1; return; }; $decode_named_table{"unrelated"} = sub {# unrelated additional info if ($syslog_data->[1] eq "additional" ){ $named_unrelated_additional[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"update"} = sub {# update with no effect if ($syslog_data->[1] eq "with" && $syslog_data->[2] eq "no" && $syslog_data->[3] eq "effect" ){ $named_update_no_effect[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"using"} = sub {# startup msg if ($syslog_data->[2] eq "CPU" ){ $major_type_found = 1; return; } }; $decode_named_table{"wrong"} = sub {# unrelated additional info if ($syslog_data->[1] eq "ans." 
){ $named_wrong_ans[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"zone"} = sub { if ($syslog_data->[2] eq "allows" && $syslog_data->[3] eq "updates" && $syslog_data->[4] eq "by" && $syslog_data->[5] eq "IP") { ##V2.1 $named_allows_update_by_ip[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "expired" ) { ##V2.1 $named_zone_expired[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "loading" && $syslog_data->[3] eq "master" && $syslog_data->[4] eq "file" && $syslog_data->[6] eq "unknown" && $syslog_data->[7] eq "class/type"){ ##V2.1 $named_load_unknown_class[$host_index]+=$EVENT_TIMES; ## from disk $major_type_found = 1; return; } if ($syslog_data->[2] eq "loading" && $syslog_data->[3] eq "master" && $syslog_data->[4] eq "file") { ##V2.1 $named_file_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "bad" && $syslog_data->[$#$syslog_data-2] eq "owner" && $syslog_data->[$#$syslog_data-1] eq "name") { ##V2.1 $named_bad_owner_name[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-2] eq "bad" && $syslog_data->[$#$syslog_data-1] eq "name") { ##V2.0 $named_zone_contains_bad_name[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[4] eq "deferred" && $syslog_data->[5] eq "due" && $syslog_data->[6] eq "to" && $syslog_data->[7] eq "quota") { ##V2.0 $named_transfer_deferred_quota[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "loaded" && $syslog_data->[3] eq "serial" ){ ## (SERVFAIL), etc $named_loaded_zone_file[$host_index]+=$EVENT_TIMES; ## from disk $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "failure" && $syslog_data->[4] eq "trying") { $named_refresh_from_master_fail[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if 
($syslog_data->[$#$syslog_data-5] eq "refresh" && $syslog_data->[$#$syslog_data-4] eq "in" && $syslog_data->[$#$syslog_data-3] eq "progress," && $syslog_data->[$#$syslog_data-2] eq "refresh" && $syslog_data->[$#$syslog_data-1] eq "check" && $syslog_data->[$#$syslog_data] eq "queued") { ##V2.0 $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "retry" && $syslog_data->[4] eq "limit") { $named_retry_limit[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "NODATA" && $syslog_data->[4] eq "response" && $syslog_data->[5] eq "from" && $syslog_data->[6] eq "master") { $named_refresh_nodata[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "non-authoritative" && $syslog_data->[4] eq "answer" && $syslog_data->[5] eq "from" && $syslog_data->[6] eq "master") { ##V2.1 $named_refresh_non_author[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "unexpected" && $syslog_data->[4] eq "rcode" ) { ##V2.1 $named_refresh_bad_rcode[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "refresh:" && $syslog_data->[3] eq "CNAME") { $named_refresh_cname_problem[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "refused" && $syslog_data->[3] eq "notify" ){ $named_zone_non_master[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "saved" && $syslog_data->[4] eq "as") { ## $named_file_saved_as[$host_index]+=$EVENT_TIMES; #msg saying we saved bad data as.... 
$major_type_found = 1; return; } if ($syslog_data->[2] eq "serial" && $syslog_data->[3] eq "number" && $syslog_data->[6] eq "from" && $syslog_data->[7] eq "master" && $syslog_data->[9] eq "<") { $named_zone_serial_no_lt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "sending" && $syslog_data->[3] eq "notifies") { $major_type_found = 1; return; } if ($syslog_data->[2] eq "Transfer" && $syslog_data->[3] eq "started.") { $named_transfer_started[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[2] eq "transferred" && $syslog_data->[3] eq "serial") { $named_transfer_done[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ## hmm.. unused as far as I can tell... oops # if ($syslog_data->[2] eq "unexpected" && $syslog_data->[3] eq "rcode" ){ ## (SERVFAIL), etc # $named_zone_unexp_rcode_refused[$host_index]+=$EVENT_TIMES; # $major_type_found = 1; # return; # } if ($syslog_data->[$#$syslog_data-4] eq "zone" && $syslog_data->[$#$syslog_data-3] eq "is" && $syslog_data->[$#$syslog_data-2] eq "up" && $syslog_data->[$#$syslog_data-1] eq "to" && $syslog_data->[$#$syslog_data] eq "date") { $named_zone_up_to_date[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_named_table{"Zone"} = sub { ##V2.1 (bind 8) if ($syslog_data->[4] eq "No" && $syslog_data->[5] eq "default" && $syslog_data->[6] eq "TTL") { $named_file_no_ttl[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; ## special sections about statistics records. I put these here, just becuase all 3 need special ## decoding for summaries. $decode_named_table{"USAGE"} = sub { $major_type_found = 1; return; }; ## just cpu times, I believe - ho hum $decode_named_table{"XSTATS"} = sub {## multiplple keywd=value items on each line is a pain ## use double index to find which table to put stuff... 
$NAMED_XSTAT_found=1; ## we have ANY records at all (speed up output) $this_end = $syslog_data->[1]; $this_start = $syslog_data->[2]; if ( $this_start ne $XSTAT_START[$host_index] || $this_end < $XSTAT_END[$host_index]) { ## new XSTAT batch if ($XSTAT_rec_cnt[$host_index] > 1 ) { ## have old batch. save first for ($k=1; $k<=$XSTAT_FIELD_cnt; $k++) { $this_key = join ("-",$host_index, $XSTAT_FIELD_name_index[$k]); add_list_out($XSTAT_FIELD_name_index[$k], $host_index, $XSTAT_end{$this_key} - $XSTAT_begin{$this_key}, \%XSTAT_detail_table, $XSTAT_FIELD_name_index[$k]); $XSTAT_begin{$this_key} = 0; $XSTAT_end{$this_key} = 0; } } for ($i=3; $i <= $#$syslog_data; $i++) { $eq_ptr = index($syslog_data->[$i],'='); if ($eq_ptr > 0){ $this_field_name = substr($syslog_data->[$i],0,$eq_ptr); if ($XSTAT_FIELD{$this_field_name} < 1) { ## keep fields names in order for output $XSTAT_FIELD_cnt++; ## only need to check on new set of recs. $XSTAT_FIELD{$this_field_name}=$XSTAT_FIELD_cnt; $XSTAT_FIELD_name_index[$XSTAT_FIELD_cnt]=$this_field_name; } $this_key=join('-', $host_index, $this_field_name); $XSTAT_begin{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); $XSTAT_end{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); } } $XSTAT_rec_cnt[$host_index] = 1; $XSTAT_START[$host_index] = $this_start; $XSTAT_END[$host_index] = $this_end; } else { ## just another incremental rec from start of named. $XSTAT_rec_cnt[$host_index]++; ## we have nother rec for this machine in this group for ($i=3; $i <= $#$syslog_data; $i++) { $eq_ptr = index($syslog_data->[$i],'='); if ($eq_ptr > 0){ $this_field_name = substr($syslog_data->[$i],0,$eq_ptr); $this_key=join('-', $host_index, $this_field_name); $XSTAT_end{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); } } } $major_type_found = 1; return; }; ## end of XSTAT recs $decode_named_table{"NSTATS"} = sub {## multiplple keywd=value items on each line is a pain ## use double index to find which table to put stuff... 
$NAMED_NSTAT_found=1; ## we have ANY records at all (speed up output) $NSTAT_rec_cnt[$host_index]++; ## we have any records for THIS machine at all... $this_end = $syslog_data->[1]; $this_start = $syslog_data->[2]; if ($this_start ne $NSTAT_START[$host_index] || $this_end < $NSTAT_END[$host_index]) { ## new if ($NSTAT_rec_cnt[$host_index] > 1 ) { ## have old batch. save first for ($k=1; $k<=$NSTAT_FIELD_cnt; $k++) { $this_key = join ("-",$host_index, $NSTAT_FIELD_name_index[$k]); add_list_out($NSTAT_FIELD_name_index[$k], $host_index, $NSTAT_end{$this_key} - $NSTAT_begin{$this_key}, \%NSTAT_detail_table, $NSTAT_FIELD_name_index[$k]); $NSTAT_begin{$this_key} = 0; $NSTAT_end{$this_key} = 0; } } for ($i=3; $i <= $#$syslog_data; $i++) { $eq_ptr = index($syslog_data->[$i],'='); if ($eq_ptr > 0){ $this_field_name = substr($syslog_data->[$i],0,$eq_ptr); if ($NSTAT_FIELD{$this_field_name} < 1) { ## keep fields names in order for output $NSTAT_FIELD_cnt++; ## only need to check on new set of recs. $NSTAT_FIELD{$this_field_name}=$NSTAT_FIELD_cnt; $NSTAT_FIELD_name_index[$NSTAT_FIELD_cnt]=$this_field_name; } $this_key=join('-', $host_index, $this_field_name); $NSTAT_begin{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); $NSTAT_end{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); } } $NSTAT_rec_cnt[$host_index] = 1; $NSTAT_START[$host_index] = $this_start; $NSTAT_END[$host_index] = $this_end; } else { ## just another incremental rec from start of named. 
$NTAT_rec_cnt[$host_index]++; ## we have nother rec for this machine in this group for ($i=3; $i <= $#$syslog_data; $i++) { $eq_ptr = index($syslog_data->[$i],'='); if ($eq_ptr > 0){ $this_field_name = substr($syslog_data->[$i],0,$eq_ptr); $this_key=join('-', $host_index, $this_field_name); $NSTAT_end{$this_key}= substr($syslog_data->[$i],$eq_ptr+1); } } } $major_type_found = 1; return; }; ## end of NSTAT recs } ## end of decode named init sub Decode_named_resolving_1 { ## Solaris - sparc if ($DETAILED_OUTPUT) { add_var_list_out( \%named_resolving_table, $syslog_data->[0]); } $named_resolving_err[$host_index] +=$EVENT_TIMES; $major_type_found = 1; return; } sub Decode_named_resolving_2 { ## Solaris - sparc $resolve_key=join("-",$syslog_data->[0],$syslog_data->[1]); if ($DETAILED_OUTPUT) { add_list_out($resolve_key, $host_index, $EVENT_TIMES, \%named_resolving_table, $syslog_data->[0],$syslog_data->[1]); } $named_resolving_err[$host_index] +=$EVENT_TIMES; $major_type_found = 1; return; } sub Decode_named_resolving_3 { ## Solaris - sparc $resolve_key=join("-",$syslog_data->[0],$syslog_data->[1],$syslog_data->[2]); if ($DETAILED_OUTPUT) { add_list_out($resolve_key, $host_index, $EVENT_TIMES, \%named_resolving_table, $syslog_data->[0],$syslog_data->[1],$syslog_data->[2]); } $named_resolving_err[$host_index] +=$EVENT_TIMES; $major_type_found = 1; return; } sub Decode_named_resolving_4 { ## Solaris - sparc $resolve_key=join("-",$syslog_data->[0],$syslog_data->[1],$syslog_data->[2],$syslog_data->[3]); if ($DETAILED_OUTPUT) { add_list_out($resolve_key, $host_index, $EVENT_TIMES, \%named_resolving_table, $syslog_data->[0],$syslog_data->[1],$syslog_data->[2],$syslog_data->[3]); } $named_resolving_err[$host_index] +=$EVENT_TIMES; $major_type_found = 1; return; } sub Decode_named { ## named daemon msgs - ## Solaris - sparc if (defined $decode_named_table{$syslog_data->[0]}) { &{$decode_named_table{$syslog_data->[0]}}(); return if $major_type_found } ## grab resolving when we 
can, as there might be 1-4 fields first if ($syslog_data->[1] eq "resolving") {Decode_named_resolving_1(); } if ($syslog_data->[2] eq "resolving") {Decode_named_resolving_2(); } if ($syslog_data->[3] eq "resolving") {Decode_named_resolving_3(); } if ($syslog_data->[4] eq "resolving") {Decode_named_resolving_4(); } # some entries have file name as field 0... if ($syslog_data->[1] eq "no" && $syslog_data->[2] eq "TTL" && $syslog_data->[3] eq "specified;") { ##V2.1 $named_file_no_ttl[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "option" ) { ##V2.3 $named_option_errs[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_list_out($syslog_data->[2], $host_index, $EVENT_TIMES, \%named_opt_err_table, $syslog_data->[2],$syslog_data->[3]); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "SOA" && $syslog_data->[2] eq "record" && $syslog_data->[3] eq "not" && $syslog_data->[4] eq "at" && $syslog_data->[5] eq "top") { ##V2.1 $named_SOA_not_at_top[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "unknown" && $syslog_data->[2] eq "RR" && $syslog_data->[3] eq "type") { ##V2.1 $named_unknown_RR_type[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "decimal" && $syslog_data->[2] eq "serial" && $syslog_data->[3] eq "number" && $syslog_data->[4] eq "interpreted") { ##V2.1 $major_type_found = 1; return; } if ($syslog_data->[2] eq "points" && $syslog_data->[3] eq "to" && $syslog_data->[5] eq "CNAME") { ##V2.0 $major_type_found = 1; return; } if ($syslog_data->[3] eq "points" && $syslog_data->[4] eq "to" && $syslog_data->[6] eq "CNAME") { ##V2.0 $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-2] eq "bad" && $syslog_data->[$#$syslog_data-1] eq "name") { ##V2.1 $named_file_bad_name[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-3] eq "bad" && $syslog_data->[$#$syslog_data-2] eq "owner" && 
$syslog_data->[$#$syslog_data-1] eq "name") { ##V2.1 $named_file_bad_owner_name[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-2] eq "file" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "found" ) { add_var_list_out( \%named_file_not_found_table, $syslog_data->[$#$syslog_data-3] ) ; $major_type_found = 1; return; } if ($syslog_data->[$#$syslog_data-2] eq "Connection" && $syslog_data->[$#$syslog_data-1] eq "timed" && $syslog_data->[$#$syslog_data] eq "out") { ##V2.1 $named_conn_timed_out[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } return; } ## end of decode named sub Decode_identd { ## Solaris - sparc if ($syslog_data->[0] eq "connect") {$ident_connect[$host_index]+=$EVENT_TIMES ; $major_type_found = 1; return; } if ($syslog_data->[0] eq "s_getpeername(0):") { ## name/ip mismatch if ($syslog_data->[$#$syslog_data-4] eq "Transport" && $syslog_data->[$#$syslog_data-3] eq "endpoint" && $syslog_data->[$#$syslog_data-1] eq "not" && $syslog_data->[$#$syslog_data] eq "connected") { ##V2.0 $ident_endpoint_not_conn[$host_index]+=$EVENT_TIMES ; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "k_getuid:") { if ($syslog_data->[2] eq "hash" && $syslog_data->[3] eq "miss") { $ident_hass_miss[$host_index]+=$EVENT_TIMES ; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "kvm_open:") { $ident_kvm_open[$host_index]+=$EVENT_TIMES ; $major_type_found = 1; return; } if ($syslog_data->[0] eq "refused") { if ($syslog_data->[1] eq "connect") { $ident_conn_refused[$host_index]+=$EVENT_TIMES ; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "reply") { if ($syslog_data->[7] eq "ERROR:") { $ident_reply_err[$host_index]+=$EVENT_TIMES ; } else { $ident_reply[$host_index]+=$EVENT_TIMES ; } $major_type_found = 1; return; } if ($syslog_data->[0] eq "request_thread:") { ## name/ip mismatch if ($syslog_data->[$#$syslog_data-3] eq "Connection" && 
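$syslog_data->[$#$syslog_data-2] eq "reset" &&
            $syslog_data->[$#$syslog_data-1] eq "by" &&
            $syslog_data->[$#$syslog_data] eq "peer") { ##V2.0
            $ident_conn_reset[$host_index]+=$EVENT_TIMES ;
            $major_type_found = 1;
            return;
        }
    }
    if ($syslog_data->[0] eq "started") {
        $ident_started[$host_index]+=$EVENT_TIMES ;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "terminating") {
        $ident_terminating[$host_index]+=$EVENT_TIMES ;
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "warning:") {
        ## "warning: host ..." and "can't verify hostname:" are both lumped
        ## into the DNS-error counter (forward/reverse lookup disagreement).
        if ($syslog_data->[1] eq 'host') {
            $ident_dns_err[$host_index]+=$EVENT_TIMES ;
            $major_type_found = 1;
            return;
        }
        ## name/ip mismatch
        if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" &&
            $syslog_data->[3] eq "hostname:") {
            $ident_dns_err[$host_index]+=$EVENT_TIMES ;
            $major_type_found = 1;
            return;
        }
        if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "get" &&
            $syslog_data->[3] eq "client" && $syslog_data->[4] eq "address:" &&
            $syslog_data->[5] eq "Connection" && $syslog_data->[6] eq "reset" &&
            $syslog_data->[7] eq "by" && $syslog_data->[8] eq "peer") {
            $ident_conn_reset[$host_index]+=$EVENT_TIMES ;
            $major_type_found = 1;
            return;
        }
    }
} ## end of Decode_identd

## Extract the host named in field 2 of a tidentd "Reply:" / "Error:" record
## for the -DD per-host tables: strip a leading "host=" tag and a trailing
## comma.  Shared by both branches of Decode_tidentd below.
##
## Bug fixed here: the original tested the tag against the misspelled global
## $syslot_data (never assigned, so always undef under this file's non-strict
## setting).  The "host=" branch could therefore never match and the detail
## tables were keyed on "host=foo," instead of "foo".
sub _tident_host_field {
    my ($field) = @_;
    my $host = (substr($field,0,5) eq "host=") ? substr($field,5) : $field;
    if (substr($host,-1,1) eq ",") { chop ($host); }
    return $host;
}

sub Decode_tidentd { ## identd test program. Name as per name in code
## Solaris - sparc
## Records come in exactly two shapes: "Reply: ..." (a lookup was answered)
## and "Error: ..." (a lookup failed).  Each bumps its per-host counter; with
## -DD the querying host (field 2) is also tallied in a detail table.
    if ($syslog_data->[0] eq "Reply:") {
        $tident_reply[$host_index]+=$EVENT_TIMES ;
        if ($REAL_DETAILED_OUTPUT) {
            $local_host = _tident_host_field($syslog_data->[2]);
            add_var_list_out( \%tident_access_table, $local_host);
        }
        $major_type_found = 1;
        return;
    }
    if ($syslog_data->[0] eq "Error:") { ## SHOULD only be reply and error..
        $tident_errors[$host_index]+=$EVENT_TIMES ;
        if ($REAL_DETAILED_OUTPUT) {
            $local_host = _tident_host_field($syslog_data->[2]);
            add_var_list_out(\%tident_err_table, $local_host);
        }
        $major_type_found = 1;
        return;
    }
} ## end of Decode_tidentd

sub Decode_user2netname{ ##V2.0
## Solaris - sparc
## Only the "... is NIS+ installed?" complaint is recognized; it is counted
## nowhere, just marked as seen so it does not show up as an unknown record.
    if( $syslog_data->[$#$syslog_data-2] eq "is" &&
        $syslog_data->[$#$syslog_data-1] eq "NIS+" &&
        $syslog_data->[$#$syslog_data] eq "installed?" ) {
        $major_type_found = 1;
        return;
    }
} ## end of Decode_user2netname

sub Decode_dhcpagent {
## Solaris - sparc
## Two benign startup-type records are swallowed without being counted;
## anything else from dhcpagent falls through as unrecognized.
    if ( $syslog_data->[0] eq "PAM" && $syslog_data->[1] eq "stack" &&
         $syslog_data->[2] eq "before" && $syslog_data->[3] eq "pam_unix_auth" ) {
        $major_type_found = 1;
        return;
    }
    if ( $syslog_data->[0] eq "no" && $syslog_data->[1] eq "interfaces" &&
         $syslog_data->[2] eq "to" && $syslog_data->[3] eq "manage," ) {
        $major_type_found = 1;
        return;
    }
} ## end of Decode_dhcpagent

sub Decode_dtlogin { ##V2.2
## Solaris - sparc
## NOTE(review): "pam_unix_auth:" records (e.g. user not found) are
## deliberately discarded here on the assumption that the audit subsystem
## already captures the failed login -- confirm that assumption holds on
## hosts where auditing is not enabled, or these failures go unreported.
    if ( $syslog_data->[$#$syslog_data-3] eq "PAM" &&
         $syslog_data->[$#$syslog_data-2] eq "stack" &&
         $syslog_data->[$#$syslog_data-1] eq "before" &&
         $syslog_data->[$#$syslog_data] eq "pam_unix_auth" ) {
        $major_type_found = 1;
        return;
    }
    if ( $syslog_data->[0] eq "pam_unix_auth:") { ## say, user not found... but audit sys has it..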
$major_type_found = 1; return; } } ## end of Decode_dtlogin sub Decode_root { ## Solaris - sparc if ($syslog_data->[0] eq "**********" && $syslog_data->[1] eq "SYSTEM" ) { $major_type_found = 1; return; } if ($syslog_data->[0] eq "************" && $syslog_data->[1] eq "ACCT" ) { $major_type_found = 1; return; } if ($syslog_data->[0] eq "Soft" && $syslog_data->[1] eq "limit" && $syslog_data->[2] eq "exceeded" ) { if ($syslog_data->[3] eq "in" && $syslog_data->[4] eq "file") { $root_audit_file_limit_exceed[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[3] eq "on" && $syslog_data->[4] eq "all") { $root_audit_filesystems_limit_exceed[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "The" && $syslog_data->[1] eq "audit_warn" && $syslog_data->[2] eq "mail" && $syslog_data->[3] eq "alias" && $syslog_data->[5] eq "not") { $root_audit_alias_ndef[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of Decode_root sub Decode_nisd { ##v2.1 ## Solaris - sparc if ($syslog_data->[0] eq "_svcauth_des:") { if ($STUPID_OUTPUT) { add_usual_list_out(\%nisd_max_err_msg, 1); } if ($syslog_data->[1] eq "corrupted" && $syslog_data->[2] eq "window") { $nisd_corrupted_win[$host_index]++; $major_type_found = 1; return; } if ($syslog_data->[1] eq "invalid" && $syslog_data->[2] eq "timestamp") { $nisd_invalid_timestamp[$host_index]++; $major_type_found = 1; return; } if ($syslog_data->[1] eq "replayed" && $syslog_data->[2] eq "credential") { $nisd_replayed[$host_index]++; $major_type_found = 1; return; } if ($syslog_data->[1] eq "timestamp" && $syslog_data->[3] eq "earlier") { $nisd_early_timestamp[$host_index]++; $major_type_found = 1; return; } if ($syslog_data->[1] eq "timestamp" && $syslog_data->[2] eq "expired") { $nisd_expired_timestamp[$host_index]++; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "NIS+") { if ($syslog_data->[1] eq "service" && 
$syslog_data->[2] eq "started.") { $nisd_started[$host_index]++; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "RPC") { if ($syslog_data->[1] eq "ERROR") { $nisd_rpc_error[$host_index]++; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "nis_main:") { if ($syslog_data->[1] eq "next_refresh" ) { $major_type_found = 1; return; } } } ## end of Decode_nisd sub Decode_nisping { ##v2.1 ## Solaris - sparc if ($syslog_data->[0] eq "NIS+") { if ($syslog_data->[1] eq "server" && $syslog_data->[2] eq "could" && $syslog_data->[3] eq "not" && $syslog_data->[5] eq "contacted:" ) { $nisping_no_contact[$host_index]++; $major_type_found = 1; return; } } } ## end of Decode_nisping sub Decode_winlock { ##V2.1 ## Solaris - sparc if ($syslog_data->[0] eq "NOTICE:") { if ($syslog_data->[0] eq "NOTICE:" && $syslog_data->[1] eq "Process" && $syslog_data->[3] eq "timed" && $syslog_data->[4] eq "out" && $syslog_data->[6] eq "lock") { $winlock_timeout_cnt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } } ## end of Decode_winlock sub Decode_passwd { ##V2.2 ## Solaris - sparc if ($syslog_data->[0] eq "Couldn't" && $syslog_data->[1] eq "make" && $syslog_data->[3] eq "client" && $syslog_data->[4] eq "handle" && $syslog_data->[8] eq "daemon") { $passwd_handle_cnt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "passwdutil.so:" && $syslog_data->[1] eq "can't" && $syslog_data->[2] eq "get" && $syslog_data->[3] eq "master" && $syslog_data->[5] eq "passwd" && $syslog_data->[6] eq "map") { $passwd_nomaster_map_cnt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } ## end of Decode_passwd sub Decode_nscd { ##V2.4 ## Solaris - sparc if ($syslog_data->[0] eq "gethostbyaddr:" && $syslog_data->[2] eq "!="){ $nscd_name_ip_match[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "gethostans:" && $syslog_data->[2] eq "attempt" && $syslog_data->[4] eq "exploit" && $syslog_data->[5] eq 
"buffer" && $syslog_data->[6] eq "overflow"){ $nscd_buff_overflow_attempt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[2] eq "not" && $syslog_data->[3] eq "responding" ) { $nscd_server_not_responding[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "server" && $syslog_data->[2] eq "could" && $syslog_data->[3] eq "not" && $syslog_data->[5] eq "contacted:" ) { $nscd_server_not_responding[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } ## end of Decode_nscd sub Decode_tmpfs { ##V2.1 ## Solaris - sparc if ($syslog_data->[2] eq "File" && $syslog_data->[3] eq "system" && $syslog_data->[4] eq "full,"){ $tmpfs_file_sys_full[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { add_var_list_out(\%tmpfs_fs_full_table, $syslog_data->[1]);} $major_type_found = 1; return; } } ## end of Decode_tmpfs sub Decode_hsfs { ##V2.1 ## Solaris - sparc # NOTICE: hsfs: Warning: file system mounted on /cdrom/new if ($syslog_data->[0] eq "NOTICE:" && $syslog_data->[1] eq "hsfs:" && $syslog_data->[3] eq "file" && $syslog_data->[4] eq "system" && $syslog_data->[5] eq "mounted" ){ $hsfs_mounts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } $hsfs_msgs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; # file len greater than max allowed # if ($syslog_data->[0] eq "file" && $syslog_data->[1] eq "len" && # $syslog_data->[2] eq "greater" && $syslog_data->[4] eq "max"){ # $major_type_found = 1; # return; # } # Due to this error, the file system may not be correctly interpreted. # if ($syslog_data->[0] eq "Due" && $syslog_data->[3] eq "error," && # $syslog_data->[5] eq "file" && $syslog_data->[6] eq "system" && # $syslog_data->[10] eq "correctly" && $syslog_data->[11] eq "interpreted."){ # $major_type_found = 1; # return; # } # Other such errors in this file system will be silently ignored. 
# if ($syslog_data->[0] eq "Other" && $syslog_data->[1] eq "such" && # $syslog_data->[2] eq "errors" && $syslog_data->[10] eq "ignored."){ # $major_type_found = 1; # return; # } } ## end of Decode_hsfs sub Decode_pcfs { ##V2.1 ## Solaris - sparc # NOTICE: pcfs: FAT signature error # NOTICE: pcfs: illegal disk format if ($syslog_data->[0] eq "NOTICE:" && $syslog_data->[1] eq "pcfs:" ) { $pcfs_errs[$host_index]+=$EVENT_TIMES; if ($DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%pcfs_errs_table, (@key_list)); } $major_type_found = 1; return; } $pcfs_msgs[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } sub Decode_autofs { ##V2.1 ## Solaris - sparc if ($syslog_data->[0] eq "automountd" ) { if ($syslog_data->[1] eq "not" && $syslog_data->[2] eq "running,") { $autofs_no_mountd[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[1] eq "OK" ) { $autofs_mountd_OK[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } } ## end of Decode_autofs sub Decode_halt { #V2.2 ## halt command ## Solaris - sparc if ( $syslog_data->[0] eq "halted" && $syslog_data->[1] eq "by") { $halt_cmd_cnt[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[2] eq "root") { $halt_cmd_cnt_root[$host_index]+=$EVENT_TIMES; } else { $halt_cmd_cnt_other[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } return; } ## end of decode halt sub Decode_reboot { #V2.2 ## reboot command ## Solaris - sparc if ( $syslog_data->[0] eq "rebooted" && $syslog_data->[1] eq "by") { $reboot_cmd_cnt[$host_index]+=$EVENT_TIMES; if ( $syslog_data->[2] eq "root") { $reboot_cmd_cnt_root[$host_index]+=$EVENT_TIMES; } else { $reboot_cmd_cnt_other[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } return; } ## end of decode reboot sub Decode_syslogd { #V2.2 ## Solaris - sparc if ( $syslog_data->[0] eq "/dev/console:" && $syslog_data->[1] eq "I/O" && 
$syslog_data->[2] eq "error") { $syslogd_console_io_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "line" ) { ## err in config file $syslogd_config_file_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "configuration" && $syslog_data->[1] eq "restart" ) { $syslogd_restart[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "going" && $syslog_data->[1] eq "down" ) { $syslogd_going_down[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "No" && $syslog_data->[2] eq "space" && $syslog_data->[3] eq "left") { $syslogd_no_space[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[$#$syslog_data-1] eq "I/O" && $syslog_data->[$#$syslog_data] eq "error") { $syslogd_other_io_err[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT) { add_usual_list_out(\%syslogd_full_msg_table, 0); } $major_type_found = 1; return; } return; } ## end of decode syslogd sub Decode_swapgeneric { #V2.2 ## boot recc ## Solaris - sparc if ( $syslog_data->[0] eq "root" && $syslog_data->[1] eq "on") { $swapgeneric_mount[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } return; } ## end of decode swapgeneric sub Decode_rpc_nispasswdd { ## Solaris - sparc if ( $syslog_data->[0] eq "starting") { $rpc_nispasswdd_start[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "..." 
&& $syslog_data->[1] eq "exiting") { $rpc_nispasswdd_exit[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "cannot" && $syslog_data->[1] eq "get" && $syslog_data->[3] eq "list") { # cannot get a list of servers that serve - treat as cant reach server $rpc_nispasswdd_servers_unreach[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "cannot" && $syslog_data->[1] eq "reencrypt" && $syslog_data->[3] eq "creds") { # $rpc_nispasswdd_cannot_reencrypt_creds[$host_index]+=$EVENT_TIMES; if ( $DETAILED_OUTPUT) { add_var_list_out( \%rpc_nispasswd_bad_reencrypt_table, $syslog_data->[$#$syslog_data]);} $major_type_found = 1; return; } if ( $syslog_data->[0] eq "too" && $syslog_data->[1] eq "many" && $syslog_data->[2] eq "failed") { # $rpc_nispasswdd_too_many_fails[$host_index]+=$EVENT_TIMES; if ( $REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[5], $host_index, $EVENT_TIMES, \%nispasswdd_too_many_fails_table, $syslog_data->[5]); } $major_type_found = 1; return; } if ( $syslog_data->[1] eq "corrupted" && $syslog_data->[2] eq "window" ) { # $rpc_nispasswdd_corrupt_window[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "Error" && $syslog_data->[3] eq "RPC" && $syslog_data->[4] eq "subsystem.") { $rpc_nispasswdd_rpc_err[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "NIS+" && $syslog_data->[2] eq "servers" && $syslog_data->[3] eq "unreachable.") { $rpc_nispasswdd_servers_unreach[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } return; } ## end of decode rpc_nispasswdd sub Decode_dada { #V2.3 ## dada records (disk descriptions - ata) ## Solaris - sparc ## first, decode ata disk descriptor recs, then log other errs. 
## ## if ( $syslog_data->[$#$syslog_data-7] eq "cyl" || $syslog_data->[$#$syslog_data-5] eq "alt" || $syslog_data->[$#$syslog_data-3] eq "hd"|| $syslog_data->[$#$syslog_data-1] eq "sec") { if ($REAL_DETAILED_OUTPUT ) { $dadakey = substr($syslog_data->[0],1); for ($i=1;$i<$#$syslog_data-7; $i++) { $dadakey = join(" ", $dadakey, $syslog_data->[$i]); } $dada_hdr1 = join("",$syslog_data->[$#$syslog_data-7],"=",$syslog_data->[$#$syslog_data-6]); $dada_hdr2 = join("",$syslog_data->[$#$syslog_data-3],"=",$syslog_data->[$#$syslog_data-2], " ",$syslog_data->[$#$syslog_data-1],"=", substr($syslog_data->[$#$syslg_data],0,length($syslog_data->[$#$syslg_data]-1))); add_list_out($dadakey, $host_index, $EVENT_TIMES, \%dada_detail_table, $dadakey, $dada_hdr1, $dada_hdr2); } $major_type_found = 1; return; } if ($syslog_data->[0] eq "Warning:" || $syslog_data->[0] eq "WARNING:" ) { if ( substr($syslog_data->[1],0,1) eq "/") { ## actually a device path suchy as /pci@1.... $dada_ata_errs[$host_index]+=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%dada_err_msg_table,0);} else { if ($DETAILED_OUTPUT) { add_usual_list_out(\%dada_err_msg_table,2); } } $major_type_found = 1; return; } } if ($syslog_data->[1] eq "disk" && $syslog_data->[2] eq "okay") { $dada_disk_ok[$host_index] += $EVENT_TIMES; if ($DETAILED_OUTPUT) { add_usual_list_out(\%dada_err_msg_table,0); } $major_type_found = 1; return; } } ## end of decode dada sub Decode_usba { #V2.3 ## usba records ## Solaris - sparc if ( $syslog_data->[0] eq "USB-device:") { ## SOL 9 if (substr($syslog_data->[1],0,8) eq "keyboard") { $usba_keyboard[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if (substr($syslog_data->[1],0,5) eq "mouse") { $usba_mouse[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if (substr($syslog_data->[1],0,7) eq "storage") { $usba_storage[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } return; ## beats me. 
show err mgs } if ( $syslog_data->[0] eq "usbai:") { if ( $syslog_data->[2] eq "no" && $syslog_data->[3] eq "PM" && $syslog_data->[4] eq "enabled" && $syslog_data->[5] eq "for" && $syslog_data->[6] eq "this" && $syslog_data->[7] eq "device") { $usba_no_PM_4_dev[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "USB") { if (substr($syslog_data->[15],0,8) eq "keyboard") { $usba_keyboard[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if (substr($syslog_data->[15],0,5) eq "mouse") { $usba_mouse[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if (substr($syslog_data->[15],0,7) eq "storage") { $usba_storage[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } if (! $REAL_DETAILED_OUTPUT) { $major_type_found = 1; return; } (@line_list) = (@{$syslog_data}[0 .. $#$syslog_data-1]); $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%usba_detail_table, (@line_list)); $major_type_found = 1; return; } ## end of decode usba sub Decode_fmd { # suns hardware recovery pgm ## Solaris - sparc # There are a number of recs added together. Unless we have the EVENT-ID: field, just skip it. # if last 2 fields are not EVENT-ID: and and id, skip it. too man fields indicates we # are later in the joining process and no longer care... (@key_list) = (@{$syslog_data}[0 .. 1]); for ( $i=2; $i <= $#$syslog_data; $i++) { if ($syslog_data->[$i] eq "TYPE:" || $syslog_data->[$i] eq "SEVERITY:" || $syslog_data->[$i] eq "EVENT-ID:") { push (@key_list, @{$syslog_data}[$i]); $i++; push (@key_list, @{$syslog_data}[$i]); } } $this_key = join("-",(@key_list)); add_list_out($this_key, $host_index, $EVENT_TIMES, \%fmd_detail_table, (@key_list)); $major_type_found = 1; return; } ## end of decode fmd sub Decode_simba { ## Solaris - sparc if (! 
$REAL_DETAILED_OUTPUT) { $major_type_found = 1; return; } if ( $syslog_data->[0] ne "PCI-device:" ) {return;} ## err for this level of detail $simbakey = $syslog_data->[1]; if (index($simbakey, '@') >= 0) { $simbakey = substr($simbakey, 0, index($simbakey, '@')); } add_var_list_out(\%simba_detail_table, $simbakey); $major_type_found = 1; return; } ## end of decode simba sub Decode_sbus { ## ## Solaris - sparc if ( $REAL_DETAILED_OUTPUT ) { if ( $REAL_REAL_DETAILED_OUTPUT ) { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); } else { (@key_list) = (@{$syslog_data}[0 .. 2]); } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%sbus_dev_msg_table, (@key_list) ); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of sbus sub Decode_ebus { ## Solaris specific ## Solaris - sparc if ( $REAL_DETAILED_OUTPUT ) { if ($REAL_REAL_DETAILED_OUTPUT) { (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); } else { (@key_list) = (@{$syslog_data}[0 .. 2]); } $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%ebus_dev_table, (@key_list) ); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode ebus sub Decode_uata { ## Solaris specific ## Solaris - sparc if ( $REAL_DETAILED_OUTPUT ) { (@key_list) = (@{$syslog_data}[0 .. 
$#$syslog_data]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%uata_dev_table, (@key_list) ); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode uata sub Decode_qlc { ## Solaris specific ## Solaris - sparc if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%qlc_dev_table, 0 ); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode qlc sub Decode_pci_generic { ## Solaris specific ## Solaris - sparc if ( $syslog_data->[0] eq "PCI-device:" ) { if ( $REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%pci_generic_dev_table, 0 ); } $major_type_found = 1; return; } if ( $syslog_data->[0] eq "PCI" && $syslog_data->[1] eq "Express-device:" ) { if ( $REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%pci_generic_dev_table, 0 ); } $major_type_found = 1; return; } } ## end of decode pci_generic sub Decode_scsi { #V2.3 ## scsi records ## Solaris - sparc if ($syslog_data->[0] eq "Warning:" || $syslog_data->[0] eq "WARNING:" ) { if ( substr($syslog_data->[1],0,1) eq "/") { ## actually a device path suchy as /pci@1.... $scsi_warnings[$host_index] +=$EVENT_TIMES; if ($REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%scsi_WARNING_table,0);} else { if ($DETAILED_OUTPUT) { add_usual_list_out(\%scsi_WARNING_table,2); } } $major_type_found = 1; return; } } if ($syslog_data->[0] eq "Device"){ if ($syslog_data->[1] eq "is" && $syslog_data->[2] eq "gone"){ $scsi_dev_gone[$host_index] +=$EVENT_TIMES; $major_type_found = 1; return; } } if ($syslog_data->[0] eq "Vendor:") { $major_type_found = 1; return; } ## why detail this? 
if ($syslog_data->[0] eq "Requested" && $syslog_data->[1] eq "Block:" ) {$major_type_found = 1; return; } if ($syslog_data->[0] eq "ASC:"){ ## ASC: 0x3a (medium not present), ASCQ: 0x0, FRU: 0x0 add_usual_list_out(\%scsi_asc_detail_key_table, (@key_list) ); $major_type_found = 1; return; } if ($syslog_data->[1] eq "at" && $syslog_data->[3] eq "target"){ ## sd0- at uatga0: etc... $scsiatkey = $syslog_data->[2]; if (index($scsiatkey, ':') >= 0) { $scsiatkey = substr($scsiatkey, 0, index($scsiatkey, ':')); } add_var_list_out( \%scsi_at_detail_counts_table, $scsiatkey); $major_type_found = 1; return; } if ($syslog_data->[0] eq "Sense" && $syslog_data->[1] eq "Key:" ){ ## Sense key: Not ready add_usual_list_out(\%scsi_sense_tail_key_table, (@key_list) ); $major_type_found = 1; return; } if ( substr($syslog_data->[0],0,3) eq "ssd" && $syslog_data->[1] eq "at") { ## bus populatoins.. if ($REAL_DETAILED_OUTPUT ) { add_usual_list_out(\%scsi_WARNING_table,0);} $major_type_found = 1; return; } if (substr($syslog_data->[0],0,1) eq "/" && substr($syslog_data->[1],0,1) eq "(") { #devices msg if ( $REAL_REAL_DETAILED_OUTPUT ) { (@line_list) = (@{$syslog_data}[0 .. $#$syslog_data]); #dev msg } else { (@line_list) = (@{$syslog_data}[1 .. $#$syslog_data]); #dev msg } $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%mpt_table, (@line_list)); $major_type_found = 1; return; } return; } sub Decode_cron { #V2.3 ## cron command ## Solaris - sparc ## cron log is full of garbage, so we just ennumerate any errors here. 
$cron_err_cnt[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ## end of decode cron sub Decode_rootnex { #V2.3 ## rootnex - ## Solaris - sparc ## real detail mach ids on 'root nexus =' lines some day if ( $REAL_REAL_DETAILED_OUTPUT ) { if ($syslog_data->[0] eq "root" && $syslog_data->[1] eq "nexus" && $syslog_data->[2] eq "="){ add_usual_list_out(\%rootnex_table, 3 ); } } $major_type_found = 1; return; } ## end of decode rootnex sub Decode_AFSR_PSYND { #V2.2 ## SPARC ram err ## Solaris - sparc $AFSR_PSYND[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } ## end of decode AFSR_PSYND sub Decode_gconfd { #V2.4 ## Seems to be not real useful. Dump only on Real Deatailed Output ## Solaris - sparc ## ## assume major err msg is up to first token that: ## is followed by a token that begins with ' or " ## ends in : without a : in the middle ## end in . ## is equal to dir ## is equal to pid ## secondary err msg at end of line - sometimes. ## may be enclosed in params as in (err msg) ## may be following : as in blah: err msg $gconfd_msg_counts[$host_index]+=$EVENT_TIMES; if (! $REAL_DETAILED_OUTPUT ) { $major_type_found = 1; return; } if ( $STUPID_OUTPUT) { $gconfd_max = $#$syslog_data; } else { for ($i=0; $i<= $#$syslog_data; $i++) { $gconfd_max = $i; if (substr($syslog_data->[$i],0,1) eq "'" || substr($syslog_data->[$i],0,1) eq '"') { $gconfd_max--; last; } if (substr($syslog_data->[$i],-1,1) eq '.' || substr($syslog_data->[$i],-1,1) eq ';' || $syslog_data->[$i] eq "dir" || $syslog_data->[$i] eq "pid") { last; } if (substr($syslog_data->[$i],-1,1) eq ':' && index($syslog_data->[$i],":") == length($syslog_data->[$i])-1) { last; } } } my(@key_list) = (@{$syslog_data}[0 .. 
$gconfd_max]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%gconfd_table, (@key_list) ); $major_type_found = 1; return; } ## end of decode gconfd sub Decode_nmbd { #V2.4 ## do minimal stuff ## Solaris - sparc if ($syslog_data->[1] eq "Samba" && $syslog_data->[5] eq "logon" && $syslog_data->[6] eq "server") { $nmbd_login_server[$host_index]++; $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode nmbd sub Decode_smbd { #V2.4 ## do minimal stuff ## Solaris - sparc if ($syslog_data->[0] eq "Denied" && $syslog_data->[1] eq "connection") { $smbd_denied_connection[$host_index]++; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_usual_list_out( \%smbd_conn_denied_table, 3); } $major_type_found = 1; return; } if ($syslog_data->[0] eq "domain_client_validate:" && $syslog_data->[1] eq "unable" && $syslog_data->[3] eq "validate" && $syslog_data->[4] eq "password") { $smbd_wrong_passwd[$host_index]++; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%smbd_bad_user_table, $syslog_data->[7] ); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "rejected" && $syslog_data->[2] eq "invalid" && $syslog_data->[3] eq "user") { $smbd_invalid_user[$host_index]++; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%smbd_bad_user_table, $syslog_data->[4] ); } $major_type_found = 1; return; } if ($syslog_data->[1] eq "NT_STATUS_WRONG_PASSWORD") { $smbd_wrong_passwd[$host_index]++; $major_type_found = 1; return; } if ( $REAL_REAL_DETAILED_OUTPUT ) { add_var_list_out( \%smbd_bad_user_table, $syslog_data->[4] ); } $major_type_found = 1; return; } ## end of decode rootnex sub Decode_fingerd { #V2.4 ## not much to do ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { add_list_out("in.fingerd", $host_index, $EVENT_TIMES, \%daemon_connection_table,"in.fingerd"); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode fingerd sub Decode_timed { #V2.4 ## not 
much to do ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { add_list_out("in.timed", $host_index, $EVENT_TIMES, \%daemon_connection_table,"in.timed"); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode timed sub Decode_daytimed { #V2.4 ## not much to do ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { add_list_out("in.daytimed", $host_index, $EVENT_TIMES, \%daemon_connection_table,"in.daytimed"); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode daytimed sub Decode_rexecd { #V2.4 ## not much to do ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { add_list_out("in.rexecd", $host_index, $EVENT_TIMES, \%daemon_connection_table,"in.rexecd"); $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode rexecd sub Decode_rshd { #V2.4 ## not much to do - ignore other junk ## Solaris - sparc if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname") { $rshd_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { $rshd_conn_rsh[$host_index] += $EVENT_TIMES; add_list_out("in.rshd", $host_index, $EVENT_TIMES, \%daemon_connection_table,"in.rshd"); $major_type_found = 1; return; } if ($syslog_data->[0] eq "refused" && $syslog_data->[1] eq "connect"){ $rshd_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } if ($syslog_data->[0] eq "user" && $syslog_data->[1] eq "is"){ $rshd_rsh_login_root[$host_index] += $EVENT_TIMES; # use instead of audit if ($TIMES_OUTPUT) { add_var_list_out(\%Time_daemon_rsh_table, substr($syslog_rec->[2],0,2)); } if ($syslog_data->[2] eq "root") { $rshd_rsh_login[$host_index] += $EVENT_TIMES; # use instead of audit } if ( $REAL_REAL_DETAILED_OUTPUT ) { 
add_var_list_out( \%rshd_bad_login_table, $syslog_data->[2]); } $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode rshd sub Decode_rsh { #rsh output - only 1 error I know of.... if ($syslog_data->[0] eq "connection" && $syslog_data->[1] eq "from" && $syslog_data->[$#$syslog_data-1] eq "bad" && $syslog_data->[$#$syslog_data] eq "port" ) { add_list_out("rsh_bad_from_port", $host_index, $EVENT_TIMES, \%daemon_err_table,"rsh","bad","from","port"); $major_type_found = 1; return; } } ## end of decode rsh sub Decode_in_rwhod { #in.rwhod output - only 1 error I know of if ($syslog_data->[0] eq "main:" && $syslog_data->[$#$syslog_data-2] eq "bad" && $syslog_data->[$#$syslog_data-1] eq "from" && $syslog_data->[$#$syslog_data] eq "port" ) { add_list_out("in_rwhod_bad_from_port", $host_index, $EVENT_TIMES, \%daemon_err_table,"in.rwhod","bad","from","port"); $major_type_found = 1; return; } } ## end of decode in.rwhod sub Decode_rlogind { #V2.4 ## not much to do - ignore other junk ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { $rlogind_conn_rlogind[$host_index] += $EVENT_TIMES; $rlogind_rlogin_login[$host_index] += $EVENT_TIMES; # use instead of audit add_var_list_out( \%daemon_connection_table , "rlogind" ); $major_type_found = 1; return; } if ($syslog_data->[0] eq "refused" && $syslog_data->[1] eq "connect"){ $rlogind_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname:") { $rlogind_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode rlogind sub Decode_telnetd { #V2.4 ## not much to do - ignore other junk ## Solaris - sparc if ($syslog_data->[0] eq "connect" && $syslog_data->[1] eq "from") { $telnetd_conn_telnetd[$host_index] += $EVENT_TIMES; 
$telnetd_telnet_login[$host_index] += $EVENT_TIMES; # use instead of audit add_var_list_out( \%daemon_connection_table , "telnetd" ); $major_type_found = 1; return; } if ($syslog_data->[0] eq "refused" && $syslog_data->[1] eq "connect"){ $telnetd_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } if ($syslog_data->[1] eq "can't" && $syslog_data->[2] eq "verify" && $syslog_data->[3] eq "hostname:") { $telnetd_dns_err[$host_index] += $EVENT_TIMES; # use instead of audit $major_type_found = 1; return; } $major_type_found = 1; return; } ## end of decode telnetd ################### ## ## added via osx ## ################### sub Decode_cp { ## osx if ($syslog_data->[0] eq "error" && $syslog_data->[1] eq "processing" && $syslog_data->[2] eq "extended" && $syslog_data->[3] eq "attributes:") { $major_type_found = 1; return; } } ## end of cp sub Decode_shutdown { ## osx if ($syslog_data->[0] eq "halt" && $syslog_data->[1] eq "by") { if ($syslog_data->[2] eq "root:" ) { $halt_cmd_cnt_root[$host_index]+=$EVENT_TIMES; } else { $halt_cmd_cnt_other[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } if ($syslog_data->[0] eq "reboot" && $syslog_data->[1] eq "by") { if ($syslog_data->[2] eq "root:" ) { $reboot_cmd_cnt_root[$host_index]+=$EVENT_TIMES; } else { $reboot_cmd_cnt_other[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } } ## end of shutdown sub Decode_launchd { ## osx if ($syslog_data->[0] eq "Server" && $syslog_data->[$#$syslog_data] eq "Hangup") { ##assume some proc just got killed $major_type_found = 1; return; } } ## end of launchd sub Decode_lookupd { ## osx if ($syslog_data->[0] eq "lookupd" && $syslog_data->[3] eq "starting") { ##assume some proc just got killed $major_type_found = 1; return; } } ## end of lookupd sub Decode_configd { ## osx if ( $syslog_data->[0] eq "AppleTalk" ) { ## assume startup stuff - ignore if ( $syslog_data->[1] eq "shutdown" ) { $major_type_found = 1; return; } if ( 
$syslog_data->[1] eq "startup" ) { if ( $syslog_data->[2] eq "complete" ) { $configd_appletalk[$host_index]+=$EVENT_TIMES; } $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "INFORM" && $syslog_data->[3] eq "in" && $syslog_data->[4] eq "use") { ## (@key_list) = (@{$syslog_data}[0 .. $#$syslog_data]); $this_key= join("-",@key_list); add_list_out($this_key, $host_index, $EVENT_TIMES, \%Machine_errs_table, (@key_list) ); $major_type_found = 1; return; } if ($syslog_data->[0] eq "PM" && $syslog_data->[1] eq "configd:_copyPMSettings():" ) { ## powermanager - ignoreknown stuff if ( $syslog_data->[$#$syslog_data-3] eq "power" && $syslog_data->[$#$syslog_data-2] eq "source") { $major_type_found = 1; return; } } if ( $syslog_data->[0] eq "Starting" && $syslog_data->[1] eq "kicker" ) { ## reloading module. maybe, report??? $major_type_found = 1; return; } if ($syslog_data->[0] eq "WirelessConfigure:" ) { ## $configd_wireless[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "adding" ) { ## adding module. report??? $major_type_found = 1; return; } if ( $syslog_data->[0] eq "executing") { ## assume startup stuff - ignore $major_type_found = 1; return; } if ( $syslog_data->[0] eq "hostname" ) { ## assume startup stuff - ignore $major_type_found = 1; return; } if ( $syslog_data->[0] eq "initCardWithStoredPrefs") { ## beats me - ignore $major_type_found = 1; return; } if ( $syslog_data->[0] eq "loading" ) { ## loading module. report??? $major_type_found = 1; return; } if ( $syslog_data->[0] eq "posting" && $syslog_data->[1] eq "notification" ) { ## assume startup stuff - ignore $major_type_found = 1; return; } if ( $syslog_data->[0] eq "setting" && $syslog_data->[1] eq "hostname" ) { ## assume startup stuff - ignore $major_type_found = 1; return; } if ( $syslog_data->[0] eq "target=enable-network:" ) { ## shutdown msg. if ( $syslog_data->[1] eq "disabled" ) { ## shutdown msg. 
$major_type_found = 1; return;} if ( $syslog_data->[1] eq "exit" ) { ## shutdown msg. $major_type_found = 1; return;} } } ## end of configd sub Decode_mDNSResponder { ## osx if ($syslog_data->[0] eq "Adding" && $syslog_data->[1] eq "browse" && $syslog_data->[2] eq "domain" && $syslog_data->[3] eq "local.") { $major_type_found = 1; return; } if ($syslog_data->[0] eq "Couldn't" && $syslog_data->[1] eq "read" && $syslog_data->[2] eq "user-specified" ) { $major_type_found = 1; return; } if ($syslog_data->[0] eq "Repeated" && $syslog_data->[1] eq "transitions" && $syslog_data->[2] eq "for" && $syslog_data->[3] eq "interface") { $major_type_found = 1; return; } if ($syslog_data->[0] eq "Service" && $syslog_data->[2] eq "renamed" ) { $major_type_found = 1; return; } if ($syslog_data->[1] eq "sendto" && $syslog_data->[2] eq "failed" ) { $major_type_found = 1; return; } } ## end of mDNSResponder sub Decode_loginwindow { ## osx if ($syslog_data->[0] eq "Login" && $syslog_data->[$#$syslog_data] eq "Started") { $loginwindow_starts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "Login" && $syslog_data->[2] eq "Started" && $syslog_data->[3] eq "Security" && $syslog_data->[4] eq "Agent") { $loginwindow_security_agent_starts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "halting" ) { $loginwindow_halts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "sendQuitEventToApp" ) { $major_type_found = 1; return; } } ## end of loginwindow sub Decode_xinetd { ## osx if ($syslog_data->[0] eq "EXIT:" ) { #end of server - ignore $major_type_found = 1; return; } if ($syslog_data->[0] eq "Reading" ) { #version record $major_type_found = 1; return; } if ($syslog_data->[0] eq "Reconfigured:" ) { # ok, reonfig done.should we repot changes?? 
$major_type_found = 1; return; } if ($syslog_data->[0] eq "START:" ) { ## startup server add_list_out($syslog_data->[1], $host_index, $EVENT_TIMES, \%inetd_connection_table,$syslog_data->[1]); $major_type_found = 1; return; } if ($syslog_data->[0] eq "Started" ) { $xinetd_started[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "Starting" && $syslog_data->[1] eq "reconfiguration" ) { # starting reconfig. $xinetd_start_reconfig[$host_index]+=$EVENT_TIMES; # but we don't track for inetd regular... $major_type_found = 1; return; } if ($syslog_data->[0] eq "Unexpected" ) { #ok, adjust a service $major_type_found = 1; return; } if ($syslog_data->[0] eq "readjusting" ) { #ok, adjust a service $major_type_found = 1; return; } if ($syslog_data->[0] eq "removing" ) { #ok, drop something. Ignore $major_type_found = 1; return; } if ($syslog_data->[0] eq "service" ) { #ok, drop something. Ignore $major_type_found = 1; return; } if ($syslog_data->[0] eq "xinetd" && $syslog_data->[1] eq "Version" ) { #version record $major_type_found = 1; return; } } ## end of xinetd sub Decode_diskarbitrationd { ## osx if (! $REAL_DETAILED_OUTPUT) { $major_type_found = 1; return; } if ( substr($syslog_data->[0],0,4) eq "disk" ) { #disk type.. (@line_list) = (@{$syslog_data}[1 .. 
$#$syslog_data-1]); #skip disk0x and mount point at end $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%dada_detail_table, (@line_list)); $major_type_found = 1; return; } } ## end of diskarbitrationd sub Decode_DirectoryService { ## osx if ( $syslog_data->[0] eq "Launched" ) { #startup $DirectoryService_starts[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[0] eq "Failed" && $syslog_data->[1] eq "Authentication" && $syslog_data->[2] eq "return" && $syslog_data->[5] eq "delayed" && $syslog_data->[8] eq "over" && $syslog_data->[10] eq "recent" && $syslog_data->[11] eq "auth" && $syslog_data->[12] eq "failures") { # too many failures.. $DirectoryService_toomanyfails[$host_index] += $EVENT_TIMES; if ( $REAL_REAL_DETAILED_OUTPUT ) { add_list_out($syslog_data->[15], $host_index, $EVENT_TIMES, \%DirectoryService_toomanyfails_user_table, $syslog_data->[15]); } $major_type_found = 1; return; } } ## end of DirectoryService sub Decode_ConsoleMessage { ## osx if ($syslog_data->[0] eq "Stopping" && $syslog_data->[1] eq "printing" && $syslog_data->[2] eq "services" ) { # skip $major_type_found = 1; return; } if ($syslog_data->[0] eq "Starting" && $syslog_data->[1] eq "printing" && $syslog_data->[2] eq "services" ) { # skip $major_type_found = 1; return; } } ## end of ConsoleMessage sub Decode_mdimportserver { ## osx if ( $syslog_data->[0] eq "***" && $syslog_data->[1] eq "Failed" && $syslog_data->[3] eq "decode" ) { #not really an error, I think. $major_type_found = 1; return; } } ## end of mdimportserver sub Decode_SystemStarter { ## osx if ( $syslog_data->[$#$syslog_data-3] eq "did" && $syslog_data->[$#$syslog_data-2] eq "not" && $syslog_data->[$#$syslog_data-1] eq "complete" && $syslog_data->[$#$syslog_data] eq "successfully" ) { # $SystemStarter_startup_fails[$host_index] += $EVENT_TIMES; if ( $REAL_DETAILED_OUTPUT ) { (@line_list) = (@{$syslog_data}[0 .. 
$#$syslog_data-5]); # service, not err msg. $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%SystemStarter_err_table, (@line_list)); } $major_type_found = 1; return; } } ## end of SystemStarter sub Decode_mDNSResponder_107 { ## osx - the 107 stuff might be junk.. if ( $syslog_data->[$#$syslog_data] eq "starting" ) { # $nDNSResponder_107_startup[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of mDNSResponder_107 sub Decode_mDNSResponder_107_3 { ## osx - and now, .3... if ( $syslog_data->[$#$syslog_data] eq "starting" ) { # $nDNSResponder_107_3_startup[$host_index] += $EVENT_TIMES; $major_type_found = 1; return; } } ## end of mDNSResponder_107_3 sub Decode_automount { ## osx if ($syslog_data->[0] eq "automount" && $syslog_data->[1] eq "version" ) { # $automount_started[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ($syslog_data->[0] eq "Cannot" && $syslog_data->[1] eq "mount" ) { # $automount_mount_fail[$host_index]+=$EVENT_TIMES; if ( $REAL_DETAILED_OUTPUT ) { (@line_list) = (@{$syslog_data}[3 .. $#$syslog_data]); # mount err msg $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%mount_msg_err_table, (@line_list)); } $major_type_found = 1; return; } if ($syslog_data->[0] eq "Attempt" && $syslog_data->[2] eq "mount" ) { # $automount_mount_attempts[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } #### unless we really really care, just ignore the big batch of junk that follows if ( !$REAL_DETAILED_OUTPUT ) { $major_type_found = 1; return; } if ($syslog_data->[0] eq "logout" && $syslog_data->[1] eq "notification" ) { # $major_type_found = 1; return; } if ($syslog_data->[0] eq "requesting" && $syslog_data->[1] eq "logout" ) { # $major_type_found = 1; return; } if ($syslog_data->[0] eq "handle_deferred_requests:" && $syslog_data->[1] eq "user" && $syslog_data->[2] eq "logged" && $syslog_data->[3] eq "out." 
) { # $major_type_found = 1; return; } if ($syslog_data->[0] eq "Checking" && $syslog_data->[1] eq "path" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Creating" && $syslog_data->[1] eq "intermediate" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Host" && $syslog_data->[1] eq "Info:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Initializing" && $syslog_data->[1] eq "map" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "MarkDirectoryInvisible:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Mounted" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Mounting" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "NSLVnode.populateCompletely(NO):" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "NSLVnode.processAddResult:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "NSLVnode.processDeleteResult:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "New" && $syslog_data->[1] eq "(FstabMap)" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "PrepareForNotificationRequests:" && $syslog_data->[1] eq "trying" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Requesting" && $syslog_data->[1] eq "Finder" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "Starting" && $syslog_data->[1] eq "service" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "[Vnode" && $syslog_data->[1] eq "mounted]:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "[Vnode" && $syslog_data->[1] eq "setMounted]:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "considerFinderNotification:" && $syslog_data->[1] eq "Deferring" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "handle_deferred_requests:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "registerAMInfoService:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq 
"resetTime:" ) { $major_type_found = 1; return ; } if ($syslog_data->[0] eq "setupLink:" ) { $major_type_found = 1; return ; } } ## end of automount sub Decode_kernel_init { ## osx - the 107 stuff might be junk.. $decode_kernel_table{"AirPort:"} = sub { if ( $syslog_data->[1] eq "Link" ) { if ( $syslog_data->[2] eq "Active:" ) { $kernel_airport_active[$host_index]+=$EVENT_TIMES; if ( $REAL_DETAILED_OUTPUT ) { (@line_list) = (@{$syslog_data}[3 .. $#$syslog_data]); # mount err msg $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%wireless_channels_table, (@line_list)); } $major_type_found = 1; return; } if ( $syslog_data->[2] eq "UP:" ) { $kernel_airport_up[$host_index]+=$EVENT_TIMES; if ( $REAL_DETAILED_OUTPUT ) { (@line_list) = (@{$syslog_data}[3 .. $#$syslog_data]); # mount err msg $TEMP_key = join("-",$pname,(@line_list)); add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%wireless_channels_table, (@line_list)); } $major_type_found = 1; return; } if ( $syslog_data->[2] eq "DOWN" ) { $kernel_airport_down[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } }; $decode_kernel_table{"AirPortPCI_MM:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"BSD"} = sub { if ( $syslog_data->[1] eq "root:" ) { ## declare root disk $major_type_found = 1; return; } }; $decode_kernel_table{"BSM"} = sub { if ( $syslog_data->[1] eq "auditing" && $syslog_data->[2] eq "present" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"CSRHIDTransitionDriver::probe"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"CSRHIDTransitionDriver::probe:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"CSRHIDTransitionDriver::start"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"CSRHIDTransitionDriver::stop"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"Copyright"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"FireWire"} = sub { 
for ($i=1; $i< $#$syslog_data; $i++) { if ( $syslog_data->[$i] eq "now" && $syslog_data->[$i+1] eq "active,") { $major_type_found = 1; return; } } }; $decode_kernel_table{"Got"} = sub { if ( $syslog_data->[1] eq "boot" && $syslog_data->[2] eq "device" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"IPv6"} = sub { ## Hmm.. if ( $syslog_data->[1] eq "packet" && $syslog_data->[2] eq "filtering" & $syslog_data->[3] eq "initialized," ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"Jettisoning"} = sub { if ( $syslog_data->[1] eq "kernel" && $syslog_data->[2] eq "linker." ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"Matching"} = sub { if ( $syslog_data->[1] eq "service" && $syslog_data->[2] eq "count" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"Resetting"} = sub { if ( $syslog_data->[1] eq "IOCatalogue." ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"Security"} = sub { if ( $syslog_data->[1] eq "auditing" && $syslog_data->[3] eq "present" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"Sound"} = sub { if ( $syslog_data->[1] eq "assertion" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"System"} = sub { if ( $syslog_data->[1] eq "Sleep" ) { ## $kernel_system_sleep[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[1] eq "Wake" ) { ## $kernel_system_wake[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } }; $decode_kernel_table{"The"} = sub { if ( $syslog_data->[1] eq "Regents" && $syslog_data->[2] eq "of" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"USB"} = sub { if ( $syslog_data->[1] eq "caused" && $syslog_data->[2] eq "wake" ) { ## USB caused wake event .. 
$major_type_found = 1; return; } }; $decode_kernel_table{"USBF:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"UniNEnet:"} = sub { if ( $syslog_data->[1] eq "Ethernet" && $syslog_data->[2] eq "address" ) { ## maybe list someday? $major_type_found = 1; return; } }; $decode_kernel_table{"UniNEnet::monitorLinkStatus"} = sub { if ( $syslog_data->[2] eq "Link" && $syslog_data->[4] eq "down." ) { ## $global_network_down[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[2] eq "Link" && $syslog_data->[4] eq "up" ) { ## if ( $syslog_data->[6] eq "10" && $syslog_data->[9] eq "Half" ) { ## $global_network_up_10_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[6] eq "10" && $syslog_data->[9] eq "Full" ) { ## $global_network_up_10_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[6] eq "100" && $syslog_data->[9] eq "Half" ) { ## $global_network_up_100_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[6] eq "100" && $syslog_data->[9] eq "Full" ) { ## $global_network_up_100_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[6] eq "1000" && $syslog_data->[9] eq "Half" ) { ## $global_network_up_1000_half[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } if ( $syslog_data->[6] eq "1000" && $syslog_data->[9] eq "Full" ) { ## $global_network_up_1000_full[$host_index]+=$EVENT_TIMES; $major_type_found = 1; return; } } }; $decode_kernel_table{"Waiting"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"Wake"} = sub { if ( $syslog_data->[1] eq "event" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"[AppleUSBHCIController][StopIsochPipeRead]"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"[HCIController][setupHardware]"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"[HCIController][start]"} = sub { $major_type_found = 1; 
return; }; $decode_kernel_table{"[start]"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"disabled"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"in_delmulti"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"mig_table_max_displ"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"netsmb_dev:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"rooting"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"smbfs_aclsflunksniff:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"smbfs_smb_qfsattr:"} = sub { $major_type_found = 1; return; }; $decode_kernel_table{"standard"} = sub { if ( $syslog_data->[1] eq "timeslicing" && $syslog_data->[2] eq "quantum" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"using"} = sub { if ( $syslog_data->[2] eq "buffer" && $syslog_data->[3] eq "headers" ) { ## $major_type_found = 1; return; } }; $decode_kernel_table{"vm_page_bootstrap:"} = sub { $major_type_found = 1; return; }; ### $decode_kernel_table{"media"} = sub {# NOTE - second field. if ( $syslog_data->[3] eq "not" && $syslog_data->[4] eq "present." ) { # skip or report? $major_type_found = 1; return; } }; $decode_kernel_table{"prelinked"} = sub {# NOTE - second field. if ( $syslog_data->[2] eq "modules" ) { # skipp $major_type_found = 1; return; } }; $decode_kernel_table{"vram"} = sub {# NOTE - second field. $major_type_found = 1; return; }; } ## end of kernel_init sub Decode_kernel { ## osx - if (defined $decode_kernel_table{$syslog_data->[0]}) { ## check first field to see if we do it. &{$decode_kernel_table{$syslog_data->[0]}}(); return if $major_type_found; } if (defined $decode_kernel_table{$syslog_data->[1]}) { ## check second field to see if we do it. 
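## (closing lines of Decode_kernel - its head is above: 2nd-field dispatch, then the ADB scan)
        &{$decode_kernel_table{$syslog_data->[1]}}();
        return if $major_type_found;
    }
    # Last resort: the ADB record carries a control-P and other junk before "ADB", so match by regex.
    for ($i=1; $i< $#$syslog_data; $i++) {
        if ( $syslog_data->[$i] =~ /ADB/ && $syslog_data->[$i+1] =~ /present/) {
            $major_type_found = 1; return;
        }
    }
} ## end of kernel

## SecurityAgent (osx): all three known record shapes are accepted and dropped; nothing is counted.
sub Decode_SecurityAgent { ## osx
    if ( $syslog_data->[0] eq "User" && $syslog_data->[1] eq "Authenticated:" ) {
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "Autologin" && $syslog_data->[1] eq "user" && $syslog_data->[2] eq "authenticated." ) {
        # primary user logged on upon boot..
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "Showing" && $syslog_data->[1] eq "Login" ) {
        $major_type_found = 1; return;
    }
} ## end of SecurityAgent

## KernelEventAgent (osx): "tid ... received unknown event" is recognised and ignored.
sub Decode_KernelEventAgent { ## osx
    if ( $syslog_data->[0] eq "tid" && $syslog_data->[2] eq "received"
         && $syslog_data->[3] eq "unknown" && $syslog_data->[4] eq "event" ) {
        # beats me. Just ignore for now
        $major_type_found = 1; return;
    }
} ## end of KernelEventAgent

## enable-network (osx): "process network configuration change" is recognised and ignored.
sub Decode_enable_network { ## osx
    if ( $syslog_data->[0] eq "process" && $syslog_data->[1] eq "network"
         && $syslog_data->[2] eq "configuration" && $syslog_data->[3] eq "change" ) {
        # well, just ignore
        $major_type_found = 1; return;
    }
} ## end of enable_network

## launchproxy (osx): only the sshd-keygen-wrapper record is known so far.
sub Decode_launchproxy { ## osx
    if ( $syslog_data->[0] eq "/usr/libexec/sshd-keygen-wrapper:" ) { # start with this one
        $major_type_found = 1; return;
    }
} ## end of launchproxy

## com.apple.SecurityServer (osx): pair up the per-user "authinternal" record with the
## per-program "Failed to authorize" / "Succeeded authorizing" record that follows it
## (optionally with a "uid ... succeeded" record in between), then bump the login/su
## counters for the program that asked.  Out-of-order records are counted as skipped.
## Reads the globals $syslog_data, $machine, $host_index, $EVENT_TIMES, %hold_prev_rec2,
## %hold_prev_data2 and the option flags $DETAILED_OUTPUT / $STUPID_OUTPUT; keeps the
## pending first-of-pair state per machine in %apple_auth.
sub Decode_com_apple_SecurityServer { ## osx
    ### apple seems a bit sloppy on logs, so.. 2 recs per success/fail on authentication
    ### 1 per user id, 1 per program, plus maybe more for same/other pgms...
    ### check we have pair in order, and that they match success/fail. No matches, report in syslog summary.
    if ( $syslog_data->[0] eq "Entering" && $syslog_data->[1] eq "service") {
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "authinternal" ) { # yes or no, with user id - first rec.
        if ( $syslog_data->[1] eq "failed" ) { # Note this for next rec
            $Local_key = $syslog_data->[$#$syslog_data];
            chop ($Local_key);
            $apple_auth{$machine} = join ("-","fail",$Local_key);
            $major_type_found = 1; return;
        }
        if ( $syslog_data->[1] eq "authenticated" ) { # yes, note it.
            $apple_auth{$machine} = join ("-","good",$syslog_data->[3]);
            $major_type_found = 1; return;
        }
        return;
    }
    if ( $syslog_data->[0] eq "uid" ) { #optional intermediate rec
        $Local_key=$syslog_data->[$#$syslog_data];
        chop ($Local_key);
        @rights_line_list = split(/\./,$Local_key);
        $rights_field_name = join("-",(@rights_line_list));
        if ( $syslog_data->[2] eq "succeeded" ) { # I assume this is always the case, but...
            if ($hold_prev_rec2{$machine}->[4] ne "com.apple.SecurityServer:"
                || $hold_prev_data2{$machine}->[0] ne "authinternal"
                || substr($apple_auth{$machine},0,4) ne "good" ) { #ok, prev rec was not 1st of pair
                $apple_secserv_skip_succeed[$host_index] +=$EVENT_TIMES;
                if( $STUPID_OUTPUT ) { print "Authentication record in wrong order - $_\n"; }
                $major_type_found = 1; return;
            } #wrong rec, but known. just skip.
            if ($DETAILED_OUTPUT) {
                add_list_out($rights_field_name, $host_index, $EVENT_TIMES, \%Apple_auth_ok_rights_table, (@rights_line_list));
            }
            $major_type_found = 1; return;
        } else {
            $apple_auth{$machine}=""; ## flag as bad so the following program record is treated as out of sequence
            if ($DETAILED_OUTPUT) {
                add_list_out($rights_field_name, $host_index, $EVENT_TIMES, \%Apple_auth_bad_rights_table, (@rights_line_list));
            }
            $major_type_found = 1; return;
        }
    }
    ## ok, next rec declares pgm requesting authentication, and declares success or fail
    if ( $syslog_data->[0] eq "Failed" && $syslog_data->[2] eq "authorize") { ##ok, auth fail rec for program
        $Local_key=$syslog_data->[$#$syslog_data];
        chop ($Local_key);
        @rights_line_list = split(/\./,$Local_key);
        $rights_field_name = join("-",(@rights_line_list));
        if ($DETAILED_OUTPUT) {
            add_list_out($rights_field_name, $host_index, $EVENT_TIMES, \%Apple_auth_bad_rights_table, (@rights_line_list));
        }
        if ($hold_prev_rec2{$machine}->[4] ne "com.apple.SecurityServer:"
            || ($hold_prev_data2{$machine}->[0] ne "authinternal" && $hold_prev_data2{$machine}->[0] ne "uid")
            || substr($apple_auth{$machine},0,4) ne "fail" ) { #ok,wrong sequence for logins. just note rights
            # $apple_secserv_skip_fail[$host_index] +=$EVENT_TIMES;
            $major_type_found = 1; return;
        } #wrong rec, but known. just skip.
        # Failure counters: the console (loginwindow.app) bucket is the *_bad one, like the others.
        _tally_secserv_program($Local_key,
                               \@audit_telnet_login_bad, \@audit_ssh_login_bad, \@audit_su_bad,
                               \@audit_console_login_bad, \%Apple_auth_fail_pgm_table);
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "Succeeded" && $syslog_data->[1] eq "authorizing") {
        $Local_key=$syslog_data->[$#$syslog_data];
        chop ($Local_key);
        @rights_line_list = split(/\./,$Local_key);
        $rights_field_name = join("-",(@rights_line_list));
        if ($DETAILED_OUTPUT) {
            add_list_out($rights_field_name, $host_index, $EVENT_TIMES, \%Apple_auth_ok_rights_table, (@rights_line_list));
        }
        if ($hold_prev_rec2{$machine}->[4] ne "com.apple.SecurityServer:"
            || ( $hold_prev_data2{$machine}->[0] ne "authinternal" && $hold_prev_data2{$machine}->[0] ne "uid")
            || substr($apple_auth{$machine},0,4) ne "good" ) { #ok, prev rec was not 1st of pair
            # $apple_secserv_skip_succeed[$host_index] +=$EVENT_TIMES;
            $major_type_found = 1; return;
        } #wrong rec, but known. just skip.
        # Success counters: the console bucket is audit_console_login, not the *_bad one.
        _tally_secserv_program($Local_key,
                               \@audit_telnet_login, \@audit_ssh_login, \@audit_su,
                               \@audit_console_login, \%Apple_auth_succeed_pgm_table);
        $major_type_found = 1; return;
    }
} ## end of com_apple_SecurityServer

## Classify the requesting program named in a SecurityServer authorization record by its
## trailing path component and bump the matching per-host counter (one counter set for
## failures, one for successes - the caller picks which).  Programs that match none of the
## known suffixes are tallied by full name in $pgm_table.  $host_index and $EVENT_TIMES are
## the usual globals; $USE_audit_ssh / $USE_audit_su are flagged for *this* host index.
sub _tally_secserv_program {
    my ($pgm, $telnet_ctr, $ssh_ctr, $su_ctr, $console_ctr, $pgm_table) = @_;
    if (substr($pgm,-5) eq "login") {
        $telnet_ctr->[$host_index] +=$EVENT_TIMES;
        return;
    }
    if (substr($pgm,-4) eq "sshd") {
        $USE_audit_ssh[$host_index]=1;
        $ssh_ctr->[$host_index] +=$EVENT_TIMES;
        return;
    }
    if (substr($pgm,-2) eq "su") {
        $USE_audit_su[$host_index]=1;
        $su_ctr->[$host_index] +=$EVENT_TIMES;
        return;
    }
    if (substr($pgm,-15) eq "loginwindow.app") {
        $console_ctr->[$host_index] +=$EVENT_TIMES;
        return;
    }
    add_list_out($pgm, $host_index, $EVENT_TIMES, $pgm_table, $pgm);
    return;
}

## Software Update (osx): count "Finalizing installation." records; every Software record is claimed.
sub Decode_Software { ## osx - actually Software Update
    if ( $syslog_data->[$#$syslog_data-1] eq "Finalizing" && $syslog_data->[$#$syslog_data] eq "installation.") {
        $apple_software_update[$host_index] +=$EVENT_TIMES;
    }
    $major_type_found = 1; return;
} ## end of Software

## memberd (osx): count "memberd starting" records; every memberd record is claimed.
sub Decode_memberd { ## osx
    if ( $syslog_data->[0] eq "memberd" && $syslog_data->[1] eq "starting") {
        $apple_memberd_startup[$host_index] +=$EVENT_TIMES;
    }
    $major_type_found = 1; return;
} ## end of memberd

## crashdump (osx): count "... crashed" records per host and, with -d, per crashed program.
sub Decode_crashdump { ## osx
    if ( $syslog_data->[$#$syslog_data] eq "crashed" ) { ## note program that crashed.
        $apple_crashdumps[$host_index] +=$EVENT_TIMES;
        if ($DETAILED_OUTPUT) {
            (@line_list) = (@{$syslog_data}[0 .. $#$syslog_data-1]); # everything before the trailing "crashed"
            $TEMP_key = join("-",$pname,(@line_list));
            add_list_out($TEMP_key, $host_index, $EVENT_TIMES, \%apple_crashdump_table, (@line_list));
        }
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "crash" && $syslog_data->[1] eq "report" ) { ## ..written to ..
        $major_type_found = 1; return;
    }
} ## end of crashdump

## postfix/postqueue (osx): the "Mail system is down -- accessing queue directly" warning is ignored.
sub Decode_postfix_postqueue { ## osx
    if ( $syslog_data->[0] eq "warning:" ) {
        if ( $syslog_data->[1] eq "Mail" && $syslog_data->[2] eq "system" && $syslog_data->[4] eq "down"
             && $syslog_data->[6] eq "accessing" && $syslog_data->[7] eq "queue" && $syslog_data->[8] eq "directly" ) {
            $major_type_found = 1; return;
        }
    }
} ## end of postfix_postqueue

## Kerberos helper (osx): "Exiting:" is ignored.
sub Decode_apple_kerb { ## osx
    if ( $syslog_data->[0] eq "Exiting:" ) {
        $major_type_found = 1; return;
    }
} ## end of apple_kerb

## CCacheServer (osx): "Exiting:" is ignored.
sub Decode_macos_ccacheserver { ## osx
    if ( $syslog_data->[0] eq "Exiting:" ) {
        $major_type_found = 1; return;
    }
} ## end of macos_ccacheserver

## Mail.app (osx): two known graphics complaints are ignored.
sub Decode_macos_mail { ## osx -
    if ( $syslog_data->[0] eq "CGContextClipToRect:" ) {
        $major_type_found = 1; return;
    }
    if ( $syslog_data->[0] eq "Corrupt" && $syslog_data->[1] eq "JPEG" ) {
        $major_type_found = 1; return;
    }
} ## end of macos_mail

###
### these decode are for the first word of the data fields..
###
## "clnt_dg_create: out of ... memory" - tallied per source program in %cant_create_no_mem_table.
sub Decode2_clnt_dg_create {
    if ( $syslog_data->[1] eq "out" && $syslog_data->[2] eq "of" && $syslog_data->[$#$syslog_data] eq "memory") {
        add_var_list_out(\%cant_create_no_mem_table, $pname);
        $major_type_found = 1; return;
    }
}

###
### Utility code
###
## SIGINT handler: stop the read loop, restore the default handler, print what was
## collected so far, then exit.  $sig is the signal name Perl passes in (unused).
sub sig_handler {
    local($sig) = @_;
    $SIGNAL_SAYS_GO = 0; ## false. exit input loop.
    print "\n\n ### INTERRRUPT DETECTED - Read loop terminated ### \n\n";
    $SIG{'INT'} = 'DEFAULT'; ## UN-define handler routine.
    process_output();
    exit;
    # return;
}

# add an entry to a table specifying the hostname, var for field/title and table name
# ($row_id selects the row via Get_random_host_index; $data_parm is both key and column title)
sub add_hostvar_list_out {
    my($table_name, $row_id, $data_parm) = @_;
    my $local_host_index = Get_random_host_index($row_id, $table_name); ## entry into table of counters
    add_list_out($data_parm, $local_host_index, $EVENT_TIMES, $table_name, $data_parm );
}

##look up host(data) -parm1 - in list of entries for table - parm2
## Returns the row number for $Entry, allocating the next free one (and recording the
## name in "host_index") the first time a given $Entry is seen in $Table.
sub Get_random_host_index {
    my($Entry, $Table) = @_;
    my $local_entry_num;
    if (defined($Table->{"host_key_list"}->{$Entry})) { ## we have it
        return( $Table->{"host_key_list"}->{$Entry}); ## unique ID
    }
    ## -- new entry. add to table.
    $local_entry_num =($Table->{"entry_cnt"}++); #NUMBER of unique entries we have found
    $Table->{"host_index"}->[$local_entry_num] = $Entry;
    $Table->{"host_key_list"}->{$Entry} = $local_entry_num;
    return $local_entry_num;
}

## just calls add_list_out - p1 = tablename, p2 = first parm to use of syslog_data as key and title
## and then concats all rest of parms.
sub add_usual_list_out {
    my ($table_name, $start_index) = @_;
    my (@key_list) = (@{$syslog_data}[$start_index .. $#$syslog_data]);
    my $this_key= join("-",@key_list);
    add_list_out($this_key, $host_index, $EVENT_TIMES, $table_name, (@key_list) );
    return;
}

## just calls add_list_out - p1 = tablename, p2 = only parm to use as both title and key
sub add_var_list_out {
    my ($table_name, $data_parm) = @_;
    add_list_out($data_parm, $host_index, $EVENT_TIMES, $table_name, $data_parm );
    return;
}

## sub to create table for output. Parms - 1 = key (sorted by key), 2=host index number,
## 3 = number to add to entry, 4 = table name, Rest = title - 1 line per parm.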
## key, number of them, array that holds it, 1 or more header lines - top line first
## Record $add_count for ($add_key, $add_host_index) in $add_table.  A key seen for the
## first time is given the next column index and its header lines (the trailing args,
## top line first) are stored bottom line first, which is the order put_varvar_list_out
## walks them.  The table's running maxima ("max headers", "max header len",
## "max table value", "max col table value") are kept current for the printers.
sub add_list_out {
    my ($add_key, $add_host_index, $add_count, $add_table, @titles) = @_;

    my $add_index = $add_table->{"key_list"}->{$add_key};
    unless ( defined $add_index ) {
        ## new key: allocate the next column and remember its headers
        $add_index = ($add_table->{"key_count"})++;
        $add_table->{"index"}->[$add_index] = $add_key;
        $add_table->{"key_list"}->{$add_key} = $add_index;

        my @bottom_up = reverse @titles;
        my $last_hdr  = $#bottom_up;          # header lines minus one (-1 when none given)
        if ($add_table->{"max headers"} < $last_hdr) { $add_table->{"max headers"} = $last_hdr; }
        $add_table->{"header count"}->[$add_index] = $last_hdr;

        my $widest = 0;
        for my $h (0 .. $last_hdr) {
            $add_table->{"headers"}->[$add_index]->[$h] = $bottom_up[$h];
            my $len = length $bottom_up[$h];
            $widest = $len if $len > $widest;
        }
        $add_table->{"max col header len"}->[$add_index] = $widest;
        if ($widest > $add_table->{"max header len"}) { $add_table->{"max header len"} = $widest; }
    }

    ## bump the cell and the two maxima that depend on it
    my $cell = \$add_table->{"values"}->[$add_host_index]->[$add_index];
    $$cell += $add_count;
    if ( $$cell > $add_table->{"max table value"} ) {
        $add_table->{"max table value"} = $$cell;
    }
    if ( $$cell > $add_table->{"max col table value"}->[$add_index] ) {
        $add_table->{"max col table value"}->[$add_index] = $$cell;
    }
    return;
}
##
## create output tables from secondary data structure. Note that each column can be all the same
## width, or variable (nothing like one header taking up all columns to mess up the
## pattern.) The rows are not the machine ids from the syslog file like our std. tables.
##
## Print a table whose rows were allocated by Get_random_host_index ("entry_cnt" /
## "host_index") and whose columns/values were filled by add_list_out.  Arguments: any
## number of title lines followed by the table ref as the LAST argument.  Columns are
## printed alphabetically by key, in chunks narrow enough for $put_cols_out characters;
## each chunk gets its own header block.  Writes to STDOUT only; mutates the table's
## "headers" / "max col header len" entries when it has to truncate.
## Output-shaping globals read here: $OUTPUT_MACHINE_FIELD_SIZE, $m_head_spc, $LOUD_OUTPUT,
## $NO_STEALTH_OUTPUT, $FIXED_WIDTH_OUTPUT, $STUPID_OUTPUT.
sub put_varvar_list_out {
    my $indx;
    my($put_table) = $_[$#_];                       # table ref is always the last parm
    # $local_entry_num =($Table->{"entry_cnt"}++); #NUMBER of unique entries we have found
    # $Table->{"index"}->[$local_entry_num] = $Entry;
    # $Table->{"key_list"}->{$Entry} = $local_entry_num;
    ## find size of first column so we know how big this field is
    my $local_out_size = $OUTPUT_MACHINE_FIELD_SIZE;
    for ($row_indx = 0; $row_indx<=$put_table->{"entry_cnt"} ; $row_indx++) { ## loop thru lines in table
        if ( length($put_table->{"host_index"}->[$row_indx]) > $local_out_size) {
            $local_out_size = length($put_table->{"host_index"}->[$row_indx]);
        }
    }
    if ($local_out_size > 40) { $local_out_size = 40};   # row-label column is capped at 40 chars
    ## headers first, which are the n-1 parms. output if we have LOUD_OUTPUT or we actually have something.
    if ( defined ($_[$#_]->{"key_list"}) || $LOUD_OUTPUT ) { #NOTE parm#2 is always defined. See if it is a table.
        printf "\n\n";
        for ( $indx=0; $indx<$#_; $indx++) {
            printf "%s %s\n",$m_head_spc, $_[$indx]; ##headers should not be spaced over too far
        }
        # printf "\n";
    }
    ## sort the fields to print alpha by key
    my @out_fields = (0);
    my @outkeys = sort keys %{$put_table->{"key_list"} };
    my $out_fieldscnt=0;
    foreach $skey (@outkeys ) {
        $out_fields[$out_fieldscnt] = $put_table->{"key_list"}->{$skey};   # print position -> column index
        $out_fieldscnt++;
    }
    ## DEFINE CONSTANTS
    $put_cols_out=100; ## max size of output in columns of data,
    $MAX_col_size = ($put_cols_out/2)-4;
    ### compute output field sizes - go with either fixed width fields, or variable width.
    $OUT_FIELD_SIZE = 4; ## absolute minimum field size
    if ($FIXED_WIDTH_OUTPUT) {
        ## one width for every column: wide enough for the widest header and the largest value
        if ($OUT_FIELD_SIZE < $put_table->{"max header len"}) { ## max based on header size for all headers
            $OUT_FIELD_SIZE = $put_table->{"max header len"}
        }
        while ( $put_table->{"max table value"} > 10**$OUT_FIELD_SIZE) { ## max based on value size for all values
            $OUT_FIELD_SIZE++;}
        if (! $STUPID_OUTPUT ) { ## stupid output has no limits on output field size, otherwise, limit to 1/2 page
            if ( $OUT_FIELD_SIZE > $MAX_col_size) { $OUT_FIELD_SIZE = $MAX_col_size; }
        } else {
            if ( $OUT_FIELD_SIZE >= $put_cols_out) { $OUT_FIELD_SIZE = $put_cols_out -1;}
        }
        # NOTE(review): this loop runs to <= "key_count" (one past the last column) whereas the
        # variable-width branch below stops at < "key_count"; the extra pass touches an
        # unallocated column - confirm which bound is intended.
        for ($col=0; $col <=$put_table->{"key_count"}; $col++) { ## now just set output size of each col the same, truncate headers as necessary
            if ($OUT_FIELD_SIZE < $put_table->{"max col header len"}->[$col]) {
                $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
                for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                    if (defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                        if (length($put_table->{"headers"}->[$col]->[$hdr]) > $OUT_FIELD_SIZE) {
                            $put_table->{"headers"}->[$col]->[$hdr] = join("", substr($put_table->{"headers"}->[$col]->[$hdr],0,$OUT_FIELD_SIZE-3),"...");
                        }
                    }
                }
            }
            $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
        }
    } else { ## variable width output
        $OUT_FIELD_SIZE = 4; ## absolute minimum field size
        # Note $OUT_FIELD_SIZE is not reset per column, so it only ever grows across columns.
        for ($col=0; $col <$put_table->{"key_count"}; $col++) { ## now set output size of each col, truncate headers as necessary
            while ( $put_table->{"max col table value"}->[$col] > 10**$OUT_FIELD_SIZE) { ## max based on value size for all values
                $OUT_FIELD_SIZE++;}
            if ($OUT_FIELD_SIZE > $put_table->{"max col header len"}->[$col]) { ## max based on header size for all headers
                $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
            }
            if ( $put_table->{"max col header len"}->[$col] > $put_cols_out ) { ## oops - bigger than output line - shrink it
                for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                    if (defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                        if (length($put_table->{"headers"}->[$col]->[$hdr]) > $put_cols_out) {
                            $put_table->{"headers"}->[$col]->[$hdr] = join("", substr($put_table->{"headers"}->[$col]->[$hdr],0,$put_cols_out-3),"...");
                        }
                    }
                }
                $put_table->{"max col header len"}->[$col] = $put_cols_out ;
            }
        }
    }
    my $local_dashes = "---------------------------------------------------------------------------------------------------------";
    $MASTER_col = 0;
    while ($MASTER_col < $put_table->{"key_count"}) { #MAIN LOOP TO SEE ALL COLS OUTPUT
        $Out_header = 1; # need to output header for this group of stats
        $OUT_LOOP_start = $MASTER_col; ## first col to be in this set
        $OUT_spaces_used = 0;
        ## grow the chunk one column at a time until it would overflow the line
        for ($indx = $MASTER_col; $indx < $put_table->{"key_count"} && $OUT_spaces_used <= $put_cols_out; $indx++) {
            $OUT_LOOP_end = $indx;
            $OUT_spaces_used = $OUT_spaces_used + $put_table->{"max col header len"}->[$out_fields[$indx]] + 1;
        }
        if ($OUT_LOOP_end > $OUT_LOOP_start && $OUT_spaces_used > $put_cols_out ) { $OUT_LOOP_end --;} #skip the field that puts us over
        my $row_indx;
        for ($row_indx = 0; $row_indx<=$put_table->{"entry_cnt"} ; $row_indx++) { ## loop thru lines in table
            undef @put_out_detail_array;
            $check_sum = 0;
            for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                $col= $out_fields[$Tcol]; ## loop by column, then by mach in group
                $check_sum = $check_sum + $put_table->{"values"}->[$row_indx]->[$col];
                $put_out_detail_array[$col] += $put_table->{"values"}->[$row_indx]->[$col];
            }
            # NOTE(review): $i is not assigned anywhere in this sub, so "$i == 1" reads whatever
            # value a caller's loop left behind - confirm whether $row_indx was meant.
            if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum != 0 ) {
                if ($Out_header) {
                    ## header block: printed once per chunk, only above the first row that is shown
                    $Out_header = 0;
                    print " \n";
                    for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                        my($printline)=0;
                        for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                            $col= $out_fields[$Tcol];##first. see if all are undefined
                            if (defined ( ($put_table->{"headers"}->[$col]->[$hdr]) ) ) { $printline = 1; last; }
                        }
                        if ($printline) {
                            ## print "$m_head_spc";
                            printf "%${local_out_size}s",$m_head_spc;
                            for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                                $col= $out_fields[$Tcol];
                                $field_size = $put_table->{"max col header len"}->[$col];
                                if ( defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                                    printf " %${field_size}s", $put_table->{"headers"}->[$col]->[$hdr];
                                } else {
                                    printf " %${field_size}s", " ";
                                }
                            }
                            print " \n";
                        }
                    }
                    ## bottom header line: $hdr is 0 here (the loop above counted it down), so this
                    ## prints headers->[$col]->[0], the line add_list_out stored first.
                    # print "$m_head_spc";
                    printf "%${local_out_size}s",$m_head_spc;
                    for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                        $col= $out_fields[$Tcol];
                        my $Field = $put_table->{"headers"}->[$col]->[$hdr];
                        if (length($Field) > $put_table->{"max col header len"}->[$col]) {
                            $Field = join("", substr($put_table->{"headers"}->[$col]->[0],0,$put_table->{"max col header len"}->[$col]-3),"...");
                        }
                        $field_size = $put_table->{"max col header len"}->[$col];
                        printf " %${field_size}s", $Field;
                    }
                    print " \n";
                    ## dashes header
                    # print "$m_head_spc";
                    printf "%${local_out_size}s",$m_head_spc;
                    for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                        $col= $out_fields[$Tcol];
                        $field_size = $put_table->{"max col header len"}->[$col];
                        printf " %${field_size}s", substr($local_dashes,0,$put_table->{"max col header len"}->[$col]);
                    }
                    print " \n";
                }## end if $Out_header
            } ## end of LOUD_OUTPUT or non -zero
            if ($check_sum != 0 ) { ## print actual values here
                # printf "%s",
                #substr(join("",$put_table->{"host_index"}->[$row_indx]," "),0,$OUTPUT_MACHINE_FIELD_SIZE);
                printf "%${local_out_size}s",$put_table->{"host_index"}->[$row_indx];
                for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                    $col= $out_fields[$Tcol];
                    $field_size = $put_table->{"max col header len"}->[$col];
                    printf " %${field_size}d", $put_out_detail_array[$col];
                }
                print "\n";
            }
        } ## end of loop thru machines/classes
        $MASTER_col = $OUT_LOOP_end + 1;
    } ## end of loops thru chunks of stats
} # end of sub.
##
## create output tables from our primary data structure. Note that each column can be all the same
## width, or variable (nothing like one header taking up all columns to mess up the
## pattern.)
##
## put_usual_list_out - print the caption lines for a table and then the table itself.
##
## Arguments: zero or more caption strings followed by one final argument that is
## either a table hash ref (it then has a "key_list" entry) or something else.
## The captions are printed, each after $m_head_spc, when the last argument is a
## table or when $LOUD_OUTPUT is set; the table is handed to put_list_out only
## when the last argument really is a table.
## Uses the package globals $LOUD_OUTPUT and $m_head_spc.
sub put_usual_list_out {
    my $indx;
    ## $_[$#_] is the last argument; it is always present - check whether it is a table.
    if ( defined ($_[$#_]->{"key_list"}) || $LOUD_OUTPUT ) {
        printf "\n\n";
        ## every argument but the last is a caption line
        for ( $indx=0; $indx<$#_; $indx++) {
            printf "%s %s\n",$m_head_spc, $_[$indx];
        }
    }
    if ( defined ($_[$#_]->{"key_list"})) {
        put_list_out($_[$#_]);
    }
}

## put_list_out - print one table, one row per output machine/group, splitting the
## columns into chunks that fit in $put_cols_out characters.
##
## Argument: $put_table, a hash ref.  The entries read here are
##   "key_list"            - hash: column name => column index
##   "key_count"           - number of columns
##   "max header len"      - longest header text over all columns (fixed width)
##   "max table value"     - largest value over all columns (fixed width)
##   "max col header len"  - array by column: width of that column
##   "max col table value" - array by column: largest value in that column
##   "max headers"         - highest header row index; row 0 is the bottom-most
##                           header line, printed after $m_head_one
##   "headers"             - array by column of array by header row
##   "values"              - array by machine index of array by column
## "max col header len" and "headers" are modified in place (widths set,
## headers truncated with "...").
##
## Package globals read: $FIXED_WIDTH_OUTPUT, $STUPID_OUTPUT, $LOUD_OUTPUT,
## $NO_STEALTH_OUTPUT, $table_index, @outindex, @Output_table_machines,
## @Output_table_machines_cnt, @table_id, $m_head_spc, $m_head_one, $m_head_two.
## Package globals written (no "my"): $put_cols_out, $MAX_col_size,
## $OUT_FIELD_SIZE, $MASTER_col, $Out_header, $OUT_LOOP_start, $OUT_LOOP_end,
## $OUT_spaces_used, $i, $j, $jj, $col, $Tcol, $hdr, $check_sum, $field_size,
## $skey, @put_out_detail_array.
sub put_list_out {
    my($put_table) = @_;
    ## sort the fields to print alpha by key; @out_fields maps print position -> column index
    my @out_fields = (0);
    my @outkeys = sort keys %{$put_table->{"key_list"} };
    my $out_fieldscnt=0;
    foreach $skey (@outkeys ) {
        $out_fields[$out_fieldscnt] = $put_table->{"key_list"}->{$skey};
        $out_fieldscnt++;
    }
    ## DEFINE CONSTANTS
    $put_cols_out=100;                  ## max size of output in columns of data,
    $MAX_col_size = ($put_cols_out/2)-4; ## widest a fixed-width column may be (about 1/2 page)
    ### compute output field sizes - go with either fixed width fields, or variable width.
    $OUT_FIELD_SIZE = 4; ## absolute minimum field size
    if ($FIXED_WIDTH_OUTPUT) {
        ## one width for every column: wide enough for the longest header ...
        if ($OUT_FIELD_SIZE < $put_table->{"max header len"}) {
            $OUT_FIELD_SIZE = $put_table->{"max header len"}
        }
        ## ... and for the largest value (number of digits)
        while ( $put_table->{"max table value"} > 10**$OUT_FIELD_SIZE) {
            $OUT_FIELD_SIZE++;
        }
        if (! $STUPID_OUTPUT ) { ## stupid output has no limits on output field size, otherwise, limit to 1/2 page
            if ( $OUT_FIELD_SIZE > $MAX_col_size) { $OUT_FIELD_SIZE = $MAX_col_size; }
        } else {
            if ( $OUT_FIELD_SIZE >= $put_cols_out) { $OUT_FIELD_SIZE = $put_cols_out -1;}
        }
        ## NOTE(review): this loop runs to <= key_count while the variable-width loop and the
        ## main output loop below stop at < key_count - the extra element looks unintended; verify.
        for ($col=0; $col <=$put_table->{"key_count"}; $col++) { ## set output size of each col the same, truncate as necessary
            if ($OUT_FIELD_SIZE < $put_table->{"max col header len"}->[$col]) {
                $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
                ## header row 0 is not truncated here; it is cut to size when printed below
                for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                    if (defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                        if (length($put_table->{"headers"}->[$col]->[$hdr]) > $OUT_FIELD_SIZE) {
                            $put_table->{"headers"}->[$col]->[$hdr] = join("", substr($put_table->{"headers"}->[$col]->[$hdr],0,$OUT_FIELD_SIZE-3),"...");
                        }
                    }
                }
            }
            ## every column ends up with the same width, whether or not it was shrunk
            $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
        }
    } else { ## variable width output
        ## $OUT_FIELD_SIZE is not reset per column, so the value-based width can only
        ## grow from the left-most column to the right-most.
        $OUT_FIELD_SIZE = 4; ## absolute minimum field size
        for ($col=0; $col <$put_table->{"key_count"}; $col++) { ## now set output size of each col, truncate headers as necessary
            while ( $put_table->{"max col table value"}->[$col] > 10**$OUT_FIELD_SIZE) { ## max based on value size for all values
                $OUT_FIELD_SIZE++;
            }
            if ($OUT_FIELD_SIZE > $put_table->{"max col header len"}->[$col]) { ## max based on header size for all headers
                $put_table->{"max col header len"}->[$col] = $OUT_FIELD_SIZE;
            }
            if ( $put_table->{"max col header len"}->[$col] > $put_cols_out ) { ## oops - bigger than output line - shrink it
                for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                    if (defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                        if (length($put_table->{"headers"}->[$col]->[$hdr]) > $put_cols_out) {
                            $put_table->{"headers"}->[$col]->[$hdr] = join("", substr($put_table->{"headers"}->[$col]->[$hdr],0,$put_cols_out-3),"...");
                        }
                    }
                }
                $put_table->{"max col header len"}->[$col] = $put_cols_out ;
            }
        }
    }
    ## source of the "-----" underline; substr() cuts it to each column's width
    my $local_dashes = "---------------------------------------------------------------------------------------------------------";
    $MASTER_col = 0;
    while ($MASTER_col < $put_table->{"key_count"}) { #main loop to see all cols output
        $Out_header = 1; # need to output header for this group of stats
        $OUT_LOOP_start = $MASTER_col; ## first col to be in this set
        $OUT_spaces_used = 0;
        ## take columns until the line would overflow; each column costs its width + 1 space
        for ($indx = $MASTER_col; $indx < $put_table->{"key_count"} && $OUT_spaces_used <= $put_cols_out; $indx++) {
            $OUT_LOOP_end = $indx;
            $OUT_spaces_used = $OUT_spaces_used + $put_table->{"max col header len"}->[$out_fields[$indx]] + 1;
        }
        ## a column that is wider than the whole line is still printed on its own
        if ($OUT_LOOP_end > $OUT_LOOP_start && $OUT_spaces_used > $put_cols_out ) { $OUT_LOOP_end --;} #skip the field that puts us over
        for ($indx = 0; $indx<=$table_index ; $indx++) {
            $i = $outindex[$indx]; ## loop thru output machines/classes
            if ( defined $Output_table_machines[$i]) {
                ## sum every column of this chunk over the machines in group $i
                undef @put_out_detail_array;
                $check_sum = 0;
                for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                    $col= $out_fields[$Tcol]; ## loop by column, then by mach in group
                    for ($jj=0; $jj< $Output_table_machines_cnt[$i]; $jj++) {
                        $j = $Output_table_machines[$i][$jj];
                        $check_sum = $check_sum + $put_table->{"values"}->[$j]->[$col];
                        $put_out_detail_array[$col] += $put_table->{"values"}->[$j]->[$col];
                    }
                }
                ## $i == 1 is presumably the "other" group kept by $NO_STEALTH_OUTPUT - verify
                if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum != 0 ) {
                    if ($Out_header) {
                        $Out_header = 0;
                        print " \n";
                        ## header rows from the top (max headers) down to 1; row 0 is printed separately
                        for ($hdr=$put_table->{"max headers"}; $hdr>0; $hdr--) {
                            my($printline)=0;
                            ## first, see if all are undefined - skip the row entirely if so
                            for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                                $col= $out_fields[$Tcol];
                                if (defined ( ($put_table->{"headers"}->[$col]->[$hdr]) ) ) { $printline = 1; last; }
                            }
                            if ($printline) {
                                print "$m_head_spc";
                                for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                                    $col= $out_fields[$Tcol];
                                    $field_size = $put_table->{"max col header len"}->[$col];
                                    if ( defined ($put_table->{"headers"}->[$col]->[$hdr]) ) {
                                        printf " %${field_size}s", $put_table->{"headers"}->[$col]->[$hdr];
                                    } else {
                                        printf " %${field_size}s", " ";
                                    }
                                }
                                print " \n";
                            }
                        }
                        ## bottom header row: $hdr is 0 here (the loop above ran it down), so this
                        ## prints header row 0, truncated on the fly to the column width
                        print "$m_head_one";
                        for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                            $col= $out_fields[$Tcol];
                            my $Field = $put_table->{"headers"}->[$col]->[$hdr];
                            if (length($Field) > $put_table->{"max col header len"}->[$col]) {
                                $Field = join("", substr($put_table->{"headers"}->[$col]->[0],0,$put_table->{"max col header len"}->[$col]-3),"...");
                            }
                            $field_size = $put_table->{"max col header len"}->[$col];
                            printf " %${field_size}s", $Field;
                        }
                        print " \n";
                        ## dashes header
                        print "$m_head_two";
                        for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                            $col= $out_fields[$Tcol];
                            $field_size = $put_table->{"max col header len"}->[$col];
                            printf " %${field_size}s", substr($local_dashes,0,$put_table->{"max col header len"}->[$col]);
                        }
                        print " \n";
                    }## end if $Out_header
                } ## end of LOUD_OUTPUT or non -zero
                ## NOTE(review): a row whose sum is 0 is never printed, even when the condition
                ## above admitted it via $LOUD_OUTPUT or $NO_STEALTH_OUTPUT - looks like a mismatch; verify.
                if ($check_sum != 0 ) { ## print actual values here
                    printf "%s", $table_id[$i];
                    for ($Tcol=$OUT_LOOP_start;$Tcol<=$OUT_LOOP_end; $Tcol++) {
                        $col= $out_fields[$Tcol];
                        $field_size = $put_table->{"max col header len"}->[$col];
                        printf " %${field_size}d", $put_out_detail_array[$col];
                    }
                    print "\n";
                }
            } ## end of machines defined for this group/machin id
        } ## end of loop thru machines/classes
        $MASTER_col = $OUT_LOOP_end + 1;
    } ## end of loops thru chunks of stats
} # end of sub.
##
## --- output data obtained in a regular table.
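##
## put_unique_table_header_out - print the caption lines and the dash underline
## for a table whose rows are printed with a fixed printf format.
##
## Arguments:
##   $Format  - the printf format used for the data rows.  Every "%<width>d"
##              conversion in it becomes a run of <width> dashes, so the
##              underline lines up with the numeric columns.  Other
##              conversions ("%s", "%-5d", ...) are left untouched.
##   @Headers - zero or more caption strings.  All but the last are printed
##              after $m_head_spc, the last one after $m_head_one.
##
## Output: two blank lines, the captions, then $m_head_two and the dash line.
## No newline follows the dash line; the newline is expected to be part of
## $Format, as it ends the data rows too.
## Reads the package globals $m_head_spc, $m_head_one, $m_head_two.
sub put_unique_table_header_out {
    my ($Format, @Headers) = @_;

    ## "%Nd" -> N dashes, for any width (the old code listed %1d .. %12d by hand)
    my $dashlist = $Format;
    $dashlist =~ s/%(\d+)d/'-' x $1/ge;

    print "\n\n";
    if (@Headers == 0) {
        ## plain print: the head string must not be interpreted as a printf format
        print "$m_head_one\n ";
    }
    else {
        my $last = $#Headers;
        for my $this_header (0 .. $last - 1) {
            printf "%s %s\n", $m_head_spc, $Headers[$this_header];
        }
        printf "%s %s\n", $m_head_one, $Headers[$last];
    }
    print "$m_head_two $dashlist";
    return;
}

## put_unique_table_out - print one row per output machine/group for a table
## whose columns are passed as separate per-machine value arrays.
##
## Arguments:
##   $fmt      - printf format for the numeric part of a row, one "%Nd" per
##               element of @var_list; the group id is printed with "%s " in
##               front of it.
##   $Headers  - caption(s) handed to put_unique_table_header_out: an array
##               ref of strings, a single string, or undef (dash line only).
##   @var_list - one array ref per column; element [$j] is the value for
##               machine index $j.
##
## For every output group $i (taken from @outindex, positions 0 .. $table_index)
## the values of the machines listed in $Output_table_machines[$i] are summed
## column by column.  A row is printed when $LOUD_OUTPUT is set, when
## $NO_STEALTH_OUTPUT is set and $i == 1 (presumably the "other" group -
## verify), or when the summed row is non-zero.  The header is printed once,
## before the first row that qualifies, and not at all if no row does.
## Reads the package globals $table_index, @outindex, @Output_table_machines,
## @Output_table_machines_cnt, @table_id, $LOUD_OUTPUT, $NO_STEALTH_OUTPUT.
sub put_unique_table_out {
    my ($fmt, $Headers, @var_list) = @_;

    ## The caption argument was previously ignored (the header call used the
    ## package array @Headers instead); accept an array ref or a single string.
    my @header_list =
          (ref $Headers eq 'ARRAY') ? @{$Headers}
        : (defined $Headers)        ? ($Headers)
        :                             ();

    my $local_fmt  = join("", "%s ", $fmt);
    my $Out_header = 1;     ## header still to be printed for this table

    for my $indx (0 .. $table_index) {
        my $i = $outindex[$indx];           ## index by sorted output
        next unless defined $Output_table_machines[$i];

        ## sum each column over the machines that belong to group $i
        my @Out_vars;
        my $Out_Posit = 0;
        for (my $jj = 0; $jj < $Output_table_machines_cnt[$i]; $jj++) {
            my $j = $Output_table_machines[$i][$jj];    ## machine index
            $Out_Posit = 0;
            for my $parm_index (0 .. $#var_list) {
                $Out_vars[$Out_Posit++] += $var_list[$parm_index][$j];
            }
        }
        my $check_sum = 0;
        $check_sum += $_ for @Out_vars;

        if ($LOUD_OUTPUT || ($NO_STEALTH_OUTPUT && $i == 1) || $check_sum > 0) {
            if ($Out_header) {
                $Out_header = 0;
                put_unique_table_header_out($fmt, @header_list);
            }
            printf $local_fmt, $table_id[$i], @Out_vars;
        }
    }
    return;
}
##
## bugs - root login counts on pop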
## and imap may be wrong.
## todo - add sorting of line keys on ALL output