3 # Logchecker - perl script to check unix logfiles and notify by email
4 # if entries appear not covered by the whitelist
5 # Copyright (C) long time ago by Peter, peters-webcorner.de
7 # This program is free software: you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <https://www.gnu.org/licenses/>.
# Load the site configuration. `require` executes logcheck.conf as Perl code
# with the privileges of this script, so the file should be writable only by
# the account that owns the checker.
# NOTE(review): the name is relative and is looked up through @INC; since
# Perl 5.26 the current directory is no longer on @INC, so this may fail or
# pick up a same-named file from another @INC directory. Loading it by an
# absolute path built from the script directory would avoid that -- confirm
# against the Perl versions in use.
14 require 'logcheck.conf';
# Absolute directory of this script. File::Spec and dirname() are presumably
# imported on lines not shown in this listing.
25 $dirname = File::Spec->rel2abs(dirname(__FILE__));
# The pid-file and both list files live in the script directory, not in the
# current working directory.
27 $file_pidfile = $dirname."/logcheck.pid";
# $file_whitelist and $file_logfilelist are not assigned in any visible line
# before this point; presumably logcheck.conf sets them as names relative to
# the script directory -- verify.
29 $file_whitelist = $dirname."/".$file_whitelist;
30 $file_logfilelist = $dirname."/".$file_logfilelist;
# Startup banner on STDOUT: script version, project URLs and the GPL notice.
34 print "-----------------------------\n";
35 print "This is logcheck.pl V1.0.5\n";
36 print "https://peters-webcorner.de\n";
37 print "project hosted on github\n";
38 print "https://github.com/pstimpel/logcheck\n\n";
39 print "Logchecker - Copyright (C) long time ago by Peter\n";
40 print "This program comes with ABSOLUTELY NO WARRANTY; for details run `-l'.\n";
41 print "This is free software, and you are welcome to redistribute it\n";
42 print "under certain conditions. Check license for details.\n";
43 print "-----------------------------\n\n";
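# Usage screen. Any non-empty first argument other than "debug", "-l", "-r"
# and "-d" lands here, which is also how "-h" is served.
46 if (($ARGV[0] ne "") && ($ARGV[0] ne "debug") && ($ARGV[0] ne "-l") && ($ARGV[0] ne "-r") && ($ARGV[0] ne "-d")) {
48 print "Parameters:\n";
49 print "logcheck.pl normal run, parse logfiles and fire email if needed\n";
50 print "logcheck.pl debug prevents script from sending mail\n";
51 print "logcheck.pl -d prevents script from sending mail\n";
52 print "logcheck.pl -l prints license to console\n";
# The pid-file removal switch is "-r": that is the value the argument check
# above accepts and the value the unlink branch tests. The usage text used to
# advertise "-p", which only brought up this screen again.
53 print "logcheck.pl -r removes existing pid-file with no further checks\n";
54 print "logcheck.pl -h this screen\n";
55 print "PID: ".$$." \n";
56 print "DIR: ".$dirname."\n";
# $pidstring is "unknown" unless a pid-file was read; presumably
# getpidfilecontent() is called on a line not shown here -- verify.
58 if($pidstring ne "unknown") {
59 print "!!! PID-file existing, created by process ".$pidstring." !!!\n";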
# "-l": page the licence text through `more`.
# NOTE(review): 'LICENSE' is resolved against the current working directory,
# not $dirname, and `cat`/`more` are found through PATH; the command string
# itself is constant, so no argument data reaches the shell.
65 if ($ARGV[0] eq "-l") {
67 print "Content of license\n\n\n";
68 system('cat LICENSE | more');
# "-r": delete the pid-file unconditionally. Nothing visible here checks
# whether the process that wrote it is still alive, so using this while a run
# is in progress lets a second instance start next to it.
72 if ($ARGV[0] eq "-r") {
74 unlink($file_pidfile);
# "debug" / "-d": announce debug mode. Later code tests $mode eq "debug"; the
# assignment to $mode is presumably on a line not shown here.
79 if ($ARGV[0] eq "debug" || $ARGV[0] eq "-d") {
81 print "debug mode on...\n";
# Make sure the whitelist file exists. The open for writing below presumably
# sits in the else branch (not shown) and creates the file so the operator
# can fill it in.
# NOTE(review): the whitelist decides which log lines are never reported, so
# write access to it is the ability to silence alerts; the file is created
# with whatever the umask allows and should be restricted to the checker's
# account. The open result is not checked, and the two-argument form parses
# the mode out of the same string as the name; the three-argument form
# open(my $fh, '>', $file_whitelist) keeps them apart.
86 if (-e $file_whitelist) {
87 if($mode eq "debug") {
88 print "whitelist found...\n";
93 open(ADR, ">$file_whitelist");
96 print "Please edit ".$file_whitelist." first...\n";
# Same existence check for the list of logfiles to scan.
100 if (-e $file_logfilelist) {
101 if($mode eq "debug") {
102 print "list of logfiles found...\n";
105 open(ADR, ">$file_logfilelist");
108 print "Please edit ".$file_logfilelist." first...\n";
# Read the whitelist: every line whose first character is not '#' is kept in
# @whitelisted. The open result is not checked, so an unreadable file simply
# yields no entries.
# NOTE(review): how an entry is compared with a log line is not visible in
# this listing. If entries are used as patterns, a blank or very short line
# would match (and so suppress) nearly everything -- confirm, and consider
# skipping empty lines here.
115 open(ADR, "<$file_whitelist");
120 if (substr($_,0,1) ne "#")
123 push @whitelisted, $_;
# $read presumably counts the accepted lines; its update is not shown.
129 if($mode eq "debug") {
130 print $read." entries in whitelist found\n";
# An empty whitelist is only mentioned in debug mode; a normal run continues
# silently and would report every log line.
135 if($mode eq "debug") {
136 print "no entries in whitelist found, may be not normal...\n";
# Read the list of logfiles with the same '#' comment rule. The lines that
# store each entry (presumably in @logfiles) are not shown.
143 open(ADR, "<$file_logfilelist");
148 if (substr($_,0,1) ne "#")
157 if($mode eq "debug") {
158 print $read." entries in logfile list found\n";
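# Fatal configuration message: per its text, shown when the logfile list has
# no entries. The pieces are joined with the concatenation operator "."; the
# earlier ".." is Perl's range operator, which does not append the file name
# and newline to the message.
163 print "there must be at least one entry in ".$file_logfilelist."\n";
164 print "ABORTING NOW!!!\n";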
# Single-instance guard: an existing pid-file aborts the run and mails the
# operator.
# NOTE(review): this -e test and the open(">...") that writes the pid-file
# further down are separate steps, so two runs starting at the same moment
# can both pass the test. An exclusive create (sysopen with
# O_WRONLY|O_CREAT|O_EXCL) would make check-and-create one atomic step.
168 if (-e $file_pidfile) {
169 if($mode eq "debug") {
170 print "There is a pid-file already, ".$file_pidfile.", abort execution\n";
# Capture the full process tree for the report. `ps` is found through PATH.
# NOTE(review): `ps fax` lists every user's processes with their command-line
# arguments, so anything passed on a command line (tokens, passwords) is
# copied into the mail below; consider limiting the listing to this script.
174 $psstring = `ps fax`;
# Human-readable timestamp for the subject line ("Jetztzeit" = current time);
# $Jetztwert is presumably set from time() on a line not shown.
176 $Jetztzeit = localtime($Jetztwert);
177 $mailer = '/usr/sbin/sendmail';
178 $Sender = $senderaddress;
# Pipe the message to sendmail; -t makes it take the recipients from the
# headers written below. $mailer is the constant assigned above, so no
# outside data reaches this command string.
179 open(MAIL, "|$mailer -t") || die "Can't open $mailer!\n";
# $emailaddress is not assigned in the visible lines; presumably it comes
# from logcheck.conf.
180 print MAIL "To: ".$emailaddress."\n";
181 print MAIL "Subject: Logs NOT CHECKED report $Jetztzeit\n\n\n";
182 print MAIL "There is a pid-file already at ".$file_pidfile.", and the execution of logcheck was aborted!\n\nRemove the pid-file, but make sure logcheck is not running anymore. See output of ps fax below\n\n";
183 print MAIL "Pid of this (the aborted process) is: ".$$."\n";
184 print MAIL "Pid of blocking process is: ".$pidstring."\n\n";
186 print MAIL $psstring."\n\n";
# No pid-file was found: create one for this run. The write of the pid itself
# is presumably on a line not shown; the open result is not checked, so a
# failure to create the file leaves the run unguarded.
192 open(ADR, ">$file_pidfile");
# Main loop: scan every configured logfile and mail the lines that the
# whitelist does not cover.
197 foreach $thisfile (@logfiles) {
202 if($mode eq "debug") {
203 print "processing ".$thisfile."\n";
# Resume position from the previous run, kept in "<logfile>.offset" next to
# the log itself.
# NOTE(review): this requires write access to the log directory, and anyone
# else who can write there can edit the offset to change where the next scan
# starts. A state directory owned by the checker would be a safer home for
# these files.
209 if(-e $thisfile.".offset") {
210 if($mode eq "debug") {
211 print "using ".$thisfile.".offset\n";
# $thisfile comes from the logfile list; with two-argument open the mode is
# parsed from the same string as the name, and the result is not checked.
214 open(OFF,"<$thisfile.offset");
218 if($mode eq "debug") {
219 print "offset is $_\n";
# The stored offset did not turn up in the log (per the message below): drop
# it and scan the whole file again.
227 unlink($thisfile.".offset");
228 if($mode eq "debug") {
229 print "offset not found, reparsing without offset\n";
# $outtext holds the log lines collected for the report; empty means clean.
235 if ($outtext ne "") {
236 if($mode eq "debug") {
237 print "mail not sent, cause debug is enabled\n";
238 print "content of mail to $emailaddress would be:\n---------------------------------\n";
240 print "\n---------------------------------\nend of mail\n";
# Normal mode: send the report through sendmail, as in the pid-file alert.
243 $Jetztzeit = localtime($Jetztwert);
244 $mailer = '/usr/sbin/sendmail';
245 $Sender = $senderaddress;
246 open(MAIL, "|$mailer -t") || die "Can't open $mailer!\n";
247 print MAIL "To: ".$emailaddress."\n";
# $thisfile is placed in a header line. NOTE(review): this is only safe if
# entries of the logfile list cannot contain a line break -- confirm that the
# list reader strips line endings. The log lines themselves are written by
# other programs and should only ever be emitted after the blank line that
# ends the headers, as the "\n\n\n" here arranges.
248 print MAIL "Subject: ($thisfile) violation report $Jetztzeit\n\n\n";
# Fixed logger command line; where it is executed is not shown.
251 $command="\/usr\/bin\/logger -p warn logcheckprint";
255 if($mode eq "debug") {
256 print "nothing to send, $thisfile seems to be ok\n";
# Remember where this scan stopped so the next run can resume from there.
259 if ($noffset ne "") {
260 if($mode eq "debug") {
261 print "new offset written in ".$thisfile.".offset\n";
263 open(ADR, ">$thisfile.offset");
# A configured logfile that does not exist is reported on STDERR and skipped.
# NOTE(review): a log that has vanished (deleted or moved) therefore produces
# no mail; consider treating it as a reportable event.
270 print STDERR "logfile $thisfile not found...ignoring\n";
# Release the single-instance guard at the end of the run.
274 unlink($file_pidfile);
280 # checks the logfile itself
# Open the logfile named by $thisfile for reading. The result is not checked;
# the three-argument form open(my $fh, '<', $thisfile) would keep the mode
# separate from a name taken from the logfile list.
# NOTE(review): the enclosing sub or loop header is not visible in this
# listing.
281 open(LOG,"<$thisfile");
# $jumpover == 0 presumably means the scan is past the stored offset, so the
# line is compared with each whitelist entry; the comparison itself is on
# lines not shown.
284 if ($jumpover == 0) {
286 foreach $wltext (@whitelisted)
# Append the current line to the report text.
295 $outtext=$outtext.$_;
# The first 15 characters of the line become the candidate offset for the
# next run (presumably the classic syslog timestamp, which has no year --
# confirm for logs in other formats). Lines sharing those 15 characters
# cannot be told apart when resuming.
298 $noffset = substr($_,0,15,);
# The line carrying the stored offset has been reached.
299 if(substr($_,0,15) eq $offset) {
301 if($mode eq "debug") {
302 print "offset found\n";
309 sub getpidfilecontent() {
310 $pidstring="unknown";
311 open(ADR, "<$file_pidfile");
316 if (substr($_,0,1) ne "#")