V1.0.8 Use the pl-files directory to include config file
1 #!/usr/bin/perl
2
3 #    Logchecker - perl script to check unix logfiles and notify by email
4 #    if entries appear not covered by the whitelist
5 #    Copyright (C) long time ago by Peter, peters-webcorner.de
6 #
7 #    This program is free software: you can redistribute it and/or modify
8 #    it under the terms of the GNU General Public License as published by
9 #    the Free Software Foundation, either version 3 of the License, or
10 #    (at your option) any later version.
11 #
12 #    This program is distributed in the hope that it will be useful,
13 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
14 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 #    GNU General Public License for more details.
16 #
17 #    You should have received a copy of the GNU General Public License
18 #    along with this program.  If not, see <https://www.gnu.org/licenses/>.
19
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Basename;
use File::Spec;
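# Everything logcheck.pl works with (config, list files, pid file) lives next
# to the script, so resolve its directory once.  The caller's working
# directory (e.g. cron's) is never used for lookups.
$dirname = File::Spec->rel2abs(dirname(__FILE__));

# logcheck.conf is Perl code executed with this script's privileges; it must
# only be writable by the user running logcheck.pl.  It is expected to set
# $file_whitelist, $file_logfilelist, $emailaddress and $senderaddress.
require $dirname.'/logcheck.conf';
$mode = "run";

# Up to version 1.0.4 the config carried a $logcheckpath prefix.  If it is
# still set, the file names built below would be wrong, so explain the new
# layout and stop before touching anything.
if (defined($logcheckpath)) {
    print "There was change in the configuration starting from version 1.0.5!\n";
    print "\n";
    print '$file_whitelist=$logcheckpath."logcheck.whitelist"; is now'."\n";
    print '$file_whitelist="logcheck.whitelist";'."\n";
    print "\n";
    print '$file_logfiles=$logcheckpath."logcheck.logfiles"; is now'."\n";
    print '$file_logfilelist="logcheck.logfiles";'."\n";
    print "\n";
    print '$logcheckpath="/your/path/"; is now'."\n";
    print '#$logcheckpath="/your/path/";'."\n";
    print "\nPlease make these changes before you continue using logcheck.pl\n";
    exit 1;
}

$file_pidfile = $dirname."/logcheck.pid";

# List file names are relative to the script directory.  Fall back to the
# defaults shown in the message above when the config leaves them unset, and
# leave an absolute path alone instead of gluing $dirname in front of it
# (plain concatenation produced "/script/dir//etc/whitelist" for those).
$file_whitelist = "logcheck.whitelist"
    unless defined($file_whitelist) && length($file_whitelist);
$file_logfilelist = "logcheck.logfiles"
    unless defined($file_logfilelist) && length($file_logfilelist);
$file_whitelist = File::Spec->rel2abs($file_whitelist, $dirname);
$file_logfilelist = File::Spec->rel2abs($file_logfilelist, $dirname);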
sub head() {
    # Banner shown before the help screen, the license and the pid-file
    # removal.  One element per output line; empty elements are blank lines.
    my @banner = (
        "",
        "-----------------------------",
        "This is logcheck.pl V1.0.8",
        "https://peters-webcorner.de",
        "project hosted on github",
        "https://github.com/pstimpel/logcheck",
        "",
        "Logchecker - Copyright (C) long time ago by Peter",
        "This program comes with ABSOLUTELY NO WARRANTY; for details run `-l'.",
        "This is free software, and you are welcome to redistribute it",
        "under certain conditions. Check license for details.",
        "-----------------------------",
        "",
    );
    print join("\n", @banner), "\n";
}
61
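# ---- command line ----------------------------------------------------------
# Only $ARGV[0] is looked at.  Any value that is not one of the known
# switches prints the usage screen, so "-h" (and typos) land there.  An
# absent argument is treated as "" to avoid the "uninitialized" warning.
my $arg = defined($ARGV[0]) ? $ARGV[0] : "";
my %known_switch = map { $_ => 1 } ("", "debug", "-d", "-l", "-r");

if (!$known_switch{$arg}) {
    head();
    print "Parameters:\n";
    print "logcheck.pl         normal run, parse logfiles and fire email if needed\n";
    print "logcheck.pl debug   prevents script from sending mail\n";
    print "logcheck.pl -d      prevents script from sending mail\n";
    print "logcheck.pl -l      prints license to console\n";
    # The switch handled below is -r; the old help text said -p, which this
    # script never recognised.
    print "logcheck.pl -r      removes existing pid-file with no further checks\n";
    print "logcheck.pl -h      this screen\n";
    print "PID: ".$$." \n";
    print "DIR: ".$dirname."\n";
    getpidfilecontent();
    if ($pidstring ne "unknown") {
        print "!!! PID-file existing, created by process ".$pidstring." !!!\n";
    }
    exit 0;
}

if ($arg eq "-l") {
    head();
    print "Content of license\n\n\n";
    # LICENSE sits next to the script; "cat LICENSE | more" looked in the
    # caller's working directory and went through the shell.  List-form
    # system() hands the path to the pager directly.
    my $license = $dirname."/LICENSE";
    if (-r $license) {
        system("more", $license) == 0
            or print STDERR "could not display $license\n";
    } else {
        print STDERR "$license not found or not readable\n";
    }
    exit 0;
}

if ($arg eq "-r") {
    head();
    # Deliberately no "is it still running" check: this is the manual
    # override after an aborted run.
    if (-e $file_pidfile) {
        unlink($file_pidfile)
            or print STDERR "could not remove $file_pidfile: $!\n";
    }
    print "done...\n";
    exit 0;
}

if ($arg eq "debug" || $arg eq "-d") {
    head();
    print "debug mode on...\n";
    # Debug mode prints what would be mailed instead of mailing it; every
    # later step consults $mode.
    $mode = "debug";
}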
101
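# ---- list files must exist -------------------------------------------------
# A missing list file is created empty so the user has something to edit, and
# the run stops: a first run without a whitelist would otherwise report every
# single log line.  The whitelist is checked first, as before.
foreach my $pair (["whitelist", $file_whitelist],
                  ["list of logfiles", $file_logfilelist]) {
    my ($what, $path) = @$pair;
    if (-e $path) {
        print "$what found...\n" if $mode eq "debug";
        next;
    }
    open(my $fh, ">", $path) or die "cannot create $path: $!\n";
    close($fh) or die "cannot write $path: $!\n";
    print "Please edit ".$path." first...\n";
    exit 1;
}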
128
129
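# Read a list file: one entry per line; lines starting with "#" and lines of
# at most one character are skipped (the one-character rule is kept from
# earlier versions).  Lines are chomped rather than chopped so a final line
# without a trailing newline keeps its last character.
# Returns the entries in file order; dies when the file cannot be opened,
# since a silently empty list is worse than a visible error.
sub _read_list_file {
    my ($path) = @_;
    my @entries;
    open(my $fh, "<", $path) or die "cannot read $path: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        next if length($line) <= 1;
        next if substr($line, 0, 1) eq "#";
        push @entries, $line;
    }
    close($fh);
    return @entries;
}

# Whitelist entries are regular expressions applied to every log line by
# check(); an empty whitelist is allowed but unusual.
@whitelisted = _read_list_file($file_whitelist);
if (@whitelisted) {
    print scalar(@whitelisted)." entries in whitelist found\n" if $mode eq "debug";
} elsif ($mode eq "debug") {
    print "no entries in whitelist found, may be not normal...\n";
}

# Without at least one logfile there is nothing to do.
@logfiles = _read_list_file($file_logfilelist);
if (@logfiles) {
    print scalar(@logfiles)." entries in logfile list found\n" if $mode eq "debug";
} else {
    # The old message used ".." here, which Perl parses as the range
    # operator and so printed the wrong thing.
    print "there must be at least one entry in ".$file_logfilelist."\n";
    print "ABORTING NOW!!!\n";
    exit 1;
}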
183
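# ---- pid file --------------------------------------------------------------
# Create the pid file with O_EXCL so that "is another run active?" and
# "claim the file" are one atomic step; the former "-e, then open" sequence
# let two runs started at the same moment both proceed.  When the file
# already exists the blocking run is reported as before: a message only in
# debug mode, a mail with the process list otherwise, exit 1 in both cases.
my $pidfh;
if (sysopen($pidfh, $file_pidfile, O_WRONLY | O_CREAT | O_EXCL, 0644)) {
    print {$pidfh} $$;
    close($pidfh) or die "cannot write $file_pidfile: $!\n";
} elsif ($!{EEXIST}) {
    if ($mode eq "debug") {
        print "There is a pid-file already, ".$file_pidfile.", abort execution\n";
        exit 1;
    }
    getpidfilecontent();
    my $psstring = `ps fax`;
    my $now = localtime(time());
    my $mailer = '/usr/sbin/sendmail';
    # List-form open keeps the shell out of the pipe to sendmail; -t makes
    # sendmail take the recipient from the To: header we print.
    open(my $mail, "|-", $mailer, "-t") or die "Can't open $mailer!\n";
    # $senderaddress was read into $Sender but never used; it is the
    # configured sender, so emit it as From: when it is set.
    print {$mail} "From: ".$senderaddress."\n"
        if defined($senderaddress) && length($senderaddress);
    print {$mail} "To: ".$emailaddress."\n";
    print {$mail} "Subject: Logs NOT CHECKED report $now\n\n\n";
    print {$mail} "There is a pid-file already at ".$file_pidfile.", and the execution of logcheck was aborted!\n\nRemove the pid-file, but make sure logcheck is not running anymore. See output of ps fax below\n\n";
    print {$mail} "Pid of this (the aborted process) is: ".$$."\n";
    print {$mail} "Pid of blocking process is: ".$pidstring."\n\n";
    print {$mail} $psstring."\n\n";
    close($mail) or print STDERR "sendmail did not exit cleanly\n";
    exit 1;
} else {
    die "cannot create $file_pidfile: $!\n";
}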
211
212
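# ---- main loop -------------------------------------------------------------
# For every logfile: load its ".offset" marker (the first 15 characters of
# the last line seen by the previous run), let check() collect every line
# after that marker that no whitelist pattern matches, mail the result and
# store the new marker.  check() communicates through the globals $thisfile,
# $offset, $jumpover, $outtext and $noffset.
foreach $thisfile (@logfiles) {
    $outtext = "";
    $noffset = "";
    # Reset per file: previously $offset survived from the preceding logfile
    # and could be "found" in this one, silently skipping its first lines.
    $offset = "";
    $jumpover = 0;
    print "processing ".$thisfile."\n" if $mode eq "debug";

    if (!-e $thisfile) {
        print STDERR "logfile $thisfile not found...ignoring\n";
        next;
    }

    my $offsetfile = $thisfile.".offset";
    if (-e $offsetfile) {
        print "using ".$offsetfile."\n" if $mode eq "debug";
        if (open(my $off, "<", $offsetfile)) {
            # The marker is written without a newline; chomp anyway so a
            # hand-edited file still matches.  The last line wins.
            while (my $line = <$off>) {
                chomp $line;
                $offset = $line;
                print "offset is $line\n" if $mode eq "debug";
            }
            close($off);
        } else {
            print STDERR "cannot read $offsetfile: $!\n";
        }
    }

    if ($offset ne "") {
        # Skip up to and including the marker line.  If the marker never
        # shows up (log rotated or truncated) check() leaves $jumpover at 1
        # and the whole file is rescanned without an offset.
        $jumpover = 1;
        check();
        if ($jumpover == 1) {
            unlink($offsetfile);
            print "offset not found, reparsing without offset\n" if $mode eq "debug";
            $jumpover = 0;
            $offset = "";
            check();
        }
    } else {
        # No usable marker: scan the whole file once (the old code scanned
        # it twice in this case).
        check();
    }

    if ($outtext ne "") {
        if ($mode eq "debug") {
            print "mail not sent, cause debug is enabled\n";
            print "content of mail to $emailaddress would be:\n---------------------------------\n";
            print $outtext;
            print "\n---------------------------------\nend of mail\n";
        } else {
            my $now = localtime(time());
            my $mailer = '/usr/sbin/sendmail';
            # List-form open: no shell between us and sendmail.
            open(my $mail, "|-", $mailer, "-t") or die "Can't open $mailer!\n";
            # $senderaddress is the configured sender; the old code copied it
            # into $Sender and never used it.
            print {$mail} "From: ".$senderaddress."\n"
                if defined($senderaddress) && length($senderaddress);
            print {$mail} "To: ".$emailaddress."\n";
            print {$mail} "Subject: ($thisfile) violation report $now\n\n\n";
            print {$mail} $outtext;
            close($mail) or print STDERR "sendmail did not exit cleanly\n";
            # Leave a trace in syslog; list form, fixed arguments.
            system("/usr/bin/logger", "-p", "warn", "logcheckprint");
        }
    } elsif ($mode eq "debug") {
        print "nothing to send, $thisfile seems to be ok\n";
    }

    if ($noffset ne "") {
        print "new offset written in ".$offsetfile."\n" if $mode eq "debug";
        if (open(my $out, ">", $offsetfile)) {
            print {$out} $noffset;
            close($out) or print STDERR "cannot write $offsetfile: $!\n";
        } else {
            print STDERR "cannot write $offsetfile: $!\n";
        }
    }
}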
289
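# Normal end of run: release the pid file so the next run can start.  A
# failure here is reported because a stale pid file blocks all later runs.
unlink($file_pidfile) or print STDERR "could not remove $file_pidfile: $!\n";

exit 0;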
293
294
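sub check() {
    # Scan the logfile named in $thisfile and append every line that none of
    # the @whitelisted patterns matches to $outtext.
    #
    # Globals read:    $thisfile, @whitelisted, $offset, $jumpover, $mode
    # Globals written: $outtext (appended), $noffset, $jumpover
    #
    # $jumpover == 1 means "skip lines until the one whose first 15 characters
    # equal $offset"; that marker line itself is not checked and $jumpover is
    # set to 0 for the lines after it.  If the marker never appears $jumpover
    # stays 1, which the caller uses to detect a rotated log and rescan.
    # $noffset ends up as the first 15 characters of the last line read.
    open(my $log, "<", $thisfile) or do {
        print STDERR "cannot read $thisfile: $!\n";
        return;
    };
    # Whitelist entries are regular expressions; compile each once per file
    # instead of once per line.  A pattern that does not compile still aborts
    # the run with Perl's own diagnostic, as it did when interpolated.
    my @patterns = map { qr/$_/ } @whitelisted;
    while (my $line = <$log>) {
        if ($jumpover == 0) {
            my $matched = 0;
            foreach my $re (@patterns) {
                if ($line =~ $re) {
                    $matched = 1;
                    last;    # one match is enough
                }
            }
            $outtext .= $line unless $matched;
        }
        $noffset = substr($line, 0, 15);
        if (defined($offset) && substr($line, 0, 15) eq $offset) {
            $jumpover = 0;
            print "offset found\n" if $mode eq "debug";
        }
    }
    close($log);
    return;
}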
324
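sub getpidfilecontent() {
    # Load the pid recorded in $file_pidfile into the global $pidstring.
    # The last line that is neither a "#" comment nor at most one character
    # long wins; when the file is missing or unreadable $pidstring stays
    # "unknown".  The pid is written without a trailing newline, so the line
    # is chomped, not chopped: chop() used to drop the pid's last digit.
    # The value is also returned for callers that prefer it to the global.
    $pidstring = "unknown";
    if (open(my $fh, "<", $file_pidfile)) {
        while (my $line = <$fh>) {
            chomp $line;
            next if length($line) <= 1;
            next if substr($line, 0, 1) eq "#";
            $pidstring = $line;
        }
        close($fh);
    }
    return $pidstring;
}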