[Logwatch-Devel] Logwatch pre3.2 released

Kenneth Porter shiva@sewingwitch.com
17 Jun 2002 17:06:08 -0700


On Sun, 2002-06-16 at 19:51, Kirk Bauer wrote:
> This pre3.2 release should have all pending patches that have been sent
> in (thanks everybody!). 
> I'll probably release a final version in the next day or two, so let me
> know if I missed anything or if there are any problems.

Looks like the iptables pattern is matching only one form of log line,
and the iptables log lines vary quite a bit in which fields are logged,
so I end up with a bunch of stuff in the %kernel hash.

You might want to look at the way DShield (http://www.dshield.org/)
handles iptables. I'm attaching the relevant piece of Perl.

Content-Disposition: inline; filename=dshield-iptables.parser

# Beginning of iptables Parser

# Framework for parsing of the log line
# @rline - array to be returned holding the required values for Dshield
#  $rline[0] - date in yyyy-mm-dd HH:MM:SS tz format
#  $rline[1] - Dshield user ID
#  $rline[2] - number of lines this log entry represents (normally 1)
#  $rline[3] - source IP in dotted decimal format (x.x.x.x)
#  $rline[4] - numeric source port for TCP/UDP or the ICMP type
#  $rline[5] - destination IP in dotted decimal format (x.x.x.x)
#  $rline[6] - numeric destination port for TCP/UDP or the ICMP code
#  $rline[7] - protocol in uppercase
#  $rline[8] - TCP flags (SFAPRU12)
# Global variables defined by calling routine
# $this_year - Current year in YYYY format
# $this_month - Current month in numerical format.  '1' for Jan.
# %Month - Hash mapping three letter month abbreviations to numbers
# $tz - (i.e. -04:00 for EDT)
# $userid - Dshield user ID
# $line_filter  Regex that each line must match.
# $line_exclude Regex for lines we want to exclude.
# $reason_skipped  You fill this with the reason the line wasn't parsed.

# The globals above are set by the calling framework; declared here so the
# fragment also compiles stand-alone under 'use strict'.
our ($this_year, $this_month, %Month, $tz, $userid,
     $line_filter, $line_exclude, $reason_skipped);

sub parse {
    my $line = shift;
    my @rline;
    my (%param, $name, $value);
    my ($srcpt, $dstpt);
    my $flags = "";
    my $year;

    #print "$line\n" if ($verbose eq 'Y');
    $reason_skipped = "Does not contain 'kernel:'";
    return 0 unless ( $line =~ /kernel:/ );

    # Is this any kind of packet filter log line?
    if ($line_filter) {
        $reason_skipped = "Does not contain '$line_filter'";
        return 0 unless ( $line =~ /$line_filter/ );
    }

    # Or maybe it has something undesirable that we don't want to see?
    if ($line_exclude) {
        $reason_skipped = "Contains '$line_exclude'";
        return 0 if ( $line =~ /$line_exclude/ );
    }

    my @fields = split(' ', $line);

    # First do date/time
    my $month = $fields[0];
    my $day   = $fields[1];
    my $time  = $fields[2];

    # Syslog gives the month as a three letter name; turn it into a number
    # via the caller's %Month hash (assumed mapping, e.g. 'Jan' => 1).
    $reason_skipped = "Unknown month '$month'";
    return 0 unless defined $Month{$month};
    $month = $Month{$month};

    # iptables log does not have the year.  So we take a guess at it.
    # Let's hope that we aren't processing more than one year.  :-(
    if ($month <= $this_month) {
        $year = $this_year;
    } else {
        $year = $this_year - 1;
    }
    my $date = sprintf("%0.4d-%0.2d-%0.2d %s %s", $year, $month, $day, $time, $tz);

    # Put the rest of the fields in a hash.  iptables writes most fields as
    # NAME=VALUE; TCP flags (SYN, ACK, RST, URG, ...) and DF appear as bare
    # names, which are recorded as set.
    foreach ( @fields ) {
        ($name, $value) = split(/=/, $_, 2);
        $param{$name} = defined $value ? $value : '1';
    }

    if ( $param{"PROTO"} eq "TCP" ) {
        # RST and URG are bare flag tokens like SYN and ACK (RES= is the
        # reserved bits and URGP= the urgent pointer, neither is a flag).
        $flags .= "R" if ( $param{"RST"} );
        $flags .= "U" if ( $param{"URG"} );
        $flags .= "S" if ( $param{"SYN"} );
        $flags .= "A" if ( $param{"ACK"} );
    }

    if ( $param{"PROTO"} eq "ICMP" ) {
        # ICMP has no ports; the type and code go in their place
        $srcpt = $param{"TYPE"};
        $dstpt = $param{"CODE"};
    } else {
        $srcpt = $param{"SPT"};
        $dstpt = $param{"DPT"};
    }

    # Only fill the output fields if we are valid.
    if ( $date && $param{"SRC"} && ($srcpt ne '') && $param{"DST"}
         && ($dstpt ne '') && ($param{"PROTO"} ne '') ) {
        $rline[0] = $date;
        $rline[1] = $userid;
        $rline[2] = "1";
        $rline[3] = $param{'SRC'};
        $rline[4] = $srcpt;
        $rline[5] = $param{'DST'};
        $rline[6] = $dstpt;
        $rline[7] = $param{'PROTO'};
        $rline[8] = $flags;
    } else {
        $reason_skipped = "Failed to parse";
        return 0;
    }

    return @rline;
}
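The point made in the message, that iptables lines vary in which fields they carry, is why a single fixed pattern leaves leftovers in %kernel. The following is an added example, not code from the message, from Logwatch or from DShield, of the field-agnostic approach the attached parser takes: split the line into NAME=VALUE fields and bare flag tokens first, then pick the per-protocol fields. It assumes standard netfilter LOG output behind a "kernel:" syslog prefix with IN= as the first field; the function name, the hash keys it returns and the sample lines are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original message, Logwatch or DShield):
# a field-agnostic parser for netfilter/iptables kernel log lines. Rather
# than one fixed regex, it splits the line into KEY=VALUE fields and bare
# flag tokens, so TCP, UDP and ICMP lines with different field sets all land
# in one hash, and only then selects the per-protocol fields. The sample
# lines at the bottom are constructed for this example.
use strict;
use warnings;

# Tokens that the LOG target prints without a value: IP header and TCP flags.
my %BARE = map { $_ => 1 } qw(DF MF CE CWR ECE URG ACK PSH RST SYN FIN);

# parse_iptables($line): returns a hashref with src, dst, proto, sport, dport,
# flags (TCP only) and prefix, or undef when the line is not an iptables line.
# Assumes the syslog form "Mon DD HH:MM:SS host kernel: [prefix] IN=...".
sub parse_iptables {
    my ($line) = @_;

    # Everything up to "kernel:" is syslog; IN= is always the first netfilter
    # field, so whatever sits between the two is the --log-prefix text.
    return undef unless $line =~ /\bkernel:\s*(.*?)\s*(IN=.*)$/;
    my ($prefix, $body) = ($1, $2);

    # ICMP error messages carry the offending packet's header in [...];
    # drop it so its SRC=/DST= do not overwrite the outer ones.
    $body =~ s/\[.*?\]//g;

    my %p;
    for my $tok (split ' ', $body) {
        if ($tok =~ /^([A-Z]+)=(.*)$/) {
            $p{$1} = $2;          # KEY=VALUE field; "OUT=" gives an empty value
        } elsif ($BARE{$tok}) {
            $p{$tok} = 1;         # bare flag token
        }
        # anything else (e.g. "OPT (...)" option dumps) is ignored
    }
    return undef unless defined $p{SRC} && defined $p{DST} && defined $p{PROTO};

    my %r = (prefix => $prefix, src => $p{SRC}, dst => $p{DST}, proto => $p{PROTO});

    if ($p{PROTO} eq 'ICMP') {
        # ICMP has no ports; type and code take their place
        ($r{sport}, $r{dport}) = ($p{TYPE}, $p{CODE});
    } else {
        # TCP and UDP both carry SPT=/DPT=
        ($r{sport}, $r{dport}) = ($p{SPT}, $p{DPT});
    }

    if ($p{PROTO} eq 'TCP') {
        # Flag string in the order used by the DShield format (SFAPRU)
        my $f = '';
        $f .= 'S' if $p{SYN};
        $f .= 'F' if $p{FIN};
        $f .= 'A' if $p{ACK};
        $f .= 'P' if $p{PSH};
        $f .= 'R' if $p{RST};
        $f .= 'U' if $p{URG};
        $r{flags} = $f;
    }
    return \%r;
}

# Constructed sample lines: a SYN to ssh with a log prefix, a UDP DNS query,
# an ICMP echo request, and an unrelated syslog line that must be rejected.
my @samples = (
    'Jun 17 10:01:02 fw kernel: DROP-IN: IN=eth0 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0',
    'Jun 17 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.6 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=58',
    'Jun 17 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1',
    'Jun 17 10:01:05 fw sshd[123]: Accepted publickey for alice from 192.0.2.20 port 51234',
);

for my $line (@samples) {
    my $r = parse_iptables($line);
    if (!$r) {
        print "skipped: not an iptables line\n";
        next;
    }
    printf "%-4s %s:%s -> %s:%s flags=%s prefix='%s'\n",
        $r->{proto}, $r->{src}, $r->{sport}, $r->{dst}, $r->{dport},
        $r->{flags} // '-', $r->{prefix};
}
```

Because the tokenizer never depends on field order or on a particular field being present, a line whose kernel emits an extra field (a second LEN= for UDP, or ID=/SEQ= for ICMP) still parses, and a line that lacks SRC=, DST= or PROTO= is rejected explicitly rather than matching a partial pattern and leaving residue in a catch-all bucket.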