[Logwatch-Devel] Patch against cisco service

Hugo van der Kooij hvdkooij at vanderkooij.org
Tue Oct 2 04:23:38 MST 2007


Hi,

Enclosed is the patch against the Cisco service. A small change still needs to be 
made to document the use of this CatchUnknown variable in the config file. 
(Does anyone have a suggestion?)

Hugo.


--- cisco.CVS-1.10	2007-09-20 02:15:08.000000000 +0200
+++ cisco	2007-10-02 13:16:01.000000000 +0200
@@ -19,6 +19,7 @@

  $Debug = ValueOrDefault($ENV{'LOGWATCH_DEBUG'}, 0);
  $Detail = ValueOrDefault($ENV{'LOGWATCH_DETAIL_LEVEL'}, 0);
+$CatchUnknown = ValueOrDefault($ENV{'catch_unknown'}, 0);

  # Avoid "Use of uninitialized value" warning messages.
  sub ValueOrDefault {
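Review bot: Defaulting `$CatchUnknown` to 0 switches off the unmatched-entries report for every existing installation, because the third hunk replaces the final `else` with `elsif ( $CatchUnknown >= 1 )`. In a log summary, silently dropping unrecognised device messages removes the one place where new or unexpected events would surface, so the previous behaviour is the safer default: `$CatchUnknown = ValueOrDefault($ENV{'catch_unknown'}, 1);`. A comment on the new line would also help, e.g. `# Set catch_unknown to 0 in the service config to suppress the report of unmatched lines.` The attached copy of the patch repeats this hunk, and the body of `ValueOrDefault` lies outside it.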
@@ -174,6 +175,9 @@
        }
        $InspectDrop++;
     }
+   elsif ( ($ACL,$source,$count) = ($ThisLine =~ /SEC-6-IPACCESSLOGSP: list (.*) denied igmp (.*) -> 224.0.0.1 \(17\), (.*) packet(|s)/) ) {
+      $dropigmp{$host}{$ACL}{$source} += $count;
+   }
     elsif ($ThisLine =~ /%FW-3-HTTP_JAVA_BLOCK/) {
        $JavaBlock++;
     }
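Review bot: The new IGMP pattern is looser than the message it targets: the dots in `224.0.0.1` match any character, the greedy `(.*)` groups can take in more of the line than the ACL name and the source, and `$count` is added with `+=` without being restricted to digits. Since the text comes from device syslog, and assuming ACL names and sources contain no spaces, I would tighten it to `/SEC-6-IPACCESSLOGSP: list (\S+) denied igmp (\S+) -> 224\.0\.0\.1 \(17\), (\d+) packets?/`. The same applies to the `SEC-6-IPACCESSLOGRL` pattern in the third hunk, where `(\d+) packets?` would do. The if/elsif chain this branch belongs to starts and ends outside the hunk.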
@@ -411,7 +415,22 @@
     elsif ( ($interface) = ($ThisLine =~ /AMDP2_FE-5-COLL: (.*)/) ) {
        $ExcessiveCollision{$host}{$interface}++;
     }
-   else {
+   elsif ( ($hash) = ($ThisLine =~ /AUDIT-5-STARTUP_CONFIG: Startup Configuration changed. Hash: (.*)/) ) {
+      $StartConfigChange{$host}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-4-PEERUNREACH: Peer (.*) is unreachable/) ) {
+      $NTPpeerUnreach{$host}{$ntppear}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-5-PEERSYNC: NTP synced to peer (.*)/) ) {
+      $NTPpeerSync{$host}{$ntppear}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-6-PEERREACH: Peer (.*) is reachable/) ) {
+      $NTPpeerReach{$host}{$ntppear}++;
+   }
+   elsif ( ($count) = ($ThisLine =~ /SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (.*) packet(|s)/) ) {
+      $ACLmissed{$host} += $count;
+   }
+   elsif ( $CatchUnknown >= 1 ) {
        # Report any unmatched entries...
        chomp $ThisLine;
        ($msg) = ($ThisLine =~ /(%.*)/);
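Review bot: `$StartConfigChange{$host}` is incremented in the new `AUDIT-5-STARTUP_CONFIG` branch, but none of the report sections added by this patch prints it. Because the line now matches, it also no longer reaches the unmatched-entries branch, so unless the hash is reported elsewhere in the file a startup-configuration change drops out of the summary entirely. The captured `$hash` is discarded as well; keeping it with `$StartConfigChange{$host}{$hash}++;` and adding a report block shaped like the NTP ones would make the change visible to the reader. The elsif chain begins before this hunk and the catch-unknown branch continues past its last line.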
@@ -1070,7 +1089,57 @@
     	foreach $ThatOne (sort keys %{$ICMP_Echo_Req{$ThisOne}}) {
           print "\t " .$ThatOne . "\t: " . $ICMP_Echo_Req{$ThisOne}{$ThatOne} . " Time(s)\n";
        }
-  }
+   }
+}
+
+if (keys %NTPpeerSync) {
+   print "\nNTP peer synced on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerSync) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerSync{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerSync{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %NTPpeerReach) {
+   print "\nNTP peer reachable on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerReach) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerReach{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerReach{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %NTPpeerUnreach) {
+   print "\nNTP peer unreachable on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerUnreach) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerUnreach{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerUnreach{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %ACLmissed) {
+   print "\nACL logging missed/rate-limited on device :\n";
+   foreach $ThisOne (sort keys %ACLmissed) {
+   	print "   " . $ThisOne . " : " . $ACLmissed{$ThisOne} . " Time(s)\n";
+   }
+}
+
+if (keys %dropigmp) {
+   print "\nACL IGMP on device :\n";
+   foreach $ThisOne (sort keys %dropigmp) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$dropigmp{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t:\n";
+   	   foreach $WhichOne (sort keys %{$dropigmp{$ThisOne}{$ThatOne}}) {
+            print "\t     " .$WhichOne . "\t: " . $dropigmp{$ThisOne}{$ThatOne}{$WhichOne} . " Time(s)\n";
+         }
+      }
+   }
  }

  if (keys %ICMP_Echo_Rep) {
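Review bot: `%ACLmissed` and `%dropigmp` hold packet totals (both are filled with `+= $count` in the earlier hunks), yet their report lines end in `" Time(s)\n"`, which labels a packet count as an event count. I would print `" Packet(s)\n"` in those two sections, and a heading such as `"\nIGMP denied by ACL on device :\n"` would say what the last section lists. The added lines also mix tabs and spaces for indentation, which makes the nesting of the `foreach` loops hard to follow. The `if (keys %ICMP_Echo_Rep)` block at the end of the hunk continues outside it.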

-- 
 	hvdkooij at vanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 	(Thanks JFK, for this quote of George Bernard Shaw.)
-------------- next part --------------
--- cisco.CVS-1.10	2007-09-20 02:15:08.000000000 +0200
+++ cisco	2007-10-02 13:16:01.000000000 +0200
@@ -19,6 +19,7 @@
 
 $Debug = ValueOrDefault($ENV{'LOGWATCH_DEBUG'}, 0);
 $Detail = ValueOrDefault($ENV{'LOGWATCH_DETAIL_LEVEL'}, 0);
+$CatchUnknown = ValueOrDefault($ENV{'catch_unknown'}, 0);
 
 # Avoid "Use of uninitialized value" warning messages.
 sub ValueOrDefault {
@@ -174,6 +175,9 @@
       }
       $InspectDrop++;
    }
+   elsif ( ($ACL,$source,$count) = ($ThisLine =~ /SEC-6-IPACCESSLOGSP: list (.*) denied igmp (.*) -> 224.0.0.1 \(17\), (.*) packet(|s)/) ) {
+      $dropigmp{$host}{$ACL}{$source} += $count;
+   }
    elsif ($ThisLine =~ /%FW-3-HTTP_JAVA_BLOCK/) {
       $JavaBlock++;
    }
@@ -411,7 +415,22 @@
    elsif ( ($interface) = ($ThisLine =~ /AMDP2_FE-5-COLL: (.*)/) ) {
       $ExcessiveCollision{$host}{$interface}++;
    }
-   else {
+   elsif ( ($hash) = ($ThisLine =~ /AUDIT-5-STARTUP_CONFIG: Startup Configuration changed. Hash: (.*)/) ) {
+      $StartConfigChange{$host}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-4-PEERUNREACH: Peer (.*) is unreachable/) ) {
+      $NTPpeerUnreach{$host}{$ntppear}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-5-PEERSYNC: NTP synced to peer (.*)/) ) {
+      $NTPpeerSync{$host}{$ntppear}++;
+   }
+   elsif ( ($ntppear) = ($ThisLine =~ /NTP-6-PEERREACH: Peer (.*) is reachable/) ) {
+      $NTPpeerReach{$host}{$ntppear}++;
+   }
+   elsif ( ($count) = ($ThisLine =~ /SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (.*) packet(|s)/) ) {
+      $ACLmissed{$host} += $count;
+   }
+   elsif ( $CatchUnknown >= 1 ) {
       # Report any unmatched entries...
       chomp $ThisLine;
       ($msg) = ($ThisLine =~ /(%.*)/);
@@ -1070,7 +1089,57 @@
    	foreach $ThatOne (sort keys %{$ICMP_Echo_Req{$ThisOne}}) {
          print "\t " .$ThatOne . "\t: " . $ICMP_Echo_Req{$ThisOne}{$ThatOne} . " Time(s)\n";
       }
-  }
+   }
+}
+
+if (keys %NTPpeerSync) {
+   print "\nNTP peer synced on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerSync) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerSync{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerSync{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %NTPpeerReach) {
+   print "\nNTP peer reachable on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerReach) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerReach{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerReach{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %NTPpeerUnreach) {
+   print "\nNTP peer unreachable on device :\n";
+   foreach $ThisOne (sort keys %NTPpeerUnreach) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$NTPpeerUnreach{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t: " . $NTPpeerUnreach{$ThisOne}{$ThatOne} . " Time(s)\n";
+      }
+   }
+}
+
+if (keys %ACLmissed) {
+   print "\nACL logging missed/rate-limited on device :\n";
+   foreach $ThisOne (sort keys %ACLmissed) {
+   	print "   " . $ThisOne . " : " . $ACLmissed{$ThisOne} . " Time(s)\n";
+   }
+}
+
+if (keys %dropigmp) {
+   print "\nACL IGMP on device :\n";
+   foreach $ThisOne (sort keys %dropigmp) {
+   	print "   " . $ThisOne . ":\n";
+   	foreach $ThatOne (sort keys %{$dropigmp{$ThisOne}}) {
+         print "\t " .$ThatOne . "\t:\n";
+   	   foreach $WhichOne (sort keys %{$dropigmp{$ThisOne}{$ThatOne}}) {
+            print "\t     " .$WhichOne . "\t: " . $dropigmp{$ThisOne}{$ThatOne}{$WhichOne} . " Time(s)\n";
+         }
+      }
+   }
 }
 
 if (keys %ICMP_Echo_Rep) {

