[Logwatch] logwatch 2.6: scripts for FreeS/WAN and stunnel

Jay Berkenbilt ejb@ql.org
Sun, 14 Jul 2002 13:45:20 -0400


Attached is a patch to add new scripts for FreeS/WAN and stunnel.  I
run various stunnel services from xinetd and also have FreeS/WAN
installed.  Both of these log to /var/log/secure.  This patch includes
configuration files for both new services, scripts for both new
services, and a one-line patch to secure.conf to omit Pluto and
stunnel from the general "secure" log.  In order for exclusion of
Pluto (or pluto) to work, my previous patch fixing the "secure" script
to do a case-insensitive match is required.

I hope you will consider these submissions for inclusion in a future
version of logwatch.

--
Jay Berkenbilt <ejb@ql.org>
http://www.ql.org/q/


---------------------------------------------------------------------------

--- conf/services/secure.conf.qdist	Mon Apr 15 17:21:54 2002
+++ conf/services/secure.conf	Sun Jul 14 12:51:31 2002
@@ -23,7 +23,7 @@
 # It is commented out by default, but you can uncomment it
 # and ignore as many services as you would like.
 # (we ignore sshd because its entries are processed by the sshd script)
-$ignore_services = sshd
+$ignore_services = Pluto sshd stunnel
 
 ########################################################
 # This was written and is maintained by:
--- conf/services/freeswan.conf.qdist	Sun Jul 14 13:12:48 2002
+++ conf/services/freeswan.conf	Sun Jul 14 11:26:36 2002
@@ -0,0 +1,20 @@
+###########################################################################
+# $Id: $
+###########################################################################
+
+# You can put comments anywhere you want to.  They are effective for the
+# rest of the line.
+
+# this is in the format of <name> = <value>.  Whitespace at the beginning
+# and end of the lines is removed.  Whitespace before and after the = sign
+# is removed.  Everything is case *insensitive*.
+
+# Yes = True  = On  = 1
+# No  = False = Off = 0
+
+# Which logfile group...
+LogFile = secure
+
+*OnlyService = Pluto
+*RemoveHeaders =
+
--- scripts/services/freeswan.qdist	Sun Jul 14 13:12:19 2002
+++ scripts/services/freeswan	Sun Jul 14 12:53:40 2002
@@ -0,0 +1,147 @@
+#!/usr/bin/perl -w
+##########################################################################
+# $Id: $
+##########################################################################
+# $Log: $
+#
+##########################################################################
+
+$^W=1;
+use strict;
+
+my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
+
+# No sense in running if FreeS/WAN doesn't even exist on this system...
+unless (( -d "/usr/lib/ipsec" ) or ( -d "/usr/local/lib/ipsec"))
+{
+   exit (0);
+}
+
+my $DebugCounter = 0;
+
+if ( $Debug >= 5 ) {
+   print STDERR "\n\nDEBUG: Inside FREESWAN Filter \n\n";
+   $DebugCounter = 1;
+}
+
+my @OtherList = ();
+my %OtherList = ();
+my %SA = ();
+
+my $ThisLine;
+
+
+while (defined($ThisLine = <STDIN>)) {
+
+   if ( $Debug >= 5 ) {
+      print STDERR "DEBUG($DebugCounter): $ThisLine";
+      $DebugCounter++;
+   }
+   chomp($ThisLine);
+   my $origline = $ThisLine;
+   if ($ThisLine =~ s/^\"(.*?)\"\s+(\d+\.\d+\.\d+\.\d+\s*)?(\#(\d+))?: //)
+   {
+      my $sa = $1;
+      my $what = undef;
+      if ($ThisLine =~ m/^(ISAKMP|IPsec) SA established/) {
+	 $what = "estabslished";
+      }
+      elsif ($ThisLine =~ m/^initiating /)
+      {
+	 $what = "initiating";
+      }
+      elsif ($ThisLine =~ m/^deleting /)
+      {
+	 $what = "deleting";
+      }
+      elsif ($ThisLine =~ m/^max number of retransmissions/)
+      {
+	 $what = "max retransmissions";
+      }
+      elsif ($ThisLine =~ m/(ISAKMP|IPsec) SA expired/)
+      {
+	 $what = "expired";
+      }
+      elsif (($ThisLine =~ m/^Peer ID is/) ||
+	     ($ThisLine =~ m/^discarding duplicate packet/) ||
+	     ($ThisLine =~ m/^starting keying attempt/) ||
+	     ($ThisLine =~ m/^(ignoring|sent|responding|received) /) ||
+	     ($ThisLine =~ m/^Issuer CRL not found/)
+	     )
+      {
+	 # ignore
+      }
+      else
+      {
+	 other($origline);
+      }
+      if (defined $what)
+      {
+	 if (! exists $SA{$sa}{$what})
+	 {
+	    $SA{$sa}{$what} = 0;
+	 }
+	 ++$SA{$sa}{$what};
+      }
+   }
+   elsif (($ThisLine =~ m/^\|/) ||
+	  ($ThisLine =~ m/: ignoring /)
+	  )
+   {
+      # ignore
+   }
+   else {
+      # Report any unmatched entries...
+      other($ThisLine);
+   }
+}
+
+if ( ( @OtherList ) ||
+     (keys %SA)
+   ) {
+
+   print "\n\n ------------------ FreeS/WAN Begin ---------------------- \n";
+
+   if (keys %SA)
+   {
+      print "\nSecurity associations:\n";
+      foreach my $sa (sort keys %SA)
+      {
+	 print "  $sa\n";
+	 my $actions = $SA{$sa};
+	 foreach my $what (sort keys %$actions)
+	 {
+	    print "    $what: ", $actions->{$what}, "\n";
+	 }
+      }
+   }
+
+   if (@OtherList) {
+      print "\n**Unmatched Entries**\n";
+      for (@OtherList)
+      {
+	 my $count = $OtherList{$_};
+	 print "($count) $_\n";
+      }
+   }
+
+   print "\n\n ------------------- FreeS/WAN End ----------------------- \n\n";
+
+}
+
+sub other
+{
+   my $msg = shift;
+   if (! exists $OtherList{$msg})
+   {
+      $OtherList{$msg} = 1;
+      push(@OtherList, $msg);
+   }
+   else
+   {
+      ++$OtherList{$msg};
+   }
+}
+
+exit(0);
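Review bot: The category key assigned in the first branch of the match chain, `$what = "estabslished";`, is misspelled, and because that string is both the `%SA` key and the label printed under "Security associations", the typo appears verbatim in every report; change it to `$what = "established";`. `$Detail` is read from LOGWATCH_DETAIL_LEVEL but never used, so the per-SA breakdown is printed at every detail level — either drop the variable or gate the breakdown on it. The `if (! exists $SA{$sa}{$what}) { ... = 0 }` guard before `++$SA{$sa}{$what}` is redundant, since `++` autovivifies the element and increments undef to 1 without a warning; the same applies to the guard in `other()`.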
--- conf/services/stunnel.conf.qdist	Sun Jul 14 13:12:52 2002
+++ conf/services/stunnel.conf	Sun Jul 14 12:51:26 2002
@@ -0,0 +1,20 @@
+###########################################################################
+# $Id: $
+###########################################################################
+
+# You can put comments anywhere you want to.  They are effective for the
+# rest of the line.
+
+# this is in the format of <name> = <value>.  Whitespace at the beginning
+# and end of the lines is removed.  Whitespace before and after the = sign
+# is removed.  Everything is case *insensitive*.
+
+# Yes = True  = On  = 1
+# No  = False = Off = 0
+
+# Which logfile group...
+LogFile = secure
+
+*OnlyService = stunnel
+*RemoveHeaders =
+
--- scripts/services/stunnel.qdist	Sun Jul 14 13:12:32 2002
+++ scripts/services/stunnel	Sun Jul 14 12:56:56 2002
@@ -0,0 +1,103 @@
+#!/usr/bin/perl -w
+##########################################################################
+# $Id: $
+##########################################################################
+# $Log: $
+#
+##########################################################################
+
+$^W=1;
+use strict;
+
+my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
+
+my $DebugCounter = 0;
+
+if ( $Debug >= 5 ) {
+   print STDERR "\n\nDEBUG: Inside FREESWAN Filter \n\n";
+   $DebugCounter = 1;
+}
+
+my @OtherList = ();
+my %OtherList = ();
+my %connections = ();
+
+my $ThisLine;
+
+while (defined($ThisLine = <STDIN>)) {
+
+   if ( $Debug >= 5 ) {
+      print STDERR "DEBUG($DebugCounter): $ThisLine";
+      $DebugCounter++;
+   }
+   chomp($ThisLine);
+   my $origline = $ThisLine;
+   if ($ThisLine =~ m/^(.+) connected from (\d+\.\d+\.\d+\.\d+)/)
+   {
+      my $service = $1;
+      my $ip = $2;
+      if (! exists($connections{$service}{$ip}))
+      {
+	 $connections{$service}{$ip} = 0;
+      }
+      ++$connections{$service}{$ip};
+   }
+   elsif ($ThisLine =~ m/^Connection (reset|closed)/)
+   {
+      # ignore
+   }
+   else {
+      # Report any unmatched entries...
+      other($ThisLine);
+   }
+}
+
+if ( ( @OtherList ) ||
+     ( keys %connections)
+   ) {
+
+   print "\n\n ------------------ stunnel Begin ---------------------- \n";
+
+   if (keys %connections)
+   {
+      print "\nconnections:\n";
+      foreach my $service (sort keys %connections)
+      {
+	 print "  $service\n";
+	 my $ips = $connections{$service};
+	 foreach my $ip (sort keys %$ips)
+	 {
+	    print "    $ip ", $ips->{$ip}, "\n";
+	 }
+      }
+   }
+
+   if (@OtherList) {
+      print "\n**Unmatched Entries**\n";
+      for (@OtherList)
+      {
+	 my $count = $OtherList{$_};
+	 print "($count) $_\n";
+      }
+   }
+
+   print "\n\n ------------------- stunnel End ----------------------- \n\n";
+
+}
+
+sub other
+{
+   my $msg = shift;
+   if (! exists $OtherList{$msg})
+   {
+      $OtherList{$msg} = 1;
+      push(@OtherList, $msg);
+   }
+   else
+   {
+      ++$OtherList{$msg};
+   }
+}
+
+exit(0);
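Review bot: The debug banner `print STDERR "\n\nDEBUG: Inside FREESWAN Filter \n\n";` was carried over from the freeswan script and mislabels this filter's output; change it to `print STDERR "\n\nDEBUG: Inside STUNNEL Filter \n\n";`. `$Detail` is assigned but never read here, as in the freeswan script. The `connected from` pattern only captures dotted-quad addresses, so any line whose peer is logged in another form falls through to "Unmatched Entries" rather than being counted — presumably fine for this version of stunnel, but worth a comment such as `# only IPv4 peers are tallied; anything else shows up as unmatched` on that line.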