diff -Nur log.d.old/conf/services/secure.conf log.d/conf/services/secure.conf
--- log.d.old/conf/services/secure.conf Thu Jan 29 08:24:31 2004
+++ log.d/conf/services/secure.conf Thu Jan 29 08:55:22 2004
@@ -23,7 +23,7 @@
 # It is commented out by default, but you can uncomment it
 # and ignore as many services as you would like.
 # (we ignore sshd because its entries are processed by the sshd script)
-$ignore_services = sshd sshd2
+$ignore_services = sshd sshd2 sshd2-27040
 
 ########################################################
 # This was written and is maintained by:
diff -Nur log.d.old/conf/services/sshd2-27040.conf log.d/conf/services/sshd2-27040.conf
--- log.d.old/conf/services/sshd2-27040.conf Wed Dec 31 19:00:00 1969
+++ log.d/conf/services/sshd2-27040.conf Thu Jan 29 08:56:52 2004
@@ -0,0 +1,31 @@
+###########################################################################
+# $Id: sshd2.conf,v 1.1 2002/03/29 15:32:12 kirk Exp $
+###########################################################################
+
+# You can put comments anywhere you want to. They are effective for the
+# rest of the line.
+
+# this is in the format of = . Whitespace at the beginning
+# and end of the lines is removed. Whitespace before and after the = sign
+# is removed. Everything is case *insensitive*.
+
+# Yes = True = On = 1
+# No = False = Off = 0
+
+# Which logfile group...
+LogFile = secure
+
+# Only give lines pertaining to the mountd service...
+*OnlyService = sshd2-27040
+*RemoveHeaders =
+
+########################################################
+# This was written and is maintained by:
+# Kirk Bauer
+#
+# Please send all comments, suggestions, bug reports,
+# etc, to kirk@kaybee.org.
+#
+########################################################
+
+
diff -Nur log.d.old/scripts/services/sendmail log.d/scripts/services/sendmail
--- log.d.old/scripts/services/sendmail Sun Mar 31 18:03:51 2002
+++ log.d/scripts/services/sendmail Thu Jan 29 08:53:41 2004
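Review bot: The comment above `*OnlyService = sshd2-27040` still reads `# Only give lines pertaining to the mountd service...`, copied from the template this file was cloned from, and the `$Id: sshd2.conf` header likewise names the source file rather than this one; the comment should read `# Only give lines pertaining to the sshd2-27040 service...`. The secure.conf hunk above adds the same name to `$ignore_services`, so the two files agree, but `sshd2-27040` looks like a site-specific instance tag (a port or process number, presumably) rather than a generic service name, and nothing in either file says how log entries come to carry that tag. A one-line comment next to `*OnlyService` explaining where the `sshd2-27040` syslog identifier comes from would let the next maintainer tell a real config from a leftover.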
@@ -44,6 +44,8 @@
 ( $ThisLine =~ m/^alias database [^ ]* (auto)?rebuilt by/ ) or
 ( $ThisLine =~ m/^[^ ]*: [0-9]* aliases, longest [0-9]* bytes, [0-9]* bytes total/ ) or
 ( $ThisLine =~ m/^starting daemon (.*):/ ) or
+ ( $ThisLine =~ /^([a-zA-Z0-9]+:\s*)+discarded$/ ) or
+ ( $ThisLine =~ /^NOQUEUE: io.wfunet.wfu.edu/ ) or
 ( $ThisLine =~ m/^[a-zA-Z0-9]+: clone [a-zA-Z0-9]+, owner=/ ) ) {
 # We don't care about these
 }
@@ -71,7 +73,15 @@
 elsif ( $ThisLine =~ m/^[a-zA-Z0-9]+: [a-zA-Z0-9]+: return to sender: Warning: could not send message for past 4 hours/ ) {
 $FourHourReturns++;
 }
- else {
+ elsif ( $ThisLine =~ m/^[a-zA-Z0-9]+: [a-zA-Z0-9]+: return to sender: Cannot send message for 5 days/ ) {
+ $FiveDayReturns++;
+ }
+ elsif ( $ThisLine =~ m/^[a-zA-Z0-9]+: [a-zA-Z0-9]+: (DSN|postmaster notify|return to sender): User unknown/ ) {
+ $UserUnknown++;
+ }
+ elsif ( $ThisLine =~ m/^[a-zA-Z0-9]+: [a-zA-Z0-9]+: return to sender: Service unavailable/ ) {
+ $ServiceUnavailable++;
+ } else {
 # Report any unmatched entries...
 push @OtherList,$ThisLine;
 }
@@ -80,6 +90,9 @@
 if ((@OtherList) or
 ($MsgsSent > 0) or
 ($FourHourReturns > 0) or
+ ($FiveDayReturns > 0) or
+ ($UserUnknown > 0) or
+ ($ServiceUnavailable > 0 ) or
 (keys %UnknownUsers) or
 (keys %RelayDenied) or
 (keys %AuthWarns) or
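Review bot: The added `( $ThisLine =~ /^NOQUEUE: io.wfunet.wfu.edu/ ) or` puts what looks like one site's hostname into the shared sendmail filter, and the unescaped dots let each of them match any character, so every NOQUEUE entry that starts that way is dropped from the report without being counted anywhere. If the line has to stay, anchor and escape it, `( $ThisLine =~ /^NOQUEUE: io\.wfunet\.wfu\.edu\b/ ) or`, and add a comment saying why entries from that host are deliberately ignored; a site-specific value like this belongs in a config option rather than in the script. The `/^([a-zA-Z0-9]+:\s*)+discarded$/` line is fine as a pattern but would read more consistently with the surrounding `m/.../` form. The enclosing `if` starts before this hunk.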
@@ -95,6 +108,18 @@
 print "\n\n" . $FourHourReturns . " messages returned after 4 hours";
 }
 
+ if ( $FiveDayReturns > 0) {
+ print "\n\n" . $FiveDayReturns . " messages returned after 5 days";
+ }
+
+ if ( $UserUnknown > 0) {
+ print "\n\n" . $UserUnknown . " unknown users";
+ }
+
+ if ( $ServiceUnavailable > 0) {
+ print "\n\n" . $ServiceUnavailable . " messages returned because service was unavailable";
+ }
+
 if (keys %UnknownUsers) {
 print "\n\nUnknown users:\n";
 foreach $ThisOne (keys %UnknownUsers) {
diff -Nur log.d.old/scripts/services/sshd2-27040 log.d/scripts/services/sshd2-27040
--- log.d.old/scripts/services/sshd2-27040 Wed Dec 31 19:00:00 1969
+++ log.d/scripts/services/sshd2-27040 Thu Jan 29 08:58:50 2004
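Review bot: `print "\n\n" . $UserUnknown . " unknown users";` reports a count of matched bounce lines, since `$UserUnknown` is incremented once per `User unknown` log entry in the earlier hunk, not a count of users, and the `Unknown users:` list printed immediately below it already uses that phrase for `%UnknownUsers`, so a reader sees two different "unknown users" figures. Wording the line as what was actually counted avoids the clash: `print "\n\n" . $UserUnknown . " messages returned because user unknown";`. The enclosing report block starts before this hunk.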
@@ -0,0 +1,82 @@
+#!/usr/bin/perl -w
+##########################################################################
+# $Id: sshd2,v 1.1 2002/03/29 15:32:14 kirk Exp $
+##########################################################################
+# $Log: sshd2,v $
+# Revision 1.1 2002/03/29 15:32:14 kirk
+# Added some filters found in RH's release
+#
+# First Version 1.0 2000/17/04 00:53:43 gerald
+#
+##########################################################################
+
+########################################################
+# This was written and is maintained by:
+# Gerald Teschl
+#
+# Please send all comments, suggestions, bug reports,
+# etc, to gerald@esi.ac.at and kirk@kaybee.org.
+#
+########################################################
+
+$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+while (defined($ThisLine = )) {
+ if ( ($ThisLine =~ /^Daemon is running.$/) or
+ ($ThisLine =~ /^Listener created on port .*$/) or
+ ($ThisLine =~ /^Starting daemon in inetd mode.$/) or
+ ($ThisLine =~ /^Local disconnected: Connection closed.$/) or
+ ($ThisLine =~ /^Now running on .*?'s privileges.$/) or
+ ($ThisLine =~ /^connection lost: 'Connection closed.'$/) or
+ ($ThisLine =~ /^connection from ".*?"$/) or
+ ($ThisLine =~ /^User oracle's local password accepted.$/) or
+ ($ThisLine =~ /^Password authentication for user .*? accepted.$/ ) or
+ ($ThisLine =~ /^Public key .*? used.$/ ) or
+ ($ThisLine =~ /^sshd2$/) ) {
+ # don't care about these
+ }
+ elsif ( $ThisLine =~ /^Starting sshd2: $/ ) {
+ $Started++;
+ }
+ elsif ( $ThisLine =~ /^User (.*?), coming from (.*?), authenticated/ ) {
+ $Users{$1}++;
+ $Logins_From{$1} ||= {};
+ $Logins_From{$1}->{$2}++;
+ } else {
+ # Report any unmatched entries...
+ chomp($ThisLine);
+ $OtherList{$ThisLine}++;
+ }
+}
+
+if ( defined %Users or defined %OtherList or (($Detail >= 10) and ($Started)) ) {
+
+ print "\n\n ------------------ Sshd2-27040 Begin --------------------- \n";
+
+ if ( ($Detail >= 10) and ($Started) ) {
+ print "\nStatistics:\n";
+ print " Sshd2 started: $Started Time(s)\n";
+ }
+
+ if ( defined %Users ) {
+ print "Logins:\n";
+ foreach my $user ( sort keys %Users ) {
+ print " $user: $Users{$user} login(s) from ";
+ print join ', ', sort keys %{ $Logins_From{$user} };
+ print "\n";
+ }
+ }
+
+ if (keys %OtherList) { print "\n**Unmatched Entries**\n";
+ foreach $ThisOne (keys %OtherList) {
+ print "$ThisOne: $OtherList{$ThisOne} Time(s)\n";
+ }
+ }
+ print "\n\n ------------------- Sshd2-27040 End ---------------------- \n\n";
+
+}
+
+exit(0);
+
+
+
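Review bot: `defined %Users` and `defined %OtherList` in the report condition, and `defined %Users` again before the `Logins:` block, do not test whether the hashes hold anything — `defined` on a hash was already deprecated and later became a compile-time error — so use the form this same hunk already uses for `%OtherList` further down: `if ( keys %Users or keys %OtherList or (($Detail >= 10) and ($Started)) ) {` and `if ( keys %Users ) {`. The read loop as shown, `while (defined($ThisLine = )) {`, has lost its filehandle, presumably a `<STDIN>` stripped during extraction, so that line should be confirmed against the committed file. The ignore list carries a site-specific leftover, `/^User oracle's local password accepted.$/`, and nearly every pattern ends in an unescaped `.` before `$`, which matches any character where a literal period (`\.`) is meant. Only successful logins are categorised; if this logfile group also carries failed-authentication messages they surface solely through `**Unmatched Entries**`, which a header comment should say so nobody reads the `Logins:` section as the whole picture.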