########################################################################## # $Id: kernel,v 1.33 2006/01/16 18:40:31 kirk Exp $ ########################################################################## # $Log: kernel,v $ # Revision 1.33 2006/01/16 18:40:31 kirk # fixed name to Logwatch (how I like it now) # # Revision 1.32 2005/11/30 05:35:11 bjorn # Replaced compStr, by Markus Lude. # # Revision 1.31 2005/11/08 20:34:49 bjorn # Fixed reporting of RAID errors and added 'use strict'. Adds support for # reporting various execution/memory access errors. These are errors on # 2.6.5-7 kernels, x86_64 and IA64 architectures, SuSE 9 distro. # All these changes by David Baldwin. # # Revision 1.30 2005/07/25 22:17:31 bjorn # Moved iptables (and ipchains, ipfwadm) code to its own service (iptables). # # Revision 1.29 2005/06/07 18:14:50 bjorn # Filtering out audit statements, since we now have an "audit" service. ########################################################################## # Kernel script for Logwatch # # Visit the Logwatch website at # http://www.logwatch.org ########################################################################## use strict; use Logwatch ':ip'; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %SYNflood = (); my %RAIDErrors = (); my %SegFaults = (); my %GPFaults = (); my %UnalignedErrors = (); my %FPAssists = (); my %Errors = (); my %Kernel = (); while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); next if ($ThisLine eq ''); if ( # filter out audit messages - these should be parsed by the audit # service ($ThisLine =~ /^\s*audit\(/) # following now in iptables service or ($ThisLine =~ /^Packet log: .*PROTO=/) or ($ThisLine =~ /IN=.*OUT=.*SRC=.*DST=.*PROTO=/) ) { # ignore the above strings } elsif ( my ($from,$on) = ( $ThisLine =~ /^Warning: possible SYN flood from ([^ ]+) on ([^ ]+):.+ Sending cookies/ ) ) { my $Fullfrom = LookupIP($from); my $Fullon = LookupIP($on); $SYNflood{$Fullon}{$Fullfrom}++; } elsif ($ThisLine =~ /continuing in degraded mode/) { $RAIDErrors{$ThisLine}++; } elsif ($ThisLine =~ /([^(]*)\[\d+\]: segfault at/) { $SegFaults{$1}++; } elsif ($ThisLine =~ /([^(]*)\[\d+\] general protection/) { $GPFaults{$1}++; } elsif ($ThisLine =~ /([^(]*)\(\d+\): unaligned access to/) { $UnalignedErrors{$1}++; } elsif ($ThisLine =~ /([^(]*)\(\d+\): floating-point assist fault at ip/) { $FPAssists{$1}++; } elsif ( ( my $errormsg ) = ( $ThisLine =~ /(.*?[Ee]rror.{0,17})/ ) ) { # filter out smb open/read errors cased by insufficient permissions my $SkipError = 0; $SkipError = 1 if $ThisLine =~ /smb_readpage_sync: .*open failed, error=-13/; $SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, result=-13/; $SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, error=-13/; $Errors{$errormsg}++ if ( (! $SkipError) || ($Detail > 8)); } # OTHER else { # XXX For now, going to ignore all other kernel messages as there # XXX are practically an infinite number and most of them are obviously # XXX not parsed here at this time. # filter out smb open/read errors cased by insufficient permissions my $SkipError = 0; $SkipError = 1 if $ThisLine =~ /smb_readpage_sync: .*open failed, error=-13/; $SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, result=-13/; $SkipError = 1 if $ThisLine =~ /smb_open: .* open failed, error=-13/; $Kernel{$ThisLine}++ if ( (! $SkipError) || ($Detail > 8)) ; } } if (keys %SYNflood) { print "\nWarning: SYN flood on:\n"; foreach my $ThisOne (sort {$a cmp $b} keys %SYNflood) { print " " . $ThisOne . " from:\n"; foreach my $Next (sort {$a cmp $b} keys %{$SYNflood{$ThisOne}}) { print " " . $Next . ": $SYNflood{$ThisOne}{$Next} Time(s)\n"; } } } if (keys %RAIDErrors) { print "\nWARNING: RAID Errors Present\n"; foreach my $Thisone ( sort {$a cmp $b} keys %RAIDErrors ) { print " $Thisone ...: $RAIDErrors{$Thisone} Time(s)\n"; } } if (keys %SegFaults) { print "\nWARNING: Segmentation Faults in these executables\n"; foreach my $Thisone ( sort {$a cmp $b} keys %SegFaults ) { print " $Thisone : $SegFaults{$Thisone} Time(s)\n"; } } if (keys %GPFaults) { print "\nWARNING: General Protection Faults in these executables\n"; foreach my $Thisone ( sort {$a cmp $b} keys %GPFaults ) { print " $Thisone : $GPFaults{$Thisone} Time(s)\n"; } } if (keys %UnalignedErrors) { print "\nWARNING: Unaligned Errors in these executables\n"; foreach my $Thisone ( sort {$a cmp $b} keys %UnalignedErrors ) { print " $Thisone : $UnalignedErrors{$Thisone} Time(s)\n"; } } if (keys %FPAssists) { print "\nWARNING: Floating-Point Assists in these executables\n"; foreach my $Thisone ( sort {$a cmp $b} keys %FPAssists ) { print " $Thisone : $FPAssists{$Thisone} Time(s)\n"; } } if (keys %Errors) { print "\nWARNING: Kernel Errors Present\n"; foreach my $Thisone ( sort {$a cmp $b} keys %Errors ) { print " $Thisone ...: $Errors{$Thisone} Time(s)\n"; } } # OTHER if ( ($Detail >= 5) and (keys %Kernel) ) { print "\n"; foreach my $ThisOne (sort {$a cmp $b} keys %Kernel) { print $Kernel{$ThisOne} . " Time(s): " . $ThisOne . "\n"; } } exit(0); # vi: shiftwidth=3 tabstop=3 syntax=perl et