Context Navigation

source: server/fedora/config/etc/syslog-ng/d_zroot.pl @ 910

Last change on this file since 910 was 890, checked in by geofft, 17 years ago
I think this works better
Property svn:executable set to ``*
File size: 4.1 KB

Rev	Line
[645]	1	#!/usr/bin/perl
	2
	3	use strict;
	4	use warnings;
	5	use Sys::Hostname;
[666]	6	use Time::HiRes qw(ualarm);
[770]	7	use File::Temp;
[645]	8
[666]	9	our $ZCLASS = "scripts-auto";
	10	our @USERS = qw/root logview/;
[783]	11	my $k5login;
	12	open $k5login, '/root/.k5login';
	13	our @RECIPIENTS = map {chomp; m\|([^/@]*)\| && $1} <$k5login>;
	14	close $k5login;
[666]	15
	16	our %USERS;
	17	@USERS{@USERS} = undef;
	18
[783]	19	sub zwrite($;$$@) {
	20	my ($message, $class, $instance, @recipients) = @_;
[666]	21	$class \|\|= $ZCLASS;
[665]	22	$instance \|\|= 'root.'.hostname;
[784]	23	open(ZWRITE, "\|-", qw\|/usr/bin/zwrite -d -n -O log -c\|, $class, '-i', $instance, '-s', hostname, @recipients) or die "Couldn't open zwrite";
[645]	24	print ZWRITE $message;
	25	close(ZWRITE);
	26	}
	27
[666]	28	my %toclass;
[645]	29
[770]	30	my %sshkeys;
	31
[890]	32	my %ips;
	33
[770]	34	sub buildKeyMap($) {
	35	my ($file) = @_;
	36	open (KEYS, $file) or warn "Couldn't open $file: $!";
	37	while (<KEYS>) {
	38	chomp;
	39	my ($fingerprint, $comment) = parseKey($_);
	40	$sshkeys{$fingerprint} = $comment;
	41	}
	42	close(KEYS);
	43	}
	44
	45	sub parseKey($) {
	46	my ($key) = @_;
	47	my $tmp = new File::Temp;
	48	print $tmp $key;
	49	close $tmp;
	50	open (KEYGEN, "-\|", qw(/usr/bin/ssh-keygen -l -f), $tmp) or die "Couldn't call ssh-keygen: $!";
	51	my ($line) = <KEYGEN>;
	52	close(KEYGEN);
	53	my (undef, $fingerprint, undef) = split(' ', $line, 3);
	54	my (undef, undef, $comment) = split(' ', $key, 3);
[784]	55	#print "$fingerprint $comment";
[770]	56	return ($fingerprint, $comment);
	57	}
	58
	59	buildKeyMap("/root/.ssh/authorized_keys2");
	60
[666]	61	while (1) {
	62	my @message = scalar(<>);
	63	eval {
	64	local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
	65	ualarm(500*1000);
	66	while (<>) { push @message, $_; }
	67	};
	68	chomp @message;
	69	map { s/^(.*?): // } @message;
	70	%toclass = ();
	71	foreach my $message (@message) {
	72	sub sendmsg ($;$) {
	73	my ($message, $class) = @_;
	74	$class \|\|= $ZCLASS;
	75	$toclass{$class} .= $message."\n";
[645]	76	}
[666]	77	if ($message =~ m\|Accepted (\S+) for (\S+)\|) {
	78	sendmsg($message) if exists $USERS{$2}
	79	} elsif ($message =~ m\|Authorized to (\S+),\|) {
	80	sendmsg($message) if exists $USERS{$1};
	81	} elsif ($message =~ m\|Root (\S+) shell\|) {
	82	sendmsg($message);
[667]	83	} elsif ($message =~ m\|session \S+ for user (\S+)\|) {
	84	sendmsg($message) if exists $USERS{$1};
[770]	85	} elsif ($message =~ m\|^Found matching (\w+) key: (\S+)\|) {
	86	if ($sshkeys{$2}) {
	87	sendmsg($message." (".$sshkeys{$2}.")");
	88	} else {
	89	sendmsg($message." (UNKNOWN KEY)");
	90	}
[889]	91	} elsif ($message =~ m\|^Failed keyboard-interactive/pam for root from ([^ ]*)\|) {
[888]	92	my $count = ++$ips{$1};
	93	if ($count % 10 == 0 or $1 =~ /^18\./) {
	94	sendmsg($message." (repeated $count times)", "scripts-spew");
	95	}
[817]	96	} elsif ($message =~ m\|^Out of memory:\|) {
	97	sendmsg($message);
[883]	98	} elsif ($message =~ m\|^giving \S+ admin rights\|) {
	99	sendmsg($message);
[666]	100	} elsif ($message =~ m\|^Connection closed\|) {
	101	# Do nothing
[770]	102	} elsif ($message =~ m\|^Closing connection to \|) {
	103	} elsif ($message =~ m\|^Connection from (\S+) port (\S+)\|) {
[666]	104	} elsif ($message =~ m\|^Invalid user\|) {
	105	} elsif ($message =~ m\|^input_userauth_request: invalid user\|) {
	106	} elsif ($message =~ m\|^Received disconnect from\|) {
[887]	107	} elsif ($message =~ m\|^Postponed keyboard-interactive\|) {
[668]	108	} elsif ($message =~ m\|^fatal: Read from socket failed: Connection reset by peer$\|) {
[690]	109	} elsif ($message =~ m\|^reverse mapping checking getaddrinfo\|) {
	110	} elsif ($message =~ m\|^pam_succeed_if\(sshd\:auth\)\:\|) {
[749]	111	} elsif ($message =~ m\|^error: PAM: Authentication failure\|) {
	112	} elsif ($message =~ m\|^pam_unix\(sshd:auth\): authentication failure\|) {
[738]	113	} elsif ($message =~ m\|^Postponed keyboard-interactive for invalid user \|) {
	114	} elsif ($message =~ m\|^Failed keyboard-interactive/pam for invalid user \|) {
[770]	115	} elsif ($message =~ m\|^Postponed gssapi-with-mic for \|) {
[739]	116	} elsif ($message =~ m\|^Address \S+ maps to \S+, but this does not map back to the address\|) {
[853]	117	} elsif ($message =~ m\|^User child is on pid \d+$\|) {
	118	} elsif ($message =~ m\|^Transferred: sent \d+, received \d+ bytes$\|) {
[666]	119	} else {
[770]	120	sendmsg($message, "scripts-spew");
[646]	121	}
[645]	122	}
[665]	123
[666]	124	foreach my $class (keys %toclass) {
[784]	125	if ($class eq "scripts-auto") {
	126	zwrite($toclass{$class}, $class);
	127	} else {
	128	zwrite($toclass{$class}, $class, undef, @RECIPIENTS);
	129	}
[666]	130	}
[645]	131	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: