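#!/usr/bin/perl
#
# ColourLog
#
# Reads syslog-format lines from STDIN (or the files named on the command
# line) and prints a colour-coded one-line summary of the interesting ones.
# Lines from a known process that no rule understands are echoed in bold red
# so that new message formats get noticed rather than silently dropped.
#
# Last updated by rb on Mon Dec 15 22:03:03 EST 2003
#
use strict;
use warnings;
use Term::ANSIColor qw(:constants);

# ---------------------------------------------------------------- output ---

# Display colour for a process tag; tags not in the table get bold white.
sub colour_of {
    my ($process) = @_;
    my %colour_for = (
        anacron    => BOLD . BLUE,
        chat       => BOLD . CYAN,
        cron       => BOLD . BLUE,
        festival   => BOLD . RED,
        fetchmail  => MAGENTA,
        ftp        => RED,
        innd       => BOLD . MAGENTA,
        innfeed    => BOLD . MAGENTA,
        kernel     => BOLD . RED,
        loadavgmon => MAGENTA,
        logger     => GREEN,
        ntpd       => BOLD . MAGENTA,
        ntpdate    => BOLD . MAGENTA,
        postfix    => BOLD . GREEN,
        pppd       => BOLD . CYAN,
        say        => BOLD . YELLOW,
        sendmail   => BOLD . GREEN,
        'sm-mta'   => BOLD . GREEN,
        ssh        => CYAN,
        xntpd      => BOLD . MAGENTA,
    );
    return $colour_for{$process} || BOLD . WHITE;
}

# Print one summary line as "[time] process: text".  Everything after $time
# is printed verbatim, so callers may put colour constants in front of the
# text.  Always returns 1.
sub infoline {
    my ($process, $time, @text) = @_;
    print BLUE, "[$time] ", colour_of($process), $process, RESET, ": ",
          @text, RESET, "\n";
    return 1;
}

# Print a line we did not understand, in bold red.  Always returns 1.
sub errorline {
    my (@text) = @_;
    print BOLD, RED, @text, RESET, "\n";
    return 1;
}

# True (a non-zero count) when $text matches at least one of the compiled
# patterns; used for the "ignore these known-noise messages" lists below.
sub matches_any {
    my ($text, @patterns) = @_;
    return scalar grep { $text =~ $_ } @patterns;
}

# ------------------------------------------------------- per-process rules ---
#
# Every handler takes ($process, $time, $message, $line): the process tag,
# the HH:MM time, the message after the tag, and the whole (scrubbed) line
# for errorline().

sub handle_identd {
    my ($process, $time, $message, $line) = @_;
    if ($message =~ /^Connection from (\S+)\s*$/) {
        my $host = $1;
        # Long fully-qualified names (three or more dots) lose their first label.
        $host =~ s/^[A-Za-z0-9-]+\.// if $host =~ /\..*\..*\./;
        infoline("identd", $time, "connection from $host");
        return;
    }
    return if matches_any($message,
        qr/^from: (\S+) \( (\S+) \)\s*$/,
        qr/^started$/,
        qr/^Successful lookup: (\d+) , (\d+) : (\S+)\s*$/,
        qr/^Returned: .* : NO-USER/,
    );
    errorline($line);
    return;
}

sub handle_cron {
    my ($process, $time, $message, $line) = @_;
    if ($message =~ /\((\w+)\) CMD \(([^)]+)\)/) {
        infoline("cron", $time, "$1 executes $2");
    }
    else {
        errorline($line);
    }
    return;
}

sub handle_postfix {
    my ($process, $time, $message, $line) = @_;
    # These daemons only duplicate what local/qmgr/smtp already tell us.
    return if $process =~ m{postfix/(?:cleanup|smtpd|pickup)};

    if ($process =~ m{postfix/local}) {
        if ($message =~ /to=<([^ ]+)>/) {
            my $recipient = $1;
            infoline("postfix", $time, "mail incoming for $recipient")
                unless $recipient =~ m/rb\@localhost\.tertius\.net\.au/i;
        }
        else {
            errorline($line);
        }
    }
    elsif ($process =~ m{postfix/qmgr}) {
        if ($message =~ /from=<([^ ]+)>/) {
            my $sender = $1;
            infoline("postfix", $time, "mail incoming from $sender")
                unless $sender eq 'rb@tertius.net.au';
        }
        else {
            errorline($line);
        }
    }
    elsif ($process =~ m{postfix/smtp}) {
        if ($message =~ /to=<([^ ]+)>/) {
            infoline("postfix", $time, "mail outgoing to $1");
        }
        else {
            errorline($line);
        }
    }
    else {
        errorline($line);
    }
    return;
}

sub handle_named {
    my ($process, $time, $message, $line) = @_;
    if ($message =~ /^Network is unreachable$/) {
        errorline($line);
        return;
    }
    return if matches_any($message,
        qr/^points to a CNAME/,
        qr/^listening on /,
        qr/^Ready to answer queries\./,
        qr/^Cleaned cache of/,
        qr/^ns_forw: /,
        qr/^ns_resp: /,
        qr/^sysquery: /,
        qr/^XSTATS /,
        qr/^NSTATS /,
        qr/^USAGE /,
    );
    errorline($line);
    return;
}

sub handle_fetchmail {
    my ($process, $time, $message, $line) = @_;
    return if $message =~ /flushed/ or $message =~ /Query status=\d+/;
    # The connection text is captured explicitly; the old rule printed $1
    # from a pattern without a capture group, which came out empty.
    if ($message =~ /(fetchmail: POP3 connection to .*)/) {
        infoline("fetchmail", $time, $1);
        return;
    }
    return if $message =~ /^(?:sleeping|awakened) at /;
    infoline("fetchmail", $time, $message);
    return;
}

sub handle_gpm {
    my ($process, $time, $message, $line) = @_;
    errorline($line) unless $message =~ /^Skipping a data packet/;
    return;
}

sub handle_innd {
    my ($process, $time, $message, $line) = @_;
    return if matches_any($message,
        qr/^([\w.]+) connected/,
        qr/localhost/,
        qr/NCmode "mode stream" received/,
    );
    if ($message =~ /([\w.]+):\d+ .* accepted (\d+) refused (\d+) rejected (\d+)/) {
        infoline("innd", $time, "$1, accepted $2, refused $3, rejected $4");
    }
    else {
        errorline($line);
    }
    return;
}

sub handle_innfeed {
    my ($process, $time, $message, $line) = @_;
    # Only the per-peer summary is shown; "ME articles", idle teardowns and
    # anything else from innfeed are deliberately ignored.
    if ($message =~ /^(\w+).*offered (\d+).*accepted (\d+)/) {
        infoline("innfeed", $time, "news from $1. Offered $2, accepted $3");
    }
    return;
}

sub handle_login {
    my ($process, $time, $message, $line) = @_;
    if (   $message =~ /ROOT LOGIN ON (\S*)$/                 # local
        || $message =~ /ROOT LOGIN as 'root' from (\S*)$/) {  # remote
        infoline("login", $time, "root login from $1");
    }
    elsif ($message =~ /(\d+) FAILED LOGINS FROM (\S+)/) {
        # $1 is the count and $2 the origin; the old text printed the count
        # where the origin belonged.
        infoline("login", $time, BOLD, RED, "$1 failed logins from $2");
    }
    elsif ($message =~ /^FAILED LOGIN SESSION FROM (\S+)/) {
        # redundant: each failure is already counted by the rule above
    }
    else {
        errorline($line);
    }
    return;
}

sub handle_sendmail {
    my ($process, $time, $message, $line) = @_;
    return if $message =~ /\bto=?,/i;
    if ($message =~ /\bto=([^ ]+),/) {
        infoline("sendmail", $time, "outgoing mail to $1");
        return;
    }
    if ($message =~ /\bto=[^,]+ ([^ ]+)-outgoing/) {
        infoline("sendmail", $time, "mail through $1 list");
        return;
    }
    # The bracketed sender must be tested before the bare "from=?" ignore,
    # which matches it too and used to make this rule unreachable.
    if ($message =~ /\bfrom=<([^>]+)>/) {
        infoline("sendmail", $time, "incoming mail from $1");
        return;
    }
    return if $message =~ /\bfrom=?/;
    errorline($line);
    return;
}

sub handle_sshd {
    my ($process, $time, $message, $line) = @_;
    return if matches_any($message,
        qr/^log: Generating (?:new )?768 bit RSA key\./,
        qr/^log: RSA key generation complete\./,
        qr/^log: Received signal 15; terminating\./,
        qr/^log: Server listening on port 22\./,
    );
    if ($message =~ /^log: Password authentication for (\S+) accepted\./) {
        infoline("ssh", $time, "login from $1");
    }
    elsif ($message =~ /^log: (connect from.*)$/) {
        infoline("ssh", $time, $1);
    }
    elsif ($message =~ /^log: (Closing connection to.*)$/) {
        infoline("ssh", $time, $1);
    }
    elsif ($message =~ /^log: Connection from (\S+) port (\d+)/) {
        infoline("ssh", $time, "connection from $1");
    }
    elsif ($message =~ /^log: (executing remote command as user (\S+))/) {
        infoline("ssh", $time, $1);
    }
    else {
        infoline("ssh", $time, $message);
    }
    return;
}

sub handle_su {
    my ($process, $time, $message, $line) = @_;
    if ($message =~ /^(\S+) on (\S+)/) {
        infoline("su", $time, "su by $1 on tty $2");
    }
    else {
        errorline($line);
    }
    return;
}

# ------------------------------------------------------------- dispatch ---

# Processes with a dedicated rule, keyed by exact process tag.
my %handler_for = (
    identd          => \&handle_identd,
    named           => \&handle_named,
    fetchmail       => \&handle_fetchmail,
    '/usr/sbin/gpm' => \&handle_gpm,
    innd            => \&handle_innd,
    innfeed         => \&handle_innfeed,
    login           => \&handle_login,
    sshd            => \&handle_sshd,
    su              => \&handle_su,
);

# Processes whose tag varies (postfix/local, sm-mta, ...) and is matched by
# pattern, in the order the rules used to be tried.
my @pattern_handlers = (
    [ qr/CRON/                => \&handle_cron     ],
    [ qr/postfix/             => \&handle_postfix  ],
    [ qr/(?:sendmail|sm-mta)/ => \&handle_sendmail ],
);

# Processes whose whole message is shown as-is, under the given display tag.
my %label_for = (
    pppd       => 'pppd',
    loadavgmon => 'loadavgmon',
    festival   => 'festival',
    ntpdate    => 'ntpdate',
    anacron    => 'anacron',
    ssh        => 'ssh',
    xntpd      => 'xntpd',
    kernel     => 'kernel',
    init       => 'init',
    'in.ftpd'  => 'ftp',
    ntpd       => 'ntpd',
    say        => 'say',
    chat       => 'chat',
    goofey     => 'goofey',
);

# Processes dropped without comment (snort reports arrive by cron mail anyway).
my %is_ignored = map { $_ => 1 } qw(snort nnrpd squid);

# Syslog line: "Mon DD HH:MM:SS host process[pid]: message".  Seconds are
# left out of the captured time.  The process tag is matched non-greedily so
# that a message containing ": " (e.g. "named: ns_forw: ...") is split at
# the first separator rather than the last.
my $syslog_re = qr{
    \A (?<month>\w+) [ ]+ (?<day>\d+) [ ]+ (?<time>[\d:]+):\d\d [ ]+ (?<host>\S+) [ ]+
       (?<process>[^\[]+?) (?: \[ (?<pid>\d+) \] )? : [ ] (?<message>.*) \z
}x;

# ----------------------------------------------------------------- main ---

LINE: while (my $line = <>) {
    chomp $line;

    # The log is untrusted input headed for a terminal: drop control bytes
    # (ESC, CR, BEL, ...) so a crafted entry cannot smuggle its own escape
    # sequences into the coloured output.  Tab is the only one kept.
    $line =~ tr/\x00-\x08\x0B-\x1F\x7F//d;

    next LINE if $line =~ /-- MARK --/;
    next LINE unless $line =~ $syslog_re;
    my $time    = $+{time};
    my $process = $+{process};
    my $message = $+{message};

    if (my $handler = $handler_for{$process}) {
        $handler->($process, $time, $message, $line);
        next LINE;
    }
    if (my ($rule) = grep { $process =~ $_->[0] } @pattern_handlers) {
        $rule->[1]->($process, $time, $message, $line);
        next LINE;
    }
    if (my $label = $label_for{$process}) {
        infoline($label, $time, $message);
        next LINE;
    }
    errorline($line) unless $is_ignored{$process};
}

#
# End.
#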