A logwatch script that reports on what the swatch IDS built in the previous articles has been doing.
Specify the log file location
vi /etc/logwatch/conf/logfiles/swatch.conf
/etc/logwatch/conf/logfiles/swatch.conf
#################################################
# Swatch monitoring daemon configuration file for logwatch.
# This file specifies the log files under the /var/log/ directory
# (the LogFile paths are relative to logwatch's LogDir).
#################################################
LogFile = ./swatch/swatch.log
LogFile = ./swatch/swatch.log.1
Set the report title
vi /etc/logwatch/conf/services/swatch.conf
/etc/logwatch/conf/services/swatch.conf
#########################################################
# Swatch monitoring daemon configuration file for logwatch
#########################################################
# The title of the report.
Title = "Swatch Monitoring IDS"
# Which logfile group to read (the one defined in conf/logfiles/swatch.conf).
LogFile = swatch
Write the statistics extraction script
vi /etc/logwatch/scripts/services/swatch
/etc/logwatch/scripts/services/swatch
#!/usr/bin/perl
# logwatch service script for swatch: logwatch feeds the swatch log lines on
# STDIN; this script summarises yesterday's events and prints the report.
use strict;
use warnings;

my $cnt       = 0;   # number of "locked" lines (newly registered IPs)
my $spcval    = 0;   # field offset added when the day of month has one digit
my @arraypre  = ();  # fields of the current line
my @arraypost = ();  # report entries collected for output
my $Sttcnt    = 0;   # daemon start count
my $Shtdcnt   = 0;   # daemon shutdown count

# Build the syslog-style date string for yesterday ("Jan 15" or "Jan  5").
my $myTimes   = time - 24 * 3600;
my @watchdate = localtime($myTimes);
my $mday  = $watchdate[3];
my $month = $watchdate[4];
my @monthly = ("Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec");
my $targetdate;
if ($mday < 10) {
    # syslog pads a single-digit day with a second space ("Jan  5"). Splitting
    # on a single space then produces one extra empty field, hence the offset.
    $targetdate = "$monthly[$month]" . "  $mday";
    $spcval = 1;
} else {
    $targetdate = "$monthly[$month]" . " $mday";
}

while (<>) {
    # In this log format the six-character syslog date starts at column 4.
    my $logdate = substr($_, 4, 6);
    if ($logdate eq $targetdate) {
        if (/locked/) {
            @arraypre = split(/ /, $_);
            my $targetIP = sprintf("%-15s", $arraypre[6 + $spcval]);
            # Indent the first entry so it lines up with the later ones, which
            # receive an extra space from the list separator when printed.
            $targetIP = " $targetIP" unless $cnt;
            # The line is not chomped, so the last field keeps its newline and
            # the entries print one per line.
            push @arraypost, " $targetIP : $arraypre[8 + $spcval] $arraypre[10 + $spcval] $arraypre[11 + $spcval] $arraypre[12 + $spcval]";
            $cnt++;
        }
        $Shtdcnt++ if /Shutting down/;
        $Sttcnt++  if /has started/;
    }
}

if ($cnt) {
    print "The following $cnt IP(s) have been registered.\n";
    print "@arraypost\n";
} else {
    print " No newly registered IP(s).\n";
}
print "\n Daemon shut down $Shtdcnt time(s).\n" if $Shtdcnt;
print "\n Daemon started $Sttcnt time(s).\n"    if $Sttcnt;
That's all.