시스템 로그 분석 스크립트
VDFTP 형식 서비스에 대한 분석 스크립트가 추가되었습니다.
#!/bin/bash
#
# NOTE:
# The readme text is written in Chinese.
# Please view this script on a system with Chinese locale support.
#
# VBird , 2002/02/10 !
# 『 』 !
# :
#
# 0. port !
# 1. /var/log/secure
# 2. /var/log/wtmp
# 3. /var/log/messages
# 4. /var/log/maillog
# /var/log/mail
#
# Red Hat 7.2 Mandrake 9.0 ,
# , , Linux
# distributions ! ,
# !
#
###################################################################
# INSTALL ( )
#
# 1. :
# mkdir -p /usr/local/virus/logfile
# logfile.sh !
# !
# chmod 755 /usr/local/virus/logfile/logfile.sh
# chown root:root /usr/local/virus/logfile/logfile.sh
#
# 2. :
# ,
# email=.....
# basedir=..
# outputall=...
#
# 3. crontab
# vi /etc/crontab :
# 10 0 * * * root /usr/local/virus/logfile/logfile.sh > /dev/null 2>&1
# 12:10 , root !
#
#====================================================================
# :
#
# -------------------------------------------------------------------
# 2002/03/21 VBird
# 2002/04/02 VBird cut , awk 。
# 2002/04/10 VBird pop3 , maillog
# messages !
# 2002/04/14 VBird !
# 2003/03/11 VBird ! :
# 1. port , ;
# 2. ;
# 2003/03/15 VBird Postfix ,
# 2003/03/16 VBird , 23 telnet port
# !
# 2003/06/11 VBird /var/log/procmail.log ,
# sendmail 。
# , defer !
# 2004/01/17 VBird pop3 !
# 2004/03/07 VBird Postfix , !
# !
#--------------------------------------------------------------------
#####################################################################
# YOU MUST KEYIN SOME PARAMETERS HERE!!
# !
# Recipient(s) of the daily report. mail(1) takes a comma-separated list,
# e.g.  email='root@localhost,yourID@hostname'
# A bare "user@localhost" is rewritten to the real host name further down.
email='root@localhost'
# Directory that holds logfile.sh and every scratch file it writes.
basedir='/usr/local/virus/logfile'
# 'yes' (or 'YES') also appends the raw secure/messages extracts and the
# last(1) output to the report; anything else sends only the summaries.
outputall='no'
#####################################################################
# , , !
# , ! ^_^
#####################################################################
# 0. basedir
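# 0. Environment: fixed PATH and an English locale so that date(1) and
#    uptime(1) output can be parsed with fixed field positions below.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
LANG=en
LC_TIME=en
export PATH LANG LC_TIME
localhostname=$(hostname)

# A single "user@localhost" recipient is rewritten to the real host name so
# the report is deliverable; any other address list is left untouched.
if [[ "${email#*@}" == "localhost" ]]; then
  email="${email%%@*}@${localhostname}"
fi

# Required external tools. On failure the reason is mailed and the script
# exits non-zero so the cron job / caller can see that nothing was produced.
for tool in awk sed egrep; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '%s\n' " $tool , $0 !" "$tool " | mail -s " " "$email"
    exit 1
  fi
done

# A syslog daemon must be running, otherwise there are no logs to analyse.
if ! pgrep -f syslog >/dev/null 2>&1; then
  printf '%s\n' " syslog daemon , $0 !" "syslog daemon " | mail -s " " "$email"
  exit 1
fi

# NOTE(review): $basedir receives scratch files under fixed names while the
# script runs as root (see the INSTALL notes); keep it root-owned and not
# writable by other users.
if [[ ! -d "$basedir" ]]; then
  printf '%s\n' " $basedir , $0 !" "$basedir " | mail -s " " "$email"
  exit 1
fi

#####################################################################
# 0.1 Version stamp and the date string used to select log lines.
lastdate="2004-03-07"
versions="Version 2.0-4"
hosthome=$localhostname
logfile="$basedir/logfile.mail"
# The cron entry runs shortly after midnight, so before 07:00 the report
# covers the previous day. %b' '%e matches the syslog date layout ("Mar  7").
hour=$(date +%k)
if (( hour <= 6 )); then
  date --date='1 day ago' +%b' '%e > "$basedir/dattime"
else
  date +%b' '%e > "$basedir/dattime"
fi
y=$(cat "$basedir/dattime")

# 0.1.0 syslog.conf is needed to find the secure and mail log locations.
if [[ ! -f /etc/syslog.conf ]]; then
  printf '%s\n' \
    " ! /etc/syslog.conf ," \
    "script $0 , /etc/syslog.conf" \
    "syslog.conf , /etc" \
    "/etc/ :" \
    "ln -s /full/path/syslog.conf /etc/syslog.conf" \
    "http://linux.vbird.org !" | mail -s " " "$email"
  exit 1
fi

# 0.1.1 secure (authpriv) log: first "authpriv.*" target. Only a leading "-"
#       (syslog's "do not sync" marker) is stripped, so a "-" inside the
#       path itself is preserved.
log=$(grep 'authpriv\.\*' /etc/syslog.conf | awk '{print $2}' | head -n 1)
log=${log#-}
if [[ -z "$log" ]]; then
  echo "Sorry, You do not have the login logfile.... Stop $0" | mail -s "Important Messages" "$email"
  exit 1
fi
grep -- "$y" "$log" > "$basedir/securelog"

# 0.1.2 mail log: "mail.*" target, else the first other mail.<prio> target
#       that is not the messages file.
log=$(grep 'mail\.\*' /etc/syslog.conf | awk '{print $2}' | head -n 1)
if [[ -z "$log" ]]; then
  log=$(grep 'mail\.' /etc/syslog.conf | awk '{print $2}' | grep -v 'message' | head -n 1)
fi
log=${log#-}
if [[ -z "$log" ]]; then
  echo "Sorry, You do not have the mail logfile.... Stop $0" | mail -s "Important Messages" "$email"
  exit 1
fi
grep -- "$y" "$log" > "$basedir/maillog"

# 0.1.3 messages log (fixed path).
grep -- "$y" /var/log/messages > "$basedir/messageslog"

# Uptime text: uptime(1) is read once and the number of fields kept depends
# on whether it reports days and/or minutes.
up_out=$(uptime)
if [[ "$up_out" == *day* ]]; then
  if [[ "$up_out" == *min* ]]; then
    UPtime=$(awk '{print $3 " " $4 " " $5 " " $6}' <<<"$up_out")
  else
    UPtime=$(awk '{print $3 " " $4 " " $5}' <<<"$up_out")
  fi
elif [[ "$up_out" == *min* ]]; then
  UPtime=$(awk '{print $3 " " $4}' <<<"$up_out")
else
  UPtime=$(awk '{print $3}' <<<"$up_out")
fi

#####################################################################
# 1. Report header and host summary. The first redirection truncates any
#    report left from a previous run; everything after it appends.
{
  echo "################################################"
  echo " "
  echo " : $versions"
  echo " : $lastdate"
  echo " , !"
  echo " http://linux.vbird.org"
  echo " http://linux.vbird.org/download/"
  echo "################################################"
  echo " "
  echo "=============== ======================="
  echo " : $(awk '{print $1 " " $2 " " $3 " " $4}' /proc/version)"
  echo "CPU : $(grep "model name" /proc/cpuinfo | awk '{print $4 " " $5 " " $6}')"
  grep "cpu MHz" /proc/cpuinfo | awk '{print " : " $4 " MHz"}'
  echo " : $localhostname"
  echo " : $(date +%Y/%B/%d' '%H:%M:%S' '\(' '%A' '\))"
  echo " : $y"
  echo " : $UPtime"
  echo " "
  echo " port :"
} > "$logfile"

# Listening TCP ports bound to 0.0.0.0 (IPv6-only listeners are not seen).
# netstat.tmp is reused by the dispatch section; the port is its last field.
netstat -tln | grep '0\.0\.0\.0:' | awk '{print $4}' | cut -d':' -f2 |
  sort -n | uniq | awk '{print " : " $1}' |
  tee "$basedir/netstat.tmp" >> "$logfile"

# telnet (port 23) carries credentials in clear text; warn when it listens.
if grep -q ' 23$' "$basedir/netstat.tmp"; then
  echo '** : telnet , , ! **' >> "$logfile"
fi

{
  echo " "
  echo " "
  df
  echo " "
} >> "$logfile"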
#####################################################################
# 2 SSH (Function) su !
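funcssh () {
  # SSH section of the report. Reads the day's securelog extract for sshd
  # "Accept" / "Fail" lines and the messageslog extract for "su" sessions
  # opened for root, and appends per user/client counts to $logfile.
  local sshright ssherror sshsu
  {
    echo " "
    echo "================= SSH ======================="
  } >> "$logfile"

  sshright=$(grep -c 'sshd.*Accept' "$basedir/securelog")
  if [[ "$sshright" != "0" ]]; then
    echo " : $sshright" | awk '{printf("%-26s %3d\n",$1,$2)}' >> "$logfile"
    echo " " | awk '{printf("%-10s %-15s %-4s\n", $1, $2, $3)}' >> "$logfile"
    # user is the word after "for", client the word after "from"; the two
    # column files are pasted line by line, then identical pairs are counted.
    grep 'sshd.*Accept' "$basedir/securelog" | sed 's/^.*for//g' | awk '{print $1}' \
      > "$basedir/securelogssh-1"
    grep 'sshd.*Accept' "$basedir/securelog" | sed 's/^.*from//g' | awk '{print $1}' \
      > "$basedir/securelogssh-2"
    paste "$basedir/securelogssh-1" "$basedir/securelogssh-2" > "$basedir/securelogssh"
    sort "$basedir/securelogssh" | uniq -c | sort -rn |
      awk '{printf("%-10s %-15s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  ssherror=$(grep -c 'sshd.*Fail' "$basedir/securelog")
  if [[ "$ssherror" != "0" ]]; then
    echo " : $ssherror" | awk '{printf("%-26s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-10s %-15s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep 'sshd.*Fail' "$basedir/securelog" | sed 's/^.*for//g' | awk '{print $1}' \
      > "$basedir/securelogsshno-1"
    grep 'sshd.*Fail' "$basedir/securelog" | sed 's/^.*from//g' | awk '{print $1}' \
      > "$basedir/securelogsshno-2"
    paste "$basedir/securelogsshno-1" "$basedir/securelogsshno-2" > "$basedir/securelogsshno"
    sort "$basedir/securelogsshno" | uniq -c | sort -rn |
      awk '{printf("%-10s %-15s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  # "su" sessions opened for root: the calling user is the word after "by".
  grep "su" "$basedir/messageslog" | grep "open" | grep "root" |
    sed 's/^.*by//g' | awk '{print $1}' | sort > "$basedir/messagessu"
  sshsu=$(awk 'END { print NR }' "$basedir/messagessu")
  if [[ "$sshsu" != "0" ]]; then
    echo " su root " >> "$logfile"
    echo " " | awk '{printf("%-26s %-4s\n", $1, $2)}' >> "$logfile"
    uniq -c "$basedir/messagessu" | sort -rn |
      awk '{printf("%-25s %3d\n", $2, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  if [[ "$sshright" == "0" && "$ssherror" == "0" ]]; then
    echo " SSH " >> "$logfile"
    echo " " >> "$logfile"
  fi
}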
#####################################################################
# 3 POP3 (Function) !
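funcpop3 () {
  # POP3 section of the report: successful logins ("Login user") from the
  # day's maillog extract and failed logins ("Login fail") from the
  # messageslog extract, each tabulated per user/client and appended to
  # $logfile.
  local pop3right pop3error
  echo "================= POP3 ======================" >> "$logfile"

  pop3right=$(grep -c "pop3.*Login user" "$basedir/maillog")
  if [[ "$pop3right" != "0" ]]; then
    echo "POP3 : $pop3right" | awk '{printf("%-40s %4d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    # user follows "user=", client follows "host=" and sits inside [ ].
    grep "pop3.*Login user" "$basedir/maillog" | sed 's/^.*user=//g' | awk '{print $1}' \
      > "$basedir/maillogpop-1"
    grep "pop3.*Login user" "$basedir/maillog" | sed 's/^.*host=//g' |
      sed 's/^.*\[//g' | sed 's/\].*$//g' | awk '{print $1}' \
      > "$basedir/maillogpop-2"
    paste "$basedir/maillogpop-1" "$basedir/maillogpop-2" > "$basedir/maillogpop"
    sort "$basedir/maillogpop" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  pop3error=$(grep -c "pop3.*Login fail" "$basedir/messageslog")
  if [[ "$pop3error" != "0" ]]; then
    echo "POP3 : $pop3error" | awk '{printf("%-40s %4d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "pop3.*Login fail" "$basedir/messageslog" | sed 's/^.*user=//g' | awk '{print $1}' \
      > "$basedir/maillogpopno-1"
    grep "pop3.*Login fail" "$basedir/messageslog" | sed 's/^.*host=//g' |
      sed 's/^.*\[//g' | sed 's/\].*$//g' | awk '{print $1}' \
      > "$basedir/maillogpopno-2"
    paste "$basedir/maillogpopno-1" "$basedir/maillogpopno-2" > "$basedir/maillogpopno"
    sort "$basedir/maillogpopno" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  if [[ "$pop3error" == "0" && "$pop3right" == "0" ]]; then
    echo " POP3 " >> "$logfile"
    echo " " >> "$logfile"
  fi
}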
#####################################################################
# 4 Wu-FTP (Function) !
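funcwuftp () {
  # Wu-FTP section of the report, read from the day's messageslog extract:
  # successful logins ("FTP LOGIN": user after the last comma, client after
  # "FROM") and failed authentications ("ftp.*auth.*fail": user after
  # "user=", client after "rhost="). Appends to $logfile.
  local wuftpright wuftperror mon
  echo "================= FTP =======================" >> "$logfile"

  wuftpright=$(grep -c "FTP LOGIN" "$basedir/messageslog")
  if [[ "$wuftpright" != "0" ]]; then
    echo "Wu-FTP- : $wuftpright" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "FTP LOGIN" "$basedir/messageslog" | sed 's/^.*,//g' | awk '{print $1}' \
      > "$basedir/messageswuftp-1"
    grep "FTP LOGIN" "$basedir/messageslog" | sed 's/^.*FROM//g' | awk '{print $1}' \
      > "$basedir/messageswuftp-2"
    paste "$basedir/messageswuftp-1" "$basedir/messageswuftp-2" > "$basedir/messageswuftp"
    sort "$basedir/messageswuftp" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  wuftperror=$(grep -c "ftp.*auth.*fail" "$basedir/messageslog")
  if [[ "$wuftperror" != "0" ]]; then
    echo "Wu-FTP- : $wuftperror" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    # Lines without a "user=" field survive the sed unchanged, so their first
    # word is the month of the log line; those are reported as UnknowUser.
    # The month is taken from dattime (the day being analysed), not from
    # today's date, so a report written just after a month change still works.
    mon=$(awk '{print $1}' "$basedir/dattime")
    grep "ftp.*auth.*fail" "$basedir/messageslog" | sed 's/^.*\buser=//g' | awk '{print $1}' \
      > "$basedir/messageswuftpno.1.tmp"
    awk -v mon="$mon" '{ if ($1 != mon) print $1; else print "UnknowUser" }' \
      "$basedir/messageswuftpno.1.tmp" > "$basedir/messageswuftpno.1"
    grep "ftp.*auth.*fail" "$basedir/messageslog" | sed 's/^.*rhost=//g' | awk '{print $1}' \
      > "$basedir/messageswuftpno.2"
    paste "$basedir/messageswuftpno.1" "$basedir/messageswuftpno.2" > "$basedir/messageswuftpno"
    sort "$basedir/messageswuftpno" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  if [[ "$wuftpright" == "0" && "$wuftperror" == "0" ]]; then
    echo " Wu FTP " >> "$logfile"
    echo " " >> "$logfile"
  fi
}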
#####################################################################
# 6 Sendmail (Function) !
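funcsendmail () {
  # Sendmail section of the report, read from the day's maillog extract:
  # whether SASL is configured, all accepted messages and their total size,
  # messages submitted by authenticated (mech=LOGIN) or local clients broken
  # down per sender/relay, the mail queue when it is not empty, and rejects.
  # Appends to $logfile.
  local auth sendmailright mailsize sendmaillocal queue_lines sendmailerror pat
  echo "================= Sendmail ==================" >> "$logfile"

  auth=no
  [[ -f /usr/lib/sasl/Sendmail.conf || -f /usr/lib/sasl2/Sendmail.conf ]] && auth=yes
  if [[ "$auth" == "yes" ]]; then
    echo " SASL " >> "$logfile"
  else
    echo " SASL " >> "$logfile"
  fi
  echo " " >> "$logfile"

  sendmailright=$(grep -c "sendmail.*from.*class" "$basedir/maillog")
  if [[ "$sendmailright" != "0" ]]; then
    echo "SMTP : $sendmailright " | awk '{printf("%-21s %10d\n", $1, $2)}' >> "$logfile"
    grep "sendmail.*from.*class" "$basedir/maillog" | sed 's/^.*size=//g' |
      awk -F ',' '{print $1}' > "$basedir/maillogsendmailall"
    mailsize=$(awk '{ smtp = smtp + $1 } END {print smtp/1024}' "$basedir/maillogsendmailall")
    echo " : $mailsize KBytes" | awk '{printf("%-20s %10d %-8s\n",$1, $2, $3)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  # Three parallel column files (sender, "relay,", size). Each starts with a
  # blank line, which is subtracted from the count and skipped (NR >= 2) when
  # the columns are aggregated.
  echo " " > "$basedir/maillogsendmaillocal-1"
  echo " " > "$basedir/maillogsendmaillocal-2"
  echo " " > "$basedir/maillogsendmaillocal-3"
  for pat in "sendmail.*from.*mech=LOGIN" "sendmail.*from.*localhost"; do
    grep "$pat" "$basedir/maillog" | sed 's/^.*from=//g' | awk -F ',' '{print $1}' \
      >> "$basedir/maillogsendmaillocal-1"
    grep "$pat" "$basedir/maillog" | sed 's/^.*relay=//g' | awk '{print $1 ","}' \
      >> "$basedir/maillogsendmaillocal-2"
    grep "$pat" "$basedir/maillog" | sed 's/^.*size=//g' | awk -F ',' '{print $1}' \
      >> "$basedir/maillogsendmaillocal-3"
  done
  paste "$basedir/maillogsendmaillocal-1" "$basedir/maillogsendmaillocal-2" \
    > "$basedir/maillogsendmaillocal-4"
  paste "$basedir/maillogsendmaillocal-4" "$basedir/maillogsendmaillocal-3" \
    > "$basedir/maillogsendmaillocal"
  sendmaillocal=$(( $(awk 'END { print NR }' "$basedir/maillogsendmaillocal") - 1 ))
  if [[ "$sendmaillocal" != "0" ]]; then
    echo "SMTP : $sendmaillocal" | awk '{printf("%-21s %10d\n", $1, $2)}' >> "$logfile"
    mailsize=$(awk '{ smtp = smtp + $1 } END {print smtp/1024}' "$basedir/maillogsendmaillocal-3")
    echo " : $mailsize KBytes" | awk '{printf("%-20s %10d %-8s\n",$1, $2, $3)}' >> "$logfile"
    echo " " >> "$logfile"
    echo " (KBytes)" | awk '{printf("%-35s %-35s %-6s %-10s\n", $1, $2, $3, $4)}' >> "$logfile"
    # Per (sender, relay) key: message count and total KBytes. The separator
    # is given with -F so it applies from the first record; messages of size
    # 0 are counted like any other.
    awk -F ',' 'NR >= 2 { sizes[$1] += $2/1024; n[$1]++ }
      END { for (k in n) printf("%-80s %-10s %-10s\n", k, n[k], sizes[k]) }' \
      "$basedir/maillogsendmaillocal" | sort -k3 -gr |
      awk '{printf("%-35s %-35s %4d %10d\n", $1, $2, $3, $4)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  # Queue listing: mailq prints two header lines, so only more than that means
  # there is mail waiting.
  if [[ -x /usr/bin/mailq ]]; then
    mailq > "$basedir/mailq"
    queue_lines=$(awk 'END { print NR }' "$basedir/mailq")
    if (( queue_lines >= 3 )); then
      {
        echo " "
        cat "$basedir/mailq"
        echo " "
      } >> "$logfile"
    fi
  fi

  sendmailerror=$(grep -c "sendmail.*reject=" "$basedir/maillog")
  if [[ "$sendmailerror" != "0" ]]; then
    echo " : " >> "$logfile"
    grep "sendmail.*reject=" "$basedir/maillog" >> "$logfile"
    echo " " >> "$logfile"
  fi

  if [[ "$sendmailright" == "0" && "$sendmaillocal" == "0" && "$sendmailerror" == "0" ]]; then
    echo " sendmail " >> "$logfile"
    echo " " >> "$logfile"
  fi
}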
#####################################################################
# 7 postfix (Function) !
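funcpost () {
  # Postfix section of the report, read from the day's maillog extract.
  # Builds one summary line per queue id in $basedir/postlog
  # ("client sender state auth user , size"), then reports: authenticated
  # and local senders, deferred mail, the ten largest messages, the queue,
  # smtpd rejects, SASL failures and content filtering. Appends to $logfile.
  local auth postall mailsize mailid posthost postemail postsend postnosend
  local postauth postauthname postsize postfix_auth postfix_local postfix_10
  local queue_lines postfix_nodeny postfix_noauth postfix_filtering
  local defer_id defer_count defer_from defer_to defer_size defer_reason line

  echo "================= Postfix ===================" >> "$logfile"
  auth=no
  [[ -f /usr/lib/sasl/smtpd.conf || -f /usr/lib/sasl2/smtpd.conf ]] && auth=yes
  if [[ "$auth" == "yes" ]]; then
    echo " SASL " >> "$logfile"
  else
    echo " SASL " >> "$logfile"
  fi
  echo " " >> "$logfile"

  postall=$(grep -c 'postfix.*qmgr.*from.*size' "$basedir/maillog")
  if [[ "$postall" != "0" ]]; then
    echo "SMTP : $postall " | awk '{printf("%-21s %10d\n", $1, $2)}' >> "$logfile"
    mailsize=$(grep 'postfix.*qmgr.*from.*size' "$basedir/maillog" |
      sed 's/^.*size=//g' | awk -F ',' '{print $1}' |
      awk '{ smtp = smtp + $1 } END {print smtp/1024}')
    echo " : $mailsize KBytes" | awk '{printf("%-20s %10d %-8s\n",$1, $2, $3)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  # Split the log once per event type; every queue id is then looked up in
  # these files. Queue ids are plain tokens, so fixed-string matching is
  # used rather than treating log content as a regex.
  grep "postfix.*qmgr.*from.*size" "$basedir/maillog" |
    sed 's/^.*\]://g' | sed 's/:.*$//g' | awk '{print $1}' > "$basedir/postid"
  grep "postfix.*smtpd.*client=" "$basedir/maillog" > "$basedir/postlog-host"
  grep "postfix.*qmgr.*from.*size" "$basedir/maillog" > "$basedir/postlog-email-size"
  grep "postfix.*smtpd.*LOGIN" "$basedir/maillog" > "$basedir/postlog-auth"
  grep "postfix.*smtp\[.*to.*relay.*sent" "$basedir/maillog" > "$basedir/postlog-send"
  grep "postfix.*smtp\[.*to.*relay" "$basedir/maillog" | grep -v 'sent' > "$basedir/postlog-nosend"

  : > "$basedir/postlog.1"
  while IFS= read -r mailid; do
    [[ -n "$mailid" ]] || continue
    posthost=$(grep -F -- "$mailid" "$basedir/postlog-host" | sed 's/^.*: client//g' |
      sed 's/^.*\[//g' | sed 's/\].*//g' | head -n 1)
    [[ -n "$posthost" ]] || posthost="unknow"
    postemail=$(grep -F -- "$mailid" "$basedir/postlog-email-size" |
      sed 's/^.*from=<//g' | sed 's/>.*$//g' | head -n 1)
    [[ -n "$postemail" ]] || postemail="unknow"
    postsend=$(grep -F -- "$mailid" "$basedir/postlog-send" | head -n 1)
    postnosend=$(grep -F -- "$mailid" "$basedir/postlog-nosend" | head -n 1)
    if [[ -z "$postsend" && -z "$postnosend" ]]; then
      postsend="local"
    elif [[ -z "$postsend" ]]; then
      postsend="defer"
    else
      postsend="send"
    fi
    if grep -qF -- "$mailid" "$basedir/postlog-auth"; then
      postauth="auth"
    else
      postauth="noauth"
    fi
    postauthname=$(grep -F -- "$mailid" "$basedir/postlog-auth" | sed 's/^.*username=//g' | head -n 1)
    [[ -n "$postauthname" ]] || postauthname="noauth"
    postsize=$(grep -F -- "$mailid" "$basedir/postlog-email-size" |
      sed 's/^.*size=//g' | sed 's/,.*$//g' | head -n 1)
    [[ -n "$postsize" ]] || postsize="0"
    printf '%s\n' "$posthost $postemail $postsend $postauth $postauthname , $postsize" \
      >> "$basedir/postlog.1"
  done < "$basedir/postid"
  sort "$basedir/postlog.1" | uniq > "$basedir/postlog"

  # 1. Messages from SASL-authenticated clients ("send") and local
  #    submissions ("local"), aggregated per postlog line (count, KBytes).
  #    The "," separator is given with -F so the first matching line is
  #    aggregated too.
  postfix_auth="0"
  postfix_local="0"
  if [[ "$auth" == "yes" ]]; then
    grep -E '\bauth\b' "$basedir/postlog" |
      awk -F ',' '{ sizes[$1] += $2/1024; n[$1]++ }
        END { for (k in n) printf("%-80s %-10s %-10s\n", k, n[k], sizes[k]) }' \
      > "$basedir/postfix-auth"
    postfix_auth=$(grep -c 'send' "$basedir/postfix-auth")
    if [[ "$postfix_auth" != "0" ]]; then
      echo " ( )" >> "$logfile"
      echo " (KBytes)" | awk '{printf("%-25s %-20s %-6s %-10s\n", $1, $2, $3, $4)}' >> "$logfile"
      grep 'send' "$basedir/postfix-auth" |
        awk '{printf("%-25s %-20s %4d %10d\n", $5, $1, $6, $7)}' | sort -k3 -gr >> "$logfile"
      echo " " >> "$logfile"
    fi
    postfix_local=$(grep -c 'local' "$basedir/postfix-auth")
    if [[ "$postfix_local" != "0" ]]; then
      echo " " >> "$logfile"
      echo " (KBytes)" | awk '{printf("%-25s %-20s %-6s %-10s\n", $1, $2, $3, $4)}' >> "$logfile"
      grep 'local' "$basedir/postfix-auth" |
        awk '{printf("%-25s %-20s %4d %10d\n", $5, $1, $6, $7)}' | sort -k3 -gr >> "$logfile"
      echo " " >> "$logfile"
    fi
  fi

  # 2. Deferred mail: attempts per queue id (field 6 of the "deferred" lines),
  #    then sender, recipient, size and reason from the first matching lines.
  grep 'deferred' "$basedir/maillog" | awk '{print $6 }' | sort | uniq -c > "$basedir/postfix-defer"
  if [[ -s "$basedir/postfix-defer" ]]; then
    echo " " >> "$logfile"
    echo " " " " " " " (bytes)" | awk '{printf("%-32s %-32s %4s %16s\n",$1,$2,$3,$4)}' >> "$logfile"
    while read -r defer_count defer_id; do
      line=$(grep -F -- "$defer_id" "$basedir/maillog" | grep 'from' | head -n 1)
      defer_from=$(printf '%s\n' "$line" | sed 's/^.*from=//g' | sed 's/,.*$//g' | sed 's/<//g' | sed 's/>//g')
      defer_size=$(printf '%s\n' "$line" | sed 's/^.*size=//g' | sed 's/,.*$//g')
      line=$(grep -F -- "$defer_id" "$basedir/maillog" | grep 'to' | grep defer | head -n 1)
      defer_to=$(printf '%s\n' "$line" | sed 's/^.*to=//g' | sed 's/,.*$//g' | sed 's/<//g' | sed 's/>//g')
      defer_reason=$(printf '%s\n' "$line" | cut -d '(' -f2 | sed 's/)//g')
      echo "$defer_from $defer_to $defer_count $defer_size" |
        awk '{printf("%-32s %-32s %4d %5d\n",$1,$2,$3,$4/1024)}' >> "$logfile"
      echo " ==> " "$defer_reason" >> "$logfile"
    done < "$basedir/postfix-defer"
    echo " " >> "$logfile"
  fi

  # 3. The ten largest messages of the day (size is the last postlog column).
  postfix_10=$(awk 'END { print NR }' "$basedir/postlog")
  if [[ "$postfix_10" != "0" ]]; then
    echo " " >> "$logfile"
    echo " (KBytes)" | awk '{printf("%-35s %-20s %-8s %-10s\n", $1, $2, $3, $4)}' >> "$logfile"
    awk '{printf("%-35s %-20s %-8s %10d\n", $2, $1, $3, $7/1024)}' "$basedir/postlog" |
      sort -k4 -gr | head -n 10 >> "$logfile"
    echo " " >> "$logfile"
  fi

  # Queue listing: mailq prints two header lines, so only more than that means
  # there is mail waiting.
  if [[ -x /usr/bin/mailq ]]; then
    mailq > "$basedir/mailq"
    queue_lines=$(awk 'END { print NR }' "$basedir/mailq")
    if (( queue_lines >= 3 )); then
      {
        echo " "
        cat "$basedir/mailq"
        echo " "
      } >> "$logfile"
    fi
  fi

  if [[ "$postfix_auth" == "0" && "$postfix_local" == "0" && "$postfix_10" == "0" ]]; then
    echo " Postfix " >> "$logfile"
  fi

  grep 'postfix.*smtpd.*reject.*deni*' "$basedir/maillog" > "$basedir/postfix-nodeny"
  postfix_nodeny=$(awk 'END { print NR }' "$basedir/postfix-nodeny")
  if [[ "$postfix_nodeny" != "0" ]]; then
    echo " " >> "$logfile"
    sed 's/^.* from //g' "$basedir/postfix-nodeny" | sed 's/://g' | sort |
      awk '{print "From: "$1 "\n" "To: "$3 "\n"}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  grep 'postfix.*smtpd.*SASL.*authen.*fail' "$basedir/maillog" > "$basedir/postfix-noauth"
  postfix_noauth=$(awk 'END { print NR }' "$basedir/postfix-noauth")
  if [[ "$postfix_noauth" != "0" ]]; then
    echo " " >> "$logfile"
    cat "$basedir/postfix-noauth" >> "$logfile"
    echo " " >> "$logfile"
  fi

  grep -E "(discard|reject: h|reject: b)" "$basedir/maillog" > "$basedir/postfix-filtering"
  postfix_filtering=$(awk 'END { print NR }' "$basedir/postfix-filtering")
  if [[ "$postfix_filtering" != "0" ]]; then
    echo " " >> "$logfile"
    echo " : $postfix_filtering " >> "$logfile"
    # The line is rebuilt as "mode~from~to" and split on "~" (given with -F so
    # it already applies to the first record).
    sed 's/^.*discard: //g' "$basedir/postfix-filtering" | sed 's/proto.*$//g' |
      sed 's/from=.* to/to/g' | sed 's/ from /~/g' | sed 's/ to=/~/g' |
      awk -F '~' '{print "From: "$2 "\n" "To: "$3 "\n" "Mode: "$1 "\n"}' >> "$logfile"
    echo " " >> "$logfile"
  fi
}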
#####################################################################
# 8 Proftp (Function) !
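funcproftp () {
  # ProFTPD section of the report, read from the day's securelog extract:
  # successful logins, failed logins and unknown-user attempts, each
  # tabulated per user/client and appended to $logfile.
  local proftpright proftperr1 proftperr2
  echo "================= Proftp ====================" >> "$logfile"

  proftpright=$(grep -c "proftp.*USER.*Login succes" "$basedir/securelog")
  if [[ "$proftpright" != "0" ]]; then
    echo "Pro-FTP- : $proftpright" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    # user is the text after "USER" up to the next ":"; the client is the
    # content of the last [ ] group on the line.
    grep "proftp.*USER.*Login succes" "$basedir/securelog" | sed 's/^.*USER//g' |
      sed 's/:.*$//g' | awk '{print $1}' > "$basedir/securelogproftp-1"
    grep "proftp.*USER.*Login succes" "$basedir/securelog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogproftp-2"
    paste "$basedir/securelogproftp-1" "$basedir/securelogproftp-2" > "$basedir/securelogproftp"
    sort "$basedir/securelogproftp" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  proftperr1=$(grep -c "proftp.*USER.*Login fail" "$basedir/securelog")
  if [[ "$proftperr1" != "0" ]]; then
    echo "Pro-FTP- : $proftperr1" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "proftp.*USER.*Login fail" "$basedir/securelog" | sed 's/^.*USER//g' |
      awk '{print $1}' > "$basedir/securelogproftpe1-1"
    grep "proftp.*USER.*Login fail" "$basedir/securelog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogproftpe1-2"
    paste "$basedir/securelogproftpe1-1" "$basedir/securelogproftpe1-2" > "$basedir/securelogproftpe1"
    sort "$basedir/securelogproftpe1" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  proftperr2=$(grep -c "proftp.*USER.*no such user" "$basedir/securelog")
  if [[ "$proftperr2" != "0" ]]; then
    echo "Pro-FTP- : $proftperr2" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "proftp.*USER.*no such user" "$basedir/securelog" | sed 's/^.*USER//g' |
      sed 's/:.*$//g' | awk '{print $1}' > "$basedir/securelogproftpe2-1"
    grep "proftp.*USER.*no such user" "$basedir/securelog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogproftpe2-2"
    paste "$basedir/securelogproftpe2-1" "$basedir/securelogproftpe2-2" > "$basedir/securelogproftpe2"
    sort "$basedir/securelogproftpe2" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  if [[ "$proftpright" == "0" && "$proftperr1" == "0" && "$proftperr2" == "0" ]]; then
    echo " Proftp " >> "$logfile"
    echo " " >> "$logfile"
  fi
}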
#####################################################################
# 9 Vs-ftp (Function) !
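funvsftp () {
  # vsftpd section of the report. Login counts come from the day's
  # messageslog extract; per-transfer data (client, user, file, bytes,
  # direction) from the /var/log/vsftpd.log lines carrying the report date.
  # Appends to $logfile.
  local y vsftpright vsftperr1 vsftperr2 ftpsize ftpin ftpout
  echo "================= Vs-ftp ====================" >> "$logfile"

  y=$(cat "$basedir/dattime")
  if [[ -f /var/log/vsftpd.log ]]; then
    grep -- "$y" /var/log/vsftpd.log > "$basedir/vsftpdlog"
  else
    : > "$basedir/vsftpdlog"
  fi

  vsftpright=$(grep -c "vsftpd.*can't get client address:" "$basedir/messageslog")
  if [[ "$vsftpright" != "0" ]]; then
    echo "Vs-FTP- : $vsftpright" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    # NOTE(review): the user/client extraction below looks copied from
    # funcproftp — it greps for "proftp" lines, which a vsftpd host is unlikely
    # to have, so this table will usually stay empty. Confirm and rewrite it
    # against vsftpd's real log format.
    grep "proftp.*USER.*Login succes" "$basedir/vsftpdlog" | sed 's/^.*USER//g' |
      sed 's/:.*$//g' | awk '{print $1}' > "$basedir/securelogvsftp-1"
    grep "proftp.*USER.*Login succes" "$basedir/securelog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogvsftp-2"
    paste "$basedir/securelogvsftp-1" "$basedir/securelogvsftp-2" > "$basedir/securelogvsftp"
    sort "$basedir/securelogvsftp" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  vsftperr1=$(grep -c "vsftpd.*authentication failure" "$basedir/messageslog")
  if [[ "$vsftperr1" != "0" ]]; then
    echo "Vs-FTP- : $vsftperr1" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "vsftpd.*authentication failure" "$basedir/messageslog" | sed 's/^.*user=//g' |
      awk '{print $1}' > "$basedir/securelogvsftpe1-1"
    # NOTE(review): the client column still uses the proftpd "Login fail"
    # pattern; presumably the vsftpd line's rhost= field was meant — confirm.
    grep "proftp.*USER.*Login fail" "$basedir/messageslog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogvsftpe1-2"
    # The pasted file is now read back under the same name (the original wrote
    # securelogproftpe1 and then read securelogvsftpe1).
    paste "$basedir/securelogvsftpe1-1" "$basedir/securelogvsftpe1-2" > "$basedir/securelogvsftpe1"
    sort "$basedir/securelogvsftpe1" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  vsftperr2=$(grep -c "vsftpd.*check pass" "$basedir/messageslog")
  if [[ "$vsftperr2" != "0" ]]; then
    echo "Vs-FTP- : $vsftperr2" | awk '{printf("%-41s %3d\n", $1, $2)}' >> "$logfile"
    echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
    grep "vsftpd.*check pass" "$basedir/messageslog" | sed 's/^.*user//g' |
      awk '{print $1}' > "$basedir/securelogvsftpe2-1"
    grep "vsftpd.*check pass" "$basedir/messageslog" | sed 's/^.*\[//g' |
      sed 's/\].*$//g' | awk '{print $1}' > "$basedir/securelogvsftpe2-2"
    paste "$basedir/securelogvsftpe2-1" "$basedir/securelogvsftpe2-2" > "$basedir/securelogvsftpe2"
    sort "$basedir/securelogvsftpe2" | uniq -c | sort -rn |
      awk '{printf("%-15s %-25s %3d\n", $2, $3, $1)}' >> "$logfile"
    echo " " >> "$logfile"
  fi

  # Transfer log columns as used here: $7 client, $8 bytes, $9 path (its 4th
  # "/" component is shown), $12 direction (contains "i" or "o"), $14 user.
  # TODO confirm these positions against the local vsftpd.log format.
  awk '{print $7}' "$basedir/vsftpdlog" > "$basedir/ftpip"
  awk '{print $14}' "$basedir/vsftpdlog" > "$basedir/ftpwho"
  awk '{print $9}' "$basedir/vsftpdlog" | cut -d "/" -f4 > "$basedir/ftpfile"
  ftpsize=$(awk '{ftps=ftps+$8} END {print ftps/1024}' "$basedir/vsftpdlog")
  ftpin=$(awk '$12 ~ /i/ {ftps=ftps+$8} END {print ftps/1024}' "$basedir/vsftpdlog")
  ftpout=$(awk '$12 ~ /o/ {ftps=ftps+$8} END {print ftps/1024}' "$basedir/vsftpdlog")
  printf '%s\n\n' "Vs-ftp total data size(Kbyte):$ftpsize" >> "$logfile"
  printf '%s\n\n' "Vs-ftp input data size(Kbyte):$ftpin" >> "$logfile"
  printf '%s\n\n' "Vs-ftp output data size(Kbyte):$ftpout" >> "$logfile"
  printf '%s\n\n' "Vs-ftp In/Out file:" >> "$logfile"
  paste "$basedir/ftpwho" "$basedir/ftpip" "$basedir/ftpfile" > "$basedir/ftplog"
  echo " " | awk '{printf("%-15s %-25s %-4s\n", $1, $2, $3)}' >> "$logfile"
  awk '{printf("%-15s %-25s %-4s\n",$1,$2,$3)}' "$basedir/ftplog" >> "$logfile"
  # A per user/client/file count of ftplog used to follow here; it was
  # commented out by the author and is kept out.
  echo " " >> "$logfile"

  if [[ "$vsftpright" == "0" && "$vsftperr1" == "0" && "$vsftperr2" == "0" ]]; then
    echo " Vs-ftp " >> "$logfile"
    echo " " >> "$logfile"
  fi
}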
#####################################################################
# 9 procmail (Function) !
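funcprocmail () {
  # Procmail section of the report: appends the tail of the first
  # /var/log/*procmail* file, starting at the first line that carries the
  # report date recorded in $basedir/dattime. Nothing is appended when no
  # such line exists (the original fell back to the whole file).
  local logprocmail f nuall nufir num dayproc
  {
    echo "================= Procmail ===================="
    echo " "
  } >> "$logfile"

  logprocmail=""
  for f in /var/log/*procmail*; do
    [[ -e "$f" ]] && logprocmail=$f
    break
  done
  if [[ -z "$logprocmail" || ! -r "$logprocmail" ]]; then
    echo " " >> "$logfile"
    return
  fi

  nuall=$(awk 'END { print NR }' "$logprocmail")
  dayproc=$(cat "$basedir/dattime")
  nufir=$(grep -n -F -- "$dayproc" "$logprocmail" | head -n 1 | cut -d ':' -f1)
  if [[ -z "$nufir" ]]; then
    echo " " >> "$logfile"
    return
  fi
  num=$(( nuall - nufir + 1 ))
  tail -n "$num" "$logprocmail" >> "$logfile"
  echo " " >> "$logfile"
}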
#####################################################################
# 9 !
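#####################################################################
# 9. Run a service report only when its port is listening. The port is the
#    last field of each netstat.tmp line and must match exactly, so that
#    e.g. 2222 or 2121 does not trigger the SSH or FTP report.
port_listening () {
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }' "$basedir/netstat.tmp"
}

if port_listening 22; then
  funcssh
fi

if port_listening 21; then
  [[ -f /etc/ftpaccess ]] && funcwuftp
  if command -v proftpd >/dev/null 2>&1; then
    funcproftp
  else
    funvsftp
  fi
fi

if port_listening 110; then
  funcpop3
fi

if port_listening 25; then
  # A running sendmail process selects the sendmail report, otherwise Postfix.
  if pgrep -f sendmail >/dev/null 2>&1; then
    funcsendmail
  else
    funcpost
  fi
  procmail_log=""
  for f in /var/log/*procmail*; do
    [[ -e "$f" ]] && procmail_log=$f
    break
  done
  if [[ -n "$procmail_log" ]]; then
    funcprocmail
  fi
fi

#####################################################################
# 10. Optionally append the raw material: the secure extract without pop3
#     lines, the last 20 logins, and the messages extract without crond.
if [[ "$outputall" == "yes" || "$outputall" == "YES" ]]; then
  {
    echo " "
    echo "================= ======================="
    echo "1. ( Secure file )"
    echo " : pop3 !"
    grep -v 'pop3' "$basedir/securelog"
    echo " "
    echo "2. last "
    last -20
    echo " "
    echo "3. /var/log/messages !"
    grep -E -vi '\bcrond\[' "$basedir/messageslog"
  } >> "$logfile"
fi

# At last! we send this mail to you!
mail -s "$hosthome " "$email" < "$logfile"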