|
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17 System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64 User : nobody ( 99) PHP Version : 5.2.17 Disable Function : NONE Directory : /proc/21573/task/21573/root/usr/share/logwatch/scripts/services/ |
Upload File : |
##########################################################################
# $Id: pluto,v 1.14 2005/12/05 23:40:13 bjorn Exp $
##########################################################################
# $Log: pluto,v $
# Revision 1.14 2005/12/05 23:40:13 bjorn
#
# Corrected attribution in log.
#
# Revision 1.13 2005/12/02 16:42:37 bjorn
# Additional filtering of STATE changes, by Markus Better.
#
# Revision 1.12 2005/09/26 10:58:04 bjorn
# Additional filtering contributed by Marcus Better
#
##########################################################################
# Note (8/28/2005, BL):
#
# This script was apparently written for FreeS/WAN, which is no longer
# supported (see http://www.freeswan.org). But it also appears to work
# with Openswan (http://www.openswan.org), which is described as a code
# fork of FreeS/WAN.
#
# Also, notice that in this script, many variables are set, but not
# printed. And many logged statements are filtered by this script.
#
# So this script would probably benefit from an update to clean it up
# and ensure full compatibility with the newer Openswan.
##########################################################################
# This is a scanner for logwatch (see www.logwatch.org) that processes
# FreeSWAN's <http://www.freeswan.org/> Pluto log files and attempts to
# make some sense out of them.
#
# Please CC suggestions to mcr@freeswan.org and/or design@lists.freeswan.org
# as well as to kirk@kaybee.org.
# the vendorID hash maps vendor IDs to products. VendorIDs are hashs of
# internal stuff from each vendor. Grow this table as you encouter new
# products.
$vendorID{"p....}..&..i...5..............................."}="KAME/Racoon";
$debug=0;
while(<>) {
# May 4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)
chop;
($month,$day,$time,$host,$process,$conn,$msg)=split(/ +/,$_,7);
$today="$month $day";
next unless ($process =~ /pluto/i);
$loglines{$today}++;
print STDERR "Msg: $msg\n" if $debug>1;
if($msg =~ /([^\#]*)\#(\d*)\:(.*)/) {
$ipaddr = $1;
$stateinfo = $2;
$rest = $3;
} elsif($msg =~ /no Phase 1 state for Delete/) {
$baddelete++;
next;
} elsif($msg =~ /from ([^:]*)\:([^:]*)\: Main Mode message is part of an unknown exchange/) {
$ipaddr = $1;
$ipport = $2;
$badexch{"[$ipaddr]:$ipport"}++;
next;
} else {
print STDERR "Failed to decode: $msg (of $_)\n" if $debug;
next;
}
# print STDERR "conn: $conn IP: $ipaddr STATE: $stateinfo\n" if $debug;
$conn =~ s/\"(.*)\"/$1/;
$conn =~ s/\[\d\]$//;
$conns{$conn}++;
if(!defined($peerIP{"$conn|$ipaddr"})) {
#print STDERR "Adding $ipaddr to $conn\n" if $debug;
$peerIP{$conn}=$peerIP{$conn}.$ipaddr." ";
}
$peerIP{"$conn|$ipaddr"}++;
$stateobjects{$stateinfo}++;
if(!defined($peer{$stateinfo}) && length($ipaddr)>0) {
$peer{$stateinfo}=$ipaddr;
}
# ignore following
next if($rest =~ /ISAKMP SA expired/);
next if($rest =~ /responding to Main Mode/);
next if($rest =~ /responding to Quick Mode/);
next if($rest =~ /IPsec SA expired/);
next if($rest =~ /ignoring informational payload, type IPSEC_INITIAL_CONTACT/);
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero/);
next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling shared secret with leading zero/);
next if($rest =~ /shared DH secret has leading zero -- triggers Pluto 1.0 bug/);
next if($rest =~ /(received|ignoring) Delete SA(|\(0x.*\)) payload/);
next if($rest =~ /received and ignored informational message/);
next if($rest =~ /discarding duplicate packet; already STATE_MAIN_../);
next if($rest =~ /discarding duplicate packet; already STATE_QUICK_../);
next if($rest =~ /deleting state \(STATE_MAIN_..\)/);
next if($rest =~ /deleting state \(STATE_QUICK_..\)/);
next if($rest =~ /Quick Mode .. message is unacceptable because it uses a previously used Message ID/);
next if($rest =~ /deleting connection .* instance with peer .*/);
next if($rest =~ /dropping and reinitiating exchange to avoid Pluto 1.0 bug handling DH shared secret with leading zero byte/);
next if($rest =~ /KE has 191 byte DH public value; 192 required/);
next if($rest =~ /retransmitting in response to duplicate packet; already STATE_MAIN_../);
next if($rest =~ /(Main mode p|P)eer ID is /);
next if($rest =~ /transition from state .* to state/);
next if($rest =~ /NAT-Traversal: Result using/);
next if($rest =~ /no crl from issuer/);
next if($rest =~ /I am sending (a certificate request|my cert)/);
next if($rest =~ /no suitable connection for peer/);
next if($rest =~ /sending encrypted notification/);
next if($rest =~ /enabling possible NAT-traversal with method/);
next if($rest =~ /received Vendor ID payload/);
next if($rest =~ /Dead Peer Detection \(RFC 3706\): enabled/);
next if($rest =~ /DPD: No response from peer - declaring peer dead/);
next if($rest =~ /DPD Error: could not find newest phase 1 state/);
next if($rest =~ /Informational Exchange message is invalid because it has a previously used Message ID/);
next if($rest =~ /discarding packet received during asynchronous work \(DNS or crypto\) in STATE_(MAIN|QUICK)_../);
next if($rest =~ /STATE_(MAIN|QUICK)_R[1-2]: sent [MQ]R[1-2], expecting [MQ]I[1-3]/);
next if($rest =~ /STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2/);
$relevantlog{"$today"}++;
print STDERR "Rest is $rest\n" if $debug>1;
# but process these.
if($rest =~ /initiating Main Mode to replace \#(.*)/) {
$oldinfo = $1;
$statechain{$conn.$stateinfo}="$conn|$oldinfo";
next;
} elsif($rest =~ /initiating Main Mode/) {
$statechain{$conn.$stateinfo}="$conn";
next;
} elsif($rest =~ /initiating Quick Mode (.*) to replace \#(.*)/) {
$oldinfo = $2;
$phase2 = $1;
$statechain{"$conn|$stateinfo"}="$conn|$oldinfo";
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
next;
} elsif($rest =~ /initiating Quick Mode (.*)/) {
$phase2 = $1;
$statechain{"$conn|$stateinfo"}="$conn";
$quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
next;
} elsif($rest =~ /ISAKMP SA established/) {
$rekeysuccess{$conn}++;
next;
} elsif($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_notknown{$1}++;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_I./) {
$rekeyfail{$conn}++;
$rekeyfailQI1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_R./) {
$rekeyfail{$conn}++;
$rekeyfailQR1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_I./) {
$rekeyfail{$conn}++;
$rekeyfailI1{$conn}++;
next;
} elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_R./) {
$rekeyfail{$conn}++;
$rekeyfailR1{$conn}++;
next;
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_ICMPunreachable{$conn}++;
} elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
$rekeyfail{$conn}++;
$rekeyfail_ICMPunreachable{$conn}++;
} elsif($rest =~ /starting keying attempt (.*) of an unlimited number/) {
$lastattempt=$1;
if($maxattempts{$conn} < $lastattempt) {
$maxattempts{$conn} = $lastattempt;
}
next;
} elsif($rest =~ /Vendor ID: (.*)/) {
$vid=$1;
if(defined($vendorID{$vid})) {
$peerID{$conn}=$vendorID{$vid};
} else {
$peerID{$conn}="unknown $vid";
$vendorID{$vid}="unknown $vid at $stateinfo/$ipaddr\n";
}
next;
} elsif($rest =~ /prepare-client output.*/) {
$setupfail{$conn}++;
} elsif(($rest =~ /sent QI2, IPsec SA established/) ||
($rest =~ /IPsec SA established/)) {
$ipsecSAs{$conn}++;
next;
} else {
print STDERR "UNKNOWN: $_"."\n";
}
}
if (keys %loglines) {
print "Overview summary of log files:\n";
foreach $day (keys %loglines) {
print "\t $day had ".$loglines{$day}." entries of which ".$relevantlog{$day}." were relevant\n";
}
}
if (keys %conns) {
print "Summary by peer:\n";
foreach $conn (keys %conns) {
print " Peer $conn caused $conns{$conn} lines of output.\n";
print "\tconnected from:".$peerIP{$conn}."\n";
if(defined($peerID{$conn})) {
print "\tVID: ".$peerID{$conn}."\n";
}
print "\tKeyed: ".($rekeysuccess{$conn}+0)." successes ",($rekeyfail{$conn}+0)." failures (max retries: ".($maxattempts{$conn}+0).")\n";
print "\tIPsec SAs: ".($ipsecSAs{$conn}+0)."\n";
if($setupfail{$conn} > 0) {
print "\tSetup failures: ".$setupfail{$conn}."\n";
}
}
}
if (keys %badexch) {
print "Summary of bad peers\n";
foreach $badpeer (keys %badexch) {
print "\t".$badpeer." caused ".$badexch{$badpeer}." bad exchanges\n";
}
}
# vi: shiftwidth=3 tabstop=3 syntax=perl et