
Logwatch for Plesk 10.4, Centos 5 - patches/how-to!

bluik

Basic Pleskian
Hi,

I just installed a new server with Plesk 10.4 and Centos 5. I see that stock logwatch is largely incompatible with the Plesk 10.4/Postfix installation, with a lot of log lines "unmatched".

So I will create my customized logwatch with proper regexes for the Plesk 10.4/Postfix installation. I will post the diffs here so that other people can benefit from and improve them.

Before I start on this, has anyone else done it before so I do not waste my time?
 
You can post it here and I will show your patch to our developers. I think it would be interesting for them.
 
This is not a busy server, and the first mail just 30 minutes ago was 9 MB in size. Most of it in "unmatched" lines from scripts:
pop3
imapd
proftpd-messages

I might use the logwatch scripts from CentOS/RHEL 6 as a base if there is enough goodness in them. If I remember correctly, the logwatch scripts from it can just be copied over the ones from CentOS 5, and there were some significant improvements in the new version.
 
First revision diffs

First of all, the latest logwatch scripts in the logwatch SVN tree would provide significant benefits over the old version '7.3-9.el5_6' shipped with the latest CentOS 5 (apparently it is not from the Plesk repo, right?). For example, the proftpd service can properly parse the logins from /var/log/secure, while the old version tries to use /var/log/messages (and the logins do not go to this file). I will try later to just use them. But for now, here is the first version of the diffs with the most important fixes.

Anyone understanding the diffs will see right away that they are very simple. I acknowledge that I am not doing any ground-breaking rocket surgery here.
With this set of diffs, my daily logwatch message went down from 9 MB to "just" 1 MB, so there is a lot of work left with 'unmatched entries' flooding the daily report.

IMPORTANT: I take no responsibility whatsoever. If you decide to patch your logwatch, you cannot hold me liable for anything and are on your own. I will however try to help if anyone has problems because of these, since it may help to improve the scripts. I welcome any comments and encourage you to join the effort in fixing the very bad logwatch in the CentOS 5 + Plesk 10.4 with Postfix combo.

IMAP:
- Logout stats: Now mostly correct, with a list of users, how many logouts and how much was downloaded. Mbox size shows 0, I will look into that later.
- CAVEAT: Still has a few unmatched entries, will be checked in the second revision.
--- imapd.orig 2012-03-28 07:11:49.000000000 +0200
+++ imapd 2012-03-27 06:05:22.000000000 +0200
@@ -43,13 +43,13 @@
# Don't care about these...
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
+ } elsif ( ($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Authenticated user=(.*) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Preauthenticated user=(.*) host=(.*)$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($Host) = ( $ThisLine =~ /^imap service init from (.*)$/ ) ) {
+ } elsif ( ($Host) = ( $ThisLine =~ /^IMAP connect from @ \[(.*)\]/ ) ) {
$ConnectionNonSSL{$Host}++;
$Connection{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /^imaps SSL service init from (.*)$/ ) ) {
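Review bot: only the plain-IMAP connect branch is updated to `^IMAP connect from @ \[(.*)\]`; the SSL branch on the last context line still matches the old `^imaps SSL service init from (.*)$` wording, so imaps connections will keep landing in the unmatched list unless that service still logs the old form. If the SSL service writes the same "connect from" line, add a matching branch there that increments `$Connection{$Host}++` without the `$ConnectionNonSSL` counter. Dropping `^` from the LOGIN pattern is safe because `protocol=IMAP$` still anchors the end, but a one-line comment on why the anchor had to go would stop a future maintainer from putting it back.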
@@ -67,7 +67,7 @@
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*\[.*\])$/) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
- } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
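Review bot: with `^` gone, this pattern has no anchor on either side, so `(LOGOUT|TIMEOUT|DISCONNECTED), user=` is accepted anywhere in the line and anything after `body=(\d+)` is ignored; that is what the change needs, but it relies on `(.*?)` for the user and the greedy `(.*)` for the IP backtracking against `headers=(\d+), body=(\d+)`, which only works while those two fields follow. Record the reason for removing the anchor in a comment, as it is the same reason as in the LOGIN hunk above.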

POP3:
- Logout stats: Same as IMAP above.
- CAVEAT: A ton of unmatched entries.
- TODO: Fix unmatched: "FAILED: spam - short names not allowed from " - count or ignore. Should probably count, opinions?
--- pop3~ 2012-03-28 07:10:14.000000000 +0200
+++ pop3 2012-03-27 06:05:58.000000000 +0200
@@ -103,7 +103,7 @@
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$Connection{$Host}++;
- } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
+ } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
$Logout{$User}{$Host}++;
$Logout2{$User}++;
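Review bot: the logout branch shown in the context lines just above this change increments `$Connection{$Host}++` as well as the two logout counters, while the Courier `LOGOUT|TIMEOUT|DISCONNECTED` branch being edited never touches `%Connection`; unless Courier connections are counted from another line, the per-host connection totals will undercount relative to the logouts. Either add `$Connection{$Host}++;` here for consistency or note where Courier connections are counted.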

PROFTPD-MESSAGES:
- Just fix ignored messages.
- CAVEAT: There will be no output from proftpd-messages module of logwatch under normal circumstances after the patch. The old logwatch in CentOS 5 requires a large change to read the logins from secure logfile instead of messages.

--- proftpd-messages~ 2012-03-28 07:10:15.000000000 +0200
+++ proftpd-messages 2012-03-27 07:02:57.000000000 +0200
@@ -44,12 +44,14 @@
( $ThisLine =~ /^(ANONYMOUS )?FTP login as \'.*\' from [^ ]+ \[.*\] to .*/ ) or
( $ThisLine =~ /PAM\(.*\): Authentication failure/ ) or
( $ThisLine =~ /^data_sendfile/ ) or
+ ( $ThisLine =~ /Preparing to chroot to directory \'\/var\/www\/vhosts\/./ ) or
( $ThisLine =~ / - FTP session opened/ ) or
( $ThisLine =~ / - FTP session closed/ ) or
( $ThisLine =~ / - No certificate files found/ ) or
- ( $ThisLine =~ /FTP (no transfer|session idle) timeout, disconnected/ ) or
+ ( $ThisLine =~ /(FTP no transfer|Client session idle) timeout, disconnected/ ) or
( $ThisLine =~ / masquerading as / ) or
- ( $ThisLine =~ /FTP login timed out, disconnected/ )
+ ( $ThisLine =~ /(FTP login|Session) timed out, disconnected/ ) or
+ ( $ThisLine =~ /Login timeout exceeded, disconnected/ )
) {
#We don't care about these
} elsif ( ($Host,$IP,$Email,) = ( $ThisLine =~ /^FTP session opened: ftp\/ftp (.*)\[(.*)\] (.*)$/ ) ) {
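Review bot: the replacement idle-timeout pattern `(FTP no transfer|Client session idle) timeout, disconnected` no longer matches the `FTP session idle timeout` wording that the removed line `FTP (no transfer|session idle) timeout` covered, so a server still emitting that form will see those lines come back as unmatched; `(FTP no transfer|FTP session idle|Client session idle) timeout, disconnected` keeps all three. In the new chroot line, the trailing `.` in `vhosts\/./` matches any single character rather than a literal dot; it is harmless, but `vhosts\/[^\/]+` states the intent and keeps the ignore limited to chroots under /var/www/vhosts, which is the right scope (a chroot anywhere else should still show up in the report).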

Patching instructions:
Patch with something like `patch /usr/share/logwatch/scripts/services/[filename] <[file you saved the diff to]`
So for example for imapd, I saved the diff to "imapd.diff", so I patch with `patch /usr/share/logwatch/scripts/services/imapd <imapd.diff` (need root of course).
 
Third revision diffs

imapd:
--- imapd~ 2012-03-27 05:42:52.000000000 +0300
+++ imapd 2012-03-31 10:46:17.000000000 +0300
@@ -38,18 +38,19 @@
if (
($ThisLine =~ /^Initializing */) or
($ThisLine =~ /^spgetpwnam: can't find user: */) or
- ($ThisLine =~ /^couriertls: read: Connection reset by peer/ )
+ ($ThisLine =~ /^couriertls: read: Connection reset by peer/) or
+ ($ThisLine =~ /digascii: [a-f0-9]*, response: /)
) {
# Don't care about these...
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Login user=(.*?) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
+ } elsif ( ($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$/o ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Authenticated user=(.*) host=(.*\[.*\])$/ ) ) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^Preauthenticated user=(.*) host=(.*)$/ ) ) {
$Login{$User}{$Host}++;
- } elsif ( ($Host) = ( $ThisLine =~ /^imap service init from (.*)$/ ) ) {
+ } elsif ( ($Host) = ( $ThisLine =~ /^IMAP connect from @ \[(.*)\]/ ) ) {
$ConnectionNonSSL{$Host}++;
$Connection{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /^imaps SSL service init from (.*)$/ ) ) {
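Review bot: the new ignore pattern `digascii: [a-f0-9]*, response: ` silences lines that look like Courier's CRAM-MD5 login debugging (the hex challenge digest followed by the client's response). If that is what they are, the better fix is in the Courier configuration (turn `DEBUG_LOGIN` off) rather than in the report, since those lines put authentication material into syslog on every login; hiding them in logwatch leaves the data on disk. If the pattern must stay, `[a-f0-9]+` is a tighter match than `[a-f0-9]*`, which also accepts an empty digest.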
@@ -67,7 +68,12 @@
} elsif ( ($User, $Host) = ( $ThisLine =~ /^Logout user=(.*?) host=(.*\[.*\])$/) ) {
$Logout{$User}{$Host}++;
$Logout2{$User}++;
- } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ } elsif ( ($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), (user=.*, )?ip=\[(.*)\], headers=(\d+), body=(\d+)/o ) ) {
+ if ( ($dummy) = ( $User =~ /user=(.*)/ ) ) {
+ $User = $dummy;
+ } else {
+ $User = "unknown";
+ }
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
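Review bot: `$User` ends up with a trailing comma and space. The outer capture `(user=.*, )?` includes the `, ` separator, and the inner `$User =~ /user=(.*)/` copies everything after `user=` with a greedy `.*`, so a line with `user=alice` is keyed as `"alice, "` in `%Logout`, `%Logout2` and `%DownloadedMessagesSize`, separate from the `alice` key the LOGIN branch uses. Capture the name directly and drop the inner test: `(?:user=(.*?), )?ip=\[(.*)\], headers=(\d+), body=(\d+)` followed by `$User = "unknown" unless defined $User;`. The lazy `.*?` also stops the greedy `.*` from swallowing a `, ` inside the user name.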

pop3:
--- pop3~ 2012-03-27 06:04:56.000000000 +0300
+++ pop3 2012-04-01 04:28:48.000000000 +0300
@@ -60,7 +60,7 @@
($ThisLine =~ /^maildrop: can't read message$/) or
($ThisLine =~ /^mailbox: mailbox content has been changed$/) or
($ThisLine =~ /^(sktbuff|maildrop): write: Connection reset by peer$/) or
- ($ThisLine =~ /^(sktbuff|maildrop): write: Connection timed out$/) or ($ThisLine =~ /^mailspool_build_index.*: skipping c-client metadata$/) or
+ ($ThisLine =~ /^(sktbuff|maildrop|couriertls): (write|read): Connection timed out$/) or ($ThisLine =~ /^mailspool_build_index.*: skipping c-client metadata$/) or
($ThisLine =~ /^open: Permission denied$/) or
($ThisLine =~ /^read: Broken pipe$/) or
($ThisLine =~ /^read: Connection reset by peer$/) or
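Review bot: style point, the changed line still carries two `or` clauses (`Connection timed out` and `skipping c-client metadata`) on one physical line while every neighbouring line holds a single pattern; splitting them keeps the ignore list scannable and future diffs to one pattern per line. The `(sktbuff|maildrop|couriertls): (write|read): Connection timed out$` extension itself is fine.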
@@ -71,14 +71,15 @@
($ThisLine =~ /tpop3d startup succeeded$/) or
($ThisLine =~ /^disconnected, user=/i) or
($ThisLine =~ /^timeout, user=/i) or
- ($ThisLine =~ /^connection, ip=/i)
- or ($ThisLine =~ /^Connection, ip=/o)
+ ($ThisLine =~ /^connection, ip=/i) or
+ ($ThisLine =~ /Connection, ip=/) or
+ ($ThisLine =~ /digascii: [a-f0-9]*, response: /)
) {
# Don't care about these...
} elsif (
(($User, $Host) = ( $ThisLine =~ /^user (.*?) authenticated - (.*)$/ )) or
(($User, $Host) = ( $ThisLine =~ /^fork_child: \[\d\].*\((.*)\): began session for `(.*)' with .*; child PID is \d+$/ ))
- or (($User, $Host) = ( $ThisLine =~ /^LOGIN, user=(.*?), ip=\[(.*)\]$/ ))
+ or (($User, $Host) = ( $ThisLine =~ /LOGIN, user=(.*?), ip=\[(.*)\]$/ ))
) {
$Login{$User}{$Host}++;
} elsif ( ($User,$Downloaded,$DownloadSize,$Left,$LeftSize) = ( $ThisLine =~ /^Stats: (.*?) (.*?) (.*?) (.*?) (.*?)$/) ) {
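Review bot: the two connection ignores overlap and still leave a gap: `/^connection, ip=/i` is anchored but case-insensitive, while the new `/Connection, ip=/` is unanchored but case-sensitive, so a lowercase `connection, ip=` that follows a prefix matches neither. A single unanchored `/connection, ip=/i` covers every combination and removes the duplicate line. The `digascii` ignore added here has the same caveat as in the imapd hunk: check whether login debugging should be on at all.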
@@ -103,7 +104,7 @@
$Logout{$User}{$Host}++;
$Logout2{$User}++;
$Connection{$Host}++;
- } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /^(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
+ } elsif (($dummy, $User, $Host, $DownloadSize1, $DownloadSize2) = ( $ThisLine =~ /(LOGOUT|TIMEOUT|DISCONNECTED), user=(.*?), ip=\[(.*)\], top=(\d+), retr=(\d+)/o)) {
$DownloadedMessagesSize{$User} += $DownloadSize1 + $DownloadSize2;
$Logout{$User}{$Host}++;
$Logout2{$User}++;
@@ -120,6 +121,8 @@
$LoginFailed{"$Host ($User)"}++;
} elsif ( ($User,$Host) = ( $ThisLine =~ /^authentication failed: no such user: (.*?) - (.*)/ ) ) {
$LoginFailed{"$Host (UNKNOWN: $User)"}++;
+ } elsif ( ($Host) = ( $ThisLine =~ /LOGIN FAILED, ip=\[(.*)\]/ ) ) {
+ $LoginFailed{"$Host"}++;
} elsif ( ($User) = ( $ThisLine =~ /^auth_pam_new_user_pass: pam_authenticate\((.*)\): Authentication failure/) ){
$LoginFailed{$User}++;
} elsif ( ($User) = ( $ThisLine =~ /^authcontext_new_user_pass: rejecting login attempt by `(.*)' with empty password$/) ) {
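Review bot: the new `LOGIN FAILED` branch keys `%LoginFailed` on the bare IP, while the neighbouring branches use `"$Host ($User)"` and `"$Host (UNKNOWN: $User)"`, so the report lists the same client under two differently shaped keys. If the Courier line carries `user=` before `ip=` (`LOGIN FAILED, user=..., ip=[...]`), the unanchored pattern `LOGIN FAILED, ip=\[` will not match it at all; `LOGIN FAILED, (?:user=(.*?), )?ip=\[(.*)\]` handles both forms and lets the key follow the existing `"$Host ($User)"` convention. Keep `$Host` as the leading part of the key either way, since failed logins per source IP is the count that shows password guessing.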

There are no longer any important unmatched entries. Failed logins are now accounted for properly.
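The accounting the third-revision patterns produce, as an added example that is not part of the thread or of logwatch: the regexes are transcribed from the imapd/pop3 diffs into Python (logwatch's own scripts are Perl) and run over constructed sample lines, including a LOGOUT line without `user=` and a deliberately unmatched line.

```python
import re
from collections import defaultdict

# Patterns transcribed from the third-revision imapd/pop3 diffs. The optional
# "user=" field of LOGOUT is captured directly (None when absent -> "unknown").
IMAP_LOGIN = re.compile(r"LOGIN, user=(.*?), ip=\[(.*)\], protocol=IMAP$")
IMAP_LOGOUT = re.compile(r"(LOGOUT|TIMEOUT|DISCONNECTED), (?:user=(.*?), )?"
                         r"ip=\[(.*)\], headers=(\d+), body=(\d+)")
IMAP_CONNECT = re.compile(r"^IMAP connect from @ \[(.*)\]")
LOGIN_FAILED = re.compile(r"LOGIN FAILED, ip=\[(.*)\]")
IGNORE = re.compile(r"digascii: [a-f0-9]*, response: ")

def summarize(lines):
    """Build the counters the patched logwatch scripts keep for one day's log."""
    stats = {
        "login": defaultdict(int),       # (user, host) -> logins
        "logout": defaultdict(int),      # user -> logouts
        "downloaded": defaultdict(int),  # user -> bytes (headers + body)
        "connect": defaultdict(int),     # host -> plain-IMAP connections
        "failed": defaultdict(int),      # host -> failed logins
        "unmatched": [],                 # what the report would print verbatim
    }
    for line in lines:
        if IGNORE.search(line):
            continue
        if m := IMAP_LOGIN.search(line):
            stats["login"][(m[1], m[2])] += 1
        elif m := IMAP_LOGOUT.search(line):
            user = m[2] if m[2] is not None else "unknown"
            stats["logout"][user] += 1
            stats["downloaded"][user] += int(m[4]) + int(m[5])
        elif m := IMAP_CONNECT.search(line):
            stats["connect"][m[1]] += 1
        elif m := LOGIN_FAILED.search(line):
            stats["failed"][m[1]] += 1
        else:
            stats["unmatched"].append(line)
    return stats

# Constructed sample lines (not taken from a real server), in the shape the
# diffs match; the last one is deliberately left unmatched.
SAMPLE = [
    "LOGIN, user=alice@example.com, ip=[::ffff:192.0.2.10], protocol=IMAP",
    "LOGOUT, user=alice@example.com, ip=[::ffff:192.0.2.10], headers=512, body=4096",
    "IMAP connect from @ [::ffff:192.0.2.11]",
    "TIMEOUT, ip=[::ffff:192.0.2.11], headers=0, body=0",
    "LOGIN FAILED, ip=[::ffff:198.51.100.7]",
    "LOGIN FAILED, ip=[::ffff:198.51.100.7]",
    "digascii: 0a1b2c, response: 3d4e5f",
    "read: Connection reset by peer",
]
```

Calling `summarize(SAMPLE)` gives two failed logins for 198.51.100.7, one "unknown" logout for the TIMEOUT line, and only the `read: Connection reset by peer` line under `unmatched`.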