Commit fecba9a5 authored by Steve Kemp's avatar Steve Kemp

Added logtail.

parent 64227c51
......@@ -393,7 +393,7 @@ sub processRules
return 0 if ( !-e $file );
open( FILE, "<", $file )
open( FILE, "/usr/bin/firewall-logtail $file|" )
or die "failed to read logfile: $file - $!";
foreach my $line (<FILE>)
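Review bot: The new `open( FILE, "/usr/bin/firewall-logtail $file|" )` is a two-argument pipe open, so the whole string is handed to /bin/sh with `$file` interpolated unquoted; a path containing whitespace or shell metacharacters would be word-split or interpreted instead of passed as one argument. processRules begins above this hunk, so where `$file` comes from is not visible here; the `-e $file` test on the first line only establishes that it exists. The list form avoids the shell entirely and is a one-line change: `open( FILE, "-|", "/usr/bin/firewall-logtail", $file )`. Note also that `or die` on a pipe open only catches a failed fork: the helper's own failure exits (66, 65 or 73 in the logtail script added by this commit) only surface in `$?` after `close(FILE)`, which this loop does not check, so a broken or unreadable log would look like "no new lines" and the blacklist would silently stop being updated.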
......
#!/usr/bin/perl
# Copyright (C) 2003 Jonathan Middleton <jjm@ixtab.org.uk>
# Copyright (C) 2001 Paul Slootman <paul@debian.org>
# This file is part of Logcheck.
# Logcheck is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# Logcheck is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with Logcheck; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
use strict;
use warnings;
my ($size, $logfile, $offsetfile);
use Getopt::Std;
my %opts = ();
# process args and switches
my ($TEST_MODE) = 0;
getopts("f:o:t", \%opts);
# try to detect plain logtail invocation without switches
if (!$opts{f} && $#ARGV != 0 && $#ARGV != 1) {
print STDERR "No logfile to read. Use -f [LOGFILE].\n";
exit 66;
} elsif ($#ARGV == 0) {
$logfile = $ARGV[0];
} elsif ($#ARGV == 1) {
($logfile, $offsetfile) = ($ARGV[0], $ARGV[1]);
} else {
($logfile, $offsetfile) = ($opts{f}, $opts{o});
}
if ($opts{t}) {
$TEST_MODE = 1;
}
if (! -f $logfile) {
print STDERR "File $logfile cannot be read.\n";
exit 66;
}
unless ($offsetfile) {
# offsetfile not given, use .offset/$logfile in the same directory
$offsetfile = $logfile . '.offset';
}
unless (open(LOGFILE, $logfile)) {
print STDERR "File $logfile cannot be read.\n";
exit 66;
}
my ($inode, $ino, $offset) = (0, 0, 0);
unless (not $offsetfile) {
if (open(OFFSET, $offsetfile)) {
$_ = <OFFSET>;
unless (! defined $_) {
chomp $_;
$inode = $_;
$_ = <OFFSET>;
unless (! defined $_) {
chomp $_;
$offset = $_;
}
}
}
unless ((undef,$ino,undef,undef,undef,undef,undef,$size) = stat $logfile) {
print STDERR "Cannot get $logfile file size.\n", $logfile;
exit 65;
}
if ($inode == $ino) {
exit 0 if $offset == $size; # short cut
if ($offset > $size) {
$offset = 0;
}
}
if ($inode != $ino || $offset > $size) {
$offset = 0;
}
seek(LOGFILE, $offset, 0);
}
while (<LOGFILE>) {
print $_;
}
$size = tell LOGFILE;
close LOGFILE;
# update offset, unless test mode
unless ($TEST_MODE) {
unless (open(OFFSET, ">$offsetfile")) {
print STDERR "File $offsetfile cannot be created. Check your permissions.\n";
exit 73;
}
print OFFSET "$ino\n$size\n";
close OFFSET;
}
exit 0;
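Review bot: `open(LOGFILE, $logfile)` and both `open(OFFSET, ...)` calls use the two-argument form, so the open mode is parsed out of the string: a `$logfile` argument taken from argv that begins with `>`, `>>` or `|`, or ends in `|`, is treated as a write or pipe open rather than a plain filename, and leading/trailing whitespace is silently stripped. In practice the preceding `-f $logfile` test means such a name would also have to exist on disk, but this script runs as root from cron, so the three-argument form should be used throughout: `open(LOGFILE, '<', $logfile)`, `open(OFFSET, '<', $offsetfile)` and `open(OFFSET, '>', $offsetfile)`. The inode and offset read back from the offset file are also used unvalidated in the numeric comparisons; a corrupt or non-numeric value only warns and compares as 0, which falls through to `$offset = 0` and reprocesses the whole log, so that behaviour is worth stating with a comment such as `# offset file contents are trusted; a corrupt file just resets us to offset 0`. Since the header shows this is copied from Debian's logcheck, it may be simpler to depend on the packaged logtail than to carry a private copy that will not receive upstream fixes.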
# Crontab snippet which will invoke our firewall-based blocker to firewall
# away people who conduct dictionary attacks.
#
# We run every fifteen minutes deliberately so that we get a fair chance of
# catching a remote IP which makes multiple rejections in between our testing
# attempts.
#
# (Since we only process *new* logfile entries each time we start.)
#
*/5 * * * * root [ -x /usr/bin/firewall-blacklist ] && /usr/bin/firewall-blacklist
*/15 * * * * root [ -x /usr/bin/firewall-blacklist ] && /usr/bin/firewall-blacklist
rule.d/* usr/share/firewall
bin/firewall usr/bin
bin/firewall-blacklist usr/bin
bin/firewall-logtail usr/bin
bin/firewall-test etc/cron.hourly
patterns.d/ etc/firewall
cron.d/* etc/cron.d/
\ No newline at end of file
......@@ -2,6 +2,9 @@ bytemark-vhost-firewall (20090731104804) stable; urgency=low
* If the firewall-blacklist program is disabled then reload the
firewall prior to exiting - to flush out bogus entries.
* Added the "logtail" script from the Debian logcheck package so
that we only process new entries.
* Changed our cronjob so that we run every 15 minutes not every 5.
-- Steve Kemp <steve@bytemark.co.uk> Fri, 31 Jul 2009 10:48:04 +0000
......