[Logcheck-commits] r1612 - in logcheck/branches/zugschlus200707: debian src
zugschlus at users.alioth.debian.org
zugschlus at users.alioth.debian.org
Fri Jul 27 17:34:26 UTC 2007
Author: zugschlus
Date: 2007-07-27 17:34:26 +0000 (Fri, 27 Jul 2007)
New Revision: 1612
Added:
logcheck/branches/zugschlus200707/src/logtail2
Modified:
logcheck/branches/zugschlus200707/debian/changelog
Log:
add logtail2
Modified: logcheck/branches/zugschlus200707/debian/changelog
===================================================================
--- logcheck/branches/zugschlus200707/debian/changelog 2007-07-26 18:21:35 UTC (rev 1611)
+++ logcheck/branches/zugschlus200707/debian/changelog 2007-07-27 17:34:26 UTC (rev 1612)
@@ -1,3 +1,10 @@
+logcheck (1.2.59) unstable; urgency=low
+
+ * Zugschlus branch
+ * add logtail2
+
+ -- Marc Haber <mh+debian-packages at zugschlus.de> Fri, 27 Jul 2007 19:34:02 +0200
+
logcheck (1.2.58) unstable; urgency=low
* Add Russian debconf translation by Yuri Kozlov (closes: #434231).
Added: logcheck/branches/zugschlus200707/src/logtail2
===================================================================
--- logcheck/branches/zugschlus200707/src/logtail2 (rev 0)
+++ logcheck/branches/zugschlus200707/src/logtail2 2007-07-27 17:34:26 UTC (rev 1612)
@@ -0,0 +1,210 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2003 Jonathan Middleton <jjm at ixtab.org.uk
+# Copyright (C) 2001 Paul Slootman <paul at debian.org>
+
+# This file is part of Logcheck.
+
+# Logcheck is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Logcheck is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with Logcheck; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+use strict;
+use warnings;
+my ($size, $logfile, $offsetfile);
+use Getopt::Std;
+use File::Basename;
+my %opts = ();
+
+# process args and switches
+my ($TEST_MODE) = 0;
+getopts("f:o:t", \%opts);
+
+# try to detect plain logtail invocation without switches
+if (!$opts{f} && $#ARGV != 0 && $#ARGV != 1) {
+ print STDERR "No logfile to read. Use -f [LOGFILE].\n";
+ exit 66;
+} elsif ($#ARGV == 0) {
+ $logfile = $ARGV[0];
+} elsif ($#ARGV == 1) {
+ ($logfile, $offsetfile) = ($ARGV[0], $ARGV[1]);
+} else {
+ ($logfile, $offsetfile) = ($opts{f}, $opts{o});
+}
+
+if ($opts{t}) {
+ $TEST_MODE = 1;
+}
+
+
+sub print_from_offset {
+ my ($filename, $offset) = @_;
+ # this subroutine prints the contents of the file named $filename,
+ # starting offset $offset.
+ print "print_from_offset $filename, $offset\n";
+ unless (open(LOGFILE, $filename)) {
+ print STDERR "File $logfile cannot be read.\n";
+ exit 66;
+ }
+
+ seek(LOGFILE, $offset, 0);
+
+ while (<LOGFILE>) {
+ print $_;
+ }
+
+ $size = tell LOGFILE;
+ close LOGFILE;
+ return $size;
+}
+
+sub mtime {
+ my ($filename) = @_;
+ my $mtime = 0;
+ if (-e "$filename") {
+ unless ((undef,undef,undef,undef,undef,undef,undef,undef,undef,$mtime) = stat "$filename") {
+ print STDERR "Cannot get $filename mtime.\n";
+ exit 65;
+ }
+ }
+ return $mtime;
+}
+
+sub inode {
+ my ($filename) = @_;
+ my $inode = 0;
+ if (-e "$filename") {
+ unless ((undef,$inode) = stat $filename) {
+ print STDERR "Cannot get $filename inode.\n";
+ exit 65;
+ }
+ }
+ return $inode;
+}
+
+sub get_directory_contents {
+ my ($filename) = @_;
+ my $dirname = dirname($filename);
+ unless (opendir(DIR, $dirname)) {
+ print STDERR "Cannot open directory $dirname.\n";
+ exit 65;
+ }
+ my @direntries = readdir(DIR);
+ closedir DIR;
+ return @direntries;
+}
+
+sub determine_rotated_logfile {
+ my ($filename,$inode) = @_;
+ my $rotated_filename;
+ # this subroutine tries to guess to where a given log file was
+ # rotated. Its magic is mainly taken from logcheck's logoutput()
+ # function with dateext magic added.
+
+ print "determine_rotated_logfile $filename $inode\n";
+ if (-e "$filename.0" && (mtime("$filename.0") > mtime("$filename.1.gz")) ) {
+ # assume the log is rotated by savelog(8)
+ # syslog-ng leaves old files here
+ print "savelog\n";
+ $rotated_filename="$filename.0";
+ } elsif (-e "$filename.1") {
+ # assume the log is rotated by logrotate(8)
+ # should also probably check if file is still fresh
+ print "logrotate\n";
+ $rotated_filename="$filename.1";
+ } else {
+ # find out whether we have a dateext rotation scheme
+ print "dateext\n";
+ my @list = glob("$filename-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]");
+ print "glob ". join(".", @list). "\n";
+ $rotated_filename = (sort(glob("$filename-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]")))[-1];
+ }
+ print "rotated_filename $rotated_filename (". inode($rotated_filename). ")\n";
+ if (inode($rotated_filename) == $inode) {
+ return $rotated_filename;
+ } else {
+ return "";
+ }
+}
+
+if (! -f $logfile) {
+ print STDERR "File $logfile cannot be read.\n";
+ exit 66;
+}
+unless ($offsetfile) {
+ # offsetfile not given, use .offset/$logfile in the same directory
+ $offsetfile = $logfile . '.offset';
+}
+
+my ($inode, $ino, $offset) = (0, 0, 0);
+
+if ($offsetfile) {
+ # If offset file exists, open and parse it.
+ if (open(OFFSET, $offsetfile)) {
+ $_ = <OFFSET>;
+ unless (! defined $_) {
+ chomp $_;
+ $inode = $_;
+ $_ = <OFFSET>;
+ unless (! defined $_) {
+ chomp $_;
+ $offset = $_;
+ }
+ }
+ }
+
+ # determine log file inode and size
+ unless ((undef,$ino,undef,undef,undef,undef,undef,$size) = stat $logfile) {
+ print STDERR "Cannot get $logfile file size.\n";
+ exit 65;
+ }
+
+ if ($inode == $ino) {
+ # inode is still the same
+ exit 0 if $offset == $size; # short cut
+ if ($offset > $size) {
+ $offset = 0;
+ print "***************\n";
+ print "*** WARNING ***: Log file $logfile is smaller than last time checked!\n";
+ print "*************** This could indicate tampering.\n";
+ }
+ }
+
+ if ($inode != $ino) {
+ # this is the interesting case: inode has changed.
+ # So the file might have been rotated. We need to print the
+ # entire file.
+ # Additionally, we might want to see whether we can find the
+ # previous instance of the file and to process it from here.
+ print "inode $inode, ino $ino\n";
+ my $rotatedfile = determine_rotated_logfile($logfile,$inode);
+ if ( $rotatedfile ) {
+ print_from_offset($rotatedfile,$offset);
+ }
+ # print the actual file from beginning
+ $offset = 0;
+ }
+}
+
+$size = print_from_offset($logfile,$offset);
+
+# update offset, unless test mode
+unless ($TEST_MODE) {
+ unless (open(OFFSET, ">$offsetfile")) {
+ print STDERR "File $offsetfile cannot be created. Check your permissions.\n";
+ exit 73;
+ }
+ print OFFSET "$ino\n$size\n";
+ close OFFSET;
+}
+exit 0;
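Review bot: The three `open` calls in the new logtail2 (in print_from_offset, when reading the offset file, and when rewriting it) use the two-argument form, so Perl takes the open mode from the filename string itself. Names that arrive from the command line, or from the `glob` in determine_rotated_logfile, are therefore not guaranteed to be opened as plain files. The three-argument form pins the mode: `open(LOGFILE, '<', $filename)`, `open(OFFSET, '<', $offsetfile)` and `open(OFFSET, '>', $offsetfile)`. Separately, the inode and offset read back from the offset file reach the `==`/`>` comparisons and `seek` without a check that they are non-negative integers, so a damaged offset file would produce warnings or a meaningless seek position; resetting both to 0 when they are not purely digits would match the existing "start from the beginning" fallback. The diagnostic `print` lines in print_from_offset and determine_rotated_logfile also write to STDOUT, where they mix with the log lines the caller consumes, and would be better sent to STDERR or dropped.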
Property changes on: logcheck/branches/zugschlus200707/src/logtail2
___________________________________________________________________
Name: svn:executable
+ *