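#!/bin/sh
#
# This script is copyright 2001 by A.L.Lambert. It is distributed under the
# GNU public license. If you don't know what this means, I suggest you point
# a web browser at www.gnu.org and find out.
#
# Usage: I use this script to monitor my logfiles on a regular basis, and e-mail
# me when events I've not previously defined as "OK" happen. I am not going to
# hold your hand too far in this, as I expect you to be able to code simple
# shell script and know a bit about what you're doing before you get here. :)
#
# YOU MUST CREATE /etc/lt_watch/logtool.conf BEFORE YOU RUN THIS SCRIPT!!!!!!
# The easiest way to do this is cp -rapfvd /etc/logtool /etc/lt_watch/
# (NOTE: the lconf setting below points at /usr/local/logtool/etc/logtool.conf;
# make sure the two agree on your system.)
#
# SEASON THIS CONFIGURATION INFO TO SUIT YOUR SYSTEM BEFORE USING THIS SCRIPT!
#
# Modifications: See end of script
#
##########################################################################################

# NOTE(review): /tmp was removed from PATH. A world-writable directory on the
# search path of a script that is normally run by root lets any local user
# supply a binary with the name of a tool used below (netstat, w, last, ps ...).
PATH=${PATH}:/usr/local/bin:/usr/bin:/usr/etc:/usr/sbin:/usr/ucb:/etc:/bin:/usr/bsd
export PATH

# ---- configuration --------------------------------------------------------
logfiles="/var/log/secure /var/log/messages"
mailer="/bin/mail"
# Separate email addresses by spaces
mailto="root"
#pagemail="mypager@mypagercompany.net"

# the code for these will most likely need to be edited for non-Linux systems
# If you don't know how to do such editing below, SET THESE ALL TO "NO"!!!!
tcpstats="no"
logusers="no"
lastlog="no"
proclist="no"

lconf="/usr/local/logtool/etc/logtool.conf"
runfile="/var/run/logtool.check"

# ---- helpers --------------------------------------------------------------

# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Remove the temp files and the run file. Installed as the EXIT trap so it
# runs on every exit path, including die() and a signal.
# Globals: tmpfile, tmpfile2, runfile (read)
cleanup() {
  [ -n "$tmpfile" ] && rm -f -- "$tmpfile"
  [ -n "$tmpfile2" ] && rm -f -- "$tmpfile2"
  rm -f -- "$runfile"
}

# Append the optional system-status sections to the report.
# Globals: tcpstats, logusers, lastlog, proclist (read); tmpfile (appended to)
append_status() {
  # if the user wants TCP stats with their report
  if [ "$tcpstats" = "yes" ] ; then
    echo "---- Current TCP/IP status" >> "$tmpfile"
    netstat -nap >> "$tmpfile"
  fi
  # if they want to know who's currently logged on and doing what
  if [ "$logusers" = "yes" ] ; then
    echo "---- Currently logged in users: " >> "$tmpfile"
    w >> "$tmpfile"
  fi
  # if they want to know who's the last users logged on
  if [ "$lastlog" = "yes" ] ; then
    echo "---- Current last log: " >> "$tmpfile"
    last >> "$tmpfile"
  fi
  # if they want to know the current proclist
  if [ "$proclist" = "yes" ] ; then
    echo "---- Current process list: " >> "$tmpfile"
    ps auxfwwwwww >> "$tmpfile"
  fi
}

# Strip terminal control sequences from $1 and write the result to $2.
# Log content is not under our control, so anything that looks like an ANSI
# colour sequence is removed before the text goes into an e-mail.
# Arguments: $1 - input file, $2 - output file
strip_control_chars() {
  # The third pattern removes the bare ESC byte. The original script appears
  # to have carried an unprintable literal ESC here, which is easily lost when
  # the file is copied, so it is spelled out with printf instead.
  esc=$(printf '\033')
  sed -e "s/\[.m//g" -e "s/\[.;3.m//g" -e "s/$esc//g" "$1" > "$2"
}

# ---- main -----------------------------------------------------------------

[ -f "$lconf" ] || die "logtool config $lconf not found"

tmpfile=
tmpfile2=
trap cleanup EXIT

# we need a tempfile name; mktemp -q is silent on failure, so check its status
tmpfile=$(/bin/mktemp -q /tmp/logcheck.XXXXXX) || die "mktemp failed"
tmpfile2=$(/bin/mktemp -q /tmp/logcheck.XXXXXX) || die "mktemp failed"
[ -n "$tmpfile" ] && [ -n "$tmpfile2" ] || die "mktemp returned an empty name"

# touch the run file
touch -- "$runfile"

# for each logfile, see if there's anything new to report
# shellcheck disable=SC2086 -- logfiles is a space-separated list by design
for i in $logfiles ; do
  /usr/local/retail/bin/retail "$i" | /usr/local/logtool/bin/logtool -c "$lconf" >> "$tmpfile"
done

# if we found anything, load it into a memory variable
found=$(head "$tmpfile")

# if there wasn't nothing found, then we can bail out (the trap removes the files)
if [ -z "$found" ] ; then
  echo "Nothing found, so, removing tmpfile"
  exit 0
fi

# Houston, we might possibly have a problem... Let's e-mail someone about it, shall we?
append_status

# pump that tmpfile into the mail post-haste.
tdate=$(date +%Y%b%d_%r)

# Strip out the control characters so it can be read in e-mail.
# (The old debugging copies to the fixed names /tmp/tmpfile and /tmp/tmpfile2
# were dropped: a predictable path in /tmp written by root is a symlink
# target for any local user, and the copies were never cleaned up.)
strip_control_chars "$tmpfile" "$tmpfile2"

# -x rather than -e: a filter that exists but cannot run would otherwise leave
# an empty report to be mailed.
if [ -x /usr/local/sbin/add_ip.pl ] ; then
  /usr/local/sbin/add_ip.pl < "$tmpfile2" > "$tmpfile"
else
  cat "$tmpfile2" > "$tmpfile"
fi

# shellcheck disable=SC2086 -- mailto is a space-separated address list by design
if ! $mailer -s "Logcheck $tdate" $mailto < "$tmpfile" ; then
  # keep the report on disk when it could not be delivered
  trap - EXIT
  rm -f -- "$tmpfile2" "$runfile"
  die "$mailer failed; report left in $tmpfile"
fi

# and a quick pager message to make sure he knows to check...
#if [ "$pagemail" != "" ] ; then
#  echo "Check your regular e-mail for unusual log activity" | $mailer -s "Log Activity" $pagemail
#fi

exit 0

##########################################################################################
#
# 27 Apr 2004 mm added code to strip out control characters before mailing.
#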