LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
Old 10-24-2012, 07:20 AM   #16
Habitual
Original Poster
Thanks Chris:

I am aware of vast amounts of Perl resources.

I usually do forum signups, then mailing list(s)/subscribe on a couple. This gets the information flowing in the right direction (mine).

My modus operandi is to jump in the deep end of things and slowly make my way towards some goal or task that I need to accomplish.

Right now I am trying to "slice and dice" the /var/log/secure logs from CentOS hosts because every Sunday like clockwork my zabbix mon appliance goes bananas on a simple-check for sshd on some systems hosted...well not at c9.

So my Perl script/exercise has a two-fold purpose:
  1. Routinely audit the CentOS hosts for intrusion.
  2. Verify the false-positive from our zabbix mon by that audit.
I have a working script now. I posted my query over here... where spjackson told me "I've made the minimal changes to make it work".
So it appears that I was on target with the changes I did manage.

So now I have something that mostly works, RIGHT UP MY ALLEY.

It's a huge field and I'm a late starter, but I remain encouraged. Crud, I never even turned on a computer until I was 33 (19 years ago).

Currently, I am focusing on the hard copy publication that I have right here, and using online resources when I need to.

I now ask myself a lot throughout the day, how would Perl do "that"?

It's the same reason all over again...
John got bored.

I got bored with Windows and installed Linux.
I got bored with the Linux Distros Wars and installed Slackware.
I got bored with vanilla-flavored Package Management.
I got bored with writing bash scripts.

Today, I remain Inspired!

Thank you for your time,

JJ

Edit0: Ya know, it didn't even occur to me to raise the zabbix interval for the check.
But where's the fun in that?

Last edited by Habitual; 10-24-2012 at 07:25 AM.
 
Old 10-26-2012, 10:28 AM   #17
Habitual
Original Poster
Well, I am calling this Solved.
Here's what the script spits out...
Code:
Results of /var/log/secure scan:
          (Failed due to bad password: 301)
               Failed due to bad user: 149
                                     +______________
      Number of Failed Login Attempts: 450

     Number of Successful Root Logins: 510

Connection Details are:

    301 FAILED root passwords from IP: 199.168.141.102
      1 Invalid user r00t from IP: 199.168.141.102
      1 Invalid user test001 from IP: 31.171.241.38
      1 Invalid user test01 from IP: 31.171.241.38
      1 Invalid user test02 from IP: 31.171.241.38
      1 Invalid user test1 from IP: 31.171.241.38
      1 Invalid user test2 from IP: 31.171.241.38
    143 Invalid user test from IP: 31.171.241.38
      4 Successful Logins for root from IP: 209.156.244.98
     38 Successful Logins for root from IP: 24.101.150.38
    468 Successful Logins for root from IP: 74.86.203.42

Host Details are:
hostname
som.ipa.dre.ss

Report Date:
Oct-26-2012
and here's the script:
Code:
#!/usr/bin/perl -W
# Written:    JJ of c9
# Purpose:    audit /var/log/secure on CentOS release 4.x
# Source :    http://www.codeproject.com/Articles/304421/Use-Perl-to-Summarize-the-Secure-Log-File-on-Linux
# Credits:  Steven Jackson - http://ubuntuforums.org/attachment.php?attachmentid=226005&d=1351026760
#        :    
# Edited :    Fri Oct 26, 2012 -  9:05:09 AM EDT
# Current:    rootonly.pl now processes the /root/.c9audit.log 'internally' 
#        :    using system("/bin/sort audit.log | /usr/bin/uniq -c"); 

use strict;
use warnings;

my $dataFile  = "/var/log/secure";
my $auditFile = "/root/.c9audit.log";  # one line per event; summarised with sort|uniq -c below
my $failedCount = 0;            # number of bad logins from any user
my $successCount = 0;           # number of successful logins from any user
my $badUserCount = 0;           # number of bad users
my $badPasswordCount = 0;       # number of bad passwords, excludes bad users
my %ips;                        # events per source IP
my %users;                      # events per user name
my %successful;                 # successful logins per user name
my %failed;                     # failed logins per user name

open(my $log, '<', $dataFile)  or die "Cannot open $dataFile: $!";
open(my $out, '>', $auditFile) or die "Cannot create $auditFile: $!";

while (my $line = <$log>) {
  next if $line =~ /^\s*#/;   # ignore comment lines
  if ($line =~ /Failed password for root from .*?(\d+\.\d+\.\d+\.\d+)/) {
    my $ip = $1;
    print $out "FAILED root passwords from IP: $ip\n";
    $ips{$ip}++;              # ++ on a missing hash element starts it at 1, so no exists() test is needed
    $users{root}++;
    $failed{root}++;
    $failedCount++;
    $badPasswordCount++;
  }
  elsif ($line =~ /Failed password for invalid user (\S+) from .*?(\d+\.\d+\.\d+\.\d+)/) {
    my ($user, $ip) = ($1, $2);
    print $out "Invalid user $user from IP: $ip\n";
    $ips{$ip}++;
    $users{$user}++;
    $failed{$user}++;
    $failedCount++;
    $badUserCount++;
  }
  elsif ($line =~ /Accepted (?:password|publickey) for (\w+) from .*?(\d+\.\d+\.\d+\.\d+)/) {
    my ($user, $ip) = ($1, $2);
    print $out "Successful Logins for $user from IP: $ip\n";
    $ips{$ip}++;
    $users{$user}++;
    $successful{$user}++;
    $successCount++;
  }
}
close $log;
close $out;   # flush the audit file before sort/uniq read it

print <<"END_OF_MESSAGE";
Results of /var/log/secure scan:
          (Failed due to bad password: $badPasswordCount)
               Failed due to bad user: $badUserCount
                                     +______________
      Number of Failed Login Attempts: $failedCount

     Number of Successful Root Logins: $successCount\n
Connection Details are:\n
END_OF_MESSAGE

system("/bin/sort $auditFile | /usr/bin/uniq -c");
print "\n";
print "Host Details are:\n";
system("hostname");
# Pull the eth1 address out of ifconfig output (net-tools "inet addr:x.x.x.x  Bcast:" format).
my $ifconfig = `ifconfig eth1`;
if ($ifconfig =~ /inet addr:(\S+)\s+Bcast:/) {
  print "$1\n";
}
else {
  print "(no eth1 address found)\n";
}
print "\n";
print "Report Date:\n";
system("date +%b-%e-%Y");
It's my first "baby"!
Thanks to spjackson, whom I gave credit to here...

Thank you all for your time and support.

Enjoy.
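The same /var/log/secure audit as an added example in Python, not the poster's script and not from the thread. It parses the three sshd events the Perl script distinguishes and goes one step further on the audit side: it flags sources whose failure count crosses a threshold (the constructed default of 10 is an assumption) and any successful login from a source that also produced failures, which is the combination an auditor wants surfaced first. The log lines are constructed for the example in CentOS 4 syslog format; the IP addresses are reused from the report output above purely as sample values.

```python
import re
from collections import Counter

# sshd messages as written to /var/log/secure (the same three events the Perl
# script distinguishes). The separate "Invalid user x from ip" line sshd also
# logs is deliberately not matched, so each failed attempt is counted once.
FAILED_ROOT = re.compile(r"Failed password for root from (\d+\.\d+\.\d+\.\d+)")
FAILED_INVALID = re.compile(r"Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\w+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(lines, brute_force_threshold=10):
    """Count sshd outcomes and flag noisy sources and logins from them.

    brute_force_threshold (assumed value) is the number of failures from one
    source IP above which that source is reported."""
    counts = {"bad_password": 0, "bad_user": 0, "success": 0, "success_root": 0}
    failed_by_ip = Counter()        # all failures per source IP
    invalid_users = Counter()       # (user, ip) for invalid-user failures
    successes = Counter()           # (user, ip) for accepted logins
    for line in lines:
        if line.lstrip().startswith("#"):
            continue                # comment lines, as in the Perl script
        m = FAILED_ROOT.search(line)
        if m:
            failed_by_ip[m.group(1)] += 1
            counts["bad_password"] += 1
            continue
        m = FAILED_INVALID.search(line)
        if m:
            user, ip = m.groups()
            failed_by_ip[ip] += 1
            invalid_users[(user, ip)] += 1
            counts["bad_user"] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            successes[(user, ip)] += 1
            counts["success"] += 1
            if user == "root":
                counts["success_root"] += 1
    return {
        **counts,
        "failed": counts["bad_password"] + counts["bad_user"],
        "failed_by_ip": dict(failed_by_ip),
        "invalid_users": dict(invalid_users),
        "successes": dict(successes),
        "brute_force_ips": sorted(ip for ip, n in failed_by_ip.items() if n >= brute_force_threshold),
        # a success from a source that also failed is the case worth a closer look
        "suspicious_successes": sorted((u, ip) for (u, ip) in successes if ip in failed_by_ip),
    }


def render(summary):
    """Plain-text report in the spirit of the Perl script's output."""
    out = ["Results of /var/log/secure scan:",
           f"  Failed due to bad password: {summary['bad_password']}",
           f"  Failed due to bad user:     {summary['bad_user']}",
           f"  Failed login attempts:      {summary['failed']}",
           f"  Successful logins:          {summary['success']} ({summary['success_root']} as root)",
           "", "Connection details:"]
    for ip, n in sorted(summary["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        out.append(f"  {n:4d} failed logins from {ip}")
    for (user, ip), n in sorted(summary["successes"].items()):
        out.append(f"  {n:4d} successful logins for {user} from {ip}")
    if summary["brute_force_ips"]:
        out.append("")
        out.append("Sources over the failure threshold: " + ", ".join(summary["brute_force_ips"]))
    for user, ip in summary["suspicious_successes"]:
        out.append(f"WARNING: {user} logged in from {ip}, which also has "
                   f"{summary['failed_by_ip'][ip]} failures")
    return "\n".join(out)


def _line(minute, msg):
    # constructed CentOS 4 syslog prefix; the pid is just a sample value
    return f"Oct 26 08:{minute:02d}:00 c9host sshd[2{minute:03d}]: {msg}"


# Constructed sample log: 12 bad root passwords and one invalid user from one
# source, three invalid-user attempts from another, then four accepted logins,
# one of them from the source that was guessing passwords.
SAMPLE_LINES = (
    [_line(i, "Failed password for root from 199.168.141.102 port 51234 ssh2") for i in range(12)]
    + [_line(20 + i, "Failed password for invalid user test from 31.171.241.38 port 40001 ssh2")
       for i in range(3)]
    + [_line(30, "Failed password for invalid user r00t from 199.168.141.102 port 51300 ssh2"),
       _line(31, "Accepted publickey for root from 74.86.203.42 port 50000 ssh2"),
       _line(32, "Accepted publickey for root from 74.86.203.42 port 50001 ssh2"),
       _line(33, "Accepted password for root from 199.168.141.102 port 51400 ssh2"),
       _line(34, "Accepted password for jj from 24.101.150.38 port 60000 ssh2")]
)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LINES)))
```

To run it against a real file, replace SAMPLE_LINES with `open("/var/log/secure")`; the functions only need an iterable of lines. The WARNING line is the part the sort|uniq report cannot give you: per-IP counts alone do not show that the source with 301 root password failures later got in.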