Parsing down the TCP connections in syslog

Brendan Kehoe brendan at cs.widener.edu
Tue Dec 4 04:23:45 AEST 1990


 Recently wswietse at win.tue.nl (Wietse Venema) posted a "wrapper" of
sorts to log TCP connections to syslog. They show up of the form:

Dec  2 01:24:34 laverne in.rlogind[1538]: connect from tattoo.cs.widener.edu
Dec  2 11:06:12 laverne in.fingerd[2693]: connect from CHEM.BU.EDU
Dec  2 13:53:59 laverne in.telnetd[3129]: connect from tattoo.cs.widener.edu

 What follows is my little hack to parse these down into a nice clean
report using Perl. This is my first attempt with the language, so
please excuse any programming gaffes. The more I use it, the more I
like it.
 Anyway, this thing will make a report that looks like:

-- cut --
 The Tally:
 Finger: 18       Telnet: 37      Rlogin: 15      Rexec: 0       Rsh: 3

 Finger Connections: 

[   11] ashley.cs.widener.edu              [    5] CHEM.BU.EDU
[    2] tattoo.cs.widener.edu

 Telnet Connections: 

[    1] 35.204.113.2                       [    1] ashley.cs.widener.edu
[    4] xyplex4.cs.widener.edu             [   11] xyplex2.cs.widener.edu
[    1] 128.174.130.6                      [    1] BASS.BU.EDU
[    7] tattoo.cs.widener.edu              [    4] 128.174.130.104
[    1] TERMINUS.LCS.MIT.EDU               [    6] wid_gdi_5e1.widener.edu

 Rlogin Connections: 

[    6] cs.widener.edu                     [    8] tattoo.cs.widener.edu
[    1] ashley.cs.widener.edu

 Rsh Connections: 

[    1] cs.widener.edu                     [    2] ashley.cs.widener.edu

-- cut --

 Which is considerably easier to read, in my humble opinion. You might
also want to do something like
	egrep -v my_domain | perl inet.pl
to make it not get loaded with connections from your local systems
(which are supposed to be "trusted", right?). Had I done that above,
it'd shorten it to about 8 lines. 
 I didn't make the tcp logger do ftp connections...it should be easy
enough to just add "in.ftpd" to consrch, "in.ftpd" and 5 to ind, and
"f" to conhead.
 Oh, one other thing .. to make it cleaner, I have syslog.conf set up
so that all local1.info messages are sent to the file /var/log/inetlog
on the loghost. To do it I just changed

     (void) openlog(argv[0], LOG_PID);

in tcpd.c to be:

     (void) openlog(argv[0], LOG_PID, LOG_LOCAL1);

so that it gets logged with the local1 facility (and edited
syslog.conf of course).

 Anyway, here's the program...it's been a fun hack. Any and all
comments, suggestions, etc. are welcome.

-- cut --
#!/usr/local/bin/perl
#
# A program to parse down the inetlog files
# Brendan Kehoe (brendan at cs.widener.edu) - 12/03/90
#
# increment the # of times this $act for this system has happened
# (split on whitespace, not a single space, so "Dec  2" and "Dec 12"
#  lines both leave the remote system in field 7)
sub logit { local($act) = @_; $action{$act . (split(' '))[7]}++; }

# write out a line
sub rep {
    local($name, $cnt, $pat) = @_;
    if ($name =~ /$pat/) {
      $syslen[$syscnt] = $cnt;
      # drop the leading type letter (f, t, r, ...) to get the system name
      $systems[$syscnt++] = substr($name, 1);
      if ($syscnt == 2) {
        write;
        $syscnt = 0;
      }
    }
}

@conhead = ('f', 't', 'r', 'e', 'h');
@contype = ("Finger", "Telnet", "Rlogin", "Rexec", "Rsh" );
@consrch = ("in.fingerd", "in.telnetd", "in.rlogind", "in.rexecd", "in.rshd");
# there must be a way to shuffle 2 arrays together for this instead
%ind = ("in.fingerd", 0, "in.telnetd", 1, "in.rlogind", 2, "in.rexecd", 3,
        "in.rshd",    4);

while (<>) {
   chomp;
   foreach $type (@consrch) {
     # if there's a line mentioning the daemon, keep a count of what system
     #  it was from & how many times that system did it total
     /$type/ && do {
       $concnt[$ind{$type}]++;
       &logit($conhead[$ind{$type}]);
     };
   }
}

print " The Tally:\n";
$~ = "repline"; write; $~ = "sysline";

foreach $type (@consrch) {
  # if there was at least one entry (can't do != 0 cuz it could be undef)
  if ($concnt[$ind{$type}]) {
    print "\n $contype[$ind{$type}] Connections: \n\n";
    # Ok, report it
    while (($sys,$n) = each %action) {
      # we're working from the first character, e.g. ^f
      &rep($sys, $n, '^' . $conhead[$ind{$type}]);
    }
    # if there was only one system, rep wouldn't do it, so finish it here
    if ($syscnt == 1) {
      $~ = "onesysline"; write; $~ = "sysline"; $syscnt = 0;
    }
  }
}
print "\n"; exit;
#
# Formats
#
format repline =
 Finger: @<<<<<<  Telnet: @<<<<<  Rlogin: @<<<<<  Rexec: @<<<<<  Rsh: @<<<<<
$concnt[0] ? $concnt[0] : 0, $concnt[1] ? $concnt[1] : 0, $concnt[2] ? $concnt[2] : 0, $concnt[3] ? $concnt[3] : 0, $concnt[4] ? $concnt[4] : 0
.

format sysline =
[@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<      [@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 $syslen[0], $systems[0], $syslen[1], $systems[1]
.

format onesysline =
[@>>>>] @<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 $syslen[0], $systems[0]
.

-- 
    Brendan Kehoe - Widener Sun Network Manager - brendan at cs.widener.edu
 Widener University in Chester PA              A Bloody Sun-vs-Dec War Zone
  "Hi there! Did you know that the very same technology that cleaned up the
Alaskan oil spill can be used to suck the fat out of your thighs & upper lip?"
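As an added example (not part of Brendan's post or of Wietse's wrapper), here is the same tally written in Python 3. It matches the wrapper's "connect from" lines with a regex instead of a fixed field position, so both "Dec  2" and "Dec 12" lines parse, it ignores syslog lines from other daemons, it includes in.ftpd as the post suggests, and it can exclude the local domain by hostname suffix in place of the `egrep -v my_domain` prefilter. The function names, the SAMPLE_LOG and the usage line are mine; the first three sample lines are the ones quoted at the top of the post, the rest are constructed.

```python
import re
import sys
from collections import Counter

# Daemons the wrapper logs, mapped to the report names used in the post
# (in.ftpd added, as the post suggests).
SERVICES = {
    "in.fingerd": "Finger",
    "in.telnetd": "Telnet",
    "in.rlogind": "Rlogin",
    "in.rexecd": "Rexec",
    "in.rshd": "Rsh",
    "in.ftpd": "Ftp",
}
ORDER = ["Finger", "Telnet", "Rlogin", "Rexec", "Rsh", "Ftp"]

# Line as the wrapper writes it: "Mon dd hh:mm:ss loghost daemon[pid]: connect from client".
# \s+ after the month absorbs the day padding, so field position no longer matters.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<daemon>in\.[a-z]+)\[\d+\]: connect from (?P<client>\S+)$"
)

# Constructed sample log; the first three lines are the ones quoted in the post.
SAMPLE_LOG = """\
Dec  2 01:24:34 laverne in.rlogind[1538]: connect from tattoo.cs.widener.edu
Dec  2 11:06:12 laverne in.fingerd[2693]: connect from CHEM.BU.EDU
Dec  2 13:53:59 laverne in.telnetd[3129]: connect from tattoo.cs.widener.edu
Dec 12 09:15:01 laverne in.telnetd[4410]: connect from 128.174.130.6
Dec 12 09:16:44 laverne in.fingerd[4412]: connect from ashley.cs.widener.edu
Dec 12 09:20:07 laverne sendmail[4420]: from=root, size=312, class=0
"""


def parse_line(line):
    """Return (service, client) for a wrapper line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None or m.group("daemon") not in SERVICES:
        return None
    return SERVICES[m.group("daemon")], m.group("client")


def tally(lines, exclude_domain=None):
    """Count connections per service and per client host.

    exclude_domain drops clients whose name ends in that domain (case-insensitive,
    since the wrapper logs names exactly as the resolver returned them, e.g. CHEM.BU.EDU).
    A client logged as a bare IP address never matches the suffix test.
    """
    counts = {name: Counter() for name in ORDER}
    suffix = "." + exclude_domain.lower() if exclude_domain else None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        service, client = parsed
        if suffix and client.lower().endswith(suffix):
            continue
        counts[service][client] += 1
    return counts


def report(counts):
    """Render the two-column report from the post, busiest clients first."""
    out = [" The Tally:",
           " " + "  ".join("%s: %d" % (n, sum(counts[n].values())) for n in ORDER)]
    for name in ORDER:
        if not counts[name]:
            continue
        out.append("\n %s Connections:\n" % name)
        cells = ["[%5d] %-34s" % (n, host)
                 for host, n in sorted(counts[name].items(), key=lambda kv: (-kv[1], kv[0]))]
        for i in range(0, len(cells), 2):
            out.append("".join(cells[i:i + 2]).rstrip())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 inetlog.py [local.domain] < /var/log/inetlog
    # With nothing piped in, the constructed sample above is reported.
    domain = sys.argv[1] if len(sys.argv) > 1 else None
    lines = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(tally(lines, domain)), end="")
```

The suffix exclusion has the same blind spot as the egrep prefilter: a local machine that the resolver could not name shows up as a dotted address and is not excluded, so the bare addresses left in the report (like 128.174.130.6 in the sample) are exactly the entries worth checking against the local address range before treating them as outside connections.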
