File: pluto

package info (click to toggle)
logwatch 7.14-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 3,572 kB
  • sloc: perl: 8,290; sh: 354; makefile: 38
file content (326 lines) | stat: -rw-r--r-- 12,497 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
 

########################################################
# Please file all bug reports, patches, and feature
# requests under:
#      https://sourceforge.net/p/logwatch/_list/tickets
# Help requests and discusion can be filed under:
#      https://sourceforge.net/p/logwatch/discussion/
########################################################

##########################################################################
# Note (8/28/2005, BL):
#
# This script was apparently written for FreeS/WAN, which is no longer
# supported (see http://www.freeswan.org).  But it also appears to work
# with Openswan (http://www.openswan.org), which is described as a code
# fork of FreeS/WAN.
#
# Also, notice that in this script, many variables are set, but not
# printed.  And many logged statements are filtered by this script.
#
# So this script would probably benefit from an update to clean it up
# and ensure full compatibility with the newer Openswan.
##########################################################################

# This is a scanner for logwatch that processes FreeSWAN's
# <http://www.freeswan.org/> Pluto log files and attempts to
# make some sense out of them.
#
# Please CC suggestions to mcr@freeswan.org and/or design@lists.freeswan.org

# the vendorID hash maps vendor IDs to products. VendorIDs are hashs of
# internal stuff from each vendor. Grow this table as you encounter new
# products.

#######################################################
## Copyright (c) 2008 Kirk Bauer
## Covered under the included MIT/X-Consortium License:
##    http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms.  If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions.  If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use strict;

#Init String Container
my (
$baddelete,     $ipaddr,    $ipport,
$lastattempt,   $oldinfo,   $phase2,
$rest,          $stateinfo, $today,
$vid
);
#Init Hashes
my (
%badexch,           %conns,                         %crlUpdate,
%crlUpdateSince,    %ipsecSAs,                      %loglines,
%maxattempts,       %peerID,
%peerIP,            %quickmode,                     %rekeyfail,
%rekeyfailI1,       %rekeyfailQI1,                  %rekeyfailQR1,
%rekeyfailR1,       %rekeyfail_ICMPunreachable,     %rekeyfail_notknown,
%rekeysuccess,      %relevantlog,                   %setupfail,
%statechain,        %xauthsuccess,
%vendorID
);

my $debug=0;
$vendorID{"p....}..&..i...5..............................."}="KAME/Racoon";

while(<>) {
# May  4 04:04:33 abigail Pluto[24170]: "abigail-istari" #1479: ISAKMP SA expired (LATEST!)

   chop;
   my ($month,$day,undef,undef,$process,$conn,$msg)=split(/ +/,$_,7);
   $today="$month $day";

   next unless ($process =~ /pluto/i);
   my $iserror=0;

   if ($conn eq "ERROR:") {
      $iserror = 1;
      (undef,$conn,$msg)=split(/ +/,$msg,3);
   }

   $loglines{$today}++;

   print STDERR "Msg: $msg\n" if $debug>1;

   if($msg =~ /([^\#]*)\#(\d*)\:(.*)/) {
      $ipaddr    = $1;
      $stateinfo = $2;
      $rest      = $3;
   } elsif($msg =~ /no Phase 1 state for Delete/) {
      # baddelete not currently used
      #$baddelete++;
      next;
   } elsif($msg =~ /from ([^:]*)\:([^:]*)\: Main Mode message is part of an unknown exchange/) {
      $ipaddr = $1;
      $ipport = $2;
      $badexch{"[$ipaddr]:$ipport"}++;
      next;
   } else {
      print STDERR "Failed to decode: $msg (of $_)\n" if $debug;
      next;
   }

   #  print STDERR "conn: $conn IP: $ipaddr STATE: $stateinfo\n" if $debug;

   $conn =~ s/\"(.*)\"/$1/;
   $conn =~ s/\[\d\]$//;

   $conns{$conn}++;
   if(!defined($peerIP{"$conn|$ipaddr"})) {
      #print STDERR "Adding $ipaddr to $conn\n" if $debug;
      $peerIP{$conn}=$peerIP{$conn}.$ipaddr." ";
   }
   $peerIP{"$conn|$ipaddr"}++;

   # This code no longer seems to be active
   #$stateobjects{$stateinfo}++;
   #if(!defined($peer{$stateinfo}) && length($ipaddr)>0) {
   #   $peer{$stateinfo}=$ipaddr;
   #}

   # ignore following
   next if($rest =~ /ISAKMP SA expired/);
   next if($rest =~ /responding to Main Mode/);
   next if($rest =~ /responding to Quick Mode/);
   next if($rest =~ /IPsec SA expired/);
   next if($rest =~ /ignoring informational payload, type IPSEC_INITIAL_CONTACT/);
   next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero/);
   next if($rest =~ /regenerating DH private secret to avoid Pluto 1.0 bug handling shared secret with leading zero/);
   next if($rest =~ /shared DH secret has leading zero -- triggers Pluto 1.0 bug/);
   next if($rest =~ /(received|ignoring) Delete SA(|\(0x.*\)) payload/);
   next if($rest =~ /received and ignored informational message/);
   next if($rest =~ /discarding duplicate packet; already STATE_MAIN_../);
   next if($rest =~ /discarding duplicate packet; already STATE_QUICK_../);
   next if($rest =~ /deleting state \(STATE_MAIN_..\)/);
   next if($rest =~ /deleting state \(STATE_QUICK_..\)/);
   next if($rest =~ /Quick Mode .. message is unacceptable because it uses a previously used Message ID/);
   next if($rest =~ /deleting connection .* instance with peer .*/);
   next if($rest =~ /dropping and reinitiating exchange to avoid Pluto 1.0 bug handling DH shared secret with leading zero byte/);
   next if($rest =~ /KE has 191 byte DH public value; 192 required/);
   next if($rest =~ /retransmitting in response to duplicate packet; already STATE_MAIN_../);
   next if($rest =~ /(Main mode p|P)eer ID is /);
   next if($rest =~ /transition from state .* to state/);
   next if($rest =~ /NAT-Traversal: Result using/);
   next if($rest =~ /no crl from issuer/);
   next if($rest =~ /I am sending (a certificate request|my cert)/);
   next if($rest =~ /no suitable connection for peer/);
   next if($rest =~ /sending encrypted notification/);
   next if($rest =~ /enabling possible NAT-traversal with method/);
   next if($rest =~ /(received|ignoring) Vendor ID payload/);
   next if($rest =~ /ignoring unknown Vendor ID payload/);
   next if($rest =~ /Dead Peer Detection \(RFC 3706\): enabled/);
   next if($rest =~ /DPD: No response from peer - declaring peer dead/);
   next if($rest =~ /DPD Error: could not find newest phase 1 state/);
   next if($rest =~ /Informational Exchange message is invalid because it has a previously used Message ID/);
   next if($rest =~ /discarding packet received during asynchronous work \(DNS or crypto\) in STATE_(MAIN|QUICK)_../);
   next if($rest =~ /STATE_(MAIN|QUICK)_[RI][1-3]: sent [MQ][RI][1-3], expecting [MQ][IR][1-3]/);
   next if($rest =~ /STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2/);
   next if($rest =~ /down-client output/);
   next if($rest =~ /(restore|update)resolvconf-client output/);
   next if($rest =~ /transform .* ignored/);
   next if($rest =~ /multiple DH groups were set in aggressive mode\./);
   next if($rest =~ /received mode cfg reply/);
   next if($rest =~ /modecfg: Sending IP request/);
   next if($rest =~ /setting .* address to/);
   next if($rest =~ /STATE_XAUTH_I1: XAUTH client - awaiting CFG_set/);
   next if($rest =~ /initiating Aggressive Mode/);
   next if($rest =~ /Aggressive mode peer ID is/);
   next if($rest =~ /protocol\/port in Phase \d ID Payload must be/);
   next if($rest =~ /XAUTH: Bad Message: /);
   next if($rest =~ /XAUTH: Answering XAUTH challenge with user/);
   next if($rest =~ /Received IP4|DNS|subnet /);
   next if($rest =~ /sendto on .* to .* failed in delete notify/);
   $relevantlog{"$today"}++;

   print STDERR "Rest is $rest\n" if $debug>1;

   # but process these.
   if($rest =~ /initiating Main Mode to replace \#(.*)/) {
      $oldinfo = $1;
      $statechain{$conn.$stateinfo}="$conn|$oldinfo";
      next;

   } elsif($rest =~ /initiating Main Mode/) {
      $statechain{$conn.$stateinfo}="$conn";
      next;

   } elsif($rest =~ /initiating Quick Mode (.*) to replace \#(.*)/) {
      $oldinfo = $2;
      $phase2  = $1;
      $statechain{"$conn|$stateinfo"}="$conn|$oldinfo";
      $quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
      next;

   } elsif($rest =~ /initiating Quick Mode (.*)/) {
      $phase2  = $1;
      $statechain{"$conn|$stateinfo"}="$conn";
      $quickmode{"$conn"}=$quickmode{"$conn"}." ".$phase2;
      next;

   } elsif($rest =~ /ISAKMP SA established/) {
      $rekeysuccess{$conn}++;
      next;

   } elsif($rest =~ /cannot respond to IPsec SA request because no connection is known for (.*)/) {
      $rekeyfail{$conn}++;
      #$rekeyfail_notknown{$1}++;

   } elsif($rest =~ /crl update is overdue since (.*)/) {

      $crlUpdate{$conn}++;
      $crlUpdateSince{$conn} = $1;
      next;

   } elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_I./) {

      $rekeyfail{$conn}++;
      #$rekeyfailQI1{$conn}++;
      next;

   } elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_QUICK_R./) {

      $rekeyfail{$conn}++;
      #$rekeyfailQR1{$conn}++;
      next;

   } elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_I./) {

      $rekeyfail{$conn}++;
      #$rekeyfailI1{$conn}++;
      next;

   } elsif($rest =~ /max number of retransmissions \((.*)\) reached STATE_MAIN_R./) {
      $rekeyfail{$conn}++;
      #$rekeyfailR1{$conn}++;
      next;

   } elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
      $rekeyfail{$conn}++;
      #$rekeyfail_ICMPunreachable{$conn}++;

   } elsif($rest =~ /ERROR: asynchronous network error report on .* for message to .* port 500, complainant .*:.*errno (.*), origin ICMP type (.*) code (.*)/) {
      $rekeyfail{$conn}++;
      #$rekeyfail_ICMPunreachable{$conn}++;

   } elsif($rest =~ /XAUTH: Successfully Authenticated/) {
      $xauthsuccess{$conn}++;

   } elsif($rest =~ /starting keying attempt (.*) of an unlimited number/) {
      $lastattempt=$1;
      if($maxattempts{$conn} < $lastattempt) {
         $maxattempts{$conn} = $lastattempt;
      }
      next;

   } elsif($rest =~ /Vendor ID: (.*)/) {
      $vid=$1;
      if(defined($vendorID{$vid})) {
         $peerID{$conn}=$vendorID{$vid};
      } else {
         $peerID{$conn}="unknown $vid";
         $vendorID{$vid}="unknown $vid at $stateinfo/$ipaddr\n";
      }
      next;
   } elsif($rest =~ /prepare-client output.*/) {
      $setupfail{$conn}++;
   } elsif(($rest =~ /sent QI2, IPsec SA established/) ||
         ($rest =~ /IPsec SA established/)) {
      $ipsecSAs{$conn}++;
      next;

   } else {
      print STDERR "UNKNOWN: $_"."\n";
   }
}

if (keys %loglines) {
   print "Overview summary of log files:\n";
   foreach my $day (keys %loglines) {
      print "\t $day had ".$loglines{$day}." entries of which ".$relevantlog{$day}." were relevant\n";
   }
}

if (keys %conns) {
   print "Summary by peer:\n";
   foreach my $conn (keys %conns) {
      print "  Peer $conn caused $conns{$conn} lines of output.\n";
      print "\tconnected from:".$peerIP{$conn}."\n";
      if(defined($peerID{$conn})) {
         print "\tVID: ".$peerID{$conn}."\n";
      }
      print "\tKeyed: ".($rekeysuccess{$conn}+0)." successes ",($rekeyfail{$conn}+0)." failures (max retries: ".($maxattempts{$conn}+0).")\n";
      print "\tIPsec SAs: ".($ipsecSAs{$conn}+0)."\n";
      if($setupfail{$conn} > 0) {
         print "\tSetup failures: ".$setupfail{$conn}."\n";
      }
      if($xauthsuccess{$conn} > 0) {
         print "\tXAUTH successful connections: ".$xauthsuccess{$conn}."\n";
      }
      if($crlUpdate{$conn} > 0) {
         print "\tOverdue CRL update since: ".$crlUpdateSince{$conn}." (".$crlUpdate{$conn}." times)\n";
      }
   }
}

if (keys %badexch) {
   print "Summary of bad peers\n";
   foreach my $badpeer (keys %badexch) {
      print "\t".$badpeer." caused ".$badexch{$badpeer}." bad exchanges\n";
   }
}

# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End: