CentOS-6 – LogWatch Cyrus-IMAPD Script Was CentOS-6 – LogWatch


There was not, and so I wrote this. Given I know little or nothing of Perl beyond the bare fact of its existence, no doubt there are better ways to get the results I obtained. But this is tested on CentOS-6 with cyrus-imapd.2.3.16-13.el6_6.

It only handles IMAP logins, so anyone using POP3 or Sieve needs to add their own code for those. And, because this is e-mail, linewraps/breaks in the code below may not be exactly as required and do need to be hand checked and corrected.

#!/usr/bin/perl
###################################################################
# logwatch script for cyrus-imapd-2.3.16
# looks for imaps and lmtpunix services in /var/log/maillog
###################################################################

###################################################################
# script:   /etc/logwatch/scripts/services/cyrus-imapd
# author:   James B. Byrne
# date:     2015-09-16
# revision: v1.0.1 - 2015-09-17
#
# requires: /etc/logwatch/conf/services/cyrus-imapd.conf
#   containing>
#
#   > Title = "CYRUS IMAPD"
#   > LogFile = maillog
#   > *OnlyService = (imaps|lmtpunix)
#   > *RemoveHeaders
#
# based on Sebastian Hagedorn 2004
###################################################################

$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};

# given/when needs the "switch" feature (Perl 5.10 and later);
# Perl 5.18 and later mark the construct as experimental and warn about it.
use feature "switch";

#
# Process log file on stdin
#

while ( defined( $ThisLine = <STDIN> ) ) {
    chomp( $ThisLine );

    given( $ThisLine ) {

        when ( /accepted connection/ ) {
            # Ignore
        }

        # Failed login: $2 = origin address, $3 = mechanism, $4 = user
        when ( /^badlogin: (.+) \[(.+)\] (\w+) (.+) (SASL.*authentication failure:.+)/ ) {
            #print( "Bad Login: " . $ThisLine . "\n" );
            #$ThisLine =~ /^badlogin: (.+) \[(.+)\] (\w+) (.+) (SASL.*authentication failure:.+)/;
            #print( "BAD LOGIN PARSE: " . $1 . " : " . $2 . " : " . $3 . " : " . $4 . " : " . $5 . "\n");
            $IMAPbadlogin++;
            $IMAPbadmech{$3}++;
            $IMAPbadip{$2}++;
            $IMAPbaduser{$4}++;
        }

        when ( /DBMSG:/ ) {
            # Ignore
        }

        when ( /Delivered:/ ) {
            # Ignore
        }

        when ( /dupelim:/ ) {
            # Ignore
        }

        when ( /duplicate_check:/ ) {
            # Ignore
        }

        when ( /duplicate_mark:/ ) {
            # Ignore
        }

        when ( /executed/ ) {
            # Ignore
        }

        when ( /Expunged/ ) {
            # Ignore
        }

        when ( /imapd:Loading hard-coded DH parameters/ ) {
            # Ignore
        }

        when ( /lmtp connection preauth/ ) {
            # Ignore
        }

        # Successful login: $2 = origin address, $3 = user, $4 = mechanism
        when ( /^login: (.+) \[(.+)\] (\w+) (.+) User logged in/ ) {
            # print( "LOGIN PARSE: " . $1 . " : " . $2 . " : " . $3 . " : " . $4 . "\n");
            $IMAPlogin++;
            $IMAPmech{$4}++;
            $IMAPuser{$3}++;
            $IMAPip{$2}++;
        }

        when ( /IOERROR: fstating sieve script/ ) {
            # Ignore
        }

        when ( /mystore: committing txn/ ) {
            $LMTPStore++;
        }

        when ( /mystore: starting/ ) {
            # Ignore
        }

        when ( /open: / ) {
            # Ignore
        }

        when ( /seen_db: / ) {
            # Ignore
        }

        when ( /skiplist: checkpointed/ ) {
            # Ignore
        }

        when ( /SQUAT/ ) {
            # ignore
        }

        when ( /SSL_accept/ ) {
            # ignore
        }

        when ( /starttls/ ) {
            $IMAPTLS++;
        }

        # Save this till the end
        when ( /ERROR/ ) {
            push @ErrorList, "$ThisLine\n";
        }

        default {
            # Report any unmatched entries...
            push @OtherList, "$ThisLine\n";
        }
    }

    # Process next stdin
    next;
}

# Report

if ( $LMTPStore ) {
    print " Mails stored: " . $LMTPStore . "\n";
}

# Enter the IMAP section when any IMAP counter is set, so that failed logins
# and TLS sessions are still reported on a day with no successful login.
if ( $IMAPlogin || $IMAPbadlogin || $IMAPTLS ) {
    print "\n IMAP:\n";
    print " Number of logins: " . ( $IMAPlogin || 0 ) . "\n";

    if ( %IMAPmech ) {
        print( "\n By mechanism\n" );
    }
    foreach $mech ( sort ( keys %IMAPmech ) ) {
        print( " . . . using " . $mech . ": " . "$IMAPmech{$mech}\n" );
    }

    if ( %IMAPuser ) {
        print( "\n By user\n" );
    }
    foreach $user ( sort ( keys %IMAPuser ) ) {
        print( " . . . from " . $user . ": " . $IMAPuser{$user} . "\n" );
    }

    if ( %IMAPip ) {
        print( "\n By origin\n" );
    }
    foreach $addr ( sort ( keys %IMAPip ) ) {
        print( " . . . from " . $addr . ": " . $IMAPip{$addr} . "\n" );
    }

    if ( $IMAPbadlogin ) {
        print "\n Number of failed logins: " . $IMAPbadlogin . "\n";

        if ( %IMAPbaduser ) {
            print( "\n By user\n" );
        }
        foreach $user ( sort ( keys %IMAPbaduser ) ) {
            print( " . . . from " . $user . ": " . $IMAPbaduser{$user} . "\n" );
        }

        if ( %IMAPbadip ) {
            print( "\n By origin\n" );
        }
        foreach $addr ( sort ( keys %IMAPbadip ) ) {
            print( " . . . from " . $addr . ": " . $IMAPbadip{$addr} . "\n" );
        }
    }

    if ( $IMAPTLS ) {
        print "\n Number of sessions using TLS: " . $IMAPTLS . "\n";
    }
}

if ( $#ErrorList >= 0 ) {
    print "\n**Error Messages**\n";
    print @ErrorList;
}

if ( $#OtherList >= 0 ) {
    print "\n**Unmatched Entries**\n";
    print @OtherList;
}

exit(0);
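
An added example, not part of the original post: the script above counts failed logins per user and per origin but does not relate them to later successes, so this goes one step further and reuses its two patterns to list origins at or over a failure threshold and logins that succeeded after failures for the same user and address. The `summarize` helper, the `$threshold` value and the sample lines are assumptions made for illustration, and plain if/elsif is used in place of given/when.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines, shaped to fit the two patterns in the script above
# (syslog headers already stripped, as *RemoveHeaders does). Addresses are
# documentation ranges; host and user names are made up.
my @sample = (
    'badlogin: host1.example.org [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed',
    'badlogin: host1.example.org [192.0.2.10] plaintext alice SASL(-13): authentication failure: checkpass failed',
    'badlogin: host1.example.org [192.0.2.10] plaintext bob SASL(-13): authentication failure: checkpass failed',
    'login: host1.example.org [192.0.2.10] alice plaintext+TLS User logged in',
    'login: host2.example.org [198.51.100.7] carol plaintext+TLS User logged in',
);

my $threshold = 3;    # hypothetical cut-off for "many failures from one address"

# summarize(\@lines): returns ( \%noisy, \@guessed ), where %noisy maps each
# address at or over the threshold to its failure count and @guessed lists
# logins that succeeded after the same user and address had failed.
sub summarize {
    my ($lines) = @_;
    my ( %fail_by_ip, %fail_by_pair, @guessed );
    for my $line (@$lines) {
        # Same patterns as the script: badlogin is "mech user", login is "user mech".
        if ( $line =~ /^badlogin: (.+) \[(.+)\] (\w+) (.+) (SASL.*authentication failure:.+)/ ) {
            $fail_by_ip{$2}++;
            $fail_by_pair{"$4 from $2"}++;
        }
        elsif ( $line =~ /^login: (.+) \[(.+)\] (\w+) (.+) User logged in/ ) {
            my $pair = "$3 from $2";
            push @guessed, "$pair after $fail_by_pair{$pair} failure(s)"
                if $fail_by_pair{$pair};
        }
    }
    my %noisy = map { $_ => $fail_by_ip{$_} }
                grep { $fail_by_ip{$_} >= $threshold } keys %fail_by_ip;
    return ( \%noisy, \@guessed );
}

my ( $noisy, $guessed ) = summarize( \@sample );
print "\n Addresses with $threshold or more failed logins\n" if %$noisy;
print "   . . . from $_: $noisy->{$_}\n" for sort keys %$noisy;
print "\n Logins that followed failures for the same user and address\n" if @$guessed;
print "   . . . $_\n" for @$guessed;
```

On the constructed input this reports 192.0.2.10 with 3 failures and flags alice's login from that address after 2 failures; carol's login is not flagged.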