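function authlogs(){
	// Import the SSH authentication events spooled under /var/log/artica-postfix
	// (one serialized ip => uid map per file) into the auth_events table, then
	// run the other log collectors.
	include_once(dirname(__FILE__) . '/ressources/class.mysql.inc');
	include_once(dirname(__FILE__) . '/ressources/class.auth.tail.inc');
	include_once(dirname(__FILE__) . '/ressources/class.iptables-chains.inc');
	$unix=new unix();
	// Single-instance guard: the pid file carries the pid of the previous run.
	$pidfile="/etc/artica-postfix/pids/".basename(__FILE__).".".__FUNCTION__.".pid";
	$pid=@file_get_contents($pidfile);
	if($unix->process_exists($pid)){echo "Already running pid $pid\n";return;}

	$q=new mysql();
	// Both spools share the record format and the insert; only the value of the
	// `success` column and the log prefix differ.
	$spools=array(
		"/var/log/artica-postfix/sshd-failed"=>array("0","SSH Failed"),
		"/var/log/artica-postfix/sshd-success"=>array("1","SSH Success"),
	);
	$geoip=function_exists("geoip_record_by_name");
	$sqlFormat="INSERT IGNORE INTO auth_events (ipaddr,hostname,success,uid,zDate,Country) VALUES ('%s','%s','%s','%s','%s','%s')";

	foreach ($spools as $dir=>$spool){
		list($success,$label)=$spool;
		foreach (glob("$dir/*") as $filename) {
			events("Open $filename",__FUNCTION__,__FILE__,__LINE__);
			// NOTE(review): unserialize() on locally spooled data; this path must never
			// read anything an external party can write.
			$array=unserialize(@file_get_contents($filename));
			if(!is_array($array)){
				// Unreadable spool file: log it and drop it, otherwise it is retried forever.
				ssh_events("Unable to decode $filename, removing it",__FUNCTION__,__FILE__,__LINE__);
				@unlink($filename);
				continue;
			}
			// The file name is the unix timestamp of the batch.
			$zdate=date("Y-m-d H:i:s",basename($filename));
			foreach ($array as $ip=>$uid){
				// Reverse-DNS lookups are slow; cache them per process.
				if(!isset($GLOBALS["HOSTNAME"][$ip])){$GLOBALS["HOSTNAME"][$ip]=gethostbyaddr($ip);}
				$hostname=$GLOBALS["HOSTNAME"][$ip];
				// Reset per entry so a failed lookup cannot reuse the previous country.
				$Country="";
				if($geoip){
					$record=geoip_record_by_name($ip);
					if(!$record){ssh_events("Unable to detect country for $ip",__FUNCTION__,__FILE__,__LINE__);}
					elseif(isset($record["country_name"])){$Country=$record["country_name"];}
				}
				ssh_events("$label $ip $hostname ($Country)",__FUNCTION__,__FILE__,__LINE__);
				// Everything interpolated below is remote-influenced (the login name from
				// the attempt, the PTR record behind the hostname), so every value is
				// escaped; QUERY_SQL takes a raw statement, so there is no parameter binding here.
				$sql=sprintf($sqlFormat,addslashes($ip),addslashes($hostname),$success,addslashes($uid),$zdate,addslashes($Country));
				$q->QUERY_SQL($sql,"artica_events");
				// Keep the file for the next run when the insert failed, drop it once stored.
				if(!$q->ok){ssh_events($q->mysql_error,__FUNCTION__,__FILE__,__LINE__);}else{@unlink($filename);}
			}
		}
	}

	authfw();
	snort_logs();
	loadavg_logs();
}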
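function authlogs()
{
    // Import the SSH authentication events spooled under ARTICALOGDIR
    // (one serialized ip => uid map per file) into the auth_events table,
    // then run the other log collectors.
    include_once dirname(__FILE__) . '/ressources/class.mysql.inc';
    include_once dirname(__FILE__) . '/ressources/class.auth.tail.inc';
    include_once dirname(__FILE__) . '/ressources/class.iptables-chains.inc';
    $unix = new unix();
    // Single-instance guard: the pid file carries the pid of the previous run.
    $pidfile = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".pid";
    $pid = @file_get_contents($pidfile);
    if ($unix->process_exists($pid)) {
        echo "Already running pid {$pid}\n";
        return;
    }
    $q = new mysql();
    $geoip = function_exists("geoip_record_by_name");
    $sqlFormat = "INSERT IGNORE INTO auth_events (ipaddr,hostname,success,uid,zDate,Country) VALUES ('%s','%s','%s','%s','%s','%s')";

    // ---- failed logins ---------------------------------------------------
    // A missing or unreadable spool directory only skips this section; the
    // success spool and the collectors at the end must still run.
    $failedDir = "{$GLOBALS["ARTICALOGDIR"]}/sshd-failed";
    $handle = is_dir($failedDir) ? opendir($failedDir) : false;
    if ($handle) {
        while (false !== ($file = readdir($handle))) {
            if ($file === "." || $file === "..") {
                continue;
            }
            $filename = "{$failedDir}/{$file}";
            if (is_dir($filename)) {
                continue;
            }
            // Spool files older than two hours are discarded, not imported.
            if ($unix->file_time_min($filename) > 120) {
                @unlink($filename);
                continue;
            }
            events("Open {$filename}", __FUNCTION__, __FILE__, __LINE__);
            // NOTE(review): unserialize() on locally spooled data; this path must
            // never read anything an external party can write.
            $array = unserialize(@file_get_contents($filename));
            if (!is_array($array)) {
                @unlink($filename);
                continue;
            }
            // The file name is the unix timestamp of the batch.
            $zdate = date("Y-m-d H:i:s", basename($filename));
            foreach ($array as $ip => $uid) {
                // Reverse-DNS lookups are slow; cache them per process.
                if (!isset($GLOBALS["HOSTNAME"][$ip])) {
                    $GLOBALS["HOSTNAME"][$ip] = gethostbyaddr($ip);
                }
                $hostname = $GLOBALS["HOSTNAME"][$ip];
                // Reset per entry so a failed lookup cannot reuse the previous country.
                $Country = "";
                if ($geoip) {
                    $record = geoip_record_by_name($ip);
                    if (!$record) {
                        ssh_events("Unable to detect country for {$ip}", __FUNCTION__, __FILE__, __LINE__);
                    } elseif (isset($record["country_name"])) {
                        $Country = $record["country_name"];
                    }
                }
                ssh_events("SSH Failed {$ip} {$hostname} ({$Country})", __FUNCTION__, __FILE__, __LINE__);
                // Everything interpolated below is remote-influenced (the login name
                // from the attempt, the PTR record behind the hostname), so every value
                // is escaped; QUERY_SQL takes a raw statement, so no parameter binding here.
                $sql = sprintf($sqlFormat, addslashes($ip), addslashes($hostname), "0", addslashes($uid), $zdate, addslashes($Country));
                $q->QUERY_SQL($sql, "artica_events");
                // Log and keep the file for the next run when the insert failed;
                // drop it once the events are stored.
                if (!$q->ok) {
                    ssh_events($q->mysql_error, __FUNCTION__, __FILE__, __LINE__);
                } else {
                    @unlink($filename);
                }
            }
        }
        closedir($handle);
    }

    // ---- successful logins -----------------------------------------------
    foreach (glob("{$GLOBALS["ARTICALOGDIR"]}/sshd-success/*") as $filename) {
        // NOTE(review): same unserialize() caveat as above.
        $array = unserialize(@file_get_contents($filename));
        if (!is_array($array)) {
            @unlink($filename);
            continue;
        }
        $zdate = date("Y-m-d H:i:s", basename($filename));
        foreach ($array as $ip => $uid) {
            if (!isset($GLOBALS["HOSTNAME"][$ip])) {
                $GLOBALS["HOSTNAME"][$ip] = gethostbyaddr($ip);
            }
            $hostname = $GLOBALS["HOSTNAME"][$ip];
            // The GeoIP city database is fetched on demand when it is missing.
            if (!is_file("/usr/share/GeoIP/GeoIPCity.dat")) {
                _UpdateGeoip();
            }
            $Country = "";
            if ($geoip) {
                $record = geoip_record_by_name($ip);
                if (!$record) {
                    ssh_events("Unable to detect country for {$ip}", __FUNCTION__, __FILE__, __LINE__);
                } elseif (isset($record["country_name"])) {
                    $Country = $record["country_name"];
                }
            }
            $hostname = addslashes($hostname);
            $Country = addslashes($Country);
            $sql = sprintf($sqlFormat, addslashes($ip), $hostname, "1", addslashes($uid), $zdate, $Country);
            ssh_events("SSH Success {$ip} {$hostname} ({$Country}) `{$sql}`", __FUNCTION__, __FILE__, __LINE__);
            $q->QUERY_SQL($sql, "artica_events");
            if (!$q->ok) {
                ssh_events($q->mysql_error, __FUNCTION__, __FILE__, __LINE__);
            } else {
                @unlink($filename);
            }
        }
    }

    authfw();
    snort_logs();
    loadavg_logs();
    clamd_mem();
}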