function checkProcess1()
{
$unix = new unix();
$pid = $unix->PIDOF_PATTERN("bin/process1");
if ($pid < 5) {
return null;
}
$process1 = $unix->PROCCESS_TIME_MIN($pid);
$mem = $unix->PROCESS_MEMORY($pid);
Myevents("process1: {$pid} ({$process1} mn) memory:{$mem} Mb", __FUNCTION__);
if ($mem > 30) {
@copy("/var/log/artica-postfix/process1.debug", "/var/log/artica-postfix/process1.killed" . time() . ".debug");
system("/bin/kill -9 {$pid}");
email_events("artica process1 (process1) Killed", "Process1 use too much memory {$mem} MB", "watchdog");
}
if ($process1 > 2) {
@copy("/var/log/artica-postfix/process1.debug", "/var/log/artica-postfix/process1.killed" . time() . ".debug");
system("/bin/kill -9 {$pid}");
email_events("artica process1 (process1) Killed", "Process1 run since {$process1} Pid: {$pid} and exceed 2 minutes live", "watchdog");
}
}
function smtp_hack_perform($servername, $array, $matches)
{
if ($servername == "127.0.0.1") {
return;
}
$NAME_SERVICE_NOT_KNOWN = $array["NAME_SERVICE_NOT_KNOWN"];
$SASL_LOGIN = $array["SASL_LOGIN"];
$USER_UNKNOWN = $array["USER_UNKNOWN"];
$RBL = $array["RBL"];
$BLOCKED_SPAM = $array["BLOCKED_SPAM"];
$ADDRESS_NOT_LISTED = $array["ADDRESS_NOT_LISTED"];
if ($NAME_SERVICE_NOT_KNOWN == null) {
$NAME_SERVICE_NOT_KNOWN = 0;
}
if ($SASL_LOGIN == null) {
$SASL_LOGIN = 0;
}
if ($USER_UNKNOWN == null) {
$USER_UNKNOWN = 0;
}
if ($RBL == null) {
$RBL = 0;
}
if ($BLOCKED_SPAM == null) {
$BLOCKED_SPAM = 0;
}
if ($ADDRESS_NOT_LISTED == null) {
$ADDRESS_NOT_LISTED = 0;
}
//$EnablePostfixAutoBlock=$sock->GET_INFO("EnablePostfixAutoBlock");
$text = "\n\tRule matched: {$matches}\n\t--------------------------------------------------------\n\tNAME_SERVICE_NOT_KNOWN attempts:\t{$NAME_SERVICE_NOT_KNOWN}\n\tSASL_LOGIN attempts:\t{$SASL_LOGIN}\n\tRBL attempts:\t{$RBL}\n\tUSER_UNKNOWN attempts:\t{$USER_UNKNOWN}\n\tADDRESS_NOT_LISTED attempts:\t{$ADDRESS_NOT_LISTED}\n\tBLOCKED_SPAM attempts:\t{$BLOCKED_SPAM}";
$md = array("IP" => $servername, "MATCHES" => $matches, "EVENTS" => $text, "DATE" => date("Y-m-d H:i:s"));
$serialize = serialize($md);
$md5 = md5($serialize);
@mkdir("/var/log/artica-postfix/smtp-hack", 0666, true);
@file_put_contents("/var/log/artica-postfix/smtp-hack/{$md5}.hack", $serialize);
events("SMTP Hack: {$servername} matches {$matches} {$text}");
if (!$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername]) {
$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername] = true;
email_events("[SMTP HACK]: {$servername} match rules", $text, 'postfix');
}
}
function nss_parser($buffer){
if(preg_match('#nss_wins.+?failed to bind to server\s+(.+?)\s+with\s+dn="(.+?)"\s+Error:\s+Invalid credentials#',$buffer,$re)){
$file="/etc/artica-postfix/croned.1/nss_parser.Invalidcredentials.error";
events("nss_wins:: Invalid credentials");
if(IfFileTime($file)){
email_events("System error NSS cannot bind to {$re[1]}: Invalid credentials","NSS Wins claim \"$buffer\"",'system');
}
WriteFileCache($file);
return;
}
events_not_filtered("nss_wins:: Not Filtered:\"$buffer\"");
}
function smtp_hack_perform($servername, $array, $matches)
{
if ($servername == "127.0.0.1") {
return;
}
if ($GLOBALS["EnablePostfixAutoBlock"] == 0) {
return;
}
$NAME_SERVICE_NOT_KNOWN = $array["NAME_SERVICE_NOT_KNOWN"];
$SASL_LOGIN = $array["SASL_LOGIN"];
$USER_UNKNOWN = $array["USER_UNKNOWN"];
$RBL = $array["RBL"];
$BLOCKED_SPAM = $array["BLOCKED_SPAM"];
$ADDRESS_NOT_LISTED = $array["ADDRESS_NOT_LISTED"];
if ($NAME_SERVICE_NOT_KNOWN == null) {
$NAME_SERVICE_NOT_KNOWN = 0;
}
if ($SASL_LOGIN == null) {
$SASL_LOGIN = 0;
}
if ($USER_UNKNOWN == null) {
$USER_UNKNOWN = 0;
}
if ($RBL == null) {
$RBL = 0;
}
if ($BLOCKED_SPAM == null) {
$BLOCKED_SPAM = 0;
}
if ($ADDRESS_NOT_LISTED == null) {
$ADDRESS_NOT_LISTED = 0;
}
//$EnablePostfixAutoBlock=$sock->GET_INFO("EnablePostfixAutoBlock");
$text = "\n\tRule matched: {$matches}\n\t--------------------------------------------------------\n\tNAME_SERVICE_NOT_KNOWN attempts:\t{$NAME_SERVICE_NOT_KNOWN}\n\tSASL_LOGIN attempts:\t{$SASL_LOGIN}\n\tRBL attempts:\t{$RBL}\n\tUSER_UNKNOWN attempts:\t{$USER_UNKNOWN}\n\tADDRESS_NOT_LISTED attempts:\t{$ADDRESS_NOT_LISTED}\n\tBLOCKED_SPAM attempts:\t{$BLOCKED_SPAM}";
$md = array("IP" => $servername, "MATCHES" => $matches, "EVENTS" => $text, "DATE" => date("Y-m-d H:i:s"));
$serialize = serialize($md);
$md5 = md5($serialize);
@mkdir("{$GLOBALS["ARTICALOGDIR"]}/smtp-hack", 0666, true);
$cmd = "{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["iptables"]} -A INPUT -s {$servername} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\" >/dev/null 2>&1";
events($cmd);
shell_exec($cmd);
$cmd = "{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["iptables"]} -A INPUT -s {$servername} -p tcp --destination-port 465 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
events($cmd);
shell_exec($cmd);
$cmd = "{$GLOBALS["NOHUP_PATH"]} {$GLOBALS["iptables"]} -A INPUT -s {$servername} -p tcp --destination-port 587 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
events($cmd);
shell_exec($cmd);
@file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/smtp-hack/{$md5}.hack", $serialize);
$GLOBALS["CLASS_UNIX"]->THREAD_COMMAND_SET("{$GLOBALS["PHP5_BIN"]} " . dirname(__FILE__) . "/exec.postfix.iptables.php --compile");
events("SMTP Hack: {$servername} matches {$matches} {$text}");
if (!$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername]) {
$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername] = true;
email_events("[SMTP HACK]: {$servername} match rules", $text, 'postfix');
}
}
function Kernel_parser($buffer)
{
// KERNEL //
if (preg_match("#kernel:\\s+\\[([0-9]+)\\..*?\\]\\s+.*?invoked oom-killer#", $buffer, $re)) {
if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
$uptime = $GLOBALS["CLASS_UNIX"]->uptime();
exec("{$GLOBALS["PS_BIN"]} aux 2>&1", $resultsa);
email_events("Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted.\n" . @implode("\n", $resultsa), 'system');
if ($GLOBALS["SQUID_INSTALLED"]) {
squid_admin_mysql(0, "Memory full: [" . __LINE__ . "] System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted\n" . @implode("\n", $resultsa), __FILE__, __LINE__);
}
UcarpDown();
shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
return;
}
}
if (preg_match("#kernel.*?Out of memory: kill process#", $buffer, $re)) {
if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
$uptime = $GLOBALS["CLASS_UNIX"]->uptime();
exec("{$GLOBALS["PS_BIN"]} aux 2>&1", $resultsa);
email_events("Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted.\n" . @implode("\n", $resultsa), 'system');
if ($GLOBALS["SQUID_INSTALLED"]) {
squid_admin_mysql(0, "Memory full:[" . __LINE__ . "] System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted\n" . @implode("\n", $resultsa), __FILE__, __LINE__);
}
UcarpDown();
shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
return;
}
}
if (preg_match("#kernel.*?invoked oom-killer#", $buffer, $re)) {
if ($GLOBALS["NOOUTOFMEMORYREBOOT"] != 1) {
$uptime = $GLOBALS["CLASS_UNIX"]->uptime();
exec("{$GLOBALS["PS_BIN"]} aux 2>&1", $resultsa);
email_events("Memory full: System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted.\n" . @implode("\n", $resultsa), 'system');
if ($GLOBALS["SQUID_INSTALLED"]) {
squid_admin_mysql(0, "Memory full: [" . __LINE__ . "] System will be rebooted after running after {$uptime}", "System claim \"{$buffer}\" the operating system will be rebooted\n" . @implode("\n", $resultsa), __FILE__, __LINE__);
}
UcarpDown();
shell_exec("{$GLOBALS["SHUTDOWN_BIN"]} -rF now");
return;
}
}
}
function smtp_hack_perform($servername,$array,$matches){
if($servername=="127.0.0.1"){return;}
//email_events("SMTP HACKING !!!!","Build iptables rule \"iptables -I INPUT -s {$re[1]} -j DROP\" for {$re[1]}!\nlast error: $buffer","postfix");
//shell_exec("iptables -I INPUT -s {$re[1]} -j DROP");
//events("SMTP Hack: -> iptables -I INPUT -s {$re[1]} -j DROP");
$NAME_SERVICE_NOT_KNOWN=$array["NAME_SERVICE_NOT_KNOWN"];
$SASL_LOGIN=$array["SASL_LOGIN"];
$USER_UNKNOWN=$array["USER_UNKNOWN"];
$RBL=$array["RBL"];
$BLOCKED_SPAM=$array["BLOCKED_SPAM"];
$ADDRESS_NOT_LISTED=$array["ADDRESS_NOT_LISTED"];
if($NAME_SERVICE_NOT_KNOWN==null){$NAME_SERVICE_NOT_KNOWN=0;}
if($SASL_LOGIN==null){$SASL_LOGIN=0;}
if($USER_UNKNOWN==null){$USER_UNKNOWN=0;}
if($RBL==null){$RBL=0;}
if($BLOCKED_SPAM==null){$BLOCKED_SPAM=0;}
if($ADDRESS_NOT_LISTED==null){$ADDRESS_NOT_LISTED=0;}
//$EnablePostfixAutoBlock=$sock->GET_INFO("EnablePostfixAutoBlock");
$text="
Rule matched: $matches
--------------------------------------------------------
NAME_SERVICE_NOT_KNOWN attempts:\t$NAME_SERVICE_NOT_KNOWN
SASL_LOGIN attempts:\t$SASL_LOGIN
RBL attempts:\t$RBL
USER_UNKNOWN attempts:\t$USER_UNKNOWN
ADDRESS_NOT_LISTED attempts:\t$ADDRESS_NOT_LISTED
BLOCKED_SPAM attempts:\t$BLOCKED_SPAM";
$md=array(
"IP"=>$servername,
"MATCHES"=>$matches,
"EVENTS"=>$text,
"DATE"=>date("Y-m-d H:i:s")
);
$serialize=serialize($md);
$md5=md5($serialize);
@mkdir("/var/log/artica-postfix/smtp-hack",0666,true);
@file_put_contents("/var/log/artica-postfix/smtp-hack/$md5.hack",$serialize);
events("SMTP Hack: $servername matches $matches $text");
if(!$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername]){
$GLOBALS["SMTP_HACKS_NOTIFIED"][$servername]=true;
email_events("[SMTP HACK]: $servername match rules",$text,'postfix');
}
}
function Parseline($buffer)
{
$buffer = trim($buffer);
if (preg_match("#artica-filter#", $buffer)) {
return true;
}
if (preg_match("#postfix\\/#", $buffer)) {
return true;
}
if (preg_match("#CRON\\[#", $buffer)) {
return true;
}
if (preg_match("#: CACHEMGR:#", $buffer)) {
return true;
}
if (preg_match("#exec\\.postfix-logger\\.php:#", $buffer)) {
return true;
}
if (preg_match("#artica-install\\[#", $buffer)) {
return true;
}
if (preg_match("#monitor action done#", $buffer)) {
return true;
}
if (preg_match("#monitor service.+?on user request#", $buffer)) {
return true;
}
if (preg_match("#CRON\\[.+?\\(root\\).+CMD#", $buffer)) {
return true;
}
if (preg_match("#winbindd\\[.+?winbindd_listen_fde_handler#", $buffer)) {
return true;
}
if (preg_match('#smbd\\[.+Ignoring unknown parameter\\s+"hide_unwriteable_files"#', $buffer, $re)) {
events("SAMBA unknown parameter hide_unwriteable_files");
$file = "/etc/artica-postfix/croned.1/hide_unwriteable_files";
if (IfFileTime($file)) {
email_events("Samba unknown parameter hide_unwriteable_files", "Samba claim \"{$buffer}\" Artica will correct the configuration file", 'system');
shell_exec(LOCATE_PHP5_BIN2() . " /usr/share/artica-postfix/exec.samba.php --fix-HideUnwriteableFiles &");
@file_put_contents($file, "#");
}
return true;
}
if (preg_match('#load_usershare_shares: directory\\s+(.+?)\\s+is not owned by root or does not have the sticky bit#', $buffer, $re)) {
events("SAMBA load_usershare_shares {$re[1]}");
$file = "/etc/artica-postfix/croned.1/load_usershare_shares";
if (IfFileTime($file)) {
email_events("Samba load_usershare_shares permissions issues", "Samba claim \"{$buffer}\" Artica will correct the filesystem directory", 'system');
shell_exec("chmod 1775 {$re['1']}/ &");
shell_exec("chmod chmod +t {$re['1']}/ &");
@file_put_contents($file, "#");
}
return true;
}
if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)TROUBLE\\s+in child_init_hook:#", $buffer, $re)) {
events("AMAVIS TROUBLE in child_init_hook");
$file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
if (IfFileTime($file)) {
email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
shell_exec('/etc/init.d/artica-postfix restart amavis &');
@file_put_contents($file, "#");
}
return true;
}
if (preg_match("#amavis\\[.+?:\\s+\\(.+?\\)_DIE:\\s+Suicide in child_init_hook#", $buffer, $re)) {
events("AMAVIS TROUBLE in child_init_hook");
$file = "/etc/artica-postfix/croned.1/amavis." . md5("AMAVIS:TROUBLE in child_init_hook");
if (IfFileTime($file)) {
email_events("Amavis child error", "Amavis claim \"{$buffer}\" the amavis daemon will be restarted", 'postfix');
shell_exec('/etc/init.d/artica-postfix restart amavis &');
@file_put_contents($file, "#");
}
return true;
}
if (preg_match("#smbd_audit:\\s+(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\\|(.+?)\$#", $buffer, $re)) {
events("{$re[5]}/{$re[8]} in xapian queue");
WriteXapian("{$re[5]}/{$re[8]}");
return true;
}
if (preg_match("#squid\\[.+?comm_old_accept:\\s+FD\\s+15:.+?Invalid argument#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/comm_old_accept.FD15";
if (IfFileTime($file)) {
events("comm_old_accept FD15 SQUID");
email_events("Squid File System error", "SQUID claim \"{$buffer}\" the squid service will be restarted", 'system');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
WriteFileCache($file);
return;
} else {
events("comm_old_accept FD15 SQUID");
return;
}
}
if (preg_match("#dansguardian.+?:\\s+Error connecting to proxy#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/squid.tostart.error";
if (IfFileTime($file, 2)) {
events("Squid not available...! Artica will start squid");
email_events("Proxy error", "DansGuardian claim \"{$buffer}\", Artica will start squid ", 'system');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart squid-cache');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix start dansguardian');
WriteFileCache($file);
return;
} else {
events("Proxy error, but take action after 10mn");
return;
}
}
if (preg_match("#zarafa-server.+?INNODB engine is disabled#", $buffer)) {
$file = "/etc/artica-postfix/croned.1/zarafa.INNODB.engine";
if (IfFileTime($file, 2)) {
events("Zarafa innodb errr");
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart mysql');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart zarafa');
WriteFileCache($file);
return;
} else {
events("Zarafa innodb err, but take action after 10mn");
return;
}
}
if (preg_match("#(.+?)\\[.+?segfault at.+?error.+?in.+?\\[#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/segfault.{$re[1]}";
if (IfFileTime($file, 10)) {
events("{$re[1]}: segfault");
email_events("{$re[1]}: segfault", "Kernel claim \"{$buffer}\" ", 'system');
WriteFileCache($file);
return;
}
}
if (preg_match("#kernel:.+?Out of memory:\\s+kill\\s+process\\s+#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kernel.Out.of.memory";
if (IfFileTime($file, 1)) {
events("Out of memory -> REBOOT !!!");
email_events("Out of memory ! server will be rebooted", "Kernel claim \"{$buffer}\" the server will be rebooted", 'system');
WriteFileCache($file);
shell_exec("/etc/init.d/artica-postfix stop");
shell_exec("reboot");
return;
}
}
if (preg_match("#winbindd\\[.+?failed to bind to server\\s+(.+?)\\s+with dn.+?Error: Can.+?contact LDAP server#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/winbindd.ldap.failed";
if (IfFileTime($file, 10)) {
events("winbindd -> LDAP FAIELD");
email_events("LDAP server is unavailable", "Samba claim \"{$buffer}\" artica will try to restart LDAP server ", 'system');
WriteFileCache($file);
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart ldap');
return;
}
}
if (preg_match("#winbindd\\[.+?resolve_name: unknown name switch type lmhost#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/winbindd.lmhost.failed";
if (IfFileTime($file, 10)) {
events("winbindd -> lmhost failed");
WriteFileCache($file);
THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.samba.php --fix-lmhost");
return;
}
}
if (preg_match("#nmbd\\[.+?become_logon_server_success: Samba is now a logon server for workgroup (.+?)\\s+on subnet\\s+([A-Z0-9\\._-]+)#", $buffer, $re)) {
email_events("Samba (file sharing) started domain {$re[1]}/{$re[2]}", "Samba notice: \"{$buffer}\"", 'system');
return;
}
if (preg_match("#zarafa-server.+?Unable to connect to database.+?MySQL server on.+?([0-9\\.]+)#", $buffer)) {
$file = "/etc/artica-postfix/croned.1/zarafa.MYSQL.CONNECT";
if (IfFileTime($file, 2)) {
events("Zarafa Mysql Error errr");
email_events("MailBox server unable connect to database", "Zarafa server claim \"{$buffer}\" ", 'mailbox');
WriteFileCache($file);
return;
} else {
events("MailBox server unable connect to database but take action after 10mn");
return;
}
}
if (preg_match("#winbindd:\\s+Exceeding\\s+[0-9]+\\s+client\\s+connections.+?no idle connection found#", $buffer)) {
$file = "/etc/artica-postfix/croned.1/Winbindd.connect.error";
if (IfFileTime($file, 2)) {
events("winbindd Error connections");
email_events("Winbindd exceeding connections", "Samba server claim \"{$buffer}\" \nArtica will restart samba", 'system');
shell_exec('/etc/init.d/artica-postfix restart samba &');
WriteFileCache($file);
return;
} else {
events("Winbindd exceeding connections take action after 10mn");
return;
}
}
// -------------------------------------------------------------------- MONIT
if (preg_match("#'(.+?)'\\s+total mem amount of\\s+([0-9]+).+?matches resource limit#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/mem.{$re[1]}.monit";
if (IfFileTime($file, 15)) {
events("{$re[1]} limit memory exceed");
email_events("{$re[1]}: memory limit", "Monitor claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("{$re[1]} limit memory exceed, but take action after 10mn");
return;
}
}
if (preg_match("#monit\\[.+?'(.+?)'\\s+trying to restart#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
if (IfFileTime($file, 5)) {
events("{$re[1]} was restarted");
email_events("{$re[1]}: stopped, try to restart", "Monitor claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("{$re[1]}: stopped, try to restart, but take action after 10mn");
return;
}
}
if (preg_match("#monit\\[.+?'(.+?)'\\s+process is not running#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/restart.{$re[1]}.monit";
if (IfFileTime($file, 5)) {
events("{$re[1]} was stopped");
email_events("{$re[1]}: stopped", "Monitor claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("{$re[1]}: stopped, but take action after 10mn");
return;
}
}
if (preg_match("#pdns\\[.+?:\\s+binding UDP socket to.+?Address already in use#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/restart.pdns.bind.error";
if (IfFileTime($file, 5)) {
events("PowerDNS: Unable to bind UDP socket");
email_events("PowerDNS: Unable to bind UDP socket", "Artica will restart PowerDNS", 'system');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart pdns');
WriteFileCache($file);
return;
} else {
events("PowerDNS: Unable to bind UDP socket: but take action after 10mn");
return;
}
}
if (preg_match("#cpu system usage of ([0-9\\.]+)% matches#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/cpu.system.monit";
if (IfFileTime($file, 15)) {
events("cpu exceed");
email_events("cpu warning {$re[1]}%", "Monitor claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("cpu exceed, but take action after 10mn");
return;
}
}
if (preg_match("#monit.+?'(.+)'\\s+start:#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/monit.start.{$re[1]}";
if (IfFileTime($file, 5)) {
events("{$re[1]} start");
email_events("{$re[1]} starting", "Monitor currently starting service {$re[1]}", 'system');
WriteFileCache($file);
return;
} else {
events("{$re[1]} start, but take action after 10mn");
return;
}
}
if (preg_match("#monit\\[.+?:\\s+'(.+?)'\\s+process is running with pid\\s+([0-9]+)#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/monit.run.{$re[1]}";
if (IfFileTime($file, 5)) {
events("{$re[1]} running");
email_events("{$re[1]} now running pid {$re[2]}", "Monitor report {$buffer}", 'system');
WriteFileCache($file);
return;
} else {
events("{$re[1]} running, but take action after 10mn");
return;
}
}
if (preg_match("#nmbd.+?:\\s+Cannot sync browser lists#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/samba.CannotSyncBrowserLists.error";
if (IfFileTime($file)) {
events("Samba cannot sync browser list, remove /var/lib/samba/wins.dat");
@unlink("/var/lib/samba/wins.dat");
WriteFileCache($file);
} else {
events("Samba error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#freshclam.+?:\\s+Database updated \\(([0-9]+)\\s+signatures\\) from .+?#", $buffer, $re)) {
email_events("ClamAV Database Updated {$re[1]} signatures", "{$buffer}", 'update');
return;
}
if (preg_match("#squid.+?:\\s+essential ICAP service is down after an options fetch failure:\\s+icap:\\/\\/:1344\\/av\\/respmod#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/squid.icap1.error";
if (IfFileTime($file)) {
email_events("Kaspersky for Squid Down", "{$buffer}", 'system');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix start kav4proxy');
THREAD_COMMAND_SET('squid -k reconfigure');
WriteFileCache($file);
return;
} else {
events("KAV4PROXY error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#KASERROR.+?NOLOGID.+?Can.+?find user mailflt3#", $buffer)) {
$file = "/etc/artica-postfix/croned.1/KASERROR.NOLOGID.mailflt3";
if (IfFileTime($file)) {
THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --mailflt3');
WriteFileCache($file);
return;
} else {
events("KASERROR error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#lmtp.+?status=deferred.+?lmtp\\]:.+?(No such file or directory|Too many levels of symbolic links)#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/cyrus.lmtp.failed";
if (IfFileTime($file)) {
email_events("cyrus-imapd socket error", "Postfix claim \"{$buffer}\", Artica will restart cyrus", 'system');
THREAD_COMMAND_SET('/usr/share/artica-postfix/bin/artica-install --cyrus-checkconfig');
THREAD_COMMAND_SET('/etc/init.d/artica-postfix restart imap');
THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.postfix.main.cf.php --imap-sockets");
cyrus_socket_error($buffer, $re[1] . "lmtp");
WriteFileCache($file);
return;
} else {
events("CYRUS error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#dhcpd: DHCPREQUEST for (.+?)\\s+from\\s+(.+?)\\s+\\((.+?)\\)\\s+via#", $buffer, $re)) {
events("DHCPD: IP:{$re[1]} MAC:({$re[2]}) computer name={$re[3]}-> exec.dhcpd-leases.php");
THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.dhcpd-leases.php --single-computer {$re[1]} {$re[2]} {$re[3]}");
return;
}
if (preg_match("#rsyncd\\[.+?:\\s+recv.+?\\[(.+?)\\].+?([0-9]+)\$#", $buffer, $re)) {
$file = md5($buffer);
@mkdir('/var/log/artica-postfix/rsync', null, true);
$f["IP"] = $re[1];
$f["DATE"] = date('Y-m-d H:00:00');
$f["SIZE"] = $re[2];
@file_put_contents("/var/log/artica-postfix/rsync/{$file}", serialize($f));
}
if (preg_match("#kavmilter.+?Can.+?t load keys: No active key#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmilter.key.failed";
if (IfFileTime($file)) {
email_events("Kaspersky Antivirus Mail license error", "KavMilter claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#kavmd.+?Can.+?t load keys:.+?#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmd.key.failed";
if (IfFileTime($file)) {
email_events("Kaspersky Antivirus Mail license error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("Kaspersky Antivirus Mail license error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#kavmd.+?ERROR Engine problem#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmd.engine.failed";
if (IfFileTime($file)) {
email_events("Kaspersky Antivirus Mail Engine error", "Kaspersky Antivirus Mail claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("Kaspersky Antivirus Mail Engine error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#kavmilter.+?WARNING.+?Your AV signatures are older than#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmilter.upd.failed";
if (IfFileTime($file)) {
email_events("Kaspersky Antivirus Mail AV signatures are older", "KavMilter claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("Kaspersky Antivirus update license error:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#dansguardian.+?Error compiling regexp#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/dansguardian.compiling.regexp";
if (IfFileTime($file)) {
email_events("Dansguardian failed to start", "Dansguardian claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("Dansguardian failed to start:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#kavmilter.+?Invalid value specified for SendmailPath#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmilter.SendmailPath.Invalid";
if (IfFileTime($file)) {
events("Check SendmailPath for kavmilter");
THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --SendmailPath");
WriteFileCache($file);
return;
} else {
events("Check SendmailPath for kavmilter:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#KAVMilter Error.+?Group.+?Default.+?has error#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/kavmilter.Default.error";
if (IfFileTime($file)) {
events("Check Group default for kavmilter");
THREAD_COMMAND_SET("{$GLOBALS["LOCATE_PHP5_BIN"]} /usr/share/artica-postfix/exec.kavmilter.php --default-group");
WriteFileCache($file);
return;
} else {
events("Check Group default for kavmilter:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#kavmilter.+?Message INFECTED from (.+?)\\(remote:\\[(.+?)\\).+?with\\s+(.+?)\$#", $buffer, $re)) {
events("KAVMILTER INFECTION <{$re[1]}> {$re[2]}");
infected_queue("kavmilter", trim($re[1]), trim($re[2]), trim($re[3]));
return;
}
if (preg_match("#pdns\\[.+?\\[LdapBackend.+?Ldap connection to server failed#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/pdns.ldap.error";
if (IfFileTime($file)) {
events("PDNS LDAP FAILED");
email_events("PowerDNS ldap connection failed", "PowerDNS claim \"{$buffer}\"", 'system');
WriteFileCache($file);
return;
} else {
events("PDNS FAILED:{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#master.+?cannot find executable for service.+?sieve#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/cyrus.sieve.error";
if (IfFileTime($file)) {
events("Check sieve path");
THREAD_COMMAND_SET("/usr/share/artica-postfix/bin/artica-install --reconfigure-cyrus");
WriteFileCache($file);
return;
} else {
events("Check sieve path error :{$buffer}, but take action after 10mn");
return;
}
}
if (preg_match("#smbd\\[.+?write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer#", $buffer, $re)) {
$file = "/etc/artica-postfix/croned.1/samba.Error.Connection.reset.by.peer.error";
if (IfFileTime($file)) {
events("Check sieve Error Connection reset by peer");
$text[] = "Your MS Windows computers should not have access to the server cause network generic errors";
$text[] = "- Check these parameters:";
$text[] = "- Check if Apparmor or SeLinux are disabled on the server.";
$text[] = "- Check your hard drives by this command-line: hdparm -tT /dev/sda(0-9)";
$text[] = "- Check that 137|138|139|445 ports is open from workstation to this server";
$text[] = "- Check network switch or hub connection between this server and your workstations.";
$text[] = "- Try to add this registry key [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Disk]\n\t\"TimeOutValue\"=dword:0000003c";
email_events("Samba network error", "Samba claim \"{$buffer}\"\n" . implode("\n", $text), 'system');
WriteFileCache($file);
return;
} else {
events("Check sieve Error Connection reset by peer :{$buffer}, but take action after 10mn");
return;
}
}
events("Not Filtered:\"{$buffer}\"");
}
