
List:       swatch-users
Subject:    Swatch-users Digest, Vol 10, Issue 5
From:       swatch-users-request@ucsb.edu
Date:       2003-02-13 20:00:17

Send Swatch-users mailing list submissions to
	swatch-users@ucsb.edu

To subscribe or unsubscribe via the World Wide Web, visit
	http://ucsb.edu/mailman/listinfo/swatch-users
or, via email, send a message with subject or body 'help' to
	swatch-users-request@ucsb.edu

You can reach the person managing the list at
	swatch-users-owner@ucsb.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Swatch-users digest..."


Today's Topics:

   1. Re: Installing swatch (Ed Schmollinger)
   2. Some patches (Chuck Berg)
   3. Re: Installing swatch (Euriel Gomez)
   4. Re: [logs] swatchrc file (Ed Schmollinger)


----------------------------------------------------------------------

Date: Wed, 12 Feb 2003 13:49:59 -0600
From: Ed Schmollinger <schmolli@frozencrow.org>
To: Euriel Gomez <greuriel@yahoo.com.mx>
Cc: swatch-users@ucsb.edu
Subject: Re: [Swatch-users] Installing swatch
Message-ID: <20030212194959.GA18195@frozencrow.org>
In-Reply-To: <20030210163336.27839.qmail@web20502.mail.yahoo.com>
References: <20030210163336.27839.qmail@web20502.mail.yahoo.com>
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="HlL+5n6rz5pIUxbD"
MIME-Version: 1.0
Precedence: list
Message: 1



On Mon, Feb 10, 2003 at 10:33:36AM -0600, Euriel Gomez wrote:
> Probably this is a common email for newbies in swatch, but I have been trying to
> install swatch and I haven't so much success, I have installed the CPAN modules,
> but I got this error. 
> [root@mrtg swatch-3.0.4]# make test
> PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
> 'blib/lib', 'blib/arch')" t/*.t
> t/01cpan_modules....Can't locate File/Tail.pm in @INC (@INC contains: /opt/softw

Are you sure you installed all of the CPAN modules?  That is about what
you'd expect to see if you hadn't installed File::Tail.  Try doing a
"perl -MCPAN -e 'install File::Tail'" and see if that helps.

-- 
Ed Schmollinger - schmolli@frozencrow.org
Do not meddle in the affairs of wizards, for
you are crunchy and good with ketchup.


------------------------------

From: Chuck Berg
Subject: Some patches
Message: 2

I have a patch against swatch that fixes some small problems that were
quite annoying, and adds some small features that are quite useful.

If anyone notices any bugs I've introduced please let me know.

This patch is against version 3.1b020712, from 
ftp://ftp.stanford.edu/general/security-tools/swatch/snapshots/swatch-3.1b020712.tar.gz

What I have done is:
Added support for m4 configurations. Processes a file with m4 if its name
ends in .m4 or --m4-config is given. --m4-define=name=value can be used to
define m4 macros (for example to use as configurable parameters in your
configuration). You probably need the GNU m4.

Parsing of comments, quoted text, and the comma field separator should now
behave reasonably. You can put a comma or a # inside quotes, and continue a
line with backslash. A # also does not begin a comment if whitespace does
not precede it. Existing config files may need to be changed because of
this, but I promise it is worth it (assuming no bugs). There is no
guarantee this will work in every case, but some things that were previously
impossible are now easy.

Watchfor and ignore blocks, so that a config file with many patterns can
be much cleaner.
watchfor {
/one line/
/another line/
/more lines/
/don't forget/ && /that you can do this/
}
    echo

I changed the tail command from tail -1 -f to tail -n 1 -f to work around a bug
in GNU tail. This may break the command for other tails. I guess we lose no
matter what with this. Was there a good reason File::Tail isn't the default
anymore?

I fixed "perlcode", which is a great new feature with 3.1 that lets you embed
arbitrary perl code at any point within the script.

My config file is at http://www.encinc.com/~chuck/swatch.conf.m4.txt, as an
example of what to do with all this stuff. This patch is also at
http://www.encinc.com/~chuck/swatch-3.1b020712-cb1.patch.txt

--- /home/cberg/swatch-3.1b020712/swatch	2002-07-12 13:24:37.000000000 -0400
+++ swatch	2003-02-10 01:06:06.210179000 -0500
@@ -31,6 +31,8 @@
 [ [ B<--examine> I<file_to_examine> ] 
 | [ B<--read-pipe> I<program_to_pipe_from> ] 
 | [ B<--tail> I<file_to_tail> ] ]
+[ B<--m4-config> ] 
+[ B<--m4-define> I<definition> ] 
 [ B<--daemon> ] 
 [ B<--use-cpan-file-tail> ]
 [ B<--awk-field-notation> ]
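Review bot: the SYNOPSIS entry B<--m4-define> I<definition> does not say that the option may be repeated (the cover note describes it as --m4-define=name=value for several macros), and there is no mention that a config file whose name ends in .m4 is run through m4 even without B<--m4-config>; both belong in the POD, e.g. `[ B<--m4-define> I<name=value> ... ]` plus a sentence under --m4-config about the .m4 suffix.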
@@ -340,10 +342,13 @@
 use POSIX ":sys_wait_h";
 use Date::Parse;
 use Date::Format;
+use Text::ParseWords;
 
 use vars qw(
 	    $awk_field_syntax
             $opt_config_file
+            $opt_m4_config
+            @opt_m4_define
 	    $opt_daemon
             $opt_date_loc
 	    $opt_debug_level
@@ -389,7 +394,7 @@
 my $Now = 0;  # The current time in Unix seconds. Gets set when set_restart_time is called
 my $thCounter = 0;
 my $tail_program_name = ''; # We'll try to find it in the PATH later
-my $tail_args = '-1 -f'; 
+my $tail_args = '-n 1 -f'; 
 $awk_field_syntax = 0;
 
 my $USAGE = qq/
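Review bot: changing the default `$tail_args` to `-n 1 -f` affects every tail binary, not just the GNU one the cover note says has the bug, and the note itself admits this may break other tails. Since `$tail_program_name` is located in the PATH later anyway, the argument spelling could be chosen at that point (or exposed as an option) instead of hard-coding one form for all platforms.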
@@ -398,6 +403,8 @@
 Options:
     --config-file=FILENAME               Use FILENAME for configuration.
     --old-style-config                   Parse a pre-version 3 configuration.
+    --m4-config				 Process config file with m4 first.
+    --m4-define=DEFINITION		 Pass argument to m4 --define
     --restart-time=[+]HH:MM[AM|PM]       Send a HUP signal to swatch at the specified time.
     --input-record-separator=REGEX       Specify an what should be used to separate "lines."
     --help                               Display this message.
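Review bot: the two new usage lines pad with tab characters while the surrounding lines pad with spaces, so the description column only lines up at one tab width; use spaces like the rest of the block. The help text also does not mention that a config file named *.m4 is processed by m4 automatically, which is the kind of surprise a user will want to find in --help.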
@@ -410,7 +417,7 @@
 /;
 
 my $AUTHOR = "E. Todd Atkins <Todd.Atkins\@StanfordAlumni.ORG>";
-$VERSION = "3.1b020712";
+$VERSION = "3.1b020712-cb1";
 my $BUILD_DATE = "12 July 2002";
 
 sub print_version {
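Review bot: $VERSION is bumped to 3.1b020712-cb1 but $BUILD_DATE on the next line still reads 12 July 2002, so print_version reports a patched version with the unpatched build date; update both or neither.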
@@ -427,6 +434,8 @@
   die "$USAGE" if not GetOptions(
 				 "awk-field-syntax!" => \$awk_field_syntax,
 				 "config-file|c=s" => \$opt_config_file,
+				 "m4-config" => \$opt_m4_config,
+				 "m4-define:s" => \@opt_m4_define,
 				 "daemon" => \$opt_daemon,
 				 "date-loc|date-location=s" => \$opt_date_loc,
 				 "debug-level=i" => $opt_debug_level,
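Review bot: `"m4-define:s"` makes the value optional, so a bare `--m4-define` pushes an empty string onto @opt_m4_define, which later turns into a bare `--define=` on the m4 command line. The usage text advertises `--m4-define=DEFINITION`, so `"m4-define=s"` is the spec that matches it and rejects the empty case up front.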
@@ -529,6 +538,24 @@
   my $value;
   my $fh;
   my @records;
+  my $in_block;
+  my @pattern_list;
+
+# for the <$fh> loop, pushes $rec onto @records if necessary.
+  sub flush_records {
+      if (@pattern_list) {
+	foreach (@pattern_list) {
+	  my %tmprec=%$rec;
+	  $tmprec{pattern}=$_;
+	  push @records, \%tmprec;
+	}
+	$rec = ();
+	undef @pattern_list;
+      } elsif (defined $rec->{pattern}) {
+	push @records, $rec;
+	$rec = ();
+      }
+    }
 
   if ( not -r $filename ) {
     warn "$Me: cannot read $filename\n";
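Review bot: `flush_records` is a named sub declared inside the enclosing sub and it closes over the lexicals `$rec`, `@pattern_list` and `@records`. Perl binds a named inner sub to the first instances of those variables only (this is the "Variable ... will not stay shared" warning), so if the config reader is ever called a second time in the same process the helper pushes onto a stale @records while the caller sees an empty one. An anonymous sub held in a lexical (`my $flush = sub { ... }; $flush->();`) or passing the arrays in as arguments avoids it. Also `$rec = ()` assigns an empty list to a scalar; `undef $rec` or `$rec = {}` says what is meant.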
@@ -536,37 +563,75 @@
     return(default_config());
   }
 
-  $fh = new FileHandle "$filename", "r";
-  if (not defined $fh) {
-    warn "$Me: cannot open $filename: $!\n";
-    exit 1;
+# handle m4 config files
+  $opt_m4_config=1 if( $filename =~ /\.m4$/);
+  if($opt_m4_config) {
+    my $m4_defines="";
+    foreach my $def (@opt_m4_define) {
+	$m4_defines.=($m4_defines?" ":"")." --define=$def";
+    }
+    $fh = new FileHandle "m4 --synclines $m4_defines $filename|";
+    die "$Me: m4 $filename failed: $!\n" if(not defined $fh);
+  } else {
+    $fh = new FileHandle "$filename", "r";
+    die "$Me: cannot open filename: $!\n" if(not defined $fh);
   }
 
+  my $multi_line; # to remember lines continued with backslash
   while (<$fh>) {
     my($key, $val);
     chomp;
-    s/^\s+//; ## strip off leading blank space
-    s/\s+$//; ## strip off trailing blank space
 
-    ### Skip comments blank lines ###
-    next if (/^\#/ or /^\s*$/);
+# backslash continuation is done first
+    if(/\\$/) {
+	$multi_line .= $_;
+	$multi_line =~ s/\\$//;
+	next;
+    } 
+
+    if(defined($multi_line)) {
+	$_=$multi_line.$_;
+	undef($multi_line);
+    }
 
-    s/\#.*$//; ## strip trailing comments
+# strip off leading blank space
+    s/^\s+//;
 
-    if (/\s*=\s*/) {
-      $key = (split(/\s*[= ]\s*/))[0];
-      ($val = substr($_, length($key))) =~ s/^\s*=\s*//;
-    } else {
-      $key = (split())[0];
-      ($val = substr($_, length($key))) =~ s/^\s*//;
+# adjust line counter 
+    if($opt_m4_config && /^#line (\d+)/) {
+	$.=$1;
     }
-    if ($key =~ /^(watchfor|waitfor|ignore)$/i) {
-      $i++;
-      if (defined $rec->{pattern}) {
-	push @records, $rec;
-	$rec = ();
+
+# skip comments and blank lines
+    next if (/^\#/ or /^\s*$/);
+
+# skip comments, ignoring those in quotes or not lead by whitespace
+    s%^(("(\\.|[^"\\])*"|'(\\.|[^'\\])*'|[^#"'\\]*|\S#)*)\s#.*%$1%g;
+
+# strip off trailing blank space 
+    s/\s+$//;
+
+    ($key,$val)=split(/\s*=\s*|\s+/, $_, 2);
+
+    if ($in_block) {
+      if($_ eq "}") {
+	$in_block=0;
+      } elsif(not is_valid_pattern($_)) {
+	die "$Me: error in pattern \"$_\" on line $. of $filename\n";
+      } else {
+        push @pattern_list, $_;
       }
+    } elsif ($key =~ /^(watchfor|ignore)$/i) {
+      $i++;
+
+      flush_records;
 
+      if ($val eq "{") {
+	$rec->{keyword}=lc $key;
+	$in_block=1;
+	undef @pattern_list;
+      }
+      
       if (not is_valid_pattern($val)) {
 	die "$Me: error in pattern \"$val\" on line $. of $filename\n";
       }
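Review bot: the m4 branch builds a shell command by interpolating $filename and every --m4-define value into `"m4 --synclines $m4_defines $filename|"`, so a filename or definition containing spaces, quotes, `;` or backticks is handed to /bin/sh unquoted; the list form `open(my $fh, '-|', 'm4', '--synclines', @defs, $filename)` runs m4 without a shell and needs no quoting. Three smaller points in the same hunk: the error text `cannot open filename` has lost the `$` (it read `$filename` before); with `--synclines` a `#line N` marker describes the line that follows it, so `$. = $1` should be `$. = $1 - 1` because the next read increments it, otherwise the `on line $.` messages are off by one; and after `$val eq "{"` opens a block the code falls through to `is_valid_pattern($val)` with `$val` still equal to "{", so a `next` after setting $in_block would keep the brace from being validated as a pattern.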
@@ -576,20 +641,17 @@
       }
     } elsif ($key =~ /perlcode/i) {
       my $depth = 1;
-      if ($val =~ /(\d+)\s+(.*)$/) { # put perlcode at a given depth
+      if ($val =~ /^\s*(\d+)\s(.*)$/) { # put perlcode at a given depth
 	$depth = $1;
 	$val = $2;
       }
       if ($depth == 0 or $depth == 1) {
 	$i++;
-	if (defined $rec->{pattern}) {
-	  push @records, $rec;
-	  $rec = ();
-	}
+	flush_records;
 	$rec->{keyword} = lc($key);
         $rec->{depth} = $depth;
 	$rec->{value} = $val if (length($val));
-        push @records, $rec;
+	push @records, $rec;
 	$rec = ();
       } else {
 	push(@{$rec->{actions}}, { action => lc($key),
@@ -605,10 +667,10 @@
     }
   }
   undef $fh;
-  if (defined $rec->{pattern}) {
-    push @records, $rec;
-    $rec = ();
+  if(defined($multi_line)) {
+    warn "$Me: unexpected end of file in $filename (last line ended in backslash)\n";
   }
+  flush_records;
 
   ## Sanity Check: If the config file did not contain anything useful then 
   ## we need to return the default configuration.
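Review bot: a trailing backslash at end of file is only warned about and the accumulated `$multi_line` is then dropped, and an unclosed `watchfor {` block (`$in_block` still set at EOF) is not reported at all, so a truncated config silently loses its last rule. Both are configuration errors of the same kind as a bad pattern, which this function already treats with `die`; treating them the same way is safer than starting with a partial rule set.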
@@ -1381,14 +1443,17 @@
   my %options;
   my $have_opts = 0;
 
-  foreach my $v (split(/,/, $optstr)) {
+  my @v=parse_line(",", 0, $optstr);
+  if($optstr && !defined(@v)) {
+    warn "$Me: error parsing line: $key $optstr\n";
+    return "";
+  }
+  foreach my $v (@v) {
     if ($v =~ /(\w+)\s*=\s*"?(\S+[^"]*)/) {
       $options{uc $1} = $2;
     } else {
       my $opt = $v;
       $opt =~ s/@/\\@/g;
-      $opt =~ s/^['" ]*//;
-      $opt =~ s/['" ]*$//;
       if ($actinfo->{$key}{'def_arg'} eq 'MODES') {
 	push(@{$options{$actinfo->{$key}{'def_arg'}}}, $opt);
       } else {
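Review bot: `defined(@v)` on an array is deprecated and is a compile error on current perls; `parse_line` returns an empty list when the quotes are unbalanced, so the check should read `if ($optstr ne '' && !@v)`. Also, the removed `s/^['" ]*//` / `s/['" ]*$//` lines were what trimmed the space after each comma when options are written `a, b`; parse_line keeps that space, so each `$v` should get `s/^\s+//; s/\s+$//` before it is matched or pushed as a MODES value.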
@@ -1413,7 +1478,8 @@
 	}
 	$opts .= " ], ";
       } else {
-	$opts .= "\'$k\' => \"$options{$k}\", "; # if (defined $options{$k});
+	$opts .= ", " if($opts);
+	$opts .= "\'$k\' => \"$options{$k}\""; # if (defined $options{$k});
       }
     }
   }
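Review bot: the separator handling is now inconsistent: the list branch still appends a trailing `" ], "` while the scalar branch prepends `", "` whenever $opts is non-empty, so a list-valued option followed by a scalar one produces `... ], , 'K' => ...`. Use the same leading-separator rule in both branches, or keep the trailing form and strip the final `, ` once after the loop.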
@@ -1498,8 +1564,8 @@
 
   foreach my $a_ref (@{$ref->{actions}}) {
     my $act = $a_ref->{action};
-    if ($act eq 'perlcode' and $a_ref->{depth} == 3) {
-      $code .= "\t$a_ref->{value}\n";
+    if ($act eq 'perlcode') {
+      $code .= "\t$a_ref->{value}\n" if $a_ref->{depth} == 3;
     } elsif ($act eq 'continue') {
       $do_continue = 1;
     } elsif ($act eq 'quit') {
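As an added illustration (this is not Chuck's patch and not swatch's own parser), the following Python code implements the line rules the message describes: backslash continuation, `#` starting a comment only when preceded by whitespace and outside quotes, the key/value split on `=` or whitespace, and `watchfor { ... }` / `ignore { ... }` blocks. The configuration text is constructed for the example, and the record layout (keyword, patterns, actions) is the example's own, not swatch's internal representation.

```python
import re

# Constructed sample configuration exercising each rule; not a real swatchrc.
SAMPLE_CONF = """\
# constructed sample configuration, not a real swatchrc
watchfor /sshd.*Failed password/   # trailing comment is stripped
    echo bold
    mail addresses=me@example.test, subject="Failed #1 login"   # '#' inside quotes stays
    throttle 01:00, use=regex
watchfor {
    /%PIX-3-315001/
    /one line/ \\
&& /continued/
}
    echo
ignore /noise#tag/
"""


def strip_comment(line):
    """Cut a trailing comment: a '#' preceded by whitespace and not inside quotes."""
    quote = None
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\":
            i += 2            # backslash escapes the next character, in or out of quotes
            continue
        if quote:
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
        i += 1
    return line


def logical_lines(text):
    """Join backslash-continued lines; yield (first physical line number, joined text)."""
    pending, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        yield start, pending + raw
        pending, start = "", None
    if start is not None:
        raise ValueError(f"line {start}: file ends inside a backslash continuation")


def parse_config(text):
    """Return a list of {keyword, patterns, actions} records (example layout)."""
    records, current, in_block = [], None, False
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or whole-line comment
        line = strip_comment(line).rstrip()
        if in_block:
            if line == "}":
                in_block = False
            else:
                current["patterns"].append(line)       # one pattern per line inside { }
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("watchfor", "ignore"):
            if current is not None:
                records.append(current)
            current = {"keyword": key, "patterns": [], "actions": []}
            if val == "{":
                in_block = True
            else:
                current["patterns"].append(val)
        elif current is None:
            raise ValueError(f"line {no}: action '{key}' before any watchfor/ignore")
        else:
            current["actions"].append((key, val))
    if in_block:
        raise ValueError("file ends inside an unterminated { ... } block")
    if current is not None:
        records.append(current)
    return records


def config_error(text):
    """Return the parse error message for text, or None if it parses cleanly."""
    try:
        parse_config(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for rec in parse_config(SAMPLE_CONF):
        print(rec["keyword"], rec["patterns"], rec["actions"])
```

Unlike the patch, which only warns when the file ends in a backslash, the example refuses a config that ends inside a continuation or an open block, on the reasoning that a silently truncated rule set is worse than a refusal to start.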

------------------------------

Date: Wed, 12 Feb 2003 14:36:57 -0600 (CST)
From: Euriel Gomez <greuriel@yahoo.com.mx>
To: swatch-users@ucsb.edu
Subject: Re: [Swatch-users] Installing swatch
Message-ID: <20030212203657.61703.qmail@web20503.mail.yahoo.com>
In-Reply-To: <20030212194959.GA18195@frozencrow.org>
Content-Type: multipart/alternative; boundary="0-1022923854-1045082217=:61616"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Message: 3


Hi Ed, 
 
Thank you! Your suggestion worked. I would have bet that all the modules were
installed on my machine; however, I could see the opposite. Thanks for your kind help.
 
I will start to set up swatch on my machine :D
 
Have a great day, Admins. 

Ed Schmollinger <schmolli@frozencrow.org> wrote:
> On Mon, Feb 10, 2003 at 10:33:36AM -0600, Euriel Gomez wrote:
> > Probably this is a common email for newbies in swatch, but I have been trying to
> > install swatch and I haven't so much success, I have installed the CPAN modules,
> > but I got this error. 
> > [root@mrtg swatch-3.0.4]# make test
> > PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0,
> > 'blib/lib', 'blib/arch')" t/*.t
> > t/01cpan_modules....Can't locate File/Tail.pm in @INC (@INC contains: /opt/softw
>
> Are you sure you installed all of the CPAN modules? That is about what
> you'd expect to see if you hadn't installed File::Tail. Try doing a
> "perl -MCPAN -e 'install File::Tail'" and see if that helps.




------------------------------

From: Ed Schmollinger <schmolli@frozencrow.org>
Subject: Re: [logs] swatchrc file
Message: 4

On Thu, Feb 13, 2003 at 03:19:04PM +0000, swatch swatch wrote:
> I have read on some posts that the 'throttle' command has bugs.  It hasn't 
> worked for me yet.  Do you know if there is a fix?  I assume my config file 
> is OK?
> 
> 
> #PIX DENY SSH LOGIN
>       watchfor /%PIX-3-315001/ and /x.x.x.x/
>                echo bold
>                exec echo $0 | mail -s 'DENIED SSH LOGIN' me@mycompany.com
> throttle 01:00

The throttle bugs I've heard of all have to do with changes in the
year and month fields.  Just wondering, but did you mean to throttle at
the hour (01:00) marker, or at the minute (00:01:00) marker?  The other
thing about throttle is that if you want to throttle on anything that
matches your watchfor statement, you need to specify

	throttle 01:00, use=regex

instead.  Otherwise it only throttles identical messages.  It is common
for sshd to log a port number in addition to an IP address, so sshd
messages do not tend to work with throttle unless you use regex
throttling.

-- 
Ed Schmollinger - schmolli@frozencrow.org
Behold the warranty...the bold print giveth and the fine print taketh away.
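To make Ed's point concrete, here is an added example (Python, not swatch's Perl, and not code from the list) that runs one watchfor expression over a few constructed sshd-style lines with the two throttle keys he contrasts: the full message text, which is what a plain `throttle` compares, and the regular expression itself, which is what `use=regex` compares. The interval parsing follows Ed's reading that `01:00` is HH:MM (one hour) and `00:01:00` is HH:MM:SS (one minute); the log lines, the 192.0.2.10 address and the `Throttle` class are constructed for this example.

```python
import re

# Constructed sshd-style log lines with their arrival time in seconds.
# 192.0.2.10 is a documentation address, not a real host. Only the port differs.
LOG_LINES = [
    (0,  "sshd[4011]: Failed password for root from 192.0.2.10 port 50122 ssh2"),
    (20, "sshd[4012]: Failed password for root from 192.0.2.10 port 50123 ssh2"),
    (45, "sshd[4013]: Failed password for root from 192.0.2.10 port 50124 ssh2"),
    (90, "sshd[4014]: Failed password for root from 192.0.2.10 port 50125 ssh2"),
]

# The watchfor expression; the port number is deliberately not part of it.
WATCHFOR = re.compile(r"Failed password for \S+ from 192\.0\.2\.10")


def parse_throttle_time(spec):
    """Interpret a throttle interval as Ed describes it: HH:MM or HH:MM:SS."""
    parts = [int(p) for p in spec.split(":")]
    if len(parts) == 2:
        hours, minutes, seconds = parts[0], parts[1], 0
    elif len(parts) == 3:
        hours, minutes, seconds = parts
    else:
        raise ValueError(f"bad throttle time {spec!r}: want HH:MM or HH:MM:SS")
    return hours * 3600 + minutes * 60 + seconds


class Throttle:
    """Suppress repeats of a watchfor hit for `period` seconds.

    Keyed on the whole message (the default) or on the pattern itself
    (use=regex). A model of the behaviour Ed describes, not swatch code.
    """

    def __init__(self, pattern, period, use_regex=False):
        self.pattern = pattern
        self.period = period
        self.use_regex = use_regex
        self.last_fired = {}          # throttle key -> time the actions last ran

    def fires(self, ts, line):
        """Return True if this line should trigger the actions at time ts."""
        if not self.pattern.search(line):
            return False
        key = self.pattern.pattern if self.use_regex else line
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.period:
            return False              # still inside the throttle window for this key
        self.last_fired[key] = ts
        return True


def firing_times(lines, spec, use_regex):
    """Timestamps at which the actions would run for the given throttle setting."""
    throttle = Throttle(WATCHFOR, parse_throttle_time(spec), use_regex)
    return [ts for ts, line in lines if throttle.fires(ts, line)]


if __name__ == "__main__":
    print("throttle 00:01:00            ->", firing_times(LOG_LINES, "00:01:00", False))
    print("throttle 00:01:00, use=regex ->", firing_times(LOG_LINES, "00:01:00", True))
```

With the message as key every line is "new" because of the changing port, so all four fire and the throttle does nothing; keyed on the regex, only the first line and the one that arrives after the window has elapsed fire.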

------------------------------

_______________________________________________
Swatch-users mailing list
Swatch-users@ucsb.edu
http://ucsb.edu/mailman/listinfo/swatch-users


End of Swatch-users Digest, Vol 10, Issue 5
*******************************************
