
#!/bin/sh
# File	: chk_auditlog.sh
# By	: Maarten.deBoer@Atos.net, 110929
# Subject	: Scan the NetApp-filer auditlog files for authorisation errors ('AUTH:error'), root logins ('root@') and root usage (': root:') and mail the findings
#(0.2)	: Added root use & ZIP
#(0.3)	: Added MONFILTER, LOG
#(0.4)	: Added USAGE, AULOGFILES
#(0.5)	: Mod. for RHEL6 (mailx -a)
#(0.6)	: Mod's
#
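PGM="$(basename "$0" | cut -d. -f1)"       # script name without extension, used for temp/log/mail names
VERSION="0.6"
# Scratch-file prefix. NOTE(review): the name is predictable ($$) and the files
# it prefixes hold audit-log extracts; the umask below keeps them owner-only,
# a mktemp-based name would remove the guessability as well.
TMP="/tmp/${PGM}.$$"
HOSTNAME="$(hostname | cut -d. -f1)"       # short host name, shown in the mail subject
FILERS="${HOME}/etc/filers"                # one filer per line, ';'-separated fields, first field = name, '#' = comment
# -n: stdin from /dev/null (rdfile needs none). BatchMode=yes: if key auth
# fails, ssh exits instead of waiting for a password on the tty, which would
# hang a cron run forever.
SSH="/usr/bin/ssh -n -o BatchMode=yes"
PING="/bin/ping"
MAIL=1                                     # non-empty = send the reports by mail (-n/--nomail clears it)
MAILTO="maarten.deboer@atos.net"
FILTER="[?]*"                              # grep pattern on the filer list; '[?]*' matches every line, i.e. no filtering
ZIP="/usr/bin/gzip"
MONFILTER="Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"   # egrep pattern an auditlog line must match (default: any month)
LOG="${HOME}/log/${PGM}.log"
AULOGFILES=5                               # rotated auditlog.N files to fetch, N = AULOGFILES .. 0, plus the live auditlog
# Everything this script writes to disk (scratch files, mail attachments, the
# log) contains usernames, client hosts and the filer's root command trail;
# with the default umask (022) those files would be world-readable in /tmp.
# Create them owner-only regardless of the caller's umask.
umask 077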


USAGE()
{
  # Print the option summary to stdout, one line per option.  The values in
  # parentheses are the current settings, so they reflect any -a/-f/-m/--mailto
  # that was parsed before -h.
  printf '%s\n' \
    "Usage: $PGM [options] " \
    "  Version: ${VERSION}" \
    "  options:" \
    "    -a : Amount of auditlogfiles (${AULOGFILES})" \
    "    -d : Do (no options will exit script)" \
    "    -f : filter Filername (${FILTER})" \
    "    -h : this help" \
    "    -m : filter Monthfilter (${MONFILTER})" \
    "    -n : do NOT send mail" \
    "    -V : Version" \
    "    -x : set -x" \
    "    --help     : this help" \
    "    --mailto   : change MAILTO address & do send mail (${MAILTO})" \
    "    --nomail   : do NOT send mail"
}
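## MAIN
# Option parsing.  Value-taking options (-a -f -m --mailto) consume $2.
# Bug fix: '-d' used to 'shift' inside its case arm AND fall through to the
# common shift below, so the option after it was silently dropped
# ('-d -n' still sent mail).
if [ ${#} -eq 0 ]; then
  echo "No option(s) given. So not to know what to do. Exiting..."; echo; USAGE;
  exit 1
fi
while [ ${#} -ge 1 ]
do
  case $1 in
    -a | -f | -m | --mailto)
      # these need a value; without the check $2 would silently be empty
      if [ ${#} -lt 2 ]; then
        echo "Option $1 needs a value."; USAGE; exit 1
      fi ;;
  esac
  case $1 in
    -d) echo ;;
    -n | --nomail) MAIL="" ;;
    --mailto) MAILTO=$2; MAIL=1; shift ;;
    -a) AULOGFILES=$2; shift ;;
    -f) FILTER=$2; shift ;;
    -h | --help) USAGE; exit 1 ;;
    -m) MONFILTER=$2; shift ;;
    -V) echo "${PGM}: v${VERSION}"; exit 3 ;;
    -x)  set -x ;;
    *)  echo "Option $1 not known."; USAGE; exit 1 ;;
  esac
  shift
done

# Values that go straight into arithmetic or onto the mailx command line.
case ${AULOGFILES} in
  ''|*[!0-9]*) echo "Option -a needs a non-negative number, not '${AULOGFILES}'."; exit 1 ;;
esac
case ${MAILTO} in
  # a leading '-' would be parsed by mailx as an option, not an address
  ''|-*) echo "Invalid mail address '${MAILTO}'."; exit 1 ;;
esac
if [ ! -r "${FILERS}" ]; then
  echo "$(date) Filer list ${FILERS} not readable. Exiting..."| tee -a "${LOG}"
  exit 1
fi

# Private scratch directory.  The extracts collected below hold usernames,
# client hosts and the filer's root command trail, and the fixed names used
# before (/tmp/<pgm>.<pid>, /tmp/<pgm>-<filer>.asc) were predictable and
# created with the caller's umask: another local user could pre-create or
# symlink them (this script only ever '>>' and 'cp' into them) or simply read
# them.  mktemp -d yields a 0700 directory nobody else can guess; the EXIT
# trap removes it on every exit path (the ping-error branch used to leave
# ${TMP} behind).
WORK="$(mktemp -d "/tmp/${PGM}.XXXXXX")" || { echo "${PGM}: cannot create scratch directory in /tmp"; exit 1; }
trap 'rm -rf -- "${WORK}"' EXIT
TMP="${WORK}/${PGM}"

echo "$(date) Start."| tee -a "${LOG}"
echo "AULOGFILES=${AULOGFILES}, FILTER=${FILTER}, MONFILTER=${MONFILTER}"| tee -a "${LOG}"
echo "FILERS=${FILERS}"

# Start getting info: first ';'-field of every non-comment line matching FILTER.
# (FILTER is a grep pattern supplied by the operator, passed via -e so a
# leading '-' cannot turn into a grep option.)
for FILER in $(grep -v '^#' "${FILERS}" | grep -e "${FILTER}" | awk -F';' '{print $1}')
do
  echo "$(date) Filer ${FILER} ..."|tee -a "${LOG}"|tee -a "${TMP}"
  if "${PING}" -c 1 "${FILER}" 1> /dev/null 2>&1; then
    RAW="${TMP}.${FILER}"                  # concatenated raw auditlogs of this filer
    ROOTUSE="${TMP}_root-usage.asc"        # second, usually larger, report
    # auditlog.AULOGFILES (oldest) down to auditlog.0, then the live auditlog.
    # ${SSH} is deliberately unquoted: it carries options.  A failed fetch is
    # logged instead of being silently absent from the report.
    NR=${AULOGFILES}
    while [ "${NR}" -ge 0 ]
    do
      echo "Getting auditlog.${NR} ..."
      ${SSH} "${FILER}" rdfile "/etc/log/auditlog.${NR}" >> "${RAW}" \
        || echo "$(date) Filer ${FILER} rdfile auditlog.${NR} ERROR (rc=$?)"|tee -a "${LOG}"
      NR=$((NR - 1))
    done
    echo "Getting auditlog ..."
    ${SSH} "${FILER}" rdfile /etc/log/auditlog >> "${RAW}" \
      || echo "$(date) Filer ${FILER} rdfile auditlog ERROR (rc=$?)"|tee -a "${LOG}"

    # Failed logins/unauthorised access and root logins go into the main
    # report, restricted to lines matching MONFILTER.
    echo "====== Unsuccesful logins + Unauthorised access by FilerView+OS(ONTAP) = Authorisation errors('AUTH:error' in auditlogs) ======" | tee -a "${TMP}"
    grep 'AUTH:error' "${RAW}"|grep -E -e "${MONFILTER}"|tee -a "${TMP}"

    echo "====== root-login ('root@' in auditlogs) ======" | tee -a "${TMP}"
    grep 'root@' "${RAW}"|grep -E -e "${MONFILTER}"|tee -a "${TMP}"

    # Every command run as root goes into the separate root-usage report.
    echo "====== root-usage (': root:' in auditlogs) ======" | tee -a "${ROOTUSE}"
    grep ': root:' "${RAW}"|grep -E -e "${MONFILTER}"|tee -a "${ROOTUSE}"

    if [ "${MAIL}" ]; then
      # NOTE(review): both reports leave as plain e-mail and expose usernames,
      # client addresses and the root command history of the filer; MAILTO
      # should be an internal mailbox reached over a trusted/TLS path.
      # The attachment name is the file's basename, so the copy keeps the
      # '<pgm>-<filer>' naming recipients know, but lives in the private dir.
      ATT="${WORK}/${PGM}-${FILER}.asc"
      cp "${TMP}" "${ATT}"
      date|mailx -a "${ATT}" -s ":${HOSTNAME}:Check authentication (in auditlogs) of filer ${FILER} [${PGM} v${VERSION}]" "${MAILTO}"
      rm -f "${ATT}"

      ATT="${WORK}/${PGM}-${FILER}_root-usage.asc"
      cp "${ROOTUSE}" "${ATT}"
      "${ZIP}" "${ATT}"
      date|mailx -a "${ATT}.gz" -s ":${HOSTNAME}:Check root-usage (in auditlogs) of filer ${FILER} [${PGM} v${VERSION}]" "${MAILTO}"
      rm -f "${ATT}" "${ATT}.gz"
      echo "    Mailed to ${MAILTO}" | tee -a "${LOG}"
    fi  # ${MAIL}

    # per-filer cleanup; the directory itself is removed by the EXIT trap
    rm -f "${TMP}" "${ROOTUSE}" "${RAW}"
  else
    echo "$(date) Filer ${FILER} access (ping) ERROR"|tee -a "${LOG}"|tee -a "${TMP}"
  fi  # ping

done

echo "$(date) Ended." | tee -a "${LOG}"

exit 0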

