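#!/bin/ksh
# $Id: syslog,v 1.7 2011/08/19 15:53:19 ksb Exp $
# We're a netlint plugin that records syslog host depends. (ksb)
# We go to the trouble to lookup the IP we see, for the reporter.
#****p* netlint/syslog
# NAME
#	syslog
# DESCRIPTION
#	Hosts can send syslog(3) messages to peer servers to consolidate reports or
#	trade some network bandwidth for disk resources.  If the target host doesn't
#	allow incoming syslog or doesn't exist then we have a netlint error.
# SITE POLICY
#	The file ~netlint/lib/syslog contains a mk spell to check an IP against
#	site policy.  For out-going (TO) lines we cast:
#		mk -smTo -dnode -DIP="list" syslog
#	where node is the name of the node we send to, and list is a list of IP
#	addresses we saw for that name (from the clients resolver).
#
#	For listen addresses we cast:
#		mk -smListen -dip syslog
#	where ip is the local IP we are bound to.  We don't send 127.0.0.1, because
#	that clutters the files and is hardly worth checking.
#
#	If the file ~netlint/lib/syslog is executable we run it with the same
#	parameters as the plugin.  Any output is viewed as local policy comments on
#	the syslog configuration.  Zero length output is ignored.
#***

# We might be getting a bad IP from someplace (Trap what you've seen).
# Every setting below may be overridden from the environment; a default is
# only applied when the variable is unset or empty.
PROGNAME=`basename "$0"`
# CARP is the reporter each finding is handed to, one finding per call.
: ${CARP:=echo}
: ${MYNAME:=`hostname`}
# On Linux nslookup wants -sil (silent) to suppress its deprecation notice;
# elsewhere the bare command will do.  NSLOOKUP is expanded unquoted below
# on purpose: it may carry that option as a second word.
: ${NSLOOKUP:=`case _\`uname -s\` in _Linux) echo "nslookup -sil" ;; _*) echo "nslookup" ;; esac`}
# Our own addresses as the local resolver reports them: the first "Addr..."
# line of the output is dropped (presumably the resolver's own address),
# commas become blanks and the first run of blanks on each line is squeezed.
# Phase II substitutes this list for a wildcard (0.0.0.0) listener.
: ${IP_LIST:=`$NSLOOKUP "$MYNAME" 2>/dev/null | egrep "^Addr[es]*:[ ]*" | sed -e '1d' -e 's,^Addr[es]*: *,,' -e 'y/,/ /' -e 's,[ ][ ]*, ,'`}
export CARP IP_LIST

# -V: print our version and the address list we resolved, then stop.
# IP_LIST is left unquoted here so the list prints as one blank-separated row.
if [ _"$1" = _"-V" ]; then
	echo "$PROGNAME: "'$Id: syslog,v 1.7 2011/08/19 15:53:19 ksb Exp $'
	echo "$PROGNAME: IP list" $IP_LIST
	exit 0
fi

#****a* syslog/SYSLOG_MISSING
# NAME
#	SYSLOG_MISSING
# FORMAT
#	SYSLOG_MISSING: path
# DESCRIPTION
#	Netlint could not find syslog.conf in any of:
#		* $SYSLOG_CONF
#		* /etc/syslog.conf
# IMPACT
#	This is always an error unless site policy states otherwise.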
#***
# Just like a C program, open the file, (ksb)
# strip comments and all but the last column, report the @host parts,
# close it, then go crazy with awk.
# Phase I: every "@host" action in syslog.conf names a peer we forward to.
: ${SYSLOG_CONF:=/etc/syslog.conf}
# A missing configuration is reported, not fatal: we exit 0 so the rest of
# the netlint run carries on.
# NOTE(review): SYSLOG_CONF is expanded unquoted here; a path containing
# blanks would break the redirection -- quote it.
exec 3<$SYSLOG_CONF || {
	${CARP} "SYSLOG_MISSING: $SYSLOG_CONF"
	exit 0
}
# Keep only the action column (the text after the last blank) with comments
# removed, split comma-separated targets one per line, and keep just the
# remote-host actions with their leading "@" stripped.
sed 0<&3 \
	-e 's/#.*//' \
	-e 's/^.* //' \
	-e 's/^[ ]*//' |
tr ',' '\012' |
sed -n -e 's/^@//p' |
# Resolve each host name the way a client would ($NSLOOKUP) and emit
# "host ip" pairs, one per address.  The awk filter takes every other
# "Addr..." line (the first, presumably the resolver's own, is skipped) and
# any colon-free line that follows a kept one as a further address.
# -i/dev/null presumably gives each nslookup an empty stdin rather than
# our pipe -- verify against xapply(1).
# NOTE(review): each host name is substituted for %1 inside a shell
# command string that xapply hands to a sub-shell; that trusts the contents
# of $SYSLOG_CONF (normally root-owned) as much as a shell script.
xapply -f -i/dev/null "$NSLOOKUP"' %1 | tr -d "," | awk -F: "BEGIN { inResult = 1; doPrint = 0; } \$1 ~ /^Addr[es]*/ { if (0 == inResult) inResult = 1; else inResult = 0; doPrint = inResult; if (0 != doPrint) { print \$2; } next; } NF != 1 { doPrint = 0; } { if (doPrint) { print \$1; } }" | sed -e "s/^[ ]*//" -e "s/[ ][ ]/ /g" | tr " " "\012" | sort -u| sed -e "s/\\(.*\\)/%1 \\1/"' - |
#****a* syslog/SYSLOG_TO
# NAME
#	SYSLOG_TO
# FORMAT
#	SYSLOG_TO: host ip
# DESCRIPTION
#	This host is configured to send some messages to the specified host.  The IP
#	is netlint's best guess at the addresses the node would try for that host
#	using nslookup or host.
# IMPACT
#	Forwarding syslog messages to a dead IP, or to a host that is not willing
#	to process the message is a serious gap in infrastructure.  Lost messages
#	are always bad for the site, overall.  These issues should be remediated
#	before any critical alerts are lost.
# SEE ALSO
#	SYSLOG_LISTEN
#***
# CARP is exported above, so the sub-shell xapply spawns can expand it.
xapply -f '${CARP} SYSLOG_TO: "%1"' -
exec 3<&-

# phase II find out if we are listening for other syslog traffic
# netstat -na shows the local address in column 1 on SunOS and in
# column 4 elsewhere (Linux-style output).
case _`uname -s` in
_SunOS)
	WHCOL='$1'
	;;
_*)
	WHCOL='$4'
	;;
esac
# Every local address bound to port 514, whatever the protocol.  The IPv4
# wildcard 0.0.0.0 is rewritten to "*" and then to our own address list, so
# a wildcard bind is reported once per interface; loopback is dropped and
# empty lines are filtered before reporting.
# NOTE(review): the pattern requires a digit or "*" right before the port,
# so an IPv6 wildcard listener (":::514" on Linux) does not match and is
# never reported -- confirm whether that is intended.
# NOTE(review): $IP_LIST is spliced into a sed replacement.  It is built
# from our own resolver output and should hold only addresses and blanks;
# a "/" or "&" in it would change the expression.
netstat -na |
awk "$WHCOL ~ /[*0-9][.:]514$/ { print $WHCOL; }" |
sed -e 's/[.:]514$//' -e 's/0\.0\.0\.0/*/' |
sed -e "s/\*/$IP_LIST/" |
tr ' ' '\012' |
grep -v '^127\.0\.0\.[0-9]*$' |
sort -u |
grep . |
#****a* syslog/SYSLOG_LISTEN
# NAME
#	SYSLOG_LISTEN
# FORMAT
#	SYSLOG_LISTEN: ip
# DESCRIPTION
#	The list of network interfaces from which syslogd might accept client
#	messages.
#	Site policy might match clients to servers to assure that no node logs to
#	a dead IP or service.
# SEE ALSO
#	SYSLOG_TO
#***
xapply -f '${CARP} SYSLOG_LISTEN: "%1"' -
exit 0