1 #!/usr/bin/perl
3 # Copyright (C) 2003 Jonathan Middleton <jjm@ixtab.org.uk
4 # Copyright (C) 2001 Paul Slootman <paul@debian.org>
6 # This file is part of Logcheck.
8 # Logcheck is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 2 of the License, or
11 # (at your option) any later version.
13 # Logcheck is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with Logcheck; if not, write to the Free Software
20 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 use strict;
23 use warnings;
24 my ($size, $logfile, $offsetfile);
25 use Getopt::Std;
26 use File::Basename;
27 my %opts = ();
29 # process args and switches
30 my ($TEST_MODE) = 0;
31 getopts("f:o:t", \%opts);
33 # try to detect plain logtail invocation without switches
34 if (!$opts{f} && $#ARGV != 0 && $#ARGV != 1) {
35 print STDERR "No logfile to read. Use -f [LOGFILE].\n";
36 exit 66;
37 } elsif ($#ARGV == 0) {
38 $logfile = $ARGV[0];
39 $offsetfile = $opts{o};
40 } elsif ($#ARGV == 1) {
41 ($logfile, $offsetfile) = ($ARGV[0], $ARGV[1]);
42 } else {
43 ($logfile, $offsetfile) = ($opts{f}, $opts{o});
44 }
46 if ($opts{t}) {
47 $TEST_MODE = 1;
48 }
51 sub print_from_offset {
52 my ($filename, $offset) = @_;
53 # this subroutine prints the contents of the file named $filename,
54 # starting offset $offset.
55 #print "print_from_offset $filename, $offset\n";
56 unless (open(LOGFILE, $filename)) {
57 print STDERR "File $logfile cannot be read: $!\n";
58 exit 66;
59 }
61 seek(LOGFILE, $offset, 0);
63 while (<LOGFILE>) {
64 print $_;
65 }
67 $size = tell LOGFILE;
68 close LOGFILE;
69 return $size;
70 }
72 sub mtime {
73 my ($filename) = @_;
74 my $mtime = 0;
75 unless (-e $filename && ($mtime = ((stat($filename))[8])) ) {
76 print STDERR "Cannot get $filename mtime: $!\n";
77 exit 65;
78 }
79 return $mtime;
80 }
82 sub inode {
83 my ($filename) = @_;
84 my $inode = 0;
85 unless (-e $filename && ($inode = ((stat($filename))[1])) ) {
86 print STDERR "Cannot get $filename inode: $!\n";
87 exit 65;
88 }
89 return $inode;
90 }
92 sub get_directory_contents {
93 my ($filename) = @_;
94 my $dirname = dirname($filename);
95 unless (opendir(DIR, $dirname)) {
96 print STDERR "Cannot open directory $dirname: $!\n";
97 exit 65;
98 }
99 my @direntries = readdir(DIR);
100 closedir DIR;
101 return @direntries;
102 }
104 sub determine_rotated_logfile {
105 my ($filename,$inode) = @_;
106 my $rotated_filename;
107 # this subroutine tries to guess to where a given log file was
108 # rotated. Its magic is mainly taken from logcheck's logoutput()
109 # function with dateext magic added.
111 #print "determine_rotated_logfile $filename $inode\n";
112 for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
113 my $func = do $codefile;
114 if (!$func) {
115 print STDERR "cannot compile $codefile: $!";
116 exit 68;
117 }
118 $rotated_filename = $func->($filename);
119 last if $rotated_filename;
120 }
121 #if ($rotated_filename) {
122 # print "rotated_filename $rotated_filename (". inode($rotated_filename). ")\n";
123 #} else {
124 # print "no rotated file found\n";
125 #}
126 if ($rotated_filename && -e "$rotated_filename" && inode($rotated_filename) == $inode) {
127 return $rotated_filename;
128 } else {
129 return "";
130 }
131 }
133 if (! -f $logfile) {
134 print STDERR "File $logfile cannot be read: $!\n";
135 exit 66;
136 }
137 unless ($offsetfile) {
138 # offsetfile not given, use .offset/$logfile in the same directory
139 $offsetfile = $logfile . '.offset';
140 }
142 my ($inode, $ino, $offset) = (0, 0, 0);
144 if ($offsetfile) {
145 # If offset file exists, open and parse it.
146 if (open(OFFSET, $offsetfile)) {
147 $_ = <OFFSET>;
148 if (defined $_) {
149 chomp $_;
150 $inode = $_;
151 $_ = <OFFSET>;
152 if (defined $_) {
153 chomp $_;
154 $offset = $_;
155 }
156 }
157 }
159 # determine log file inode and size
160 unless (($ino,$size) = (stat($logfile))[1,7]) {
161 print STDERR "Cannot get $logfile file size: $!\n";
162 exit 65;
163 }
165 if ($inode == $ino) {
166 # inode is still the same
167 exit 0 if $offset == $size; # short cut
168 if ($offset > $size) {
169 $offset = 0;
170 print "***************\n";
171 print "*** WARNING ***: Log file $logfile is smaller than last time checked!\n";
172 print "*************** This could indicate tampering.\n";
173 }
174 }
176 if ($inode != $ino) {
177 # this is the interesting case: inode has changed.
178 # So the file might have been rotated. We need to print the
179 # entire file.
180 # Additionally, we might want to see whether we can find the
181 # previous instance of the file and to process it from here.
182 #print "inode $inode, ino $ino\n";
183 my $rotatedfile = determine_rotated_logfile($logfile,$inode);
184 if ( $rotatedfile ) {
185 print_from_offset($rotatedfile,$offset);
186 }
187 # print the actual file from beginning
188 $offset = 0;
189 }
190 }
192 $size = print_from_offset($logfile,$offset);
194 # update offset, unless test mode
195 unless ($TEST_MODE) {
196 unless (open(OFFSET, ">", $offsetfile)) {
197 print STDERR "File $offsetfile cannot be created. Check your permissions: $!\n";
198 exit 73;
199 }
200 print OFFSET "$ino\n$size\n";
201 close OFFSET;
202 }
203 exit 0;