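#! /usr/pkg/bin/perl
# -*- mode: perl; perl-indent-level: 8 -*-
#
# Copyright (c) 2003 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $Id$
#
# kdc-log-analyze - Analyze a KDC log file and give a report on the contents
#
# Note: The parts you most likely want to customize are the variable
# $notlocal, the array @local_networks_re and the array @local_realms.
#
# Idea and implementation for MIT Kerberos was done first by
# Ken Hornstein <kenh@cmf.nrl.navy.mil>, this program wouldn't exist
# without his help.
#
# Every principal, realm and address printed in the report is copied from
# the log text.  Principal names in requests are chosen by the requester,
# so read the report as untrusted text rather than as verified identities.
#

use strict;
use Sys::Hostname;

# Label used in the report headings for addresses outside the local networks.
my $notlocal = 'not SU';

# Realms that islocalrealm() treats as local.
my @local_realms = ( "SU.SE" );

# Regular expressions, one per local network prefix, tested by islocaladdr()
# against the textual address taken from the log.  Keep them single-quoted
# so the backslashes reach the regex engine: in double quotes "\." collapses
# to ".", which matches any character.  Anchor each one with ^ and end IPv4
# prefixes on an escaped dot; an unanchored 130.237 would also classify an
# address such as 10.130.237.1 as local and keep it out of the non-local
# lists.
# NOTE(review): anchored patterns do not match an IPv4-mapped IPv6 form
# (::ffff:a.b.c.d) - add a pattern if your KDC logs addresses that way.
my @local_networks_re =
	(
	 '^130\.237\.',
	 '^193\.11\.3[0-9]\.',
	 '^130\.242\.128\.',
	 '^2001:6b0:5:'
	);

# AS-REQ counters, keyed by client address / client principal / service.
my $as_req = 0;
my %as_req_addr;
my %as_req_addr_nonlocal;
my %as_req_client;
my %as_req_server;

# Addresses and principals seen with a DES ticket enctype.
my %addr_uses_des;
my %princ_uses_des;

# 524-REQ (krb5 to krb4 ticket conversion) counters.
my $five24_req = 0;
my %five24_req_addr;
my %five24_req_addr_nonlocal;
my %five24_req_server;
my %five24_req_client;

# Declared for the report but not updated anywhere in this script.
my $as_req_successful = 0;
my $as_req_error = 0;

# "No such entry in the database" lookups.
my $no_such_princ = 0;
my %no_such_princ_princ;
my %no_such_princ_addr;
my %no_such_princ_addr_nonlocal;

# Not updated anywhere in this script.
my $as_req_etype_odd = 0;

# Bytes sent per client address.
my %bw_addr;

# Not updated anywhere in this script.
my $pa_alt_princ_request = 0;
my $pa_alt_princ_verify = 0;

# TGS-REQ counters and cross-realm breakdown.
my $tgs_req = 0;
my %tgs_req_addr;
my %tgs_req_addr_nonlocal;
my %tgs_req_client;
my %tgs_req_server;
my $tgs_xrealm_out = 0;
my %tgs_xrealm_out_realm;
my %tgs_xrealm_out_princ;
my $tgs_xrealm_in = 0;
my %tgs_xrealm_in_realm;
my %tgs_xrealm_in_princ;

# Encryption types from "Using <ticket>/<session>" lines.
my %enctype_session;
my %enctype_ticket;

my $restarts = 0;
my $forward_non_forward = 0;

# Kerberos 4 requests and cross-realm attempts.
my $v4_req = 0;
my %v4_req_addr;
my %v4_req_addr_nonlocal;
my $v4_cross = 0;
my %v4_cross_realm;
my $v5_cross = 0;
my %v5_cross_realm;

# Referrals returned for servers that were not found.
my $referrals = 0;
my %referral_princ;
my %referral_realm;

# Transport-level oddities, keyed by client address.
my %strange_tcp_data;
my $http_malformed = 0;
my %http_malformed_addr;
my $http_non_kdc = 0;
my %http_non_kdc_addr;
my $tcp_conn_timeout = 0;
my %tcp_conn_timeout_addr;
my $failed_processing = 0;
my %failed_processing_addr;
my $connection_closed = 0;
my %connection_closed_addr;

# Pre-authentication failures ("Failed to decrypt PA-DATA").
my $pa_failed = 0;
my %pa_failed_princ;
my %pa_failed_addr;

# Requests per IP version; both keys exist so the report never prints an
# empty count.
my %ip = ('4' => 0, '6' => 0);

# Feed every input line (files named on the command line, or stdin) to the
# parser before any of the report is printed.
while (my $line = <>) {
	process_line($line);
}

print "Kerberos KDC Log Report for ",
	hostname(), " on ", scalar(localtime), "\n\n";

print "General Statistics\n\n";

print "\tNumber of IPv4 requests: $ip{'4'}\n";
print "\tNumber of IPv6 requests: $ip{'6'}\n\n";

print "\tNumber of restarts: $restarts\n";
print "\tNumber of V4 requests: $v4_req\n";
if ($v4_req > 0) {
	print "\tTop ten IP addresses performing V4 requests:\n";
	topten(\%v4_req_addr);
}
if (scalar(keys %v4_req_addr_nonlocal) > 0) {
	print "\tTop ten $notlocal IP addresses performing V4 requests:\n";
	topten(\%v4_req_addr_nonlocal);
}
print "\n";

print "\tNumber of V4 cross realms (krb4 and 524) requests: $v4_cross\n";
if ($v4_cross > 0) {
	print "\tTop ten realms performing V4 cross requests:\n";
	topten(\%v4_cross_realm);
}
print "\n";

# These two labels used to read "V45" and "V4"; the data is the V5 counter.
print "\tNumber of V5 cross realms requests: $v5_cross\n";
if ($v5_cross > 0) {
	print "\tTop ten realms performing V5 cross requests:\n";
	topten(\%v5_cross_realm);
}
print "\n";

print "\tNumber of failed lookups: $no_such_princ\n";
if ($no_such_princ > 0) {
	print "\tTop ten IP addresses failing to find principal:\n";
	topten(\%no_such_princ_addr);
	print "\tTop ten $notlocal IP addresses failing find principal:\n";
	topten(\%no_such_princ_addr_nonlocal);
	print "\tTop ten failed to find principals\n";
	topten(\%no_such_princ_princ);
}
print "\n";

print "\tBandwidth pigs:\n";
topten(\%bw_addr);
print "\n";

print "\tStrange TCP data clients: ", scalar(keys %strange_tcp_data), "\n";
topten(\%strange_tcp_data);
print "\n";

print "\tTimeout waiting on TCP requests: ", $tcp_conn_timeout, "\n";
if ($tcp_conn_timeout > 0) {
	print "\tTop ten TCP timeout request clients\n";
	topten(\%tcp_conn_timeout_addr);
}
print "\n";

print "\tFailed processing requests: ", $failed_processing, "\n";
if ($failed_processing > 0) {
	print "\tTop ten failed processing request clients\n";
	topten(\%failed_processing_addr);
}
print "\n";

print "\tConnection closed requests: ", $connection_closed, "\n";
if ($connection_closed > 0) {
	print "\tTop ten connection closed request clients\n";
	topten(\%connection_closed_addr);
}
print "\n";

print "\tMalformed HTTP requests: ", $http_malformed, "\n";
if ($http_malformed > 0) {
	print "\tTop ten malformed HTTP request clients\n";
	topten(\%http_malformed_addr);
}
print "\n";

print "\tHTTP non kdc requests: ", $http_non_kdc, "\n";
if ($http_non_kdc > 0) {
	print "\tTop ten HTTP non KDC request clients\n";
	topten(\%http_non_kdc_addr);
}
print "\n";

print "Report on AS_REQ requests\n\n";
print "Overall AS_REQ statistics\n\n";

print "\tTotal number: $as_req\n";

print "\nAS_REQ client/server statistics\n\n";

print "\tDistinct IP Addresses performing requests: ",
	scalar(keys %as_req_addr), "\n";
print "\tOverall top ten IP addresses\n";
topten(\%as_req_addr);

print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
	scalar(keys %as_req_addr_nonlocal), "\n";
print "\tTop ten non-local ($notlocal) IP address:\n";
topten(\%as_req_addr_nonlocal);

# Pre-authentication failures are attributed to the request line that
# preceded them in the log (see process_line), so treat the address and
# principal rankings below as a lead to follow up, not as proof.
print "\n\tPreauth failed for: ", $pa_failed, " requests\n";
if ($pa_failed) {
	print "\tPreauth failed top ten IP addresses:\n";
	topten(\%pa_failed_addr);
	print "\tPreauth failed top ten principals:\n";
	topten(\%pa_failed_princ);
}

print "\n\tDistinct clients performing requests: ",
	scalar(keys %as_req_client), "\n";
print "\tTop ten clients:\n";
topten(\%as_req_client);

print "\tDistinct services requested: ", scalar(keys %as_req_server), "\n";
print "\tTop ten requested services:\n";
topten(\%as_req_server);

print "\n\n\nReport on TGS_REQ requests:\n\n";
print "Overall TGS_REQ statistics\n\n";
print "\tTotal number: $tgs_req\n";

print "\nTGS_REQ client/server statistics\n\n";
print "\tDistinct IP addresses performing requests: ",
	scalar(keys %tgs_req_addr), "\n";
print "\tOverall top ten IP addresses\n";
topten(\%tgs_req_addr);

print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
	scalar(keys %tgs_req_addr_nonlocal), "\n";
print "\tTop ten non-local ($notlocal) IP address:\n";
topten(\%tgs_req_addr_nonlocal);

print "\tDistinct clients performing requests: ",
	scalar(keys %tgs_req_client), "\n";
print "\tTop ten clients:\n";
topten(\%tgs_req_client);

print "\tDistinct services requested: ", scalar(keys %tgs_req_server), "\n";
print "\tTop ten requested services:\n";
topten(\%tgs_req_server);

print "\n\n\nReport on 524_REQ requests:\n\n";

print "\t524_REQ client/server statistics\n\n";

print "\tDistinct IP Addresses performing requests: ",
	scalar(keys %five24_req_addr), "\n";
print "\tOverall top ten IP addresses\n";
topten(\%five24_req_addr);

print "\tDistinct non-local ($notlocal) IP Addresses performing requests: ",
	scalar(keys %five24_req_addr_nonlocal), "\n";
print "\tTop ten non-local ($notlocal) IP address:\n";
topten(\%five24_req_addr_nonlocal);

print "\tDistinct clients performing requests: ",
	scalar(keys %five24_req_client), "\n";
print "\tTop ten clients:\n";
topten(\%five24_req_client);

print "\tDistinct services requested: ",
	scalar(keys %five24_req_server), "\n";
print "\tTop ten requested services:\n";
topten(\%five24_req_server);
print "\n";

print "Cross realm statistics\n\n";

print "\tNumber of cross-realm tgs out: $tgs_xrealm_out\n";
if ($tgs_xrealm_out > 0) {
	print "\tTop ten realms used for out cross-realm:\n";
	topten(\%tgs_xrealm_out_realm);
	print "\tTop ten principals use out cross-realm:\n";
	topten(\%tgs_xrealm_out_princ);
}
print "\tNumber of cross-realm tgs in: $tgs_xrealm_in\n";
if ($tgs_xrealm_in > 0) {
	print "\tTop ten realms used for in cross-realm:\n";
	topten(\%tgs_xrealm_in_realm);
	print "\tTop ten principals use in cross-realm:\n";
	topten(\%tgs_xrealm_in_princ);
}

print "\n\nReport on referral:\n\n";

print "\tNumber of referrals: $referrals\n";
if ($referrals > 0) {
	print "\tTop ten referral-ed principals:\n";
	topten(\%referral_princ);
	print "\tTop ten to realm referrals:\n";
	topten(\%referral_realm);
}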
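print "\n\nEnctype Statistics:\n\n";
print "\tTop ten session enctypes:\n";
topten(\%enctype_session);
print "\tTop ten ticket enctypes:\n";
topten(\%enctype_ticket);

# The DES figures are derived from the ticket enctype only (see the
# "Using" branch of process_line).
print "\tDistinct IP addresses using DES: ", scalar(keys %addr_uses_des), "\n";
print "\tTop IP addresses using DES:\n";
topten(\%addr_uses_des);
print "\tDistinct principals using DES: ", scalar(keys %princ_uses_des), "\n";
print "\tTop ten principals using DES:\n";
topten(\%princ_uses_des);

print "\n";

# Plain print: the text is not a format string.
print "Requests to forward non-forwardable ticket: $forward_non_forward\n";


exit 0;

# Address and client principal of the most recent request line.  Log lines
# that carry no address of their own (failed lookups, enctype selection,
# pre-authentication failures) are attributed to these values.
#
# The declarations sit after "exit 0", so a run-time initialiser here would
# never execute; BEGIN sets the empty-string start value at compile time.
my ($last_addr, $last_principal);
BEGIN { $last_addr = $last_principal = ""; }

# process_line LINE
#
# Classify one KDC log line and update the file-level counters.  The
# patterns are tried in order and the first match wins, so the more
# specific forms (krb4, "disabled", "via [...]") must stay ahead of the
# general ones.  Lines that match nothing are echoed to stdout.
#
# NOTE(review): attribution through $last_addr / $last_principal assumes
# that a detail line follows the request line it belongs to; if the KDC
# interleaves lines from several requests, a failure can be charged to the
# wrong address or principal - confirm against real logs.
sub process_line {
	local($_) = @_;

	if (/AS-REQ \(krb4\) (.*) from IPv([46]):([0-9\.:a-fA-F]+) for krbtgt.*$/) {
		# Copy the captures at once; later matches would replace them.
		my ($client, $ipver, $addr) = ($1, $2, $3);
		$v4_req++;
		$v4_req_addr{$addr}++;
		$v4_req_addr_nonlocal{$addr}++ if (!islocaladdr($addr));
		$last_addr = $addr;
		$last_principal = $client;
		$ip{$ipver}++;
	} elsif (/AS-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
		my ($client, $ipver, $addr, $server) = ($1, $2, $3, $4);
		$as_req++;
		$as_req_client{$client}++;
		$as_req_server{$server}++;
		$as_req_addr{$addr}++;
		$as_req_addr_nonlocal{$addr}++ if (!islocaladdr($addr));
		$last_addr = $addr;
		$last_principal = $client;
		$ip{$ipver}++;
	} elsif (/TGS-REQ \(krb4\)/) {
		# Nothing
	} elsif (/TGS-REQ (.+) from IPv([46]):([0-9\.:a-fA-F]+) for (.*?)( \[.*\]){0,1}$/) {
		my ($source, $ipver, $addr, $dest) = ($1, $2, $3, $4);
		$tgs_req++;
		$tgs_req_client{$source}++;
		$tgs_req_server{$dest}++;
		$tgs_req_addr{$addr}++;
		$tgs_req_addr_nonlocal{$addr}++ if (!islocaladdr($addr));
		$last_addr = $addr;
		$last_principal = $source;
		$ip{$ipver}++;

		# Inbound cross-realm: the client principal is not in a
		# local realm.
		if (!islocalrealm($source)) {
			$tgs_xrealm_in++;
			$tgs_xrealm_in_princ{$source}++;
			if ($source =~ /[^\@]+\@([^\@]+)/) {
				$tgs_xrealm_in_realm{$1}++;
			}
		}
		# Outbound cross-realm: a krbtgt for a realm that is not
		# local was requested.
		if ($dest =~ /krbtgt\/([^\@]+)\@[^\@]+/) {
			my $target_realm = $1;
			if (!islocalrealm($target_realm)) {
				$tgs_xrealm_out++;
				$tgs_xrealm_out_realm{$target_realm}++;
				$tgs_xrealm_out_princ{$source}++;
			}
		}
	} elsif (/524-REQ (.*) from IPv([46]):([0-9\.:a-fA-F]+) for (.*)$/) {
		my ($client, $ipver, $addr, $server) = ($1, $2, $3, $4);
		$five24_req++;
		$five24_req_client{$client}++;
		$five24_req_server{$server}++;
		$five24_req_addr{$addr}++;
		$five24_req_addr_nonlocal{$addr}++ if (!islocaladdr($addr));
		$last_addr = $addr;
		$last_principal = $client;
		$ip{$ipver}++;
	} elsif (/TCP data of strange type from IPv[46]:([0-9\.:a-fA-F]+)/) {
		$strange_tcp_data{$1}++;
	} elsif (/Lookup (.*) failed: No such entry in the database/) {
		my $princ = $1;
		$no_such_princ++;
		$no_such_princ_addr{$last_addr}++;
		$no_such_princ_addr_nonlocal{$last_addr}++ if (!islocaladdr($last_addr));
		$no_such_princ_princ{$princ}++;
	} elsif (/Lookup .* succeeded$/) {
		# Nothing
	} elsif (/Malformed HTTP request from IPv[46]:([0-9\.:a-fA-F]+)$/) {
		$http_malformed++;
		$http_malformed_addr{$1}++;
	} elsif (/TCP-connection from IPv[46]:([0-9\.:a-fA-F]+) expired after [0-9]+ bytes/) {
		$tcp_conn_timeout++;
		$tcp_conn_timeout_addr{$1}++;
	} elsif (/Failed processing [0-9]+ byte request from IPv[46]:([0-9\.:a-fA-F]+)/) {
		$failed_processing++;
		$failed_processing_addr{$1}++;
	} elsif (/connection closed before end of data after [0-9]+ bytes from IPv[46]:([0-9\.:a-fA-F]+)/) {
		$connection_closed++;
		$connection_closed_addr{$1}++;
	} elsif (/HTTP request from IPv[46]:([0-9\.:a-fA-F]+) is non KDC request/) {
		$http_non_kdc++;
		$http_non_kdc_addr{$1}++;
	} elsif (/returning a referral to realm (.*) for server (.*) that was not found/) {
		my ($realm, $server) = ($1, $2);
		$referrals++;
		$referral_princ{$server}++;
		$referral_realm{$realm}++;
	} elsif (/krb4 Cross-realm (.*) -> (.*) disabled/) {
		$v4_cross++;
		$v4_cross_realm{$1."->".$2}++;
	} elsif (/524 cross-realm (.*) -> (.*) disabled/) {
		$v4_cross++;
		$v4_cross_realm{$1."->".$2}++;
	} elsif (/cross-realm (.*) -> (.*): no transit through realm (.*)/) {
		# Recognised but not counted: transit rejections do not
		# appear anywhere in the report.
	} elsif (/cross-realm (.*) -> (.*) via \[([^\]]+)\]/) {
		$v5_cross++;
		$v5_cross_realm{$1."->".$2}++;
	} elsif (/cross-realm (.*) -> (.*)/) {
		$v5_cross++;
		$v5_cross_realm{$1."->".$2}++;
	} elsif (/sending ([0-9]+) bytes to IPv[46]:([0-9\.:a-fA-F]+)/) {
		$bw_addr{$2} += $1;
	} elsif (/Using ([-a-z0-9]+)\/([-a-z0-9]+)/) {
		my ($ticket, $session) = ($1, $2);
		$enctype_ticket{$ticket}++;
		$enctype_session{$session}++;

		# NOTE(review): only the ticket enctype is tested for DES; a
		# DES session enctype paired with a non-DES ticket enctype
		# is not counted - confirm that this is intended.
		if ($ticket =~ /des-cbc-(crc|md4|md5)/) {
			$addr_uses_des{$last_addr}++;
			$princ_uses_des{$last_principal}++;
		}

	} elsif (/Failed to decrypt PA-DATA -- (.+)$/) {
		$pa_failed++;
		$pa_failed_princ{$last_principal}++;
		$pa_failed_addr{$last_addr}++;

	} elsif (/Request to forward non-forwardable ticket/) {
		$forward_non_forward++;
	}
	#
	# Everything from here to "listening on IP" is recognised so that
	# it is not reported as unknown, but nothing is counted for it.
	# That includes wrong-address, time-skew and client-not-found
	# messages.
	#
	elsif (/HTTP request:/) {
	} elsif (/krb_rd_req: Incorrect network address/) {
	} elsif (/krb_rd_req: Ticket expired \(krb_rd_req\)/) {
	} elsif (/Ticket expired \(.*\)/) {
	} elsif (/krb_rd_req: Can't decode authenticator \(krb_rd_req\)/) {
	} elsif (/Request from wrong address/) {
		# XXX
	} elsif (/UNKNOWN --/) {
		# XXX
	} elsif (/Too large time skew -- (.*)$/) {
		# XXX
	} elsif (/No PA-ENC-TIMESTAMP --/) {
		# XXX
	} elsif (/Looking for pa-data --/) {
		# XXX
	} elsif (/Pre-authentication succeded -- (.+)$/) {
		# XXX
	} elsif (/Bad request for ([,a-zA-Z0-9]+) ticket/) {
		# XXX
	} elsif (/Failed to verify AP-REQ: Ticket expired/) {
		# XXX
	} elsif (/Client not found in database:/) {
		# XXX
	} elsif (/Server not found in database \(krb4\)/) {
	} elsif (/Server not found in database:/) {
		# XXX
	} elsif (/newsyslog.*logfile turned over/) {
		# Nothing
	} elsif (/Requested flags:/) {
		# Nothing
	} elsif (/shutting down/) {
		# Nothing
	} elsif (/listening on IP/) {
		# Nothing
	} elsif (/commencing operation/) {
		# Startup message: count it as a restart.
		$restarts++;
	}
	#
	# Log it if we didn't parse the line.  The line is echoed exactly
	# as it appeared in the log.
	#
	else {
		print "Unknown log file line: $_";
	}
}

# topten HASHREF
#
# Print at most ten "key - count" lines from %$HASHREF, highest count
# first.  Keys with equal counts are ordered by name so that two runs over
# the same log produce the same report.
sub topten {
	my ($list) = @_;

	my @keys = sort { $list->{$b} <=> $list->{$a} or $a cmp $b }
		keys %{$list};
	# Truncate only when there is something to cut; splicing past the
	# end of a short list is an error case in Perl.
	$#keys = 9 if (@keys > 10);

	foreach my $key (@keys) {
		print "\t\t$key - $list->{$key}\n";
	}
}

# islocaladdr ADDR
#
# Return 1 if ADDR starts with one of the prefixes in @local_networks_re,
# else 0.  The match is anchored at the start of the address: a prefix
# that merely occurs somewhere inside an address must not make it local,
# because local addresses are left out of the non-local rankings.
#
# No (\$) prototype: it would pass a reference instead of the address if
# this sub were ever declared ahead of its callers.
sub islocaladdr {
	my ($addr) = @_;

	return 0 unless (defined $addr);
	foreach my $net (@local_networks_re) {
		return 1 if ($addr =~ /\A(?:$net)/);
	}
	return 0;
}

# islocalrealm PRINC
#
# Return 1 if PRINC is a local realm name or a principal whose realm is
# exactly one of @local_realms, else 0.  The realm is compared literally
# (\Q..\E) and up to the end of the string, so a realm whose name only
# begins with a local realm name (for example <local realm>.EXAMPLE) is
# still reported as cross-realm.
sub islocalrealm {
	my ($princ) = @_;

	return 0 unless (defined $princ);
	foreach my $realm (@local_realms) {
		return 1 if ($princ eq $realm);
		return 1 if ($princ =~ /[^\@]\@\Q$realm\E\z/);
	}
	return 0;
}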