1
1
##########################################################################
2
# $Id: named,v 1.58 2009/06/02 14:55:45 mike Exp $
2
# $Id: named,v 1.62 2011/01/06 22:53:00 stefan Exp $
3
3
##########################################################################
5
# Revision 1.62 2011/01/06 22:53:00 stefan
6
# add: deferred zone transfers
7
# fix: TTL differs in rdataset
9
# Revision 1.61 2010/09/18 17:35:00 stefan
10
# add: bad zone transfer request
12
# Revision 1.60 2010/05/10 00:25:00 stefan
13
# fix: clients-per-query,
14
# add: more lines to ignore, refused notify, client query denied, retry
15
# limit exceeded, too many open file, no SOA, checkhints
17
# Revision 1.59.1 2010/05/04 22:25:00 stefan
18
# More refresh: and RCODE handling
5
20
# Revision 1.58 2009/06/02 14:55:45 mike
6
21
# Fedora patch from Ivan Varekova -mgt
110
125
## Logwatch project reserves the right to not accept such
111
126
## contributions. If you have made significant
112
127
## contributions to this script and want to claim
113
## copyright please contact logwatch-devel@logwatch.org.
128
## copyright please contact logwatch-devel@lists.sourceforge.net.
114
129
#########################################################
116
131
use Logwatch ':ip';
199
214
($ThisLine =~ /binding TCP socket: address in use/) or
200
215
($ThisLine =~ /dbus_mgr initialization failed. D-BUS service is disabled./) or
201
216
($ThisLine =~ /dbus_svc_add_filter failed/) or
202
($ThisLine =~ /isc_log_open 'named.run' failed: permission denied/) or
203
($ThisLine =~ /weak RSASHA1 \(5\) key found \(exponent=3\)/) or
204
($ThisLine =~ /Bad file descriptor/) or
217
($ThisLine =~ /isc_log_open 'named.run' failed: permission denied/) or
218
($ThisLine =~ /weak RSASHA1 \(5\) key found \(exponent=3\)/) or
219
($ThisLine =~ /Bad file descriptor/) or
205
220
($ThisLine =~ /open: .*: file not found/) or
206
($ThisLine =~ /queries: client [0-9.#:]* view localhost_resolver: query: .* IN .*/) or
221
($ThisLine =~ /queries: client [\.0-9a-fA-F#:]* view localhost_resolver: query: .* IN .*/) or
207
222
($ThisLine =~ /zone .*: NS '.*' is a CNAME \(illegal\)/) or
208
223
($ThisLine =~ /zone .*: zone serial unchanged. zone may fail to transfer to slaves/) or
209
224
($ThisLine =~ /zone .*: loading from master file .* failed/) or
212
227
($ThisLine =~ /.*: unexpected end of input/) or
213
228
($ThisLine =~ /too many timeouts resolving '.*' .*: disabling EDNS/) or
214
229
($ThisLine =~ /too many timeouts resolving '.*' .*: reducing the advertised EDNS UDP packet size to .* octets/) or
215
($ThisLine =~ /reloading zones succeeded/)
216
# too many timeouts resolving 'ns-ext.nrt1.isc.org/AAAA' (in '.'?): disabling EDNS: 3 Time(s)
230
($ThisLine =~ /reloading zones succeeded/) or
231
($ThisLine =~ /success resolving '.*' \(in '.*'?\) after disabling EDNS/) or
232
($ThisLine =~ /success resolving '.*' \(in '.*'?\) after reducing the advertised EDNS UDP packet size to 512 octets/) or
233
($ThisLine =~ /the working directory is not writable/) or
234
($ThisLine =~ /using default UDP\/IPv[46] port range: \[[0-9]*, [0-9]*\]/) or
235
($ThisLine =~ /adjusted limit on open files from [0-9]* to [0-9]*/) or
236
($ThisLine =~ /using up to [0-9]* sockets/) or
237
($ThisLine =~ /built with/) or
238
($ThisLine =~ /TTL differs in rdataset, adjusting [0-9]* -> [0-9]*/) or
239
($ThisLine =~ /max open files \([0-9]*\) is smaller than max sockets \([0-9]*\)/) or
240
($ThisLine =~ /clients-per-query (?:de|in)creased to .*/) or
241
($ThisLine =~ /^must-be-secure resolving '.*': .*/) or
242
($ThisLine =~ /^(error \()?no valid (DS|KEY|RRSIG)\)? resolving '.*': .*/) or
243
($ThisLine =~ /^not insecure resolving '.*': .*/) or
244
($ThisLine =~ /^validating \@0x[[:xdigit:]]+: .* DS: must be secure failure/) or
245
($ThisLine =~ /^(error \()?broken trust chain\)? resolving '.*': .*/) or
246
($ThisLine =~ /journal file [^ ]* does not exist, creating it/) or
247
($ThisLine =~ /serial number \(\d+\) received from master/) or
248
($ThisLine =~ /zone is up to date/) or
249
($ThisLine =~ /refresh in progress, refresh check queued/) or
250
($ThisLine =~ /refresh: NODATA response from master/) or
251
($ThisLine =~ /update with no effect/) or
252
# ignore this line because the following line describes the error
253
($ThisLine =~ /unexpected error/)
218
255
# Don't care about these...
234
271
$ShutdownNamedFail++;
235
272
} elsif ( ($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: zone transfer '(.+)' denied/ ) ) {
236
273
$DeniedZoneTransfers{$Host}{$Zone}++;
274
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.+) zone transfer deferred due to quota/ ) ) {
275
$DeferredZoneTransfers{$Zone}++;
237
276
} elsif ( ($Zone) = ( $ThisLine =~ /cache zone \"(.*)\" loaded/ ) ) {
238
277
$ZoneLoaded{"cache $Zone"}++;
239
278
} elsif ( ($Zone) = ( $ThisLine =~ /cache zone \"(.*)\" .* loaded/ ) ) {
260
299
$ZoneReceivedNotify{$Zone}++;
261
300
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) {
262
301
$ZoneReceivedNotify{$Zone}++;
302
} elsif ( ($Zone) = ( $ThisLine =~ /zone (.+)\/IN: refused notify from non-master/ ) ) {
303
$ZoneRefusedNotify{$Zone}++;
304
# } elsif ( ($Rhost,$Ldom,$Reason) = ( $ThisLine =~ /client ([\d\.a-fA-F:]+) bad zone transfer request: '(.+)': (.+)$/ ) ) {
305
} elsif ( ($Rhost,$Ldom,$Reason) = ( $ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: bad zone transfer request: '(.+)\/IN': (.+)/ ) ) {
306
$BadZone{$Reason}{"$Rhost ($Ldom)"}++;
263
307
} elsif ( ($Host) = ( $ThisLine =~ /([^ ]+) has CNAME and other data \(invalid\)/ ) ) {
264
308
push @CNAMEAndOther, $Host;
265
309
} elsif ( ($File,$Line,$Entry,$Error) = ( $ThisLine =~ /dns_master_load: ([^:]+):(\d+): ([^ ]+): (.+)$/ ) ) {
280
324
} elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query \(cache\) denied/ ) ) {
281
325
$FullClient = LookupIP ($Client);
282
326
$DeniedQuery{$FullClient}++;
283
} elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+:(?: view ([^ ]+):)? update '(.*)' denied/)) {
327
} elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query '.*\/IN' denied/ ) ) {
328
$FullClient = LookupIP ($Client);
329
$DeniedQueryNoCache{$FullClient}++;
330
} elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+:(?: view ([^ ]+):)? update '(.*)' denied/)) {
284
331
$ViewName = ($ViewName ? "/$ViewName" : "");
285
332
$UpdateDenied{"$Rhost ($Ldom$ViewName)"}++;
286
333
} elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) {
297
344
$MasterFailure{"$Zone from $Host"}{$Reason}++;
298
345
} elsif ( ($Zone) = ($ThisLine =~ /zone ([^\/]+)\/.+: refresh: non-authoritative answer from master/)) {
299
346
$NonAuthoritative{$Zone}++;
300
} elsif ( ($ThisLine =~ /unexpected RCODE \((.*)\) resolving/) ){
347
} elsif ( ($Zone) = ($ThisLine =~ /zone ([^\/]+)\/.+: refresh: retry limit for master \S+ exceeded/) ) {
348
$RetryLimit{$Zone}++;
349
} elsif ( ($ThisLine =~ /(?:error \()?unexpected RCODE\)? \(?(.*?)\)? resolving/) ){
301
350
$UnexpRCODE{$1}++;
302
} elsif ( ($ThisLine =~ /FORMERR resolving '[^ ]+: [0-9.#]+/) ) {
351
} elsif ( ($ThisLine =~ /(?:error \()?FORMERR\)? resolving '[^ ]+: [.0-9a-fA-F:#]+/) or
352
($ThisLine =~ /DNS format error from [^ ]+ resolving [^ ]+( for client [^ ]+)?: .*/) ) {
303
353
chomp($ThisLine);
304
354
$FormErr{$ThisLine}++;
305
355
} elsif ( ($ThisLine =~ /found [0-9]* CPU(s)?, using [0-9]* worker thread(s)?/) ) {
314
364
(($ErrorText) = ($ThisLine =~ /^(.* REQUIRE.* failed.*)$/)) or
315
365
(($ErrorText) = ($ThisLine =~ /(.*: fatal error)/)) ) {
316
366
$NError{$ErrorText}++;
317
} elsif ( ($From,$Log) = ($ThisLine =~ /invalid command from ([.0-9]*)#[0-9]*: (.*)/) ) {
367
} elsif ( (($ErrorText) = ($ThisLine =~ /^(internal_accept: fcntl\(\) failed: Too many open files)/)) or
368
(($ErrorText) = ($ThisLine =~ /^(socket: too many open file descriptors)/)) ) {
369
$ErrOpenFiles{$ErrorText}++;
370
} elsif ( ($From,$Log) = ($ThisLine =~ /invalid command from ([\.0-9a-fA-F:]*)#[0-9]*: (.*)/) ) {
318
371
$CCMessages{"$From,$Log"}++;
319
372
} elsif ( (($Log) = ($ThisLine =~ /(freezing .*zone.*)/)) or
320
373
(($Log) = ($ThisLine =~ /(thawing .*zone.*)/)) ) {
323
376
$UnknownCCCommands{$CCC}++;
324
377
} elsif (($CCC) = ($ThisLine =~ /received control channel command '(.*)'/)) {
325
378
$CCCommands{$CCC}++;
326
} elsif (($Name,$Address) = ($ThisLine =~ /network unreachable resolving '(.*)': (.*)/)) {
379
} elsif (($Name,$Address) = ($ThisLine =~ /(?:error \()?network unreachable\)? resolving '(.*)': (.*)/)) {
327
380
$NUR{$Name}{$Address}++;
328
} elsif (($Name,$Address) = ($ThisLine =~ /host unreachable resolving '(.*)': (.*)/)) {
381
} elsif (($Name,$Address) = ($ThisLine =~ /(?:error \()?host unreachable\)? resolving '(.*)': (.*)/)) {
329
382
$HUR{$Name}{$Address}++;
383
} elsif (($Client) = ($ThisLine =~ /client ([\da-fA-F.:]+)(?:#\d*:)? notify question section contains no SOA/)) {
385
} elsif (($Hint) = ($ThisLine =~ /checkhints: (.*)/) ) {
331
388
# Report any unmatched entries...
332
389
# remove PID from named messages
333
$ThisLine =~ s/(client [.0-9]+)\S+/$1/;
390
$ThisLine =~ s/(client [\.0-9a-fA-F:]+)\S+/$1/;
334
391
chomp($ThisLine);
335
392
$OtherList{$ThisLine}++;
428
if ( ( $Detail >= 5 ) and (keys %ZoneRefusedNotify) ) {
429
print "\nZones refused notify:\n";
430
foreach $ThisOne (sort {$a cmp $b} keys %ZoneRefusedNotify) {
431
print " $ThisOne: $ZoneRefusedNotify{$ThisOne} Time(s)\n";
371
435
if ( ($Detail >= 5) and (keys %ChannelAddFail) ) {
372
436
print "\nCan't add command channel:\n";
373
437
foreach $Channel (sort {$a cmp $b} keys %ChannelAddFail) {
383
447
foreach $Zone (sort {$a cmp $b} keys %MasterFailure) {
384
448
print " $Zone:\n";
385
449
foreach $Reason (sort {$a cmp $b} keys %{$MasterFailure{$Zone}}) {
386
print " $Reason: $MasterFailure{$Zone}{$Reason}++ Time(s)\n";
450
print " $Reason: $MasterFailure{$Zone}{$Reason} Time(s)\n";
395
459
foreach my $Zone (keys %{$DeniedZoneTransfers{$Host}}) {
396
460
print " $Zone: $DeniedZoneTransfers{$Host}{$Zone} Time(s)\n";
465
if ( ( $Detail >= 5 ) and (keys %DeferredZoneTransfers) ) {
466
print "\nDeferred Zone Transfers:\n";
467
foreach my $Zone (keys %DeferredZoneTransfers) {
468
print " $Zone: $DeferredZoneTransfers{$Zone} Time(s)\n";
489
if ( ( $Detail >= 10 ) and (keys %BadZone) ) {
490
print "\nBad Zone Transfer Request:\n";
491
foreach $Reason (keys %BadZone) {
492
print " Reason: $Reason\n";
493
foreach $ThisOne (sort {$a cmp $b} (keys %{$BadZone{$Reason}}) ) {
494
print " $ThisOne: $BadZone{$Reason}{$ThisOne} Time(s)\n";
419
499
if ( ( $Detail >= 5 ) and (keys %DeniedTCPClient) ) {
420
500
print "\nno more TCP clients warning:\n";
421
501
foreach $ThisOne (keys %DeniedTCPClient) {
426
506
if ( ( $Detail >= 5 ) and (keys %DeniedQuery) ) {
427
print "\nQueries (cache) that were denied:\n";
507
print "\nQueries (cached) that were denied:\n";
428
508
foreach $ThisOne (keys %DeniedQuery) {
429
509
print " from $ThisOne: $DeniedQuery{$ThisOne} Time(s)\n";
513
if ( ( $Detail >= 10 ) and (keys %DeniedQueryNoCache) ) {
514
print "\nQueries (not cached) that were denied:\n";
515
foreach $ThisOne (sort {$a cmp $b} keys %DeniedQueryNoCache) {
516
print " from $ThisOne: $DeniedQueryNoCache{$ThisOne} Time(s)\n";
433
520
if ( ( $Detail >= 10 ) and (@CNAMEAndOther) ) {
434
521
print "\nThese hosts have CNAME and other data (invalid):\n";
435
522
foreach $ThisOne (@CNAMEAndOther) {
551
if ( ($Detail >= 10) and (keys %RetryLimit) ) {
552
print "\nRetry limit exceeded for these zones:\n";
553
foreach $Zone (sort {$a cmp $b} keys %RetryLimit) {
554
print " $Zone: $RetryLimit{$Zone} Time(s)\n";
558
if ( ($Detail >= 10) and (keys %NoSOA) ) {
559
print "\nNotify question sections of these clients contained no SOA:\n";
560
foreach $Client (sort {$a cmp $b} keys %NoSOA) {
561
print " $Client: $NoSOA{$Client} Time(s)\n";
464
565
if ( ( $Detail >= 10 ) and (keys %NetworkUnreachable) ) {
465
566
print "\nNetwork is unreachable for:\n";
466
567
foreach $ThisOne (sort {$a cmp $b} keys %NetworkUnreachable) {
467
568
print " $ThisOne:\n";
468
569
foreach $Host (sort {$a cmp $b} keys %{$NetworkUnreachable{$ThisOne}}) {
469
570
print " $Host: $NetworkUnreachable{$ThisOne}{$Host} Time(s)\n";
680
if (keys %ErrOpenFiles) {
681
print "\n The following seams to be caused by the patches for CVE-2008-1447.";
682
print "\n Please update your bind.\n";
683
foreach $ThisOne (keys %ErrOpenFiles) {
684
print " " . $ThisOne . ": " . $ErrOpenFiles{$ThisOne} . " Time(s)\n";
579
688
if ((keys %CCMessages) or (keys %CCMessages2)){
580
689
print "\n Messages from control channel\n";
581
690
foreach (keys %CCMessages) {
595
704
foreach $ThisOne (keys %UnknownCCCommands) {
596
705
print " " . $ThisOne . "(unknown command): " . $CCCommands{$ThisOne} . " Time(s)\n";
710
print "\nCheckhints:\n";
711
foreach $ThisOne (sort {$a cmp $b} keys %Hints) {
712
print " " .$ThisOne .": $Hints{$ThisOne} Time(s)\n";
600
716
if (keys %OtherList) {
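Review bot: The unknown-command report at new line 705 iterates `keys %UnknownCCCommands` but prints `$CCCommands{$ThisOne}`, so the count comes from the wrong hash and will normally be empty; this revision leaves the line unchanged, and it should print `$UnknownCCCommands{$ThisOne}`. Unrecognised control-channel commands are worth counting accurately, because a run of them is a signal an operator will want to investigate. Separately, the added `query '.*\/IN' denied` branch (new line 327) captures the client with an unbounded `(.*)` and passes it to `LookupIP`, whereas the other patterns widened in this revision use `[\.0-9a-fA-F:]+`. Using that same class there would keep remote-influenced log text out of the lookup and out of the `%DeniedQueryNoCache` key. The page shows only excerpts of each block, so the enclosing loop and `elsif` bodies are not fully visible.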