# Emit the picviz header: title, relative flag, then one axis declaration
# per field (t, m, s, pam, srcuser, dstuser) that is filled in later.
print qq{ title = "Syslog picviz analysis";\n};
print qq{ relative = "1";\n};
print qq{ timeline t [label="Time"];\n};         # time axis
print qq{ string m [label="Machine"];\n};        # host name
print qq{ string s [label="Service"];\n};        # service / process
print qq{ string pam [label="Module"];\n};       # PAM module
print qq{ string srcuser [label="Src user"];\n}; # user who opened the session
print qq{ string dstuser [label="Dst user"];\n}; # user the session was opened for
# Sanitise the raw syslog line before any field is captured from it, since
# every captured field is later emitted inside a double-quoted value.
# Double quotes are backslash-escaped.
$line =~ s{"}{\\"}g;
# '&', '<' and '>' are dropped outright rather than escaped.
# NOTE(review): backslashes in the input are not escaped themselves, so a
# field ending in `\` would turn the emitted closing quote into `\"` —
# confirm how the picviz parser treats `\\` before changing this.
$line =~ tr/&<>//d;
#Jul 1 22:39:02 quinificated CRON[3392]: pam_unix(cron:session): session opened for user root by (uid=0)
#Jul 1 22:44:33 quinificated su[3444]: pam_unix(su:session): session opened for user root by toady(uid=0)
#Jul 2 07:14:33 quinificated kdm: :0[3267]: pam_unix(kdm:session): session opened for user toady by (uid=0)
if ($line =~ m/\w+ ?\d+ (\d+:\d+:\d+) ([\w-.]+) (\w+)[\[|:].*: (\S+)\(.*\): session opened for user (\w+) by(.*)\(.*/) {
if ($s !~ m/CRON/) { # I don't care of cron tasks (this is how you should attack me ;-) )
if ($dstuser =~ m/root/) {
print " t=\"$t\",m=\"$m\",s=\"$s\",pam=\"$pam\",srcuser=\"$srcuser\",dstuser=\"$dstuser\" [color=\"red\"];\n";
print " t=\"$t\",m=\"$m\",s=\"$s\",pam=\"$pam\",srcuser=\"$srcuser\",dstuser=\"$dstuser\";\n";