8 if ($ARGV[0]=~ m/^-h$|^--help$/i){
11 &help unless $ARGV[0]=~ m/^-r$|^--report$|^-s$|^--summary$|^-t$|^--top$/;
14 push @argv, shift @ARGV;
19 my ($timestamp,$sec,$mail,$date,$alerthost,$datasource,$rule,$level,$description,
24 $stats{$alerthost}{mail}{$mail}++;
25 $stats{$alerthost}{alerthost}{$alerthost}++;
26 $stats{$alerthost}{datasource}{$datasource}++;
27 $stats{$alerthost}{rule}{$rule}++;
28 $stats{$alerthost}{level}{$level}++;
29 $stats{$alerthost}{description}{$description}++;
30 if (defined $srcip) { $stats{$alerthost}{srcip}{$srcip}++; }
31 if (defined $user) { $stats{$alerthost}{user}{$user}++; }
34 if (m/^\*\* Alert ([0-9]+).([0-9]+):(.*)$/){
38 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)->(.*)$/){
42 }elsif ( m/^([0-9]+\s\w+\s[0-9]+\s[0-9]+:[0-9]+:[0-9]+)\s(.*?)$/){
46 }elsif ( m/Rule: ([0-9]+) \(level ([0-9]+)\) -> (.*)$/ ){
50 }elsif ( m/Src IP: (.*)$/){
52 }elsif ( m/User: (.*)$/){
60 if ($argv[0]=~ m/^-r$|^--report$/i){
62 }elsif ($argv[0]=~ m/^-s$|^--summary$/){
64 }elsif ($argv[0]=~ m/^-t$|^--top$/){
65 $argv[1]= $argv[1] ? $argv[1] : 'srcip' ;
66 &top(\%stats,$argv[1]);
72 print "OSSEC report tool $VERSION\n";
73 print "Licensed under GPL\n";
74 print "Contributor Meir Michanie\n";
79 print "$0 [-h|--help] # This text you read now\n";
80 print "$0 [-r|--report] # prints a report for each element\n";
81 print "$0 [-s|--summary] # prints a summary report\n";
82 print "$0 [-t|--top] <field> #prints the top list\n";
85 print "$0\tOSSEC report tool $VERSION\n";
86 print " $0 is a GNU style program.\nIt reads from STDIN and write to stdout. ";
87 print "This gives you the advantage to use it in pipes.\n";
89 print " cat ossec-alerts-05.log | $0 -r | mail root -s 'OSSEC detailed report'\n";
90 print " cat ossec-alerts-05.log | $0 -s | mail root -s 'OSSEC summary report'\n";
91 print " cat ossec-alerts-05.log | $0 -t srcip | head -n 15 | mail root -s 'OSSEC top 15 offenders report'\n";
92 print " Crontab entry:\n";
93 print "58 23 * * * (cat ossec-alerts-05.log | $0 -s)\n";
99 my ($stat,$key,$value);
101 =============================================================================
103 =============================================================================
104 |Alerthost | Stat | Key | Count |
105 =============================================================================
110 |@<<<<<<<<<<|@<<<<<<<<<<<|@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<|@######|
111 $alerthost,$stat,$key,$value
114 foreach(sort keys %{$statref}){
116 foreach(sort keys %{${$statref}{$alerthost}}){
118 foreach(sort keys %{${$statref}{$alerthost}{$stat}}){
120 $value=${$statref}{$alerthost}{$stat}{$key};
130 my ($stat,$key,$value);
131 foreach(sort keys %{$statref}){
133 foreach(sort keys %{${$statref}{$alerthost}}){
135 foreach(sort keys %{${$statref}{$alerthost}{$stat}}){
137 $value=${$statref}{$alerthost}{$stat}{$key};
138 $totals{$stat}{$key}+=$value;
142 format TOPSUMREPORT =
143 =================================================================
145 =================================================================
146 |Stat | Key | Count |
147 =================================================================
152 |@<<<<<<<<<<<|@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<|@######|
156 foreach(sort keys %totals){
158 foreach(sort keys %{$totals{$stat}}){
160 $value=$totals{$stat}{$key};
167 my ($statref,$stat)=@_;
168 my (%totals,%mytest);
170 foreach(keys %{$statref}){
172 foreach( keys %{${$statref}{$alerthost}{$stat}}){
174 $value=${$statref}{$alerthost}{$stat}{$key};
175 $totals{$stat}{$key}+=$value;
178 foreach (keys %{$totals{$stat}}){
179 $mytest{$totals{$stat}{$_}}=$_;
181 foreach (sort {$b <=> $a} keys %mytest){
182 print "$mytest{$_} => $_\n";