# LogWatch + remote machine

## jedi_master_ss

I couldn't find anything about this on the forums or on the wiki. I already have syslogd (on OpenWrt) set up to talk to syslog-ng (on a Gentoo Linux box), and I have Logwatch running on the Gentoo machine.

I was wondering if anyone has ever gotten a config script set up to properly parse the output from dropbear and dnsmasq.

Since I couldn't find anything helpful written anywhere, I started creating my own, but I ran into some issues:

```
 --------------------- DropBear Begin ------------------------

 Failed logins from these:
    82.226.38.244 (mar92-6-82-226-38-244.fbx.proxad.net): 18 times
       root: 18 times
    202.111.175.116: 2 times
       root: 2 times

 Users logging in through sshd:
    root:
       192.168.1.228 (Yuuzhan.lan):
          (all): HASH(0x81e4c14) times
       192.168.1.108 (Atlantis.lan):
          (all): HASH(0x81e4ba8) times

 ---------------------- DropBear End -------------------------
```

The output for the successful logins is not printed properly, and yes, it seems someone was trying to have fun with the router the previous day.

This is a copy of the script I started to create; some of it I copied directly from the sshd file.

/usr/share/logwatch/scripts/services/dropbear:

```
use strict;
use Logwatch ':all';

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Only %Users and %BadLogins are filled in below; the rest were copied
# from the sshd script along with its report code.
my %Users = ();
my %IllegalUsers = ();
my %TooManyFailures = ();
my %NoIdent = ();
my %BindFailed = ();
my %BadLogins = ();
my %NoRevMap = ();
my %RefusedConnections = ();
my %RefusedAuthentication = ();
my %DisconnectReceived = ();
my %RootLogin = ();
my %PamReleaseFail = ();
my %PamError = ();
my %ShadowInfo = ();
my %TTYModesFail = ();
my %LoginLock = ();
my %PostPonedAuth = ();
my %LockedAccount = ();
my %AllowUsers = ();
my %NoShellUsers = ();
my %DeprecatedOption = ();
my %MisMatch = ();
my @BadRSA = ();
my @Scanned = ();
my @OtherList = ();
my $sftpRequests = 0;
my $NetworkErrors = 0;   # was declared twice; the second "my" is dropped
my $Kills = 0;
my $Starts = 0;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   my ($User,$Host,$Port);
   if (($ThisLine =~ /^pam_end: NULL pam handle passed/ )) {
      #We Don't care about these
   }
   # dropbear logs the peer as "192.168.1.228:3254", with no spaces around the colon
   elsif ( ($User,$Host,$Port) = ($ThisLine =~ /^password auth succeeded for '(\S+)' from ([\d\.:a-f]+):(\d+)/))
   {
      $Users{$User}{$Host}{"(all)"}++;
   }
   elsif ( ($User,$Host,$Port) = ($ThisLine =~ /^bad password attempt for '(\S+)' from ([\d\.:a-f]+):(\d+)/))
   {
      $BadLogins{$Host}{$User}++;
   }
}

#############################################################

if (keys %BadLogins){
   print "\nFailed logins from these:\n";
   foreach my $ip (sort SortIP keys %BadLogins) {
      my $name = LookupIP($ip);
      my $totcount = 0;
      foreach my $user (keys %{$BadLogins{$ip}}) {
            $totcount += $BadLogins{$ip}{$user};
      }
      my $plural = ($totcount > 1) ? "s" : "";
      print "   $name: $totcount time$plural\n";
      if ($Detail >= 5) {
         my $sort = CountOrder(%{$BadLogins{$ip}});
         foreach my $user (sort $sort keys %{$BadLogins{$ip}}) {
            my $val = $BadLogins{$ip}{$user};
            my $plural = ($val > 1) ? "s" : "";
            print "      $user: $val time$plural\n";
         }
      }
   }
}

if (keys %Users) {
   print "\nUsers logging in through sshd:\n";
   foreach my $user (sort {$a cmp $b} keys %Users) {
      print "   $user:\n";
      my $totalSort = TotalCountOrder(%{$Users{$user}}, \&SortIP);
      foreach my $ip (sort $totalSort keys %{$Users{$user}}) {
         my $name = LookupIP($ip);
         if ($Detail >= 20) {
            print "      $name:\n";
            my $sort = CountOrder(%{$Users{$user}{$ip}});
            foreach my $method (sort $sort keys %{$Users{$user}{$ip}}) {
               # $Users{$user}{$ip} is itself a hash (that is the HASH(0x...) in the
               # report); the count lives one level down, under the method key
               my $val = $Users{$user}{$ip}{$method};
               my $plural = ($val > 1) ? "s" : "";
               print "         $method: $val time$plural\n";
            }
         } else {
            my $val = (values %{$Users{$user}{$ip}})[0];
            my $plural = ($val > 1) ? "s" : "";
            print "      $name: $val time$plural\n";
         }
      }
   }
}
```

I wanted to be able to distinguish someone trying to attack my router from someone legitimately logging in, and also to log all those IPs, as well as log all the DHCP leases, since I needed to use WEP128 instead of WPA due to some WDS issues, just in case someone was attempting to steal bandwidth.

The following is normal output from the syslogd on the router:

```
May 12 21:31:33 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:31:34 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.165 00:0f:66:77:10:cb
May 12 21:41:00 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.165 00:0f:66:77:10:cb MadHatter
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.150 00:14:bf:bd:4d:af
May 12 21:41:51 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.150 00:14:bf:bd:4d:af Kuma
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.186 00:14:a5:20:d8:a9
May 12 21:46:37 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.186 00:14:a5:20:d8:a9 Annie
May 12 21:47:22 192.168.1.1 dropbear[1080]: Child connection from 202.111.175.116:59632
May 12 21:47:22 192.168.1.1 dropbear[1080]: exit before auth: Failed to get remote version
May 12 21:50:27 192.168.1.1 dropbear[1081]: Child connection from 202.111.175.116:45822
May 12 21:50:31 192.168.1.1 dropbear[1081]: login attempt for nonexistent user from 202.111.175.116:45822
May 12 21:50:33 192.168.1.1 dropbear[1081]: exit before auth: Disconnect received
May 12 21:50:33 192.168.1.1 dropbear[1082]: Child connection from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1082]: login attempt for nonexistent user from 202.111.175.116:46017
May 12 21:50:36 192.168.1.1 dropbear[1083]: Child connection from 202.111.175.116:46346
May 12 21:50:37 192.168.1.1 dropbear[1082]: exit before auth: Disconnect received
May 12 21:50:38 192.168.1.1 dropbear[1084]: Child connection from 202.111.175.116:46441
May 12 21:50:40 192.168.1.1 dropbear[1083]: bad password attempt for 'root' from 202.111.175.116:46346
May 12 21:50:41 192.168.1.1 dropbear[1083]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:41 192.168.1.1 dropbear[1084]: login attempt for nonexistent user from 202.111.175.116:46441
May 12 21:50:41 192.168.1.1 dropbear[1085]: Child connection from 202.111.175.116:46737
May 12 21:50:42 192.168.1.1 dropbear[1084]: exit before auth: Disconnect received
May 12 21:50:42 192.168.1.1 dropbear[1086]: Child connection from 202.111.175.116:46882
May 12 21:50:44 192.168.1.1 dropbear[1087]: Child connection from 202.111.175.116:47249
May 12 21:50:44 192.168.1.1 dropbear[1085]: bad password attempt for 'root' from 202.111.175.116:46737
May 12 21:50:45 192.168.1.1 dropbear[1085]: exit before auth (user 'root', 1 fails): Disconnect received
May 12 21:50:46 192.168.1.1 dropbear[1088]: Child connection from 202.111.175.116:47350
May 12 21:50:46 192.168.1.1 dropbear[1086]: login attempt for nonexistent user from 202.111.175.116:46882
May 12 21:50:47 192.168.1.1 dropbear[1086]: exit before auth: Exited normally
May 12 21:50:47 192.168.1.1 dropbear[1087]: exit before auth: Exited normally
May 12 21:50:48 192.168.1.1 dropbear[1088]: exit before auth: Exited normally
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:00:55 192.168.1.1 -- MARK --
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.108 00:11:24:79:2c:8c
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.108 00:11:24:79:2c:8c Atlantis
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:20:55 192.168.1.1 -- MARK --
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.228 00:12:17:86:66:a6
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.228 00:12:17:86:66:a6 Yuuzhan
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.104 00:09:5b:0a:2f:02
May 12 22:38:35 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.104 00:09:5b:0a:2f:02 linux
May 12 22:40:55 192.168.1.1 -- MARK --
May 12 22:40:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:00:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:20:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 12 23:40:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:00:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:20:56 192.168.1.1 -- MARK --
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.213 00:10:b5:0f:5b:ba
May 13 00:35:10 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.213 00:10:b5:0f:5b:ba compaq400
May 13 00:36:55 192.168.1.1 dropbear[1089]: Child connection from 192.168.1.228:3254
May 13 00:37:02 192.168.1.1 dropbear[1089]: password auth succeeded for 'root' from 192.168.1.228:3254
May 13 00:37:41 192.168.1.1 dropbear[1089]: exit after auth (root): Exited normally
May 13 00:37:51 192.168.1.1 dropbear[1093]: Child connection from 192.168.1.228:3256
May 13 00:37:56 192.168.1.1 dropbear[1093]: password auth succeeded for 'root' from 192.168.1.228:3256
May 13 00:39:47 192.168.1.1 dropbear[1093]: exit after auth (root): Exited normally
```

----------
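One way to get the report the post is after, as an added example written for this thread rather than code from Logwatch, Dropbear or OpenWrt. It is a Logwatch service filter for Dropbear that keeps the `dropbear[pid]` tag, so the "exit before auth" lines can be attributed to the source address of that connection, and separates wrong-password attempts, attempts against nonexistent accounts and connections that never sent an SSH version string (the usual scanner signature) from successful logins; the HASH(0x...) symptom is avoided by indexing the innermost counter. Assumed: a `conf/services/dropbear.conf` with `Title = "Dropbear"`, a `LogFile` group covering whatever file syslog-ng writes the router's messages to, `*OnlyService = dropbear` and no `*RemoveHeaders`; `LookupIP` and `SortIP` come from Logwatch's own `Logwatch.pm`, with a string-only fallback so the script can be run by hand. The sample lines after `__DATA__` are copied from the log excerpt above and are read only when the script is started from a terminal.

```perl
#!/usr/bin/perl
# /usr/share/logwatch/scripts/services/dropbear -- added example for this thread,
# not code from Logwatch, Dropbear or OpenWrt. Assumes conf/services/dropbear.conf
# sets "*OnlyService = dropbear" but not "*RemoveHeaders", so the dropbear[pid]
# tag survives and "exit before auth" lines can be tied to that connection's IP.
use strict;
use warnings;

BEGIN {
    # Under Logwatch, Logwatch.pm supplies LookupIP/SortIP; when run by hand
    # ("perl dropbear < routerlog") fall back to plain strings and no DNS.
    unless (eval { require Logwatch; Logwatch->import(':all'); 1 }) {
        *LookupIP = sub { $_[0] };
        *SortIP   = sub { $a cmp $b };
    }
}

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %ConnIP;      # pid -> peer address of the connection that pid is serving
my %Connects;    # ip -> accepted connections
my %NoBanner;    # ip -> connections dropped before any SSH version string arrived
my %NoSuchUser;  # ip -> login attempts for accounts that do not exist
my %BadPass;     # ip -> user -> wrong-password attempts
my %Logins;      # user -> ip -> successful password logins
my @Unmatched;
sub ntimes { my $n = shift; return "$n time" . ($n == 1 ? '' : 's') }

# Flat "address: N times" section, addresses in Logwatch's SortIP order.
sub ip_section {
    my ($title, $h) = @_;
    return unless %$h;
    print "\n$title\n";
    print "   ", LookupIP($_), ": ", ntimes($h->{$_}), "\n" for sort SortIP keys %$h;
}
my $in = -t STDIN ? \*DATA : \*STDIN;   # embedded sample only when run from a terminal
while (defined(my $line = <$in>)) {
    chomp $line;
    my ($pid, $msg) = $line =~ /dropbear\[(\d+)\]:\s*(.*)$/;
    ($pid, $msg) = ('?', $line) unless defined $msg;   # headers were already removed
    next if $msg =~ /^pam_end: NULL pam handle passed/; # harmless PAM-shim noise
    my $peer = $ConnIP{$pid} || '(unknown)';
    my ($ip, $user);
    if (($ip) = $msg =~ /^Child connection from (\S+):\d+$/) {
        $ConnIP{$pid} = $ip;
        $Connects{$ip}++;
    }
    elsif (($user, $ip) = $msg =~ /^password auth succeeded for '([^']+)' from (\S+):\d+$/i) {
        $Logins{$user}{$ip}++;
    }
    elsif (($user, $ip) = $msg =~ /^bad password attempt for '([^']+)' from (\S+):\d+$/i) {
        $BadPass{$ip}{$user}++;
    }
    elsif (($ip) = $msg =~ /^login attempt for nonexistent user from (\S+):\d+$/i) {
        $NoSuchUser{$ip}++;
    }
    elsif ($msg =~ /^exit before auth: Failed to get remote version$/) {
        $NoBanner{$peer}++;           # typical of scanners and banner grabbers
        delete $ConnIP{$pid};
    }
    elsif ($msg =~ /^exit (?:before|after) auth/) {
        delete $ConnIP{$pid};         # the outcome was already counted above
    }
    else {
        push @Unmatched, $msg;
    }
}
if (%BadPass) {
    print "\nFailed password attempts from:\n";
    foreach my $h (sort SortIP keys %BadPass) {
        my $total = 0;
        $total += $_ for values %{ $BadPass{$h} };
        print "   ", LookupIP($h), ": ", ntimes($total), "\n";
        next if $Detail < 5;
        foreach my $u (sort { $BadPass{$h}{$b} <=> $BadPass{$h}{$a} || $a cmp $b } keys %{ $BadPass{$h} }) {
            print "      $u: ", ntimes($BadPass{$h}{$u}), "\n";
        }
    }
}
ip_section("Login attempts for nonexistent users from:", \%NoSuchUser);
ip_section("Connections closed before sending an SSH version string:", \%NoBanner);
if (%Logins) {
    print "\nUsers logging in through dropbear:\n";
    foreach my $u (sort keys %Logins) {
        print "   $u:\n";
        print "      ", LookupIP($_), ": ", ntimes($Logins{$u}{$_}), "\n" for sort SortIP keys %{ $Logins{$u} };
    }
}
ip_section("Connections accepted from:", \%Connects) if $Detail >= 10;
print "\n**Unmatched entries**\n", map("   $_\n", @Unmatched) if $Detail >= 10 and @Unmatched;
__DATA__
May 12 21:47:22 192.168.1.1 dropbear[1080]: Child connection from 202.111.175.116:59632
May 12 21:47:22 192.168.1.1 dropbear[1080]: exit before auth: Failed to get remote version
May 12 21:50:33 192.168.1.1 dropbear[1083]: Child connection from 202.111.175.116:46346
May 12 21:50:40 192.168.1.1 dropbear[1083]: bad password attempt for 'root' from 202.111.175.116:46346
May 12 21:50:41 192.168.1.1 dropbear[1083]: exit before auth (user 'root', 1 fails): Disconnect received
May 13 00:36:55 192.168.1.1 dropbear[1089]: Child connection from 192.168.1.228:3254
May 13 00:37:02 192.168.1.1 dropbear[1089]: password auth succeeded for 'root' from 192.168.1.228:3254
May 13 00:37:41 192.168.1.1 dropbear[1089]: exit after auth (root): Exited normally
```

To try it against the real log before wiring it into Logwatch, run `LOGWATCH_DETAIL_LEVEL=10 perl dropbear < /var/log/router.log` (whatever file syslog-ng writes the router into). Any Dropbear message the script does not recognise, for instance differently worded lines from other Dropbear versions, shows up under "Unmatched entries" at that detail level, which is the quickest way to see which patterns still need adding. The three attack sections are split on purpose: a burst of "nonexistent user" attempts followed by guesses against `root` from the same address is the brute-force pattern visible in the excerpt above, while banner-less connects alone are usually just a scanner checking whether port 22 is open.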


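For the DHCP half of the question, an added example along the same lines (written for this thread, not dnsmasq's or Logwatch's code): a Logwatch service filter for dnsmasq that records every `DHCPACK` as a lease (address, MAC, client-supplied hostname) and reports each lease granted to a MAC that is not on a known list, which is the closest thing to a bandwidth-theft alarm the router's log offers on a WEP network. Assumed: a `conf/services/dnsmasq.conf` with `*OnlyService = dnsmasq`, `*RemoveHeaders` and a `$dnsmasq_known_macs` setting (an assumed variable name; Logwatch passes `$name = value` settings from a service config to the script's environment). The built-in default list and the sample lines after `__DATA__` are constructed from the log excerpt above for stand-alone testing.

```perl
#!/usr/bin/perl
# /usr/share/logwatch/scripts/services/dnsmasq -- added example for this thread,
# not code from Logwatch or dnsmasq. Assumes conf/services/dnsmasq.conf sets
# "*OnlyService = dnsmasq", "*RemoveHeaders" and the (assumed name) setting
#   $dnsmasq_known_macs = 00:11:24:79:2c:8c 00:12:17:86:66:a6
# which Logwatch exports to the script's environment like other "$var = ..." lines.
use strict;
use warnings;

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
# Allow-list of MACs, lower-cased; the default is a constructed list for testing.
my %Known = map { (lc($_) => 1) }
            split ' ', ($ENV{'dnsmasq_known_macs'} || '00:11:24:79:2c:8c 00:12:17:86:66:a6');

my %Lease;      # mac -> { ip, name, acks }
my %Requests;   # mac -> DHCPDISCOVER/DHCPREQUEST count
my @Unmatched;

my $in = -t STDIN ? \*DATA : \*STDIN;   # embedded sample only when run from a terminal
while (defined(my $line = <$in>)) {
    chomp $line;
    $line =~ s/^.*?dnsmasq\[\d+\]:\s*//;            # tolerate headers not yet removed
    next if $line eq '' or $line =~ /-- MARK --$/;  # syslogd keepalives in a raw file
    if (my ($ip, $mac, $name) = $line =~ /^DHCPACK\(\S+\) (\S+) ([\da-f:]{17})(?: (\S+))?$/i) {
        $mac = lc $mac;
        $Lease{$mac}{ip}   = $ip;                    # last address seen wins
        $Lease{$mac}{name} = $name if defined $name; # chosen by the client: untrusted
        $Lease{$mac}{acks}++;
    }
    elsif (my ($rmac) = $line =~ /^DHCP(?:DISCOVER|REQUEST)\(\S+\) (?:\S+ )?([\da-f:]{17})$/i) {
        $Requests{lc $rmac}++;
    }
    else {
        push @Unmatched, $line;
    }
}

# The part worth reading every morning: addresses handed to MACs nobody vouched for.
my @unknown = grep { !$Known{$_} } sort keys %Lease;
if (@unknown) {
    print "\nDHCP leases granted to MAC addresses NOT in the known list:\n";
    foreach my $mac (@unknown) {
        printf "   %-17s %-15s %s\n", $mac, $Lease{$mac}{ip}, ($Lease{$mac}{name} || '(no hostname)');
    }
}
if ($Detail >= 5 and %Lease) {
    print "\nAll DHCP leases (acks / requests):\n";
    foreach my $mac (sort keys %Lease) {
        printf "   %-17s %-15s %-12s %d / %d%s\n", $mac, $Lease{$mac}{ip},
               ($Lease{$mac}{name} || '(no hostname)'), $Lease{$mac}{acks},
               ($Requests{$mac} || 0), ($Known{$mac} ? '' : '   (unknown)');
    }
}
print "\n**Unmatched entries**\n", map("   $_\n", @Unmatched) if $Detail >= 10 and @Unmatched;

__DATA__
May 12 21:31:33 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:31:34 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.160 00:14:bf:25:33:79
May 12 21:40:55 192.168.1.1 -- MARK --
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.108 00:11:24:79:2c:8c
May 12 22:03:23 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.108 00:11:24:79:2c:8c Atlantis
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPREQUEST(br0) 192.168.1.228 00:12:17:86:66:a6
May 12 22:24:27 192.168.1.1 dnsmasq[562]: DHCPACK(br0) 192.168.1.228 00:12:17:86:66:a6 Yuuzhan
```

Run from a terminal with the built-in sample, the first section lists `00:14:bf:25:33:79` at 192.168.1.160 with no hostname, because that MAC is not in the default list, while the two known machines only appear in the full table at detail level 5 and up. Two caveats a practitioner will want: both the MAC and the DHCP hostname are chosen by the client, so this catches a casual squatter and not someone who has cloned a known MAC, and on WEP the real answer remains the one the post already names, moving to WPA once the WDS problem is out of the way.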