diff --git a/src/warden-server/bin/wardenWatchdog.pl b/src/warden-server/bin/wardenWatchdog.pl
index e706e688a7be01ea760eedce3f17b63a249c46c0..73fcb9f5ffb4fea21a88e12f014797b7b5aaa330 100755
--- a/src/warden-server/bin/wardenWatchdog.pl
+++ b/src/warden-server/bin/wardenWatchdog.pl
@@ -2,7 +2,7 @@
#
# wardenWatchdog.pl
#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
+# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
@@ -10,7 +10,7 @@ use strict;
use warnings;
use Getopt::Long;
-use FindBin qw($RealBin);
+use FindBin qw($RealBin $RealScript);
FindBin::again();
use lib "$RealBin/../lib";
use WardenWatchdog;
@@ -30,11 +30,11 @@ use WardenWatchdog;
#-------------------------------------------------------------------------------
sub help
{
- my $help =" USAGE: ./wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7
+ my $help ="$RealScript -c <conf_file_with_path> -i <interval>
+-c path and name of a file with configuration
+-i interval in days from now back to the past
- OPTIONS
- -c conf configuration file name and path
- -i interval interval in days from now back to the past
+EXAMPLE: ./wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7
";
print $help;
return 1;
diff --git a/src/warden-server/doc/README b/src/warden-server/doc/README
index e7e97305a83390ff81da43372a4f38fb51519bf8..a1bd965f84621dff7fa1a84f98b54f9d8c752521 100644
--- a/src/warden-server/doc/README
+++ b/src/warden-server/doc/README
@@ -12,6 +12,7 @@ Content
F. Miscellaneous
G. Registration of Clients
H. Status Info
+ I. Warden Watchdog
--------------------------------------------------------------------------------
A. Overall Information
@@ -42,7 +43,6 @@ A. Overall Information
INSTALL
LICENSE
README
- README.wardenWatchdog
UNINSTALL
UPDATE
warden21to22.patch
@@ -58,13 +58,13 @@ A. Overall Information
WardenCommon.pm
Warden.pm
WardenWatchdog.pm
- sh/
+ sh/
uninstall.sh
--------------------------------------------------------------------------------
B. Installation Dependencies
-
+
1. Applications:
Perl >= 5.10.1
@@ -103,25 +103,25 @@ C. Installation
$ tar xzvf warden-server-2.2.tar.gz
- 3. Run install.sh.
-
+ 3. Run install.sh.
+
For more information about install.sh options run install.sh -h
Usage: $ ./install.sh -d <directory> -k <ssl_key_file> -c <ssl_cert_file> -a <ssl_ca_file> [-s <directory>] [-hV]"
- -d <directory> installation directory
- -k <ssl_key_file> SSL certificate key file path
- -c <ssl_cert_file> SSL certificate file path
- -a <ssl_ca_file> CA certificate file path
- -s <directory> directory for symlinks to Warden server control scripts (optional)
- -h print this help
- -V print script version number and exit
+ -d <directory> installation directory
+ -k <ssl_key_file> SSL certificate key file path
+ -c <ssl_cert_file> SSL certificate file path
+ -a <ssl_ca_file> CA certificate file path
+ -s <directory> directory for symlinks to Warden server control scripts (optional)
+ -h print this help
+ -V print script version number and exit
Example: # ./install.sh -d /opt/warden-server
-k /etc/ssl/private/server.key
- -c /etc/ssl/certs/server.pem
- -a /etc/ssl/certs/bundle.pem
- -s /usr/local/bin
+ -c /etc/ssl/certs/server.pem
+ -a /etc/ssl/certs/bundle.pem
+ -s /usr/local/bin
4. Configuration files
@@ -208,16 +208,16 @@ C. Installation
--------------------------------------------------------------------------------
D. Update
- For update of the Warden server package from local machine use update.sh.
-
- For more information about update.sh options run update.sh -h
+ For update of the Warden server package from local machine use update.sh.
- Usage: $ ./update.sh -d <directory> [-hV]
+ For more information about update.sh options run update.sh -h
+
+ Usage: $ ./update.sh -d <directory> [-hV]
-d <directory> destination directory
-h print this help
-V print script version number and exit
- Example: # ./update.sh -d /opt/warden-server
+ Example: # ./update.sh -d /opt/warden-server
For more information about post-update steps see UPDATE file in 'doc'
directory.
@@ -226,16 +226,16 @@ D. Update
--------------------------------------------------------------------------------
E. Uninstallation
- For uninstallation of the Warden server package from local machine use uninstall.sh.
-
- For more information about uninstall.sh options run uninstall.sh -h
+ For uninstallation of the Warden server package from local machine use uninstall.sh.
+
+ For more information about uninstall.sh options run uninstall.sh -h
- Usage: $ ./uninstall.sh -d <directory> [-hV]
+ Usage: $ ./uninstall.sh -d <directory> [-hV]
-d <directory> uninstallation directory
-h print this help
-V print script version number and exit
- Example: # ./uninstall.sh -d /opt/warden-server
+ Example: # ./uninstall.sh -d /opt/warden-server
For more information about post-uninstallation steps see UNINSTALL file in 'doc'
directory.
@@ -356,6 +356,55 @@ H. Status Info
Function getClients is accessible via getClients.pl. Function has no input
parameters and returns detailed information about all registered clients.
+--------------------------------------------------------------------------------
+I. Warden Watchdog
+
+ Warden Watchdog is a simple script for check of an Warden server DB. You can
+ create various SQL queries (checks) for an example for events from wrong IPs,
+ for events with incomplete description or for long quiet reporting clients.
+ Then you can run watchdog by hand or a repeatedly via Cron.
+
+ If one or more events are found by a check, than predefined information
+ email is sent to a person, who is responsible for a client. You can also set
+ a different recipient of a notification email for each check with a setting
+ 'contact' field in a configuration file.
+
+ 1. Configuration file
+
+ Each configuration file for a Warden Watchdog has four important groups
+ of settings. First group is clear and contains parameters such as path
+ to Warden server configuration file, notification email subject and
+ a email server configuration. Second group called SQL preconditions is
+ an array containing SQL queries which can be executed before Warden DB
+ check. Last, fourth, group called SQL postconditions is also an array
+ which can contains SQL queries useful for a Warden DB clean up after
+ a DB check.
+
+ The second group in a configuration file is a different. It is an array
+ of hashes with a following structure and each one performs one check.
+ In a query is possible to use a '\$date' variable, which will be expanded
+ by a Watchdog on a today's date.
+
+ @sql_queries = (
+ {
+ query => '<SQL query (check) on Warden DB>';
+ text => 'Text of notification email for this DB check';
+ contact => '<email address>' # override contact from 'requestor' column
+ }
+ )
+
+ 2. Application run
+
+ You will need just a prepared configuration file and a count of days
+ back from now to the past. Warden database check from config will be
+ then run in this defined time interval.
+
+ USAGE:
+ ./wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7
+
+ CRON USAGE:
+ 33 00 * * * /full/path/watchdog/wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7 >> err.txt
+
--------------------------------------------------------------------------------
Copyright (C) 2011-2013 Cesnet z.s.p.o
diff --git a/src/warden-server/etc/warden-watchdog.conf b/src/warden-server/etc/warden-watchdog.conf
index a56eb420cf963d757bc4243c88d523fab47bc6e8..0fbf76178bba3590d3f532e2f65cf47155799b57 100644
--- a/src/warden-server/etc/warden-watchdog.conf
+++ b/src/warden-server/etc/warden-watchdog.conf
@@ -1,6 +1,9 @@
#
-# wardenWatchdog.conf - configuration file for Wachdog script
+# warden-watchdog.conf - configuration file for Wachdog script
#
+# Copyright (C) 2011-2013 Cesnet z.s.p.o
+#
+# Use of this source is governed by a BSD-style license, see LICENSE file.
#-------------------------------------------------------------------------------
# domain_name - server full domain name
@@ -10,7 +13,7 @@ $domain_name = "warden-dev.cesnet.cz";
#-------------------------------------------------------------------------------
# email_subject - ...
#-------------------------------------------------------------------------------
-$email_subject = "Kontrola stavu udalosti warden serveru na stroji $domain_name";
+$email_subject = "Database check of a Warden server ($domain_name)";
#-------------------------------------------------------------------------------
# email_server_conf - path and params of an email server for reports sending
@@ -56,10 +59,10 @@ END;');
# in a database table.
#-------------------------------------------------------------------------------
@sql_queries = (
- {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
+ {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
+ {query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
+ {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
+ {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
#-------------------------------------------------------------------------------
# sql_postcondition - array of procedures which are executed "after" main action
diff --git a/src/warden-server/lib/WardenWatchdog.pm b/src/warden-server/lib/WardenWatchdog.pm
index c6f94de3d5298bfd2df43c5c835ce85aba31c56d..cdf023af8c928b71eda24848422cf98f65f5548b 100755
--- a/src/warden-server/lib/WardenWatchdog.pm
+++ b/src/warden-server/lib/WardenWatchdog.pm
@@ -2,7 +2,7 @@
#
# WardenWatchdog.pm
#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
+# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
@@ -11,8 +11,6 @@ package WardenWatchdog;
use strict;
use warnings;
-#use Data::Dumper;
-#use WardenConf;
use DBI;
use DBD::mysql;
use DateTime;