#!/usr/bin/perl
# 6/1/2004 Author: Joe Barbish, I bequeath this perl script to public domain.
# It can be copied and distributed for free by anyone to anyone by any manner.
###########################################################
# Script name abuse.ipflog.rotate.pl
# This is a special purpose script for controlling when the
# ipfilter ipmon log gets rotated. rc.conf starts ipmon in
# daemon mode and logs to the local0 facility of syslog.conf.
# The ipf rules are set up to log every occurrence of a packet
# being blocked. The abuse.myisp.pl and abuse.dshield.pl
# scripts read the ipf log file and email reports containing
# the ip address of all unsolicited packets attacking my system.
#
# The ipf log file name is /var/log/security; the trigger to rotate
# it is based on file size, i.e. rotate when file size > 100K.
# On some days the logs may rotate 2 or 3 times, with the potential
# to happen even more often when under a DoS attack. The normal newsyslog.conf
# rotated the security log once an hour, which means the file could far
# exceed the 100K rotate size, up to the point of consuming all the
# free space in /var and causing the system to abend.
#
# To have explicit control over the rotating of the security log file,
# to ensure it does not consume all free disk space and that the abuse
# reporting scripts get run against all log records, I developed a
# custom rotate process for which this script is the driver.
#
# The /etc/crontab file runs this /root/bin/abuse.ipflog.rotate.pl script
# every 10 minutes. The security file is defined in its own
# /etc/newsyslog.conf named /etc/newsyslog.ipflog.conf so the
# normal hourly cron rotate does not affect the security file.
#
# This script issues the
# newsyslog -v -f /etc/newsyslog.ipflog.conf /var/log/security
# command.
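# If the security file size is greater than 50k as defined for the
# security file in /etc/newsyslog.ipflog.conf, then the log will be
# rotated and the abuse.myisp.pl, abuse.dshield.pl and
# abuse.public.ISP.pl scripts get run against the security.0 file.
#
###########################################################
# For testing, ipflog.rotate.pl -v1 turns on logic trace displays.
use strict;
use warnings;
use Getopt::Std;

# Fixed paths and settings.  This script runs as root from cron, so every
# external command is invoked in list form (no shell involved) and no
# temporary message file is written under /var/log any more: the newsyslog
# output is read straight from a pipe.
my $NEWSYSLOG     = 'newsyslog';
my $IPFLOG_CONF   = '/etc/newsyslog.ipflog.conf';
my $SECURITY_LOG  = '/var/log/security';
my $ROTATE_SETTLE = 10;    # seconds to let the rotate finish before reading security.0
my @ABUSE_SCRIPTS = (
    '/root/bin/abuse.dshield.pl',
    '/root/bin/abuse.myisp.pl',
    '/root/bin/abuse.public.ISP0.pl',
);

# -v1 enables trace output on STDERR.  -s is still accepted so existing
# crontab entries keep working, but its value is not used.
my %opts;
getopts('v:s:', \%opts);
my $trace = $opts{v} // 0;

# Modulino idiom: run the driver when executed as a script, but not when
# the file is loaded with require/do (so the helpers can be tested without
# actually invoking newsyslog).
main() unless caller;

# Driver: run newsyslog against the private config; if it reports that the
# log was trimmed, wait for the rotate to settle and run the abuse scripts.
sub main {
    debug("exec newsyslog cmd\n");
    my @msgs = run_newsyslog();
    debug("rotate msg = $_\n") for @msgs;

    if (was_rotated(@msgs)) {
        debug("log rotated\n");
        sleep $ROTATE_SETTLE;
        run_abuse_scripts();
    }
    else {
        debug("log not rotated\n");
    }
    exit;
}

# Run newsyslog in verbose mode and return its stdout lines (chomped).
# newsyslog -v prints one status line per log, for example:
#   /var/log/test <10>: size (Kb): 76 [10] --> trimming log....
#   /var/log/test <10>: size (Kb): 76 [100] --> skipping
# Dies if newsyslog cannot be started or exits non-zero, so that a broken
# rotate is reported by cron instead of being silently treated as
# "not rotated" (which is what the old unchecked open/split did).
sub run_newsyslog {
    my @cmd = ($NEWSYSLOG, '-v', '-f', $IPFLOG_CONF, $SECURITY_LOG);
    open my $fh, '-|', @cmd
        or die "cannot run @cmd: $!\n";
    my @lines = <$fh>;
    chomp @lines;
    # On a pipe, close fails with $! == 0 when the child exited non-zero.
    close $fh
        or die "@cmd failed: " . ($! ? $! : 'exit status ' . ($? >> 8)) . "\n";
    return @lines;
}

# True (1) if any newsyslog status line carries the "--> trimming" marker,
# i.e. the log was rotated; 0 otherwise.  Matching the marker instead of a
# fixed whitespace-split field index keeps the check working if the path
# or the spacing in the message changes.  An empty list yields 0.
sub was_rotated {
    my (@lines) = @_;
    my @hits = grep { /-->\s+trimming\b/ } @lines;
    return @hits ? 1 : 0;
}

# Run each abuse reporting script against security.0.  A script that
# cannot be started or exits non-zero is reported on STDERR (cron mails
# it) but does not prevent the remaining scripts from running.
sub run_abuse_scripts {
    for my $script (@ABUSE_SCRIPTS) {
        debug("running $script\n");
        my $rc = system($script);
        next if $rc == 0;
        my $why = $rc == -1 ? $! : 'exit status ' . ($? >> 8);
        warn "$script failed: $why\n";
    }
    return;
}

# Trace helper for debugging the logic: prints its arguments on STDERR
# only when the script was started with -v1.
sub debug {
    print STDERR @_ if $trace == 1;
    return;
}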