
root@jamjar:/usr/local/logwitch#  ./logwitch.lua --help
 logwitch v3.0   a forensic log search and report tool
 ./logwitch.lua -cron - record this run in log files and write report since previous run to file
 ./logwitch.lua  - print report since last run to screen
 ./logwitch.lua -mod <module> - print report since last run for a single module
 ./logwitch.lua -grep <module> <search term>  - ignore previous runs and check all the module's
  logs for an ip address

 <module> should not include .lua extension
 licensed under GPL v3

There is an example report file, written by the cron run at 06:15:01 AM, here. Some eight hours later, an interactive run shows what has happened since that cron run:

root@jamjar:/usr/local/logwitch#  date
Wed Dec 24 02:32:51 PM GMT 2025
root@jamjar:/usr/local/logwitch# ./logwitch.lua 


auth
=====
auth.log
--------
14:28:01.866388+00:00 jamjar su[178597]: pam_unix(su:session): session opened for user root(uid=
0) by david(uid=1001)

bind
=====
bind.log
--------
 07:11:24 rate-limit: 44.201.1.55/32 
 07:11:24 query-errors:  44.201.1.55
 07:11:33 rate-limit: 44.201.1.55/32 
 07:11:33 query-errors:  44.201.1.55 *** 5
 07:31:48 rate-limit: 750 
 07:36:15 query-errors:  134.122.121.84 *** 6
 07:36:15 rate-limit: 134.122.121.84/32
 07:36:15 query-errors:  134.122.121.84 *** 19
 08:13:58 query-errors:  139.162.208.30
 09:11:55 query-errors:  37.140.164.30
 09:41:36 query-errors:  165.227.62.247
 09:46:25 query-errors:  5.180.41.62
 10:11:50 query-errors:  185.73.23.133
 10:39:54 query-errors:  192.210.187.83
 13:00:38 query-errors:  165.154.157.35
 13:31:42 rate-limit: 44.204.127.161/32 
 13:31:42 query-errors:  44.204.127.161 *** 6
 13:37:43 rate-limit: 100.48.206.47/32 
 13:37:43 query-errors:  100.48.206.47 *** 7
 14:21:18 query-errors:  199.45.154.191
 14:21:19 query-errors:  199.45.155.92

dovecot
========
mail.log
--------

exim4
======
rejectlog
---------
08:40:41  F=<chat@jamescryer.com>  RELAY attempt 69.5.189.21

fail2ban
=========
fail2ban.log
------------
07:11:25 [named-refused-tcp] Ban 44.201.1.55
07:36:15 [named-refused-tcp] Ban 134.122.121.84
08:13:59 [named-refused-tcp] Ban 139.162.208.30
08:40:41 [exim] Found 69.5.189.21, bad - 2025-12-24 08:40:41, 1 # -> 2.0, Ban
08:40:41 [exim] Ban 69.5.189.21
08:40:41 [exim] Increase Ban 69.5.189.21 (2 # 2h -> 2025-12-24 10:40:41)
09:11:55 [named-refused-tcp] Ban 37.140.164.30
09:41:37 [named-refused-tcp] Ban 165.227.62.247
09:46:25 [named-refused-tcp] Ban 5.180.41.62
09:46:26 [named-refused-tcp] Increase Ban 5.180.41.62 (4 # 2d -> 2025-12-26 09:46:25)
13:00:39 [named-refused-tcp] Ban 165.154.157.35
13:31:43 [named-refused-tcp] Ban 44.204.127.161
13:37:44 [named-refused-tcp] Ban 100.48.206.47
14:21:18 [named-refused-tcp] Ban 199.45.154.191
14:21:19 [named-refused-tcp] Ban 199.45.155.92

tomcat
=======
localhost_access_log.2025-12-24.txt
-----------------------------------
07:57:08  - 2604:a880:400:d1:0:3:7227:5001
08:57:34  - 2a02:c7c:4a32:1800:c70a:e284:15a3:8bcf
09:05:15  - 2607:ff10:c8:594:0:0:0:6 *** 3
10:47:34  - 2a14:7c1:0:0:0:0:0:2 *** 2
11:15:24  - 2a02:c7c:4a32:1800:b6fd:65ea:1479:fca8
12:12:02  - 94.15.22.155 *** 2
13:09:47  - 2001:470:1:332:0:0:0:148 *** 3
13:11:10  - 2001:470:1:332:0:0:0:155
13:11:11  - 2001:470:1:332:0:0:0:148
13:11:11  - 2001:470:1:332:0:0:0:156
13:11:11  - 2001:470:1:332:0:0:0:14f
13:11:12  - 2001:470:1:332:0:0:0:155
13:11:12  - 2001:470:1:332:0:0:0:152
13:11:12  - 2001:470:1:332:0:0:0:14f
13:11:12  - 2001:470:1:332:0:0:0:156
13:11:13  - 2001:470:1:332:0:0:0:151
13:11:13  - 2001:470:1:332:0:0:0:150
13:12:56  - 2001:470:1:332:0:0:0:14f
13:13:10  - 2001:470:1:332:0:0:0:14b
13:13:51  - 2001:470:1:332:0:0:0:148 *** 8
14:18:08  - 2001:470:1:c84:0:0:0:11
14:18:44  - 2001:470:1:c84:0:0:0:6c
14:26:50  - 2a02:c7c:4a32:1800:d5e7:4b60:a5d5:dca3
Hmm! Looking at the bind section of that update, I'm not in love with 134.122.121.84 (19 query errors in the same second it tripped the rate limit), but at least fail2ban's named-refused-tcp jail shows it banned at 07:36:15. The su to root by david at 14:28 in the auth section is presumably the session this report is being run from; it is still worth a glance every time, because that line would look exactly the same if it weren't. Back at that cron report, though, we saw even worse from 141.98.83.48; let's take a closer look:

root@jamjar:/usr/local/logwitch# ./logwitch.lua -grep bind 141.98.83.48

bind
=====
bind.log.7.gz
----------
 04:48:17 query-errors:  141.98.83.48
 21:31:35 query-errors:  141.98.83.48
bind.log.6.gz
----------
bind.log.5.gz
----------
bind.log.4.gz
----------
bind.log.3.gz
----------
bind.log.2.gz
----------
 02:44:48 query-errors:  141.98.83.48 *** 15
 03:33:59 query-errors:  141.98.83.48 *** 5
 03:36:24 query-errors:  141.98.83.48 *** 99
bind.log.1
----------
 05:07:39 query-errors:  141.98.83.48
 07:04:40 query-errors:  141.98.83.48
 07:29:15 query-errors:  141.98.83.48
 08:13:29 query-errors:  141.98.83.48 *** 5
 10:05:43 query-errors:  141.98.83.48
 10:37:53 query-errors:  141.98.83.48 *** 9
 00:08:08 query-errors:  141.98.83.48 *** 88
bind.log
--------
 00:43:07 query-errors:  141.98.83.48 *** 11
 
Uggh! fail2ban bans are only ever temporary (note the 2h and 2d increments in the report above), so I think it's time to give bind and fail2ban a breather with a permanent firewall rule. Two caveats before running it: ufw evaluates rules in order, so check `ufw status numbered` first to make sure slot 28 sits ahead of any rule that allows port 53, otherwise the deny never matches; and with no protocol given, the rule silently drops both TCP and UDP on port 53 from that single /32 (the named-refused-tcp jail, judging by its name, watches TCP only), which is broader per-protocol but only ever covers this one address. So, once and for all:

root@jamjar:/usr/local/logwitch# ufw insert 28 deny in on eth0 from 141.98.83.48 to any port 53 
Rule inserted
root@jamjar:/usr/local/logwitch#