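#!/bin/bash
# Summarise Dovecot POP3/IMAP login activity over (roughly) the last 24 hours.
#
# Reads the current and previous rotated dovecot log (plain or gzipped),
# trims the combined text to the most recent whole window that starts
# 24..48 hours ago, then prints login totals, top client IPs and ports,
# and the accounts and IPs with the most "Password mismatch" events.
# Output is informational only; nothing is written back anywhere.
#
# Requires GNU tools: date --date, sed -i, grep -P, zcat -f, mktemp.
# Assumes dovecot's own log timestamp prefix "Mon DD HH:MM:SS" with a
# zero-padded day (the format date +"%b %d %H" produces). If dovecot
# logs through syslog instead, the day is space-padded ("May  7") and the
# hour search below will not match -- adjust the date format if so.
#
# Future version might store stats in a flatfile DB and then show
# comparative values, eg +5%, -250%.

set -u

# Logs to scan, oldest first. Both are needed to guarantee 24 hours of
# data; adjust according to your setup.
LOGFILES=(/var/log/dovecot.log.1 /var/log/dovecot.log)

# Lines that carry the *-login prefix but are not successful logins.
NOT_LOGIN='Disconnected|failed|Error'

# Private working copy of the log. mktemp creates the file 0600 with an
# unpredictable name: the extract holds usernames and client IPs, so it
# must not be world-readable, and a fixed /tmp/dc_temp.log name would let
# any local user pre-plant a symlink that the redirection below follows.
# The trap removes it on every exit path (including errors and Ctrl-C).
TEMPFILE=$(mktemp "${TMPDIR:-/tmp}/dc_temp.XXXXXX") || {
  echo "mktemp failed" >&2
  exit 1
}
trap 'rm -f -- "$TEMPFILE"' EXIT

# zcat -f will deal with uncompressed and gzipped alike.
if ! zcat -f -- "${LOGFILES[@]}" > "$TEMPFILE"; then
  echo "Could not read ${LOGFILES[*]}" >&2
  exit 1
fi

# Find the start hour 24 hours ago. If there is no line for that hour,
# try 25 hours, 26 hours, etc up to 48 hours ago.
# example format "May 27 06"
# TRYHOUR is built from date's %b/%d/%H output, so it contains only
# letters, digits and spaces and is safe to splice into grep/sed patterns.
STARTHOUR=""
for HOUR in $(seq 24 48); do
  TRYHOUR=$(date +"%b %d %H" --date="$HOUR hours ago")
  # Anchor at line start so the test matches exactly what sed cuts at.
  # (An unanchored grep can succeed on text mid-line while the anchored
  # sed range never matches, and a 0,/re/ range with no end match runs
  # to end of file -- emptying the working set.)
  if grep -q -- "^$TRYHOUR" "$TEMPFILE"; then
    STARTHOUR=$TRYHOUR
    break
  fi
done

if [[ -n "$STARTHOUR" ]]; then
  # Keep only the lines from the first line of the start hour onwards.
  # /re/,$!d keeps that first line (0,/re/d would delete it too).
  sed -i "/^$STARTHOUR/,\$!d" "$TEMPFILE"
else
  echo "Warning: no log line found between 24 and 48 hours ago; reporting on all available data" >&2
fi

## Extracting Data from the tempfile.

#######################################
# Successful login lines for one service.
# Arguments: $1 - service tag to match, e.g. pop3-login or imap-login
# Outputs:   matching log lines with disconnect/failure noise removed
#######################################
successful_logins() {
  grep -- "$1" "$TEMPFILE" | grep -v -P -- "$NOT_LOGIN"
}

#######################################
# Count occurrences of each distinct stdin line, most frequent first.
#######################################
count_sorted() {
  sort | uniq -c | sort -nr
}

STARTDATE=$(head -n 1 -- "$TEMPFILE" | awk '{print $1 " " $2 " " $3 }')
ENDDATE=$(tail -n 1 -- "$TEMPFILE" | awk '{print $1 " " $2 " " $3 }')
echo "Collecting data from $STARTDATE to $ENDDATE"
echo ""

# Webmail is distinguished from IMAP purely by the client connecting from
# localhost (rip=127.0.x.x); -F keeps the dots literal.
TOTPOPLOGIN=$(successful_logins pop3-login | wc -l)
TOTIMAPLOGIN=$(successful_logins imap-login | grep -v -c -F -- " rip=127.0.")
TOTWEBLOGIN=$(successful_logins imap-login | grep -c -F -- " rip=127.0.")

echo "Total Logins:"
echo " POP3 $TOTPOPLOGIN"
echo " IMAP $TOTIMAPLOGIN"
echo " Webmail $TOTWEBLOGIN"
echo ""

# "rip=" is dovecot's remote-IP field; it is followed by ", lip=..." so
# cutting at the first comma isolates the address (v4 or v6).
echo "Successful logins from these IPs"
grep -P -- 'imap-login|pop3-login' "$TEMPFILE" | grep -v -P -- "$NOT_LOGIN" \
  | sed 's/.*rip=//' | cut -d ',' -f 1 | count_sorted | head -n 5
echo ""

# lport= (local port) only appears in newer dovecot logs; skip otherwise.
if grep -q -- lport "$TEMPFILE"; then
  echo "Successful logins on these ports"
  grep -P -- 'imap-login|pop3-login' "$TEMPFILE" | grep -v -P -- "$NOT_LOGIN" \
    | sed 's/.*lport=//' | cut -d ',' -f 1 | count_sorted
  echo ""
fi

# Hacking
# Assumes the auth line shape "driver(user,ip): Password mismatch" --
# the account is the text between "(" and the first ",". Verify against
# your dovecot version if these columns look wrong.
echo "Top 5 Password Mismatch Accounts"
grep -- "Password mismatch" "$TEMPFILE" | cut -d '(' -f 2 | cut -d ',' -f 1 \
  | count_sorted | head -n 5
echo ""

# NOTE: only IPv4 addresses are extracted here; mismatches from IPv6
# clients are not counted in this table.
echo "Top 5 Password Mismatch IP addresses"
grep -- "Password mismatch" "$TEMPFILE" \
  | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' \
  | count_sorted | head -n 5
echo ""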