Add applystddate patch - support rsyslog timestamps

Add http patch - count .hdr files as archives
Add pluto patch - update openswan parsing
Add xvc patch - support xen virtual console logins

logwatch-applystddate.patch

@@ -0,0 +1,26 @@
+--- logwatch-svn110/scripts/shared/applystddate.orig	2011-06-25 19:21:13.000000000 +0200
++++ logwatch-svn110/scripts/shared/applystddate	2012-08-29 10:44:05.355719191 +0200
+@@ -25,6 +25,7 @@
+ # customize the Timefilter by appending a string:
+ # *ApplyStdDate = "%H:%M %d/%m/%Y"
+ $SearchDate = TimeFilter($ARGV[0] || '%b %e %H:%M:%S');
++$SearchDateRsyslog = TimeFilter('%Y-%m-%dT%H:%M:%S\.[0-9]+[+-][0-9]{2}:[0-9]{2}');
+ 
+ # The date might be "Dec 09", but it needs to be "Dec  9"...
+ #$SearchDate =~ s/ 0/  /;
+@@ -32,11 +33,15 @@
+ if ( $Debug > 5 ) {
+    print STDERR "DEBUG: Inside ApplyStdDate...\n";
+    print STDERR "DEBUG: Looking For: " . $SearchDate . "\n";
++   print STDERR "DEBUG: Looking For: " . $SearchDateRsyslog . "\n";
+ }
+ 
+ while (defined($ThisLine = <STDIN>)) {
+    if ($ThisLine =~ m/^$SearchDate /o) {
+       print $ThisLine;
++   } elsif ($ThisLine =~ /^$SearchDateRsyslog /o) {
++      $ThisLine =~ s/^([0-9]{4})-([0-9]{2})-([0-9]{2})T([0-9]{2}):([0-9]{2}):([0-9]{2})\.[0-9]+[+-][0-9]{2}:[0-9]{2} //o;
++      print POSIX::strftime("%b %e %H:%M:%S", $6, $5, $4, $3+1, $2-1, $1 - 1900) . " " . $ThisLine;
+    } elsif ($ThisLine =~ m/(Mon|Tue|Wed|Thu|Fri|Sat|Sun) $SearchDate \d{4}/o) {
+       print $ThisLine;
+    }

logwatch-http.patch

@@ -0,0 +1,12 @@
+diff -up logwatch-7.3/scripts/services/http.pom logwatch-7.3/scripts/services/http
+--- logwatch-7.3/scripts/services/http.pom	2006-02-28 22:13:00.000000000 -0500
++++ logwatch-7.3/scripts/services/http	2009-10-26 07:27:51.000000000 -0400
+@@ -204,7 +204,7 @@ my $content_types =  '(';
+    $content_types =  $content_types.'|\.class|\.jsp|\.jar|\.java';
+    $content_types =  $content_types.'|COPYRIGHT|README|FAQ|INSTALL|\.txt)';
+ my $docs_types =     '(\.asc|\.bib|\.djvu|\.doc|\.dot|\.dtd|\.dvi|\.gnumeric|\.mcd|\.mso|\.pdf|\.pps|\.ppt|\.ps|\.rtf|\.sxi|\.tex|\.text|\.tm|\.xls|\.xml)';
+-my $archive_types =  '(\.ace|\.bz2|\.cab|\.deb|\.dsc|\.ed2k|\.gz|\.hqx|\.md5|\.rar|\.rpm|\.sig|\.sign|\.tar|\.tbz2|\.tgz|\.vl2|\.z|\.zip)';
++my $archive_types =  '(\.ace|\.bz2|\.cab|\.deb|\.dsc|\.ed2k|\.gz|\.hqx|\.md5|\.rar|\.rpm|\.sig|\.sign|\.tar|\.tbz2|\.tgz|\.vl2|\.z|\.zip|\.hdr)';
+ my $sound_types =    '(\.au|\.aud|\.mid|\.mp3|\.ogg|\.pls|\.ram|\.raw|\.rm|\.wav|\.wma|\.wmv|\.xsm)';
+ my $movie_types =    '(\.asf|\.ass|\.avi|\.idx|\.mid|\.mpg|\.mpeg|\.mov|\.qt|\.psb|\.srt|\.ssa|\.smi|\.sub)';
+ my $winexec_types =  '(\.bat|\.com|\.exe|\.dll)';

logwatch-pluto.patch

@@ -0,0 +1,66 @@
+--- logwatch-svn110/scripts/services/pluto	2010-05-01 04:36:08.000000000 +0200
++++ logwatch-svn110-new/scripts/services/pluto	2012-08-29 10:53:35.760260333 +0200
+@@ -76,6 +76,12 @@
+    $today="$month $day";
+ 
+    next unless ($process =~ /pluto/i);
++   $iserror=0;
++
++   if ($conn eq "ERROR:") {
++      $iserror = 1;
++      ($junk,$conn,$msg)=split(/ +/,$msg,3);
++   }
+ 
+    $loglines{$today}++;
+ 
+@@ -143,7 +149,7 @@
+    next if($rest =~ /no suitable connection for peer/);
+    next if($rest =~ /sending encrypted notification/);
+    next if($rest =~ /enabling possible NAT-traversal with method/);
+-   next if($rest =~ /received Vendor ID payload/);
++   next if($rest =~ /(received|ignoring) Vendor ID payload/);
+    next if($rest =~ /ignoring unknown Vendor ID payload/);
+    next if($rest =~ /Dead Peer Detection \(RFC 3706\): enabled/);
+    next if($rest =~ /DPD: No response from peer - declaring peer dead/);
+@@ -152,6 +158,21 @@
+    next if($rest =~ /discarding packet received during asynchronous work \(DNS or crypto\) in STATE_(MAIN|QUICK)_../);
+    next if($rest =~ /STATE_(MAIN|QUICK)_[RI][1-3]: sent [MQ][RI][1-3], expecting [MQ][IR][1-3]/);
+    next if($rest =~ /STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2/);
++   next if($rest =~ /down-client output/);
++   next if($rest =~ /(restore|update)resolvconf-client output/);
++   next if($rest =~ /transform .* ignored/);
++   next if($rest =~ /multiple DH groups were set in aggressive mode\./);
++   next if($rest =~ /received mode cfg reply/);
++   next if($rest =~ /modecfg: Sending IP request/);
++   next if($rest =~ /setting .* address to/);
++   next if($rest =~ /STATE_XAUTH_I1: XAUTH client - awaiting CFG_set/);
++   next if($rest =~ /initiating Aggressive Mode/);
++   next if($rest =~ /Aggressive mode peer ID is/);
++   next if($rest =~ /protocol\/port in Phase \d ID Payload must be/);
++   next if($rest =~ /XAUTH: Bad Message: /);
++   next if($rest =~ /XAUTH: Answering XAUTH challenge with user/);
++   next if($rest =~ /Received IP4|DNS|subnet /);
++   next if($rest =~ /sendto on .* to .* failed in delete notify/);
+    $relevantlog{"$today"}++;
+ 
+    print STDERR "Rest is $rest\n" if $debug>1;
+@@ -224,6 +245,9 @@
+       $rekeyfail{$conn}++;
+       $rekeyfail_ICMPunreachable{$conn}++;
+ 
++   } elsif($rest =~ /XAUTH: Successfully Authenticated/) {
++      $xauthsuccess{$conn}++;
++
+    } elsif($rest =~ /starting keying attempt (.*) of an unlimited number/) {
+       $lastattempt=$1;
+       if($maxattempts{$conn} < $lastattempt) {
+@@ -272,6 +296,9 @@
+       if($setupfail{$conn} > 0) {
+          print "\tSetup failures: ".$setupfail{$conn}."\n";
+       }
++      if($xauthsuccess{$conn} > 0) {
++         print "\tXAUTH successful connections: ".$xauthsuccess{$conn}."\n";
++      }
+       if($crlUpdate{$conn} > 0) {
+          print "\tOverdue CRL update since: ".$crlUpdateSince{$conn}." (".$crlUpdate{$conn}." times)\n";
+       }

logwatch-xvc.patch

@@ -0,0 +1,22 @@
+--- logwatch-svn110/scripts/services/secure.orig	2012-08-29 10:45:25.000000000 +0200
++++ logwatch-svn110/scripts/services/secure	2012-08-29 10:47:51.228547898 +0200
+@@ -377,6 +377,8 @@
+       $Error{$Service}{$Err}++;
+    } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?tty[0-9]+/) {
+       $RootLoginTTY++
++   } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?xvc[0-9]+/) {
++      $RootLoginXVC++
+    } elsif ( $ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user root .*/) {
+       $RootLoginTTY++
+    } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
+@@ -734,6 +736,10 @@
+    print "\nRoot logins on ttys: $RootLoginTTY Time(s).\n";
+ }
+ 
++if ($RootLoginXVC) {
++   print "\nRoot logins on xvcs: $RootLoginXVC Time(s).\n";
++}
++
+ if (keys %UserLogin) {
+    print "\nUser Logins:\n";
+    foreach $User (sort {$a cmp $b} keys %UserLogin) {

logwatch.spec

@@ -1,7 +1,7 @@
 Summary: A log file analysis program
 Name: logwatch
 Version: 7.4.0
-Release: 15.20120619svn110%{?dist}
+Release: 16.20120619svn110%{?dist}
 License: MIT
 Group: Applications/System
 URL: http://www.logwatch.org/
@@ -25,6 +25,10 @@ Patch7: logwatch-dovecot.patch
 Patch8: logwatch-sshd.patch
 # Rootkit Hunter patch - not applied by upstream
 Patch9: logwatch-rkhunter.patch
+Patch10: logwatch-applystddate.patch
+Patch11: logwatch-http.patch
+Patch12: logwatch-pluto.patch
+Patch13: logwatch-xvc.patch
 Requires: textutils sh-utils grep mailx
 Requires: perl(Date::Manip)
 Requires: perl(Sys::CPU)
@@ -48,6 +52,10 @@ of the package on many systems.
 %patch7 -p0
 %patch8 -p1
 %patch9 -p0
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 rm -f scripts/services/*.orig
 
 %build
@@ -138,6 +146,12 @@ echo "# Configuration overrides for specific logfiles/services may be placed her
 %{_mandir}/man*/*
 
 %changelog
+* Wed Aug 29 2012 Jan Synáček <jsynacek@redhat.com> - 7.4.0-16.20120619svn110
+- Add applystddate patch - support rsyslog timestamps
+- Add http patch - count .hdr files as archives
+- Add pluto patch - update openswan parsing
+- Add xvc patch - support xen virtual console logins
+
 * Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 7.4.0-15.20120619svn110
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild