#!/usr/bin/perl

# This perl script is an adaptation of logtail2 to parse
# Apache access logs.
# I know it's generally preferrable to require and call
# the original instead of forking and risking of not maintaining
# it but logtail is fairly simple and, since logtail2 is not always
# installed and somtimes not even packaged in distributions,
# it simplify deployment.
# TODO: call logtail2 if available ?

# Copyright (C) 2003 Jonathan Middleton <jjm@ixtab.org.uk
# Copyright (C) 2001 Paul Slootman <paul@debian.org>

# This file is part of Logcheck.

# Logcheck is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

# Logcheck is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with Logcheck; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

use strict;
use warnings;
use Getopt::Long;
use File::Basename;
use Digest::MD5 qw(md5_hex);
my ($size, $logfile, $offsetfile, @listingLogfiles, @listingOffsetfiles, $key, $firstTimeReading);
# (problems with including utils.pm)
my %ERRORS=('OK'=>0,'WARNING'=>1,'CRITICAL'=>2,'UNKNOWN'=>3,'DEPENDENT'=>4);
my $TMP_DIR = '/tmp';
my %opts = ();
my %outputCpt = (
    '2XX' => 0,
    '3XX' => 0,
    '403' => 0,
    '404' => 0,
    '4XX' => 0,
    '500' => 0,
    '5XX' => 0,
    'others' => 0, # other (1XX) and strange things
    );
my ($outputTotalCpt) = 0;
my ($outputTotalBandwith) = 0;

# process args and switches
my ($TEST_MODE) = 0;
# When we discover a file for the first time,
# we don't do the count and just mark the position
# for the next time
my ($COUNT_FIRST_READ_CATCHING_UP) = 0;
GetOptions(
    'file=s' => \@listingLogfiles,
    'even-catch-up' => \$COUNT_FIRST_READ_CATCHING_UP,
    'test-mode'     => \$TEST_MODE,
    );


sub print_from_offset {
    my ($filename, $offset) = @_;
    # this subroutine prints the contents of the file named $filename,
    # starting offset $offset.
    #print "print_from_offset $filename, $offset\n";
    unless (open(LOGFILE, $filename)) {
        print "File $logfile cannot be read: $!\n";
        exit $ERRORS{UNKNOWN};
    }

    seek(LOGFILE, $offset, 0);

    while (<LOGFILE>) {
        if ($_ =~ /^([[:xdigit:].:]+) (.+) (.+) (\[[[:alnum:]\/:]+ \+[[:digit:]]{4}\]) (".*") ([[:digit:]]{3}) ([[:digit:]]+) "(.*)" "(.*)"$/) {
            #We ignore some IP address
            next if ($1 eq '::1' or $1 eq '127.0.0.1');

            if ($6 >= 200 && $6 < 300) {
                ++$outputCpt{'2XX'};
            } elsif ($6 >= 300 && $6 < 400) {
                ++$outputCpt{'3XX'};
            } elsif ($6 == 403) {
                ++$outputCpt{'403'};
            } elsif ($6 == 404) {
                ++$outputCpt{'404'};
            } elsif ($6 >= 400 && $6 < 500) {
                ++$outputCpt{'4XX'};
            } elsif ($6 == 500) {
                ++$outputCpt{'500'};
            } elsif ($6 >= 500 && $6 < 600) {
                ++$outputCpt{'5XX'};
            } else {
                ++$outputCpt{'others'};
            }
            $outputTotalBandwith += $7;
        } else {
            ++$outputCpt{'others'};
        }
    }

    $size = tell LOGFILE;
    close LOGFILE;
    return $size;
}

sub mtime {
    my ($filename) = @_;
    my $mtime = 0;
    unless (-e $filename && ($mtime = ((stat($filename))[8])) ) {
        print STDERR "Cannot get $filename mtime: $!\n";
        exit 65;
    }
    return $mtime;
}

sub inode {
    my ($filename) = @_;
    my $inode = 0;
    unless (-e $filename && ($inode = ((stat($filename))[1])) ) {
        print STDERR "Cannot get $filename inode: $!\n";
        exit 65;
    }
    return $inode;
}

sub get_directory_contents {
    my ($filename) = @_;
    my $dirname = dirname($filename);
    unless (opendir(DIR, $dirname)) {
        print STDERR "Cannot open directory $dirname: $!\n";
        exit 65;
    }
    my @direntries = readdir(DIR);
    closedir DIR;
    return @direntries;
}

sub determine_rotated_logfile {
    my ($filename,$inode) = @_;
    my $rotated_filename;
    # this subroutine tries to guess to where a given log file was
    # rotated. Its magic is mainly taken from logcheck's logoutput()
    # function with dateext magic added.

    #print "determine_rotated_logfile $filename $inode\n";
    for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
        my $func = do $codefile;
        if (!$func) {
            print STDERR "cannot compile $codefile: $!";
            exit 68;
        }
        $rotated_filename = $func->($filename);
        last if $rotated_filename;
    }
    #if ($rotated_filename) {
    #  print "rotated_filename $rotated_filename (". inode($rotated_filename). ")\n";
    #} else {
    #  print "no rotated file found\n";
    #}
    if ($rotated_filename && -e "$rotated_filename" && inode($rotated_filename) == $inode) {
        return $rotated_filename;
    } else {
        return "";
    }
}
foreach $logfile (@listingLogfiles) {
    my ($inode, $ino, $offset) = (0, 0, 0);

    if (! -f $logfile) {
        print "File $logfile cannot be read: $!\n";
        exit $ERRORS{UNKNOWN};
    }

    # We generate a unique offset filename
    $offsetfile = $TMP_DIR . '/nagios-logtail.' . md5_hex($logfile) . '.offset';
    $firstTimeReading = 0;
    if (! -f $offsetfile) {
        open(OFFSET, ">", $offsetfile);
        chmod 0600, $offsetfile;
        if (($ino,$size) = (stat($logfile))[1,7]) {
            # Unless we care about the historic before the
            # first call of this script, we just skip it.
            if ($COUNT_FIRST_READ_CATCHING_UP) {
                $size = 0;
            }
            print OFFSET "$ino\n$size\n";
        }
        close OFFSET;
    }


    if ($offsetfile) {
        # If offset file exists, open and parse it.
        if (open(OFFSET, $offsetfile)) {
            $_ = <OFFSET>;
            if (defined $_) {
                chomp $_;
                $inode = $_;
                $_ = <OFFSET>;
                if (defined $_) {
                    chomp $_;
                    $offset = $_;
                }
            }
        }

        # determine log file inode and size
        unless (($ino,$size) = (stat($logfile))[1,7]) {
            print "Cannot get $logfile file size: $!\n";
            exit $ERRORS{UNKNOWN};
        }

        if ($inode == $ino) {
            # inode is still the same
            next if $offset == $size; # short cut
            if ($offset > $size) {
                $offset = 0;
                print "(warning: possible tampering on $logfile) "
            }
        }

        if ($inode != $ino) {
            # this is the interesting case: inode has changed.
            # So the file might have been rotated. We need to print the
            # entire file.
            # Additionally, we might want to see whether we can find the
            # previous instance of the file and to process it from here.
            #print "inode $inode, ino $ino\n";
            my $rotatedfile = determine_rotated_logfile($logfile,$inode);
            if ( $rotatedfile && ! $firstTimeReading) {
                print_from_offset($rotatedfile,$offset);
            }
            # print the actual file from beginning
            $offset = 0;
        }
    }

    $size = print_from_offset($logfile,$offset);

    # update offset, unless test mode
    unless ($TEST_MODE) {
        unless (open(OFFSET, ">", $offsetfile)) {
            print STDERR "File $offsetfile cannot be created. Check your permissions: $!\n";
            exit 73;
        }
        print OFFSET "$ino\n$size\n";
        close OFFSET;
    }
}

# printing results
print "OK|";
foreach $key (sort keys %outputCpt) {
    print "'" . $key . "'=" . $outputCpt{$key} . ";;;; "
}
print "'total bandwidth'=" . $outputTotalBandwith . "B;;;;\n";
exit $ERRORS{'OK'};