$NetBSD$


NetBSD message on shutdown.
NetBSD message if user not known to the authentication.
NetBSD turnover message.
NetBSD connect message.
NetBSD rsh message.
NetBSD bad su message.
NetBSD root login message.
NetBSD user login message.

--- scripts/services/secure.orig	2011-03-01 17:29:48.000000000 +0000
+++ scripts/services/secure
@@ -209,6 +209,7 @@ while (defined($ThisLine = <STDIN>)) {
       ( $ThisLine =~ /^su\[\d+\]: pam_authenticate: Authentication failure/) or
       ( $ThisLine =~ /^passwd\[\d+\]:/) or
       ( $ThisLine =~ /^reboot:/) or
+      ( $ThisLine =~ /^shutdown:/) or
       ( $ThisLine =~ /^sudo:/) or
       ( $ThisLine =~ /^su: pam_unix2: session (started|finished) for user [^ ]+, service [^ ]+/) or
       ( $ThisLine =~ /^xinetd\[\d+\]: USERID: ([^ ]+) (.+)$/ ) or
@@ -228,6 +229,7 @@ while (defined($ThisLine = <STDIN>)) {
       ( $ThisLine =~ /^login\[\d+\]: ROOT LOGIN  on '\S+'/) or #debian: done in pam_unix (Similar message on other system is reported)
       ( $ThisLine =~ /^login\[\d+\]: FAILED LOGIN \(\d+\) on ['`]\S+' FOR `\S+', (Authentication failure|User not known to the underlying authentication module)/) or #debian: done in pam_unix
       ( $ThisLine =~ /^login: FAILED LOGIN 2 FROM (.*) FOR .*, (Authentication failure|User not known to the underlying authentication module)/) or
+      ( $ThisLine =~ /^login: 1 LOGIN FAILURE (FROM|ON)/) or #netbsd
       ( $ThisLine =~ /^login: pam_securetty(.*): unexpected response from failed conversation function/) or
       ( $ThisLine =~ /^pam_limits\[\d+\]/ ) or
       ( $ThisLine =~ /^kcheckpass(\[\d+\]|):/ ) or   # done in pam_unix
@@ -243,7 +245,7 @@ while (defined($ThisLine = <STDIN>)) {
       ( $ThisLine =~ /PAM pam_set_item: attempt to set conv\(\) to NULL/) or
       ( $ThisLine =~ /PAM pam_get_item: nowhere to place requested item/) or
       ( $ThisLine =~ /pam_succeed_if\(.*:.*\): error retrieving information about user [a-zA-Z]*/ ) or
-      ( $ThisLine =~ /logfile turned over/) or # newsyslog on OpenBSD
+      ( $ThisLine =~ /log(| )file turned over/) or # newsyslog on OpenBSD
       ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM \[error: [^ ]+ cannot open shared object file: No such file or directory\]/) or
       ( $ThisLine =~ /vmware-authd\[[0-9]+\]: PAM adding faulty module: [^ ]+/) or
       ( $ThisLine =~ /Connection closed by/) or
@@ -275,6 +277,23 @@ while (defined($ThisLine = <STDIN>)) {
       }
    } elsif ( ($Host,$User) = ($ThisLine =~ /^login: FAILED LOGIN \d+ FROM ([^ ]+) FOR ([^,]+),/ ) ) {
       $FailedLogins->{$User}->{$Host}++;
+   } elsif ( ($IP, $Service) = ($ThisLine =~ /^inetd\[\d+\]: connection from ([^ \n]+), service ([^ ]+)/) ) {
+      #NetBSD inetd
+      if ($Ignore =~ /\b\Q$Service\E\b/i) { next; }
+      if ($Summarize =~ /\Q$Service\E/) {
+         $Connections->{$Service}++;
+      } else {
+         $Name = LookupIP($IP);
+         $Connections->{$Service}->{$Name}++;
+      }
+   } elsif ( ($Service,$IP,undef) = ($ThisLine =~ /^([^ ]+):   from ([^ ]+) to ([^ ]+)(|\(\))/) ) {
+      #NetBSD rpcbind
+      $Name = LookupIP($IP);
+      if ($Summarize =~ /\Q$Service\E/) {
+         $Connections->{$Service}++;
+      } else {
+         $Connections->{$Service}->{$Name}++;
+      }
    } elsif ( ($Service,$IP) = ($ThisLine =~ /^([^ ]+)\[\d+\]: connect(ion)? from "?(\d+\.\d+\.\d+\.\d+).*/) ) {
       $Name = LookupIP($IP);
       if ($Summarize =~ /\Q$Service\E/) {
@@ -288,6 +307,13 @@ while (defined($ThisLine = <STDIN>)) {
       } else {
          $Connections->{$Service}->{$Name}++;
       }
+   } elsif ( ($Service,$Name) = ($ThisLine =~ /^(rshd)\[\d+\]: (.*): (.*)/) ) {
+      #NetBSD rshd
+      if ($Summarize =~ /\Q$Service\E/) {
+         $Connections->{$Service}++;
+      } else {
+         $Connections->{$Service}->{$Name}++;
+      }
    } elsif ( ($Service,$Su_msg) = ($ThisLine =~ /^(su)(?:\[\d+\])?:\s+('su \w+' succeeded for \w+) on/) ) {
       #Solaris su messages -mgt
       $Connections->{$Service}->{$Su_msg}++;
@@ -361,12 +387,22 @@ while (defined($ThisLine = <STDIN>)) {
    } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (BAD SU \w+ to \w+ on [^ ]+)/ ) ) {
    #OpenBSD su failed
       $Error{$Service}{$Err}++;
+   } elsif ( ($Service,$Err) = ($ThisLine =~ /^(su): (BAD SU \w+ to \w+) on [^ ]+/ ) ) {
+      #NetBSD su, minus ttys
+      $Error{$Service}{$Err}++;
    } elsif ( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+(ON|on)\s+`?tty[0-9]+/) {
       $RootLoginTTY++
+   } elsif (( $ThisLine =~ /^login(\[\d+\])*: ROOT LOGIN\s+\(\w+\)\s+on\s+`?tty([0-9]+| console)/) or
+            ( $ThisLine =~ /^login(\[\d+\])*: root on tty ttyp[0-9]+/)) {
+      #NetBSD root login
+      $RootLoginTTY++
    } elsif ( $ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user root .*/) {
       $RootLoginTTY++
    } elsif ( (undef,$User) = ($ThisLine =~ /^login: LOGIN ON (tty|pts\/)[0-9]+ BY ([^ ]+)/ )) {
       $UserLogin{$User}++;
+   } elsif ( ($User,undef,undef) = ($ThisLine =~ /^login: ([^ ]+) on (tty|pts\/)([0-9]+| console)/ )) {
+      #NetBSD user login
+      $UserLogin{$User}++;
    } elsif ( ($User,undef) = ($ThisLine =~ /^com.apple.SecurityServer: authinternal authenticated user ([^ ]+) .*/ )) {
       $UserLogin{$User}++;
    } elsif ( $ThisLine =~ s/^userdel\[\d+\]: delete user `(.+)'/$1/ ) {
@@ -445,7 +481,7 @@ while (defined($ThisLine = <STDIN>)) {
       $UnknownUser{$User}++;
    } elsif ($ThisLine =~ /^pam_pwdfile\[\d+\]: password too short or NULL/) {
       $pwd_file_too_short++;
-   } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/ttyp([0-9a-z]+)/) ) {
+   } elsif ( ($User,$Su) = ($ThisLine =~ /^su: ([^ ]+) to ([^ ]+) on \/dev\/(console|tty(q|p)([0-9a-z]+))/) ) {
       $Su_User{$User}{$Su}++;
    } elsif ( ($Su,$User) = ($ThisLine =~ /^su: \(to ([^ ]+)\) ([^ ]+) on (?:none|\/dev\/(pts\/|ttyp)([0-9]+))/) ) {
       $Su_User{$User}{$Su}++;
