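#!/usr/bin/env perl
use strict;
use warnings;
use Data::Dumper qw(Dumper);
use File::Temp ();
use POSIX qw(strftime);

# Scans today's NetBackup bpjava-susvc log for policy, schedule and
# storage-unit admin commands, groups them by the user (PID) that ran them,
# writes a report to a temporary file and mails that report with mailx.
#
# The log records command buffers issued by the users being monitored, so
# every value taken from it is treated as untrusted text: it is never
# interpolated into a regex or handed to a shell.

# Log files are named log.MMDDYY; build the suffix in-process rather than
# spawning date(1) through a shell.
my $date       = strftime('%m%d%y', localtime);
my $input_file = "/usr/openv/netbackup/logs/bpjava-susvc/log." . $date;

# Placeholder carried over from the original listing; set a real recipient
# before running.
my $mail_to      = '<email_address>';
my $mail_subject = 'User tampering Netbackup policies';

# Commands whose execution is reported. A hash gives an exact-match lookup,
# so a command name read from the log can never act as a pattern.
my %watched = map { $_ => 1 } qw(
    bppolicynew
    bpplinfo
    bppllist
    bpplclients
    bppldelete
    bpplinclude
    bpplcatdrinfo
    bpplsched
    bpplschedrep
    bpplschedwin
    bpplvalid
    bpschedule
    bpstuadd
    bpstudel
);

my $prefix = "/usr/openv/netbackup/bin/admincmd";

# %info keeps every message per PID and type (including continuation lines);
# it is filled here but not used by the report below.
my (%info, %users, %commands, %pids);
my ($time, $pid, $type, $str);

open(my $log, '<', $input_file)
    or die "Could not open file $input_file: $!\n";

LINE:
while (my $line = <$log>) {
    chomp $line;
    next LINE if $line =~ /^\s*$/;

    # A line without a leading HH:MM:SS.mmm timestamp continues the previous
    # record. Skip it when no record has been seen yet, otherwise $pid and
    # $type would be undefined.
    if ($line !~ /^\d\d:\d\d:\d\d\.\d\d\d/) {
        next LINE unless defined $pid && defined $type;
        $info{$pid}{$type}[-1] .= "\n$line";
        next LINE;
    }

    # Expected layout: time [pid] <field> type: message
    my @field = split(/\s+/, $line, 5);
    next LINE if @field < 4;    # truncated record; nothing to classify

    ($time, $pid, $type) = @field[0, 1, 3];
    $pid  =~ tr/[]//d;
    $type =~ s/:$//;
    $str  = defined $field[4] ? $field[4] : '';

    push(@{ $info{$pid}{$type} }, $str);

    # The per-user temp file path carries the login name of the session.
    if ($type eq "mkTmpFile"
        && $str =~ /^temp filename = .*user_ops\/(.*)\/logs.*/)
    {
        $users{$pid} = $1;
        $pids{$pid}  = 1;
    }

    if ($type eq "command_EXEC" && $str =~ /EXEC_RETURN.*buffer = (.*)$/) {
        my $cmd = $1;

        # \Q...\E keeps the prefix literal inside the pattern.
        if ($cmd =~ /^"\Q$prefix\E\/(bp.*)" .*$/) {
            my ($name) = split(/\s+/, $1);
            $name =~ s/"//g;

            if (exists $watched{$name}) {
                $cmd =~ s/"//g;
                push(@{ $commands{$pid} }, $cmd);
            }
        }
    }
}
close($log);

# File::Temp creates the report with an unpredictable name, exclusive-create
# semantics and owner-only permissions, so a pre-planted file or symlink in
# /tmp cannot redirect the write and other local users cannot read the
# report. UNLINK => 0 leaves the file in place after the run, as before.
my $out = File::Temp->new(
    TEMPLATE => 'output.XXXXXXXX',
    DIR      => '/tmp',
    UNLINK   => 0,
);
my $output_file = $out->filename;
print "Output file name: $output_file\n";

foreach my $report_pid (sort keys %pids) {
    my $user = $users{$report_pid};

    # Always start from an empty list so one user's commands can never be
    # attributed to another ("my ... if" has undefined behaviour).
    my @cmds = exists $commands{$report_pid}
        ? @{ $commands{$report_pid} }
        : ();

    print {$out} "USER NAME: $user (PID: $report_pid)\n";

    if (!@cmds) {
        print {$out} "\t*** No Commands Executed ***\n\n";
        next;
    }

    print {$out} "\tCommands Executed:\n";
    my $n = 1;
    foreach my $cmd (@cmds) {
        print {$out} "\t$n. $cmd\n";
        $n++;
    }
    print {$out} "\n";
}

# Buffered write errors only surface at close; a truncated report must not
# be mailed as if it were complete.
close($out) or die "Can't write $output_file: $!\n";

if ($mail_to eq '<email_address>') {
    die "Report written to $output_file but not mailed: "
      . "set \$mail_to to a real recipient\n";
}

# Feed the report to mailx on stdin and pass the arguments as a list so no
# shell parses the subject, recipient or file name.
open(STDIN, '<', $output_file)
    or die "Can't reopen $output_file for mailing: $!\n";
system('mailx', '-s', $mail_subject, $mail_to) == 0
    or die "mailx failed (wait status $?)\n";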