#!/usr/bin/perl

# Author: Paul Slootman <paul@debian.org> 2001/03/14
# Licence: GPL
# Written for debian logcheck, basically duplicating the old compiled
# logtail program's behaviour in perl so that the package isn't
# architecture-dependent.

my ($logfile, $offsetfile) = @ARGV;
if (! -f $logfile) {
        print "File $logfile cannot be read.\n";
        exit 66;
}
unless ($offsetfile) {
        # offsetfile not given, use .offset/$logfile in the same directory
        $offsetfile = $logfile . '.offset';
}

unless (open(LOGFILE, $logfile)) {
        print "File $logfile cannot be read.\n";
        exit 66;
}

my ($inode, $offset) = (0, 0);

if (open(OFFSET, $offsetfile)) {
        $_ = <OFFSET>;
        unless (! defined $_) {
                chomp $_;
                $inode = $_;
                $_ = <OFFSET>;
                unless (! defined $_) {
                        chomp $_;
                        $offset = $_;
                }
        }
}

my ($ino, $size);
unless ((undef,$ino,undef,undef,undef,undef,undef,$size) = stat $logfile) {
        print "Cannot get $logfile file size.\n", $logfile;
        exit 65;
}

if ($inode == $ino) {
    exit 0 if $offset == $size; # short cut
    if ($offset > $size) {
        $offset = 0;
        print "***************\n";
        print "*** WARNING ***: Log file $logfile is smaller than last time checked!\n";
        print "*************** This could indicate tampering.\n";
    }
}
if ($inode != $ino || $offset > $size) {
        $offset = 0;
}

seek(LOGFILE, $offset, 0);
print <LOGFILE>;
$size = tell LOGFILE;
close LOGFILE;

unless (open(OFFSET, ">$offsetfile")) {
        print "File $offsetfile cannot be created. Check your permissions.\n";
        exit 73;
}
unless (chmod 0600, $offsetfile) {
        print "Cannot set permissions on file $offsetfile\n";
        exit 65;
}
print OFFSET "$ino\n$size\n";
close OFFSET;

exit 0;
