#!/usr/bin/env python3
# Written by Mike McPhee, Dec 2022.
# 45Drives
import re
import os
import sys
import json
import syslog
import subprocess
def processLog2(userdict: dict, connectionActions: dict):
    """Fold one parsed audit-log entry into the nested ``connectionActions`` map.

    ``connectionActions`` is keyed ip -> machine -> username -> record, where
    a record is ``{"count": int, "actions": list, "paths": dict}``.  Each call
    bumps the record's ``count``, appends the entry's share name, date and
    newline-stripped action to ``actions``, and tallies in ``paths`` every
    ``|``-separated segment of the action that starts with ``/``.

    ``userdict`` must carry the keys ``ipaddress``, ``localmachine``,
    ``username``, ``sharename``, ``date`` and ``action`` (a KeyError is
    raised otherwise).  Mutates ``connectionActions`` in place; returns None.
    """
    by_machine = connectionActions.setdefault(userdict["ipaddress"], {})
    by_user = by_machine.setdefault(userdict["localmachine"], {})
    record = by_user.setdefault(
        userdict["username"], {"count": 0, "actions": [], "paths": {}}
    )

    action = userdict["action"].strip('\n')
    record["count"] += 1
    record["actions"].append({
        "sharename": userdict["sharename"],
        "action": action,
        "date": userdict["date"],
    })

    # The action field is pipe-delimited; only segments that look like
    # absolute paths are counted.  Each segment is stripped again because a
    # newline may sit directly next to a '|' inside the field.
    for segment in action.split('|'):
        segment = segment.strip('\n')
        if segment.startswith("/"):
            record["paths"][segment] = record["paths"].get(segment, 0) + 1
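def _prom_label(value: str) -> str:
    """Return *value* double-quoted and escaped as a Prometheus label value.

    The label values this script emits (client IP, machine name, username)
    are copied straight out of the Samba audit log and so are chosen by the
    SMB client.  Printed raw, a name containing ``}``, ``,`` or ``"`` would
    break the metric line or let a client forge extra labels; the exposition
    format requires quoted values with backslash, quote and newline escaped.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{escaped}"'


def _parse_line(line: str):
    """Split one audit-log line on ``???`` into the dict ``processLog2`` expects.

    Field order is the original script's: [1]=ip, [2]=user, [3]=machine,
    [4]=share, [5]=date, [6]=action; field [0] (text before the first
    separator) is ignored.  Returns None for a line with fewer than seven
    fields so one malformed line does not abort the whole export with an
    IndexError.
    """
    fields = line.split('???')
    if len(fields) < 7:
        return None
    return {
        "ipaddress": fields[1],
        "username": fields[2],
        "localmachine": fields[3],
        "sharename": fields[4],
        "date": fields[5],
        "action": fields[6],
    }


def main():
    """Aggregate /var/log/samba/smb_audit.log and print Prometheus-style text.

    Every well-formed line is folded into ``connectionActions`` via
    ``processLog2``; then one ``smb_audit_log_entry`` counter is printed per
    (ip, machine, user) triple, followed by that triple's per-path hit counts
    as ``#`` comment lines.  Output goes to stdout; read errors go to stderr
    and the headers are still emitted.
    """
    log_path = "/var/log/samba/smb_audit.log"
    connectionActions: dict = {}
    try:
        # Open the file directly instead of `cat` through shell=True: no
        # shell, no subprocess, and no stderr pipe that was never read or
        # waited on.  errors="replace" keeps a stray non-UTF-8 byte in a
        # client-supplied name from aborting the run.
        with open(log_path, encoding="utf-8", errors="replace") as log:
            for line in log:
                entry = _parse_line(line)
                if entry is not None:
                    processLog2(entry, connectionActions)
    except OSError as exc:
        # The original silently produced headers only when `cat` failed;
        # keep that shape but say why there is no data.
        print(f"logparse2: cannot read {log_path}: {exc}", file=sys.stderr)

    # "# HELP"/"# TYPE" need the space: "#HELP" is just an ordinary comment
    # to an exposition-format parser.
    print("# HELP smb_audit_log_entry Number of times each username/machine/ip combination appears in the smb audit log")
    print("# TYPE smb_audit_log_entry counter")
    for ip, machines in connectionActions.items():
        for machine, users in machines.items():
            for user, data in users.items():
                labels = ",".join((
                    f"ip={_prom_label(ip)}",
                    f"machine={_prom_label(machine)}",
                    f"user={_prom_label(user)}",
                ))
                print(f"smb_audit_log_entry{{{labels}}} {data['count']}")
                # Per-path detail as comments: a bare "\t/path N" line is not
                # valid exposition text and would make a textfile collector
                # reject the whole file.
                for path, hits in data["paths"].items():
                    print(f"#\t{path} {hits}")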
# Run the export only when executed as a script, not when imported.
if __name__ == "__main__":
    main()