parent
2f250fbd56
commit
06d7b1d253
1 changed files with 110 additions and 0 deletions
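--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,110 @@
+#!/usr/bin/perl -w
+
+use warnings;
+use strict;
+use JSON;
+
+my $result = {
+users => {},
+machines => {},
+operations => {
+connect => 0,
+disconnect => 0,
+chdir => 0,
+open_read => 0,
+open_write => 0,
+close => 0,
+rename => 0,
+unlink => 0,
+mkdir => 0,
+rmdir => 0
+},
+files => {},
+status => {
+success => 0,
+failure => 0
+}
+};
+
+my $re_date = qr/(?<month>\w{3})\s(?<day>\d{1,2})\s(?<hour>[\d+]{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})/;
+my $re_hostname = qr/\w[\w\-]+/;
+my $re_user = qr/\w[\w\-]+/;
+my $re_op = qr/connect|disconnect|chdir|open|close|rename|unlink|mkdir|rmdir/;
+my $re_path = qr{/?(\.|([^\|]/?)*)};
+my $re_ip = qr/(\d{1,3}\.){3}\d{1,3}/;
+my $re_share = qr/\w[\w\-]+/;
+my $re_status = qr/ok|fail\s+[^\|]+/;
+
+while (<STDIN>){
+chomp;
+# Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
+next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?<user>$re_user)\|(?<ip>$re_ip)\|(?<machine>$re_hostname)\|(?<share>$re_share)\|(?<operation>$re_op)\|(?<status>$re_status)\|/;
+my $date = $+{date};
+my $user = $+{user};
+my $ip = $+{ip};
+my $machine = $+{machine};
+my $share = $+{share};
+my $operation = $+{operation};
+my $status = $+{status};
+my $open_mode;
+my $file = '';
+my $new_name;
+if ($operation eq 'open'){
+m/(r|w)\|(?<file>$re_path)$/;
+$open_mode = $1;
+$file = $+{file};
+if ($open_mode eq 'r'){
+$result->{operations}->{open_read}++;
+} else {
+$result->{operations}->{open_write}++;
+}
+} elsif ($operation eq 'rename') {
+m/(?<file>$re_path)\|(?<new_name>$re_path)$/;
+$file = $+{file};
+$new_name = $+{new_name};
+$result->{operations}->{rename}++;
+} elsif ($operation =~ m/(dis)?connect/){
+$result->{operations}->{$operation}++;
+}else {
+m/(?<file>$re_path)$/;
+$file = $+{file};
+$result->{operations}->{$operation}++;
+}
+$result->{machines}->{$machine}++;
+$result->{ip}->{$ip}++;
+# Skip machine account, do not count it as a user action
+$result->{users}->{$user}++ unless ($user =~ m/_$/);
+$result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});
+if ($status eq 'ok'){
+$result->{status}->{success}++;
+} else {
+$result->{status}->{failure}++;
+}
+}
+
+$result->{distinct} = {
+users => scalar keys %{$result->{users}},
+machines => scalar keys %{$result->{machines}},
+ip => scalar keys %{$result->{ip}},
+files => scalar keys %{$result->{files}},
+};
+
+$result->{top10} = {
+users => get_top($result->{users}),
+machines => get_top($result->{machines}),
+ip => get_top($result->{ip}),
+files => get_top($result->{files}),
+operations => get_top($result->{operations})
+};
+
+print to_json($result, { pretty => 1});
+
+sub get_top {
+my $hash = shift;
+my $res = [];
+foreach my $item (sort { $hash->{$b} <=> $hash->{$a} } keys %{$hash}){
+push @{$res}, $item . " ($hash->{$item})";
+last if (scalar(@{$res}) ge 010);
+}
+return $res;
+}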
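Review bot: The three tail matches inside the `if ($operation eq 'open')` chain — `m/(r|w)\|(?<file>$re_path)$/;`, `m/(?<file>$re_path)\|(?<new_name>$re_path)$/;` and `m/(?<file>$re_path)$/;` — run only for their side effect and are never checked, so a line whose tail does not match leaves `$1` and `%+` holding values from the preceding `next unless m/^$re_date.../` match: `$open_mode` then holds a stale capture from that header match (and the line is counted under `open_write`), and `$file` is undef, which warns in `$share . '/' . $file` and `$file =~ m{^/}`; each should become `next unless m/.../;` or a guarded `if (m/.../) { ... }`. `my $date = $+{date};` reads a named capture no pattern defines (`$re_date` names only month, day, hour, minute and seconds), so `$date` is always undef. In `get_top`, `scalar(@{$res}) ge 010` is a string comparison against the octal literal 8, so `top10` stops after eight entries; `last if @{$res} >= 10;` matches what the key name promises. `$re_path`'s `([^\|]/?)*` lets a `/` be consumed either by `[^\|]` or by `/?`, so a non-matching tail with many slashes (file names are client-supplied) may backtrack heavily; since the group accepts exactly the pipe-free strings, `qr{[^|]*}` is the unambiguous equivalent.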