fws
/
log_parsers
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

More work on samba audit log parser

Browse Source
master
Daniel Berteaud 3 years ago
parent adf83d7a4e
commit 732b72bdf1
1 changed files with 38 additions and 31 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 69
      samba/autdit.pl

69
samba/autdit.pl
Unescape View File

@ -2,26 +2,28 @@
use warnings;
use strict;
use Data::Dumper;
use JSON;
my $users = {};
my $machines = {};
my $operations = {
connect => 0,
disconnect => 0,
chdir => 0,
open_read => 0,
open_write => 0,
close => 0,
rename => 0,
unlink => 0,
mkdir => 0,
rmdir => 0
};
my $files = {};
my $statuses = {
success => 0,
failure => 0
my $result = {
users => {},
machines => {},
operations => {
connect => 0,
disconnect => 0,
chdir => 0,
open_read => 0,
open_write => 0,
close => 0,
rename => 0,
unlink => 0,
mkdir => 0,
rmdir => 0
},
files => {},
status => {
success => 0,
failure => 0
}
};
my $re_date = qr/(?<month>\w{3})\s(?<day>\d{1,2})\s(?<hour>[\d+]{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})/;
@ -34,6 +36,7 @@ my $re_share = qr/\w[\w\-]+/;
my $re_status = qr/ok|fail\s+[^\|]+/;
while (<STDIN>){
chomp;
# Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?<user>$re_user)\|(?<ip>$re_ip)\|(?<machine>$re_hostname)\|(?<share>$re_share)\|(?<operation>$re_op)\|(?<status>$re_status)\|/;
my $date = $+{date};
@ -44,35 +47,39 @@ while (<STDIN>){
my $operation = $+{operation};
my $status = $+{status};
my $open_mode;
my $file;
my $file = '';
my $new_name;
if ($operation eq 'open'){
m/(r|w)\|(?<file>$re_path)$/;
$open_mode = $1;
$file = $+{file};
if ($open_mode eq 'r'){
$operations->{open_read}++;
$result->{operations}->{open_read}++;
} else {
$operations->{open_write}++;
$result->{operations}->{open_write}++;
}
} elsif ($operation eq 'rename') {
m/(?<file>$re_path)\|(?<new_name>$re_path)$/;
$file = $+{file};
$new_name = $+{new_name};
$operations->{rename}++;
} else {
$result->{operations}->{rename}++;
} elsif ($operation =~ m/(dis)?connect/){
$result->{operations}->{$operation}++;
}else {
m/(?<file>$re_path)$/;
$file = $+{file};
$operations->{$operation}++;
$result->{operations}->{$operation}++;
}
$machines->{$ip} = 1;
$users->{$user} = 1;
$files->{$file} = 1;
$result->{machines}->{$machine}++;
$result->{ip}->{$ip}++;
# Skip machine account, do not count it as a user action
$result->{users}->{$user}++ unless ($user =~ m/_$/);
$result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});
if ($status eq 'ok'){
$statuses->{success}++;
$result->{status}->{success}++;
} else {
$statuses->{failure}++;
$result->{status}->{failure}++;
}
}
print "Sucess : $statuses->{success}\nFailure : $statuses->{failure}\n";
print to_json($result, { pretty => 1});

Write Preview
Loading…
Cancel
Save