From 732b72bdf1acd742a47b37e295e8cb0f254402e1 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 14 Jan 2021 07:47:10 +0100
Subject: [PATCH] More work on samba audit log parser
---
samba/autdit.pl | 69 +++++++++++++++++++++++++++++++--------------------
1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/samba/autdit.pl b/samba/autdit.pl
index f4bf010..c09ed54 100644
--- a/samba/autdit.pl
+++ b/samba/autdit.pl
@@ -2,26 +2,28 @@
 use warnings;
 use strict;
-use Data::Dumper;
+use JSON;
-my $users = {};
-my $machines = {};
-my $operations = {
- connect => 0,
- disconnect => 0,
- chdir => 0,
- open_read => 0,
- open_write => 0,
- close => 0,
- rename => 0,
- unlink => 0,
- mkdir => 0,
- rmdir => 0
-};
-my $files = {};
-my $statuses = {
- success => 0,
- failure => 0
+my $result = {
+ users => {},
+ machines => {},
+ operations => {
+ connect => 0,
+ disconnect => 0,
+ chdir => 0,
+ open_read => 0,
+ open_write => 0,
+ close => 0,
+ rename => 0,
+ unlink => 0,
+ mkdir => 0,
+ rmdir => 0
+ },
+ files => {},
+ status => {
+ success => 0,
+ failure => 0
+ }
 };
 my $re_date = qr/(?\w{3})\s(?\d{1,2})\s(?[\d+]{1,2}):(?\d{1,2}):(?\d{1,2})/;
@@ -34,6 +36,7 @@ my $re_share = qr/\w[\w\-]+/;
 my $re_status = qr/ok|fail\s+[^\|]+/;
 while (){
+ chomp;
 # Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
 next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?$re_user)\|(?$re_ip)\|(?$re_hostname)\|(?$re_share)\|(?$re_op)\|(?$re_status)\|/;
 my $date = $+{date};
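Review bot: The new `$result` literal pre-declares `users`, `machines`, `files` and `status`, but not the `ip` bucket that the loop later increments with `$result->{ip}->{$ip}++`; that key only appears through autovivification, so a log with no matching lines emits JSON with the other empty buckets present and `ip` missing. Add `ip => {},` next to `machines => {},` so the output schema is the same regardless of input. Separately, `use JSON;` brings in a CPAN module; the core `JSON::PP` exports the same `to_json`, so `use JSON::PP;` is a drop-in if a non-core dependency is unwanted on the hosts that run this.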
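Review bot: The new `chomp;` acts on `$_` filled by the `while` read on the line above, whose read operator is lost in this rendering; if it is the diamond `<>`, each @ARGV entry goes through 2-arg `open` semantics, where a trailing `|` in a filename is treated as a pipe to a command, and `<<>>` (5.22+) or an explicit `<STDIN>` avoids that. The body that follows also leans on `$_` implicitly across several regex matches, so `while (my $line = <STDIN>) { chomp $line; ... }` with `$line =~ m/.../` would make the data flow explicit. The loop body continues past the end of this hunk.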
@@ -44,35 +47,39 @@ while (){
 my $operation = $+{operation};
 my $status = $+{status};
 my $open_mode;
- my $file;
+ my $file = '';
 my $new_name;
 if ($operation eq 'open'){
 m/(r|w)\|(?$re_path)$/;
 $open_mode = $1;
 $file = $+{file};
 if ($open_mode eq 'r'){
- $operations->{open_read}++;
+ $result->{operations}->{open_read}++;
 } else {
- $operations->{open_write}++;
+ $result->{operations}->{open_write}++;
 }
 } elsif ($operation eq 'rename') {
 m/(?$re_path)\|(?$re_path)$/;
 $file = $+{file};
 $new_name = $+{new_name};
- $operations->{rename}++;
- } else {
+ $result->{operations}->{rename}++;
+ } elsif ($operation =~ m/(dis)?connect/){
+ $result->{operations}->{$operation}++;
+}else {
 m/(?$re_path)$/;
 $file = $+{file};
- $operations->{$operation}++;
+ $result->{operations}->{$operation}++;
 }
- $machines->{$ip} = 1;
- $users->{$user} = 1;
- $files->{$file} = 1;
+ $result->{machines}->{$machine}++;
+ $result->{ip}->{$ip}++;
+ # Skip machine account, do not count it as a user action
+ $result->{users}->{$user}++ unless ($user =~ m/_$/);
+ $result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});
 if ($status eq 'ok'){
- $statuses->{success}++;
+ $result->{status}->{success}++;
 } else {
- $statuses->{failure}++;
+ $result->{status}->{failure}++;
 }
 }
-print "Sucess : $statuses->{success}\nFailure : $statuses->{failure}\n";
+print to_json($result, { pretty => 1});
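Review bot: The new line `$result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});` also runs for connect and disconnect events, where `$file` is still the new `''` default, so every session start and end is counted as an access to a pseudo-file `"$share/"`; guard on emptiness as well: `$result->{files}->{"$share/$file"}++ if length $file and $file !~ m{^/};`. The comment on `$result->{users}->{$user}++ unless ($user =~ m/_$/);` says machine accounts are skipped, but Samba machine accounts conventionally end in `$`, so unless the audit log rewrites that character to `_` the test never matches and machine activity is counted as user actions — please confirm against a real log line. `$result->{machines}->{$machine}++` uses `$machine`, which is not declared inside this hunk; presumably it is assigned from `$+{machine}` in the unchanged lines between `my $date` and `my $operation`. For the final `print to_json($result, { pretty => 1});`, `canonical => 1` would give deterministic key order, which matters if the report is diffed between runs or ingested by a log pipeline. The new `}else {` also wants a space after the brace to match the surrounding `} else {` style.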