More work on samba audit log parser

Daniel Berteaud 4 years ago
parent adf83d7a4e
commit 732b72bdf1
  1. 43
      samba/autdit.pl

@ -2,11 +2,12 @@
use warnings; use warnings;
use strict; use strict;
use Data::Dumper; use JSON;
my $users = {}; my $result = {
my $machines = {}; users => {},
my $operations = { machines => {},
operations => {
connect => 0, connect => 0,
disconnect => 0, disconnect => 0,
chdir => 0, chdir => 0,
@ -17,11 +18,12 @@ my $operations = {
unlink => 0, unlink => 0,
mkdir => 0, mkdir => 0,
rmdir => 0 rmdir => 0
}; },
my $files = {}; files => {},
my $statuses = { status => {
success => 0, success => 0,
failure => 0 failure => 0
}
}; };
my $re_date = qr/(?<month>\w{3})\s(?<day>\d{1,2})\s(?<hour>[\d+]{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})/; my $re_date = qr/(?<month>\w{3})\s(?<day>\d{1,2})\s(?<hour>[\d+]{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})/;
@ -34,6 +36,7 @@ my $re_share = qr/\w[\w\-]+/;
my $re_status = qr/ok|fail\s+[^\|]+/; my $re_status = qr/ok|fail\s+[^\|]+/;
while (<STDIN>){ while (<STDIN>){
chomp;
# Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close # Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?<user>$re_user)\|(?<ip>$re_ip)\|(?<machine>$re_hostname)\|(?<share>$re_share)\|(?<operation>$re_op)\|(?<status>$re_status)\|/; next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?<user>$re_user)\|(?<ip>$re_ip)\|(?<machine>$re_hostname)\|(?<share>$re_share)\|(?<operation>$re_op)\|(?<status>$re_status)\|/;
my $date = $+{date}; my $date = $+{date};
@ -44,35 +47,39 @@ while (<STDIN>){
my $operation = $+{operation}; my $operation = $+{operation};
my $status = $+{status}; my $status = $+{status};
my $open_mode; my $open_mode;
my $file; my $file = '';
my $new_name; my $new_name;
if ($operation eq 'open'){ if ($operation eq 'open'){
m/(r|w)\|(?<file>$re_path)$/; m/(r|w)\|(?<file>$re_path)$/;
$open_mode = $1; $open_mode = $1;
$file = $+{file}; $file = $+{file};
if ($open_mode eq 'r'){ if ($open_mode eq 'r'){
$operations->{open_read}++; $result->{operations}->{open_read}++;
} else { } else {
$operations->{open_write}++; $result->{operations}->{open_write}++;
} }
} elsif ($operation eq 'rename') { } elsif ($operation eq 'rename') {
m/(?<file>$re_path)\|(?<new_name>$re_path)$/; m/(?<file>$re_path)\|(?<new_name>$re_path)$/;
$file = $+{file}; $file = $+{file};
$new_name = $+{new_name}; $new_name = $+{new_name};
$operations->{rename}++; $result->{operations}->{rename}++;
} elsif ($operation =~ m/(dis)?connect/){
$result->{operations}->{$operation}++;
}else { }else {
m/(?<file>$re_path)$/; m/(?<file>$re_path)$/;
$file = $+{file}; $file = $+{file};
$operations->{$operation}++; $result->{operations}->{$operation}++;
} }
$machines->{$ip} = 1; $result->{machines}->{$machine}++;
$users->{$user} = 1; $result->{ip}->{$ip}++;
$files->{$file} = 1; # Skip machine account, do not count it as a user action
$result->{users}->{$user}++ unless ($user =~ m/_$/);
$result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});
if ($status eq 'ok'){ if ($status eq 'ok'){
$statuses->{success}++; $result->{status}->{success}++;
} else { } else {
$statuses->{failure}++; $result->{status}->{failure}++;
} }
} }
print "Sucess : $statuses->{success}\nFailure : $statuses->{failure}\n"; print to_json($result, { pretty => 1});
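Review bot: The three per-operation matches at the `if ($operation eq 'open')`, `rename` and `else` branches are never checked for success, so when one fails `$1` and `%+` still hold the captures of the header match earlier in the loop body (which starts outside this hunk) and `$open_mode` silently becomes the month string, which the `else` branch then counts as `open_write`. I would name the mode capture and guard each branch, e.g. `next unless m/(?<mode>r|w)\|(?<file>$re_path)$/;` followed by `$open_mode = $+{mode};`, and the same `next unless` on the two `(?<file>$re_path)` matches, or emit a warning for the unparsed line so a malformed record is visible rather than miscounted. Two smaller points on the new side: `$file` stays `''` for connect/disconnect, so `$result->{files}->{$share . '/' . $file}++` records a bogus `share/` entry for every connection, and `$date = $+{date}` reads a named group that `$re_date` does not define (it has month/day/hour/minute/seconds), so `$date` appears to be always undef. `$new_name` is captured on rename but never used in `$result`; either drop it or document that it is intentionally unreported.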
