More work on samba audit log parser

master
Daniel Berteaud 4 years ago
parent adf83d7a4e
commit 732b72bdf1
  1. 45
      samba/autdit.pl

@ -2,11 +2,12 @@
use warnings;
use strict;
use Data::Dumper;
use JSON;
my $users = {};
my $machines = {};
my $operations = {
my $result = {
users => {},
machines => {},
operations => {
connect => 0,
disconnect => 0,
chdir => 0,
@ -17,11 +18,12 @@ my $operations = {
unlink => 0,
mkdir => 0,
rmdir => 0
};
my $files = {};
my $statuses = {
},
files => {},
status => {
success => 0,
failure => 0
}
};
my $re_date = qr/(?<month>\w{3})\s(?<day>\d{1,2})\s(?<hour>[\d+]{1,2}):(?<minute>\d{1,2}):(?<seconds>\d{1,2})/;
@ -34,6 +36,7 @@ my $re_share = qr/\w[\w\-]+/;
my $re_status = qr/ok|fail\s+[^\|]+/;
while (<STDIN>){
chomp;
# Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?<user>$re_user)\|(?<ip>$re_ip)\|(?<machine>$re_hostname)\|(?<share>$re_share)\|(?<operation>$re_op)\|(?<status>$re_status)\|/;
my $date = $+{date};
@ -44,35 +47,39 @@ while (<STDIN>){
my $operation = $+{operation};
my $status = $+{status};
my $open_mode;
my $file;
my $file = '';
my $new_name;
if ($operation eq 'open'){
m/(r|w)\|(?<file>$re_path)$/;
$open_mode = $1;
$file = $+{file};
if ($open_mode eq 'r'){
$operations->{open_read}++;
$result->{operations}->{open_read}++;
} else {
$operations->{open_write}++;
$result->{operations}->{open_write}++;
}
} elsif ($operation eq 'rename') {
m/(?<file>$re_path)\|(?<new_name>$re_path)$/;
$file = $+{file};
$new_name = $+{new_name};
$operations->{rename}++;
} else {
$result->{operations}->{rename}++;
} elsif ($operation =~ m/(dis)?connect/){
$result->{operations}->{$operation}++;
}else {
m/(?<file>$re_path)$/;
$file = $+{file};
$operations->{$operation}++;
$result->{operations}->{$operation}++;
}
$machines->{$ip} = 1;
$users->{$user} = 1;
$files->{$file} = 1;
$result->{machines}->{$machine}++;
$result->{ip}->{$ip}++;
# Skip machine account, do not count it as a user action
$result->{users}->{$user}++ unless ($user =~ m/_$/);
$result->{files}->{$share . '/' . $file}++ unless ($file =~ m{^/});
if ($status eq 'ok'){
$statuses->{success}++;
$result->{status}->{success}++;
} else {
$statuses->{failure}++;
$result->{status}->{failure}++;
}
}
print "Sucess : $statuses->{success}\nFailure : $statuses->{failure}\n";
print to_json($result, { pretty => 1});

Loading…
Cancel
Save