def get_ossec_logs(limit=2000):
    """Parse the last ``limit`` lines of ossec.log into log dictionaries.

    Lines that ``get_ossec_log_fields`` cannot parse (for example continuation
    lines of a multi-line message) are skipped, so fewer than ``limit`` entries
    may be returned.

    Parameters
    ----------
    limit : int
        Number of trailing lines of ossec.log to read. Defaults to 2000.

    Returns
    -------
        logs : list
            List of dictionaries with keys ``timestamp`` (timezone-aware UTC),
            ``tag``, ``level`` and ``description``.
    """
    entries = []

    for raw_line in tail(common.ossec_log, limit):
        parsed = get_ossec_log_fields(raw_line)
        if not parsed:
            continue

        when, tag, level, description = parsed
        # ossec.log timestamps are written in local time; expose them as UTC
        # (ISO8601) so consumers on different hosts see consistent values.
        entries.append({
            'timestamp': when.astimezone(timezone.utc),
            'tag': tag,
            'level': level,
            'description': description,
        })

    return entries
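def ossec_log(type_log='all', category='all', months=3, offset=0, limit=common.database_limit, sort_by=None,
              sort_ascending=True, search_text=None, complementary_search=False, search_in_fields=None, q=''):
    """Gets logs from ossec.log.

    Only the last 2000 lines of ossec.log are inspected. Lines that do not parse as a log
    entry (e.g. the continuation lines of a multi-line message) are appended to the
    description of the last collected entry when their tag and level match it.

    Every collected item is a dictionary with keys ``timestamp`` (UTC), ``tag``, ``level``
    and ``description``; repeated ``statfs`` errors are collapsed into a single such item
    (the path in that message is already masked by the literal used here).

    Relies on the module-level ``node_id`` to build the result messages.

    :param type_log: Filters by log type: all, error or info.
    :param category: Filters by log category (i.e. ossec-remoted).
    :param months: Returns logs of the last n months. By default is 3 months.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort_by: Fields to sort the items by
    :param sort_ascending: Sort in ascending (true) or descending (false) order
    :param search_text: Text to search
    :param complementary_search: Find items without the text to search
    :param search_in_fields: Fields to search in
    :param q: Defines query to filter.
    :return: AffectedItemsWazuhResult
    """
    result = AffectedItemsWazuhResult(all_msg=f"Logs read successfully"
                                              f"{' in specified node' if node_id != 'manager' else ''}",
                                      some_msg='Could not read logs in some nodes',
                                      none_msg=f"Could not read logs"
                                               f"{' in specified node' if node_id != 'manager' else ''}"
                                      )
    logs = []

    first_date = previous_month(months)
    statfs_error = "ERROR: statfs('******') produced error: No such file or directory"
    # Tag and level of the most recently parsed line; used to attach continuation lines.
    log_category = level = None

    for line in tail(common.ossec_log, 2000):
        log_fields = get_ossec_log_fields(line)
        if not log_fields:
            # Unparseable line: treat it as a continuation of the last collected entry when
            # the most recently parsed line shares that entry's tag and level.
            if logs and line and log_category == logs[-1]['tag'] and level == logs[-1]['level']:
                logs[-1]['description'] += "\n" + line
            continue

        log_date, log_category, level, description = log_fields

        if log_date < first_date:
            continue

        # A category filter never matches an untagged line.
        if category != 'all' and (not log_category or log_category != category):
            continue

        # We transform local time (ossec.log) to UTC with ISO8601 maintaining time integrity
        log_line = {'timestamp': log_date.astimezone(timezone.utc),
                    'tag': log_category, 'level': level, 'description': description}

        if type_log == 'all':
            logs.append(log_line)
        elif type_log.lower() == level.lower():
            if "ERROR: statfs(" in line:
                # Collapse repeated statfs errors into one entry. The collapsed entry keeps the
                # same dict shape as every other item: appending the bare string would make the
                # continuation handling above (logs[-1]['tag']) and process_array fail on it.
                if not any(entry['description'] == statfs_error for entry in logs):
                    log_line['description'] = statfs_error
                    logs.append(log_line)
            else:
                logs.append(log_line)

    data = process_array(logs, search_text=search_text, search_in_fields=search_in_fields,
                         complementary_search=complementary_search, sort_by=sort_by,
                         sort_ascending=sort_ascending, offset=offset, limit=limit, q=q)
    result.affected_items.extend(data['items'])
    result.total_affected_items = data['totalItems']

    return result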