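import datetime
import glob
import os
import time

from lib import suricata_alert_log
from lib.log import reverse_log_reader

# NOTE(review): ``ujson`` is used below but its import is not visible in this
# chunk; presumably it is imported elsewhere in the file -- confirm.

# Only the leading date/time part of an eve ``timestamp`` is parsed; whatever
# follows the first '.' (fractional seconds, zone) is dropped first.
_EVE_TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"


def _last_record_timestamp(filename):
    """Return the epoch time of the newest usable eve record in *filename*.

    The file is read backwards, so the first record that carries a
    ``timestamp`` field is the most recent one. Blank lines, lines that are
    not valid JSON, records that are not JSON objects and timestamps that do
    not match ``_EVE_TIMESTAMP_FORMAT`` are skipped instead of aborting the
    whole listing (the previous version raised on any of these).

    :param filename: path of the log file (or rotated copy) to inspect
    :return: seconds since the epoch as an ``int``, or ``None`` when no
             usable record was found
    """
    for line in reverse_log_reader(filename=filename):
        if line['line'] == '':
            continue
        try:
            record = ujson.loads(line['line'])
        except ValueError:
            # not a JSON line (truncated write, junk): keep looking
            continue
        # a JSON array also supports ``in``, so guard the type explicitly
        if not isinstance(record, dict) or 'timestamp' not in record:
            continue
        try:
            stamp = datetime.datetime.strptime(
                record['timestamp'].split('.')[0], _EVE_TIMESTAMP_FORMAT)
        except (AttributeError, TypeError, ValueError):
            # timestamp present but not a string in the expected shape
            continue
        return int(time.mktime(stamp.timetuple()))
    return None


def _rotation_sequence(filename):
    """Return the numeric suffix of *filename* (``x.json.3`` -> ``3``).

    :param filename: log file path
    :return: the last dotted component as an ``int`` when it is purely
             numeric, otherwise ``None``
    """
    ext = filename.split('.')[-1]
    return int(ext) if ext.isdigit() else None


if __name__ == '__main__':
    # Build one row per alert log file (live log plus rotated copies), each
    # with its size, last-modified time, base name and rotation sequence.
    result = []
    for filename in sorted(glob.glob('%s*' % suricata_alert_log)):
        try:
            # single stat call; the original called os.stat() twice
            stat = os.stat(filename)
        except OSError:
            # file vanished between glob() and stat() (log rotation): skip it
            continue
        basename = filename.split('/')[-1]
        row = {'size': stat.st_size}
        # always list the file whose base name has exactly one '.', and any
        # other file only when it is non-empty
        if row['size'] > 0 or basename.count('.') == 1:
            row['filename'] = basename
            # prefer the newest record's own timestamp; fall back to the
            # file's mtime when no record could be parsed
            last_ts = _last_record_timestamp(filename)
            row['modified'] = last_ts if last_ts is not None else stat.st_mtime
            row['sequence'] = _rotation_sequence(filename)
            result.append(row)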
# filter one specific log line if 'filepos' in data_filters and data_filters['filepos'].isdigit(): log_start_pos = int(data_filters['filepos']) else: log_start_pos = None # query suricata eve log result = { 'filters': data_filters, 'rows': [], 'total_rows': 0, 'origin': suricata_log.split('/')[-1] } if os.path.exists(suricata_log): for line in reverse_log_reader(filename=suricata_log, start_pos=log_start_pos): try: record = ujson.loads(line['line']) except ValueError: # can not handle line record = {} # only process valid alert items if 'alert' in record: # add position in file record['filepos'] = line['pos'] record['fileid'] = parameters['fileid'] # flatten structure record['alert_sid'] = record['alert']['signature_id'] record['alert_action'] = record['alert']['action'] record['alert'] = record['alert']['signature']
data_filters_comp[filterField] = re.compile(filter_regexp) except sre_constants.error: # remove illegal expression #del data_filters[filterField] data_filters_comp[filterField] = re.compile('.*') # filter one specific log line if 'filepos' in data_filters and data_filters['filepos'].isdigit(): log_start_pos = int(data_filters['filepos']) else: log_start_pos = None # query suricata eve log result = {'filters':data_filters,'rows':[],'total_rows':0,'origin':suricata_log.split('/')[-1]} if os.path.exists(suricata_log): for line in reverse_log_reader(filename=suricata_log, start_pos=log_start_pos): try: record = ujson.loads(line['line']) except ValueError: # can not handle line record = {} # only process valid alert items if 'alert' in record: # add position in file record['filepos'] = line['pos'] # flatten structure record['alert_sid'] = record['alert']['signature_id'] record['alert'] = record['alert']['signature'] # use filters on data (using regular expressions)
import time import datetime from lib import suricata_alert_log from lib.log import reverse_log_reader if __name__ == '__main__': result = [] for filename in sorted(glob.glob('%s*' % suricata_alert_log)): row = dict() row['size'] = os.stat(filename).st_size # always list first file and non empty next. if row['size'] > 0 or filename.split('/')[-1].count('.') == 1: row['modified'] = os.stat(filename).st_mtime row['filename'] = filename.split('/')[-1] # try to find actual timestamp from file for line in reverse_log_reader(filename=filename): if line['line'] != '': try: record = ujson.loads(line['line']) except ValueError: continue if 'timestamp' in record: row['modified'] = int( time.mktime( datetime.datetime.strptime( record['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%S").timetuple())) break ext = filename.split('.')[-1] if ext.isdigit():