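def parseDNS(message, lastTime):
    """Turn a DNS-query syslog record into one ``<host>_DNS`` output line.

    Args:
        message: JSON-encoded syslog record with the keys ``time``,
            ``syslogtag`` and ``msg``.
        lastTime: datetime used as a watermark; records dated before it are
            skipped.

    Returns:
        ``'<host>_DNS,domain=<domain>,localIP=<ip> value=1 <unix-ts>'``, or
        ``''`` when the record is older than ``lastTime``, has fewer than five
        tokens in ``msg``, or no domain can be extracted.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated from
            ``json.loads`` / the dict lookups).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    # The syslog tag ends in ':'; strip it to get the bare host name.
    lineHostName = lineParsedLine["syslogtag"][:-1]
    lineParsedMsg = lineParsedLine["msg"].split()
    # Local IP sits at token 2 and the queried name at token 4; a shorter
    # message used to raise IndexError instead of being skipped.
    if len(lineParsedMsg) < 5:
        return ''
    lineLocalIP = lineParsedMsg[2][:-1]
    queriedName = lineParsedMsg[4]
    lineDestDomain = ''
    if re.match(r"[a-z0-9-]*\.[a-z0-9-]", queriedName):
        # NOTE: `\.{1,61}` quantifies the dot itself (one to 61 dots), not a
        # label; the pattern is kept verbatim so the accepted inputs do not
        # change. It is anchored at the end and so yields the last two labels
        # plus the trailing dot, which [:-1] removes. Matching is
        # case-sensitive, so upper-case names are skipped.
        matches = re.findall(r"[a-z0-9-]*\.{1,61}[a-z0-9-]*\.{1,61}$", queriedName)
        # A name without a trailing dot passes re.match but not findall;
        # indexing matches[0] used to raise IndexError in that case.
        if matches:
            lineDestDomain = matches[0][:-1]
    if lineDestDomain == '':
        return ''
    # NOTE(review): the domain is inserted into the output unescaped; if the
    # consumer is InfluxDB line protocol, ',', '=' and ' ' inside a tag value
    # would need escaping -- confirm against the writer.
    parsedLine = (lineHostName + '_DNS' + ',domain=' + lineDestDomain
                  + ',localIP=' + lineLocalIP + ' value=1 '
                  + str(int(lineDate.timestamp())))
    return parsedLine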
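def parseInterface(message, lastTime):
    """Turn an interface-statistics syslog record into one output line.

    ``msg`` is expected to look like ``"<c><host>: name=...;rx-bits-per-second=...;..."``:
    the first character is dropped, the host name runs up to ``": "`` and the
    remaining ``;``-separated ``key=value`` segments carry the counters.

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_INTERFACES,Interface=<name> RX=..,TX=..,RXDrops=..,TXDrops=..,RXError=..,TXError=.. <unix-ts>'``,
        or ``''`` when the record is too old or any of the seven fields is
        absent from ``msg``.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    line = lineParsedLine["msg"]
    lineHostName = line[1:line.find(": ")]
    # Keys are matched by substring, as before: every segment that *contains*
    # the key supplies the value after its first '=', and the last one wins.
    fields = {
        "name": None,
        "rx-bits-per-second": None,
        "tx-bits-per-second": None,
        "rx-drops-per-second": None,
        "rx-errors-per-second": None,
        "tx-drops-per-second": None,
        "tx-errors-per-second": None,
    }
    for segment in line.split(";"):
        for key in fields:
            if key in segment:
                fields[key] = segment[segment.find("=") + 1:]
    # A field that never appeared used to surface as UnboundLocalError when
    # the output line was assembled; treat the record as unparsable instead.
    if any(value is None for value in fields.values()):
        return ''
    parsedLine = (lineHostName + '_INTERFACES' + ',Interface=' + fields["name"]
                  + ' RX=' + fields["rx-bits-per-second"]
                  + ',TX=' + fields["tx-bits-per-second"]
                  + ',RXDrops=' + fields["rx-drops-per-second"]
                  + ',TXDrops=' + fields["tx-drops-per-second"]
                  + ',RXError=' + fields["rx-errors-per-second"]
                  + ',TXError=' + fields["tx-errors-per-second"]
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine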
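def parseDNS_cache(message, lastTime):
    """Turn a DNS-cache statistics syslog record into one ``<host>_DNS`` line.

    Scans the whitespace-separated tokens of ``msg`` for ``cache_size``,
    ``cache_used`` and ``cache_items`` (substring match, value after the first
    ``=``); the host name is token 0 minus its trailing ``:``.

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_DNS CacheSize=<n>,CacheUsed=<n>,CacheItems=<n> <unix-ts>'``,
        or ``''`` when the record is too old or any of the three values is
        missing or empty.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    lineParsedMsg = lineParsedLine["msg"].split()
    # None marks "never seen"; the original left the name unbound in that
    # case and failed with UnboundLocalError when building the output.
    lineCacheSize = None
    lineCacheUsed = None
    lineCacheItems = None
    for token in lineParsedMsg:
        value = token[token.find("=") + 1:]
        if "cache_size" in token:
            lineCacheSize = value
        if "cache_used" in token:
            lineCacheUsed = value
        if "cache_items" in token:
            lineCacheItems = value
    # Missing or empty counters make the record unusable.
    if not lineCacheSize or not lineCacheUsed or not lineCacheItems:
        return ''
    lineHostName = lineParsedMsg[0][:-1]
    parsedLine = (lineHostName + '_DNS' + ' CacheSize=' + lineCacheSize
                  + ',CacheUsed=' + lineCacheUsed + ',CacheItems=' + lineCacheItems
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine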
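def parseUserLoginFailure(message, lastTime):
    """Turn a failed-login syslog record into one ``<host>_USERS`` line.

    Token-position variant: ``msg`` is stripped and split on whitespace, with
    the host (plus trailing ``:``) at index 0, the user name at 5, the source
    IP at 7 and the access method at 9.

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_USERS,Action=login_failure,UserName=<u>,Via=<via>,IP=<ip> value=1 <unix-ts>'``,
        or ``''`` when the record is too old or has fewer than ten tokens.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    lineParsedMsg = lineParsedLine["msg"].strip().split()
    # Fixed token positions up to index 9; a shorter message used to raise
    # IndexError instead of being skipped.
    if len(lineParsedMsg) < 10:
        return ''
    lineHostName = lineParsedMsg[0][:-1]
    lineUserName = lineParsedMsg[5]
    lineIP = lineParsedMsg[7]
    lineVIA = lineParsedMsg[9]
    # NOTE(review): the source line here was garbled (`',UserName='******',Via='`);
    # reconstructed as the concatenation of lineUserName, which is otherwise
    # unused -- confirm against the original file. The user name comes
    # straight from the log and is not escaped; a value containing ',', '='
    # or ' ' would corrupt the tag set of this line.
    parsedLine = (lineHostName + '_USERS' + ',Action=login_failure'
                  + ',UserName=' + lineUserName + ',Via=' + lineVIA
                  + ',IP=' + lineIP + ' value=1 '
                  + str(int(lineDate.timestamp())))
    return parsedLine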
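def parseDNS_cache(message, lastTime):
    """Turn a DNS-cache statistics syslog record into one ``<host>_DNS`` line.

    Positional variant: ``msg`` is split on whitespace and the values are
    taken by slicing fixed prefixes off tokens 2, 3 and 4 (``cache_size=``,
    ``cache_used=`` and ``cache_items=`` are 11, 11 and 12 characters long).

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_DNS CacheSize=<n>,CacheUsed=<n>,CacheItems=<n> <unix-ts>'``,
        or ``''`` when the record is too old or has fewer than five tokens.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    lineParsedMsg = lineParsedLine["msg"].split()
    # Tokens 0..4 are addressed below; a shorter message used to raise
    # IndexError instead of being skipped.
    if len(lineParsedMsg) < 5:
        return ''
    lineHostName = lineParsedMsg[0][:-1]
    lineCacheSize = lineParsedMsg[2][11:]   # after "cache_size="
    lineCacheUsed = lineParsedMsg[3][11:]   # after "cache_used="
    lineCacheItems = lineParsedMsg[4][12:]  # after "cache_items="
    parsedLine = (lineHostName + '_DNS' + ' CacheSize=' + lineCacheSize
                  + ',CacheUsed=' + lineCacheUsed + ',CacheItems=' + lineCacheItems
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine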
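def parseAccounting(message, lastTime):
    """Turn a traffic-accounting syslog record into one ``<host>_accounting`` line.

    Positional variant: ``msg`` is stripped and split on ``;``. The host name
    is the part of segment 0 before ``": "``; ``bytes=`` (6 chars) is sliced
    off segment 1, ``dst-address=`` (12 chars) off segment 2 and
    ``src-address=`` (12 chars) off segment 4.

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_accounting,DestinationIP=<dst>,SourceIP=<src> bytes=<n> <unix-ts>'``,
        or ``''`` when the record is too old or has fewer than five segments.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    lineParsedMsg = lineParsedLine["msg"].strip().split(';')
    # Segments 0..4 are addressed below; a shorter message used to raise
    # IndexError instead of being skipped.
    if len(lineParsedMsg) < 5:
        return ''
    lineHostName = lineParsedMsg[0][:lineParsedMsg[0].find(": ")]
    lineDST = lineParsedMsg[2][12:]  # after "dst-address="
    lineSRC = lineParsedMsg[4][12:]  # after "src-address="
    lineBytes = lineParsedMsg[1][6:]  # after "bytes="
    parsedLine = (lineHostName + '_accounting' + ',DestinationIP=' + lineDST
                  + ',SourceIP=' + lineSRC + ' bytes=' + lineBytes
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine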
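def parseSystem(message, lastTime):
    """Turn a system-resources syslog record into one ``<host>_SYSTEM`` line.

    ``msg`` is split on whitespace; the host (plus trailing ``:``) is token 0
    and tokens 2..6 carry ``key=value`` pairs whose key prefixes are sliced
    off at fixed lengths (8, 8, 9, 8 and 9 characters).

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_SYSTEM CPULoad=..,FreeMEM=..,TotalMEM=..,FreeHDD=..,TotalHDD=.. <unix-ts>'``,
        or ``''`` when the record is too old or has fewer than seven tokens.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    lineParsedMsg = lineParsedLine["msg"].split()
    # Tokens 0..6 are addressed below; a shorter message used to raise
    # IndexError instead of being skipped.
    if len(lineParsedMsg) < 7:
        return ''
    lineHostName = lineParsedMsg[0][:-1]
    # Prefix lengths are fixed by the sender's key names (8/8/9/8/9 chars).
    lineCPULoad = lineParsedMsg[2][8:]
    lineFreeMEM = lineParsedMsg[3][8:]
    lineTotalMEM = lineParsedMsg[4][9:]
    lineFreeHDD = lineParsedMsg[5][8:]
    lineTotalHDD = lineParsedMsg[6][9:]
    parsedLine = (lineHostName + '_SYSTEM' + ' CPULoad=' + lineCPULoad
                  + ',FreeMEM=' + lineFreeMEM + ',TotalMEM=' + lineTotalMEM
                  + ',FreeHDD=' + lineFreeHDD + ',TotalHDD=' + lineTotalHDD
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine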
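def parseAccounting(message, lastTime):
    """Turn a traffic-accounting syslog record into one ``<host>_accounting`` line.

    Key-scanning variant: the first character of ``msg`` is dropped, the host
    name runs up to ``": "``, and the ``;``-separated segments are searched
    for ``bytes``, ``dst-address`` and ``src-address`` (substring match, value
    after the first ``=``; the last matching segment wins).

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_accounting,DestinationIP=<dst>,SourceIP=<src> bytes=<n> <unix-ts>'``,
        or ``''`` when the record is too old or any of the three keys is
        absent from ``msg``.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    line = lineParsedLine["msg"]
    lineHostName = line[1:line.find(": ")]
    # None marks "never seen"; the original left the name unbound and failed
    # with UnboundLocalError when the output line was assembled.
    lineBytes = None
    lineDST = None
    lineSRC = None
    for segment in line.split(";"):
        value = segment[segment.find("=") + 1:]
        if "bytes" in segment:
            lineBytes = value
        if "dst-address" in segment:
            lineDST = value
        if "src-address" in segment:
            lineSRC = value
    if lineBytes is None or lineDST is None or lineSRC is None:
        return ''
    parsedLine = (lineHostName + '_accounting' + ',DestinationIP=' + lineDST
                  + ',SourceIP=' + lineSRC + ' bytes=' + lineBytes
                  + ' ' + str(int(lineDate.timestamp())))
    return parsedLine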
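def parseUserLoginFailure(message, lastTime):
    """Turn a failed-login syslog record into one ``<host>_USERS`` line.

    Marker-based variant: the first character of ``msg`` is dropped, the host
    name runs up to the first ``:``, the user name sits between ``"user "``
    and ``" from"``, the IP between ``"from "`` and ``" via"``, and the access
    method follows ``"via "``. Spaces inside each extracted value are replaced
    by ``_``.

    Args:
        message: JSON-encoded syslog record with the keys ``time`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_USERS,Action=login_failure,UserName=<u>,Via=<via>,IP=<ip> value=1 <unix-ts>'``,
        or ``''`` when the record is too old or one of the markers
        (``:``, ``user``, ``from``, ``via``) is not present in ``msg``.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    text = lineParsedLine["msg"][1:]
    hostEnd = text.find(":")
    userStart = text.find("user")
    fromStart = text.find("from")
    viaStart = text.find("via")
    # str.find returns -1 for a missing marker; slicing with -1 silently
    # produced garbage before, so such a record is now skipped instead.
    if min(hostEnd, userStart, fromStart, viaStart) == -1:
        return ''
    lineHostName = text[:hostEnd].replace(" ", "_")
    lineUserName = text[userStart + len("user "):text.find(" from")].replace(" ", "_")
    lineIP = text[fromStart + len("from "):text.find(" via")].replace(" ", "_")
    lineVIA = text[viaStart + len("via "):].replace(" ", "_")
    # NOTE(review): the source line here was garbled (`',UserName='******',Via='`);
    # reconstructed as the concatenation of lineUserName, which is otherwise
    # unused -- confirm against the original file. Only spaces are replaced
    # above; a log-supplied user name containing ',' or '=' would still
    # corrupt the tag set of this line.
    parsedLine = (lineHostName + '_USERS' + ',Action=login_failure'
                  + ',UserName=' + lineUserName + ',Via=' + lineVIA
                  + ',IP=' + lineIP + ' value=1 '
                  + str(int(lineDate.timestamp())))
    return parsedLine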
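def parseDNS(message, lastTime):
    """Turn a DNS-query syslog record into one ``<host>_DNS`` output line.

    Label-based variant: the queried name (token 4 of ``msg``, minus its
    trailing dot) is split on ``.`` and reduced to its last two labels; the
    local IP is token 2 minus its trailing character.

    Args:
        message: JSON-encoded syslog record with the keys ``time``,
            ``syslogtag`` and ``msg``.
        lastTime: datetime watermark; older records are skipped.

    Returns:
        ``'<host>_DNS,domain=<label.tld>,localIP=<ip> value=1 <unix-ts>'``,
        or ``''`` when the record is too old, ``msg`` has fewer than five
        tokens, or the queried name has fewer than two labels.

    Raises:
        ValueError, KeyError: malformed JSON or a missing key (propagated).
    """
    lineParsedLine = json.loads(message)
    lineDate = dateParser.dateParser(lineParsedLine['time'])
    if lineDate < lastTime:
        return ''
    # The syslog tag ends in ':'; strip it to get the bare host name.
    lineHostName = lineParsedLine["syslogtag"][:-1]
    lineParsedMsg = lineParsedLine["msg"].split()
    # Tokens 2 and 4 are addressed below; a shorter message used to raise
    # IndexError instead of being skipped.
    if len(lineParsedMsg) < 5:
        return ''
    lineLocalIP = lineParsedMsg[2][:-1]
    labels = lineParsedMsg[4][:-1].split('.')
    if len(labels) < 2:
        return ''
    # Keep only the registrable-looking tail: second-level label plus TLD.
    lineDestDomain = labels[-2] + '.' + labels[-1]
    # NOTE(review): the domain is inserted unescaped; if the consumer is
    # InfluxDB line protocol, ',', '=' and ' ' in a tag value need escaping.
    parsedLine = (lineHostName + '_DNS' + ',domain=' + lineDestDomain
                  + ',localIP=' + lineLocalIP + ' value=1 '
                  + str(int(lineDate.timestamp())))
    return parsedLine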
logHandler.setFormatter(formatter) logger.addHandler(logHandler) except: sys.stdout.write('Problem activating logging to file \n') sys.stdout.write('Please Check if correct file is specified in ' + configFile + ' in section "applogfile" \n') sys.stdout.write('exiting ... \n') exit() sys.stdout.write( 'Switching from STDOUT to file logging, please check this file: ' + appLogFile + '\n') logger.info('Trying convert string date to date object') try: lastTimeObj = dateParser.dateParser(lastTimeStrUTC[1:-1]) except: logger.error( 'Problem convert date to object, please check section "lasttimeutc" if date is in correct format example: "2020-09-25T12:49:43.943211+00:00"' ) exit() logger.info('Trying open logfile: ' + logFile) try: f = open(logFile) except: logger.error('Problem open file: ' + logFile) exit() logger.info('Trying read line from logfile') try: