updated logparse2.py

Author: mmcphee

logparse2.py

@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 
+# Written by Mike McPhee, Dec 2022. 
+# 45Drives 
 
 import re
 import os
@@ -8,35 +10,51 @@
 import syslog
 import subprocess
 
-def processLog2(userdict: dict, obj: dict) -> list:
+def processLog2(userdict: dict, connectionActions: dict):
 
     #obj = {}
     username = userdict["username"]
     localmachine = userdict["localmachine"]
     ipaddress = userdict["ipaddress"]
+
 
-    if ipaddress not in obj:
-        obj[ipaddress]={}
+    if ipaddress not in connectionActions:
+        connectionActions[ipaddress]={}
 
 
     # if username not in obj:
     #     obj[username] = {}
 
-    if localmachine not in obj[ipaddress]:
-        obj[ipaddress][localmachine] = {}
+    if localmachine not in connectionActions[ipaddress]:
+        connectionActions[ipaddress][localmachine] = {}
+
+    if username not in connectionActions[ipaddress][localmachine]:
+        connectionActions[ipaddress][localmachine][username] = {}
+        connectionActions[ipaddress][localmachine][username]["count"]= 0
+        connectionActions[ipaddress][localmachine][username]["actions"]= []
+        connectionActions[ipaddress][localmachine][username]["paths"]={}
 
-    if username not in obj[ipaddress][localmachine]:
-        obj[ipaddress][localmachine][username] = {}
-        obj[ipaddress][localmachine][username]["count"]= 0
-        obj[ipaddress][localmachine][username]["actions"]= []
 
-    obj[ipaddress][localmachine][username]["count"]+=1
-    obj[ipaddress][localmachine][username]["actions"].append({
+    connectionActions[ipaddress][localmachine][username]["count"]+=1
+    connectionActions[ipaddress][localmachine][username]["actions"].append({
         "sharename":userdict["sharename"],
-        "action":userdict["action"],
+        "action":userdict["action"].strip('\n'),
         "date":userdict["date"]
     })
-    return obj
+
+    raw = userdict["action"].strip('\n').split('|')
+    #print(raw)
+    for path in raw:
+        path = path.strip('\n')
+
+        #we only want filepaths beginning with "/"
+        #if "/" in path:  
+        if path.startswith("/"):
+            #print(path)
+            if path not in connectionActions[ipaddress][localmachine][username]["paths"]:
+                connectionActions[ipaddress][localmachine][username]["paths"][path]=0
+            connectionActions[ipaddress][localmachine][username]["paths"][path]+=1
+
 
 
 
@@ -47,29 +65,30 @@ def main():
 
         #try:
             linelist = []
-            obj = {}
+            connectionActions = {}
+
+            process = subprocess.Popen("cat /var/log/samba/smb_audit.log", stdout=subprocess.PIPE, stderr=subprocess.PIPE, encoding='utf-8', shell=True)
+            #process = subprocess.Popen("cat /var/log/samba/smb_audit.log | awk '{$1print $6, $8, $10, $12, $14, $16}'", stdout=subprocess.PIPE, stderr=subprocess.PIPE, encoding='utf-8', shell=True)
 
-            process = subprocess.Popen("cat /var/log/samba/smb_audit.log | awk '{print $6, $8, $10, $12, $14, $16}'", stdout=subprocess.PIPE, stderr=subprocess.PIPE, encoding='utf-8', shell=True)
             line = process.stdout.readline()
             #if line is not null, process it into a dict object
             while line:
                 #print(line)
                 #example output: IP:192.168.209.99 USER:user MACHINE:45dr-mmcphee SHARENAME:share DATE:2022/12/14 ACTION:|create_file|ok|0x80|file|open|/tank/samba/share
 
-                line = line.split(' ')
+                line = line.split('???')
                 entry = {"ipaddress":None, "username": None, "localmachine": None, "sharename": None, "date": None, "action": None}
 
-                entry["ipaddress"]=line[0].split(':')[1]
-                entry["username"]=line[1].split(':')[1]
-                entry["localmachine"]=line[2].split(':')[1]
-                entry["sharename"]=line[3].split(':')[1]
-                entry["date"]=line[4].split(':')[1]
-                entry["action"]=line[5].split(':')[1]
-                #entry["action"].append(line[5].split(':')[1])
-                #filepaths = []
+                entry["ipaddress"]=line[1]
+                entry["username"]=line[2]
+                entry["localmachine"]=line[3]
+                entry["sharename"]=line[4]
+                entry["date"]=line[5]
+                entry["action"]=line[6]
+             
 
                 linelist.append(entry)
-                #linelist.append(filepaths)
+                #linelist.append(filepaths)#
 
                 line = process.stdout.readline()
 
@@ -78,25 +97,26 @@ def main():
             for line in linelist:
                 #print("processing log\n")
 
-                obj=processLog2(line, obj)
+                processLog2(line, connectionActions)
 
-            #print("\n",json.dumps(obj, indent=4))
+            #print("\n",json.dumps(connectionActions, indent=4))
             print("#HELP smb_audit_log_entry Number of times each username/machine/ip combination appears in the smb audit log")
             print("#TYPE smb_audit_log_entry counter")
-            for ip in obj:
-                machines = obj[ip]
+            for ip in connectionActions:
+                machines = connectionActions[ip]
                 #print("\n",json.dumps(key, indent=4))
                 #print("\n",ip )
                 for machine in machines:
                     users = machines[machine]
                     for user in users:
                         data = users[user]
+                        
                         print(f"smb_audit_log_entry{{ip={ip},machine={machine},user={user}}} {data['count']}")
+                        for key in data["paths"]:
+                           print(f"\t{key} {data['paths'][key]}")
+                       
 
-                #break
-            
-        #except KeyboardInterrupt:
-          #  break
 
+
 if __name__ == "__main__":
     main()