ossec-syscheck-decoder.sh
#!/usr/bin/env bash
# This requires bash 4+
# $ ./ossec-syscheck-decoder.sh
# File: /etc/sudoers
# Date: Tue Jun 2 15:45:45 AEST 2015
# # of changes: 0 changes
# File Size: 4002 Bytes
# File Mode: 100440
# ownership: 0:0
# sha1sum: 7f8136e115bc8877afdda1cb9c357da7ecdbb8d2
# https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU
#
#!++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 : bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335 /opt/syslog-ng/conf/syslog-ng.conf
#
#First three characters are used to count the number of times a file has changed:
#
#+++ 0 changes
#!++ 1 change
#!!+ 2 changes
#!!! 3 changes
#!!? more than 3 changes
#
#The rest of the line fields are:
#
#file_size : file_mode : uid : gid : md5sum : sha1sum !epoch_timestamp file_path
#
#File mode stores the result of (stat.st_mode), and contains file type code (to identify
#if it is a symbolic link, directory, socket, registry key,...) and access permission bits.
# A production log line:
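# Strict mode: an unset variable or a failed pipeline stage is an error rather
# than a silently half-decoded line.
set -euo pipefail

# The syscheck line to decode. Defaults to the production sample so running the
# script with no arguments still works; pass a raw line as $1 to decode another.
LOG=${1:-'+++4002:33056:0:0:5da55a26faf886d0958f6adbae4078b2:7f8136e115bc8877afdda1cb9c357da7ecdbb8d2 !1433223945 /etc/sudoers'}

#######################################
# Decode one OSSEC syscheck database line and print it human-readably.
# Layout (see header): <3 flag chars><size>:<mode>:<uid>:<gid>:<md5>:<sha1> !<epoch> <path>
# Both the compact layout and the space-padded "1486 : 33188 : ..." layout are
# accepted; paths containing spaces or ':' are preserved intact.
# Arguments: $1 - the raw syscheck line
# Outputs:   one "Key: value" line per field on stdout, then a blank line
# Returns:   0 on success, 1 if the line does not have the expected fields
#######################################
decode_syscheck_line() {
  local line=$1
  local flags size mode uid gid md5 rest sha1 after_sha epoch path count date_str

  # First three characters encode how many times the file has changed.
  flags=${line:0:3}

  # Split the remainder on ':'. The last variable receives everything after the
  # fifth ':' (read semantics), so a path that itself contains ':' is not cut.
  IFS=: read -r size mode uid gid md5 rest <<<"${line:3}"

  # Tolerate the space-padded field layout: numeric fields never contain
  # whitespace, and the sha1 run only needs its leading padding removed.
  size=${size//[[:space:]]/}
  mode=${mode//[[:space:]]/}
  uid=${uid//[[:space:]]/}
  gid=${gid//[[:space:]]/}
  rest=${rest#"${rest%%[![:space:]]*}"}

  if [[ -z "$rest" ]]; then
    printf 'not a syscheck line: %s\n' "$line" >&2
    return 1
  fi

  # rest = "<sha1> !<epoch> <path>". Split on the first two spaces only; the
  # original "${LOG##* }" approach dropped everything before the last space
  # and so truncated any path containing spaces.
  sha1=${rest%% *}
  after_sha=${rest#* }
  epoch=${after_sha%% *}
  epoch=${epoch#!}
  path=${after_sha#* }

  printf 'File: %s\n' "$path"

  # Only hand date(1) a purely numeric epoch; anything else is a parse failure,
  # not a timestamp. Try GNU date (-d @N) first, then BSD/macOS date (-r N).
  if [[ "$epoch" =~ ^[0-9]+$ ]]; then
    date_str=$(date -d "@$epoch" 2>/dev/null || date -r "$epoch" 2>/dev/null) \
      || date_str="(unable to convert epoch $epoch)"
  else
    date_str="(invalid epoch '$epoch')"
  fi
  printf 'Date: %s\n' "$date_str"

  case "$flags" in
    '+++') count=0 ;;
    '!++') count=1 ;;
    '!!+') count=2 ;;
    '!!!') count=3 ;;
    '!!?') count='3+' ;;
    *)     count='unknown' ;;
  esac
  printf '# of changes: %s changes\n' "$count"

  printf 'File Size: %s Bytes\n' "$size"

  # st_mode is stored in decimal; print it in octal (33056 -> 100440) so the
  # file-type and permission bits are readable. The original hard-coded 33056
  # and emitted a stray NUL byte via "\0%o"; now the parsed value is used and
  # only a numeric mode reaches the %o conversion.
  if [[ "$mode" =~ ^[0-9]+$ ]]; then
    printf 'File Mode: %o\n' "$mode"
  else
    printf 'File Mode: (invalid mode %s)\n' "$mode"
  fi

  printf 'ownership: %s:%s\n' "$uid" "$gid"
  printf 'sha1sum: %s\n' "$sha1"
  echo
}

decode_syscheck_line "$LOG"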