#!/usr/bin/perl
# Look up EZproxy log files for activity from a given user
#
# Pierre Lemieux, April 17th 2015
# Université Laval
#
use strict;
use warnings;
use utf8;
use Getopt::Std;
use Sys::Hostname;
use Date::Calc qw(:all);
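# Short host name in upper case: everything from the first dot on is dropped
(my $host = uc(hostname())) =~ s/\..+$//;

# EZproxy directory
my $rep = '/usr/local/ezproxy';
# Log files directory
my $rep_logs = "$rep/logs";
# Audit files directory
my $rep_audit = "$rep/audit";
# Directory where to store report files from this script
# Important: You need to create this directory before running the script
my $rep_surv = "$rep/surveillance";

# Options: -i <username> (required), -d <YYYYMMDD> (optional, defaults to
# yesterday). An unknown option or a missing -i prints the usage text and exits.
my %opts;
getopts('i:d:', \%opts) or usage();
usage() unless defined $opts{i};
my $username = $opts{i};

# The username ends up in a file name under $rep_surv and inside a regex,
# so only a conservative character set is accepted: a value such as "../x"
# could otherwise name a file outside the report directory.
usage() unless $username =~ m{\A[\w.@-]+\z};

my ($year, $month, $day);
if (defined $opts{d}) {
    # Exactly eight digits; check_date() (Date::Calc) then rejects values
    # that are not real calendar dates, e.g. a month of 13.
    unless (($year, $month, $day) = $opts{d} =~ m{\A(\d{4})(\d{2})(\d{2})\z}) {
        usage();
    }
    usage() unless check_date($year, $month, $day);
}
else {
    # Defaults to yesterday: DATE_NOW() returns "YYYY-MM-DD HH:MM:SS"
    ($year, $month, $day) = split /-/, (split / /, DATE_NOW(-86400))[0];
}

print "Looking up activity for '$username' on '$host' with datestamp '$year$month$day'...\n";

my $log         = "ezp$year$month$day.log";
my $audit       = "$year$month$day.txt";
my $audit_path  = "$rep_audit/$audit";
my $log_path    = "$rep_logs/$log";
my $report_path = "$rep_surv/${username}_$audit";

if (!-e $audit_path) {
    print "Audit file '$audit_path' doesn't exist.\n";
    exit;
}

# Session IDs opened by the user on that day, according to the audit file
my %sessions = _audit_sessions($audit_path, $username);
if (!%sessions) {
    print "No session ID retrieved for user '$username'.\n";
    exit;
}
print "\nRetrieved session IDs for '$username' on '$year-$month-$day':\n";
print "$_\n" for sort keys %sessions;

if (!-e $log_path) {
    print "Log file '$log_path' doesn't exist.\n";
    exit;
}

# Log lines whose session field is one of the IDs retrieved above
my @match_logs = _matching_log_lines($log_path, \%sessions);
if (!@match_logs) {
    print "No line from '$log_path' contains retrieved session IDs.\n";
    exit;
}
print "\nNumber of lines found in '$log' with session IDs started by '$username': "
    . scalar(@match_logs) . "\n";

# Recreate the report file rather than truncating an existing one in place
unlink $report_path if -e $report_path;
open my $res, '>', $report_path or die "Cannot write '$report_path': $!\n";
print {$res} @match_logs;
# A write error on a buffered handle only surfaces at close()
close $res or die "Error writing '$report_path': $!\n";
print "\nFile '$report_path' contains lines found.\n";
exit;

# Session IDs of successful logins by $username found in the audit file at
# $path. Returns a hash keyed by session ID (values are 1). Dies if the file
# cannot be opened.
sub _audit_sessions {
    my ($path, $username) = @_;
    my %sessions;
    open my $fh, '<', $path or die "Cannot open '$path': $!\n";
    while (my $line = <$fh>) {
        # Ex.: "2015-03-03 17:59:01 Login.Success 123.123.123.123 username qpz1ktzFSpGb8u5..."
        # \Q...\E: the username is data, not pattern syntax
        next unless $line =~ /Login\.Success/i and $line =~ /\s\Q$username\E\s/i;
        my $sess = (split /\s+/, $line)[5];
        $sessions{$sess} = 1 if defined $sess;
    }
    close $fh;
    return %sessions;
}

# Lines of the EZproxy log at $path whose third whitespace-separated field
# (the session ID) is a key of the hash referenced by $sessions. Returns the
# matching lines unchanged. Dies if the file cannot be opened.
sub _matching_log_lines {
    my ($path, $sessions) = @_;
    my @matches;
    open my $fh, '<', $path or die "Cannot open '$path': $!\n";
    while (my $line = <$fh>) {
        # Ex.: "- 123.123.123.123 qpz1ktzFSpGb8u5 [03/Mar/2015:17:59:18 -0500] "GET http://vendor.org:80..."
        my $sess = (split /\s+/, $line)[2];
        # Short or blank lines have no session field: skip them
        push @matches, $line if defined $sess and $sessions->{$sess};
    }
    close $fh;
    return @matches;
}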
# Print the command-line synopsis to the default output handle and stop the
# script. Never returns: exits after printing.
sub usage {
    my @synopsis = (
        'Usage:',
        'find_logs.pl -i<IDUL> [-d<YYYYMMDD>]',
        'Lookup EZproxy log files for activity from a given user',
        'Options:',
        '-i username',
        '-d Log file datestamp YYYYMMDD (defaults to yesterday)',
        'Lines found will be written in a file named from username and datestamp',
    );
    print map { "$_\n" } @synopsis;
    exit;
}
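# Local date and time, $delay seconds away from now, formatted as
# "YYYY-MM-DD HH:MM:SS". $delay is in seconds (negative for the past) and
# defaults to 0 when omitted or undef; the script passes -86400 to obtain
# yesterday's date.
sub DATE_NOW {
    my ($delay) = @_;
    $delay = 0 unless defined $delay;
    my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time() + $delay);
    # localtime() reports the year relative to 1900 and the month 0-based
    return sprintf('%d-%02d-%02d %02d:%02d:%02d',
        $year + 1900, $mon + 1, $mday, $hour, $min, $sec);
}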