@cleesmith
Created October 18, 2015 15:30
send test syslogs to ekanite
#!/usr/bin/env ruby
require 'socket'
require 'timeout'
# see: https://github.com/ekanite/ekanite

# Number of batches to send (default 1); each batch is the 40 lines below.
if ARGV.empty?
  do_it = 1
else
  do_it = ARGV[0].to_i
end

s = Time.now
# ekanite's TCP syslog listener; one message per newline-terminated line.
client = TCPSocket.new('127.0.0.1', 5514)
total = 0
begin
  do_it.times do
    client.puts "<1>0 Oct 18 00:00:01 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]"
    client.puts "<2>0 Oct 18 00:00:02 louis named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied"
    client.puts "<3>0 Oct 18 00:00:03 louis CRON[619]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)"
    client.puts "<4>0 Oct 18 00:00:04 louis rsyslogd: [origin software=\"rsyslogd\" swVersion=\"4.2.0\" x-pid=\"2253\" x-info=\"http://www.rsyslog.com\"] rsyslogd was HUPed, type 'lightweight'."
    client.puts "<5>0 Oct 18 00:00:05 spud-iMac fake_log: that should grok parse :-)"
    client.puts "<6>0 Oct 18 00:00:06 1.2.3.4 sshd: this is unexpected mumbo jumbo"
    client.puts "<7>0 Oct 18 00:00:07 1.2.3.4 sshd: Accepted password for bazsi from 127.0.0.1 port 48650 ssh2"
    client.puts "<8>0 Oct 18 00:00:08 digitalocean sshd: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2"
    client.puts "<9>0 Oct 18 00:00:09 digitalocean sshd: Failed hassinpfeffer for invalid user puffnstuff from 127.0.0.1 port 37397 ssh2"
    client.puts "<10>0 Oct 18 00:00:10 digitalocean sshd: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2"
    client.puts "<11>0 Oct 18 00:00:11 digitalocean sshd: session closed for user bazsi"
    client.puts "<12>0 Oct 18 00:00:12 vbox sshd[825]: Server listening on 0.0.0.0 port 22."
    client.puts "<13>0 Oct 18 00:00:13 vbox sshd[825]: Server listening on :: port 22."
    client.puts "<14>0 Oct 18 00:00:14 vbox login[1097]: pam_unix(login:session): session opened for user anacat by LOGIN(uid=0)"
    client.puts "<15>0 Oct 18 00:00:15 vbox sshd[688]: Received signal 15; terminating."
    client.puts "<16>0 Oct 18 00:00:16 vbox sshd[764]: Server listening on 0.0.0.0 port 22."
    client.puts "<17>0 Oct 18 00:00:17 vbox sshd[764]: Server listening on :: port 22."
    client.puts "<18>0 Oct 18 00:00:18 vbox CRON[1166]: pam_unix(cron:session): session opened for user root by (uid=0)"
    client.puts "<19>0 Oct 18 00:00:19 vbox CRON[1166]: pam_unix(cron:session): session closed for user root"
    client.puts "<20>0 Oct 18 00:00:20 vbox login[1034]: pam_unix(login:session): session opened for user anacat by LOGIN(uid=0)"
    client.puts "<21>0 Oct 18 00:00:21 vbox sshd[1489]: Accepted password for anacat from 192.168.0.3 port 52577 ssh2"
    client.puts "<22>0 Oct 18 00:00:22 vbox sshd[1489]: pam_unix(sshd:session): session opened for user anacat by (uid=0)"
    client.puts "<23>0 Oct 18 00:00:23 vbox sshd[1719]: Received disconnect from 192.168.0.2: 11: disconnected by user"
    client.puts "<24>0 Oct 18 00:00:24 digitalocean sshd: pam_unix(sshd:session): session closed for user bazsi"
    client.puts "<25>0 Oct 18 00:00:25 digitalocean sshd[27780]: Accepted password for spud from 204.111.71.34 port 51364 ssh2"
    client.puts "<26>0 Oct 18 00:00:26 digitalocean postfix/smtpd[31499]: connect from unknown[95.75.93.154] via ruby"
    client.puts "<27>0 Oct 18 00:00:27 digitalocean postfix/smtpd[31499]: connect from unknown[95.75.93.154]"
    client.puts "<28>0 Oct 18 00:00:28 digitalocean named[16000]: client 199.48.164.7#64817: query (cache) 'amsterdamboothuren.com/MX/IN' denied"
    client.puts "<29>0 Oct 18 00:00:29 digitalocean CRON[619]: (www-data) CMD (php /usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)"
    client.puts "<30>0 Oct 18 00:00:30 digitalocean rsyslogd: [origin software='rsyslogd' swVersion='4.2.0' x-pid='2253' x-info='http://www.rsyslog.com'] rsyslogd was HUPed, type 'lightweight'."
    client.puts "<31>0 Oct 18 00:00:31 1.2.3.4 Service_Control_Manager: 7035: NT AUTHORITYSYSTEM: *cls* The COH_Mon service was successfully sent a start control."
    client.puts "<32>0 Oct 18 00:00:32 1.2.3.4 SceCli 1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for \"Troubleshooting Event 1202's\"."
    client.puts "<33>0 Oct 18 00:00:33 spud-iMac.local login[3043]: USER_PROCESS: 3043 ttys004"
    client.puts "<34>0 Oct 18 00:00:34 spud-iMac.local coreaudiod[210]: Disabled automatic stack shots because audio IO is active"
    client.puts "<35>0 Oct 18 00:00:35 spud-iMac.local coreaudiod[210]: Enabled automatic stack shots because audio IO is inactive"
    client.puts "<36>0 Oct 18 00:00:36 spud-iMac kernel[0]: CODE SIGNING: cs_invalid_page(0x1000): p=3285[GoogleSoftwareUp] clearing CS_VALID"
    client.puts "<37>0 Oct 18 00:00:37 1.2.3.4 %FWSM-3-106010: Deny inbound tcp src OUTSIDE:2.116.180.66/3116 dst INSIDE:10.0.0.0/445"
    client.puts "<38>0 Oct 18 00:00:38 1.2.3.4 %PIX-6-302014: Teardown TCP connection 2050472353 for outside:10.65.200.34/1252 to inside:10.0.0.0/135 duration 0:00:00 bytes 1476 TCP FINs"
    client.puts "<39>0 Oct 18 00:00:39 1.2.3.4 %ASA-4-106023: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]"
    client.puts "<40>0 Oct 18 00:00:40 1.2.3.4 %ASA-4-106023: no pattern for this one!"
    total += 40
    print '.' if (total % 40) == 0 # one progress dot per batch
  end
  puts ' '
rescue
  puts "error: #{$!}"
ensure
  client.close
end
# total with thousands separators, plus elapsed wall-clock time
puts "total=#{total.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} \t elapsed: #{Time.now - s}\n"
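The script above only produces traffic; as an added example that is not part of the gist, here is the receiving side of the same lines: a small Ruby parser for the "<PRI>0 Mon DD HH:MM:SS host tag[pid]: msg" shape the script sends, decoding PRI into facility and severity and flagging failed SSH logins. The regexes, field names and the constructed sample subset (taken from the lines above plus one deliberately malformed line) are my assumptions, not ekanite's own parser.

```ruby
# Syslog PRI = facility * 8 + severity (RFC 3164/5424 numbering).
FACILITY = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp
              ntp audit alert clock local0 local1 local2 local3 local4 local5
              local6 local7].freeze
SEVERITY = %w[emerg alert crit err warning notice info debug].freeze

# Assumed header shape, matching what the script above sends.
LINE_RE = /\A<(?<pri>\d{1,3})>(?<ver>\d+) (?<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<tag>[^\s:\[]+)(?:\[(?<pid>\d+)\])?:? ?(?<msg>.*)\z/

# OpenSSH wording; "Failed hassinpfeffer ..." in the test data will NOT match, by design.
FAILED_LOGIN_RE = /\AFailed password for (?:(?<invalid>invalid|illegal) user )?(?<user>\S+) from (?<ip>\S+) port (?<port>\d+)/

# Returns a hash of fields, or nil when the line is not a syslog line we understand.
def parse_syslog(line)
  m = LINE_RE.match(line.chomp)
  return nil unless m
  pri = m[:pri].to_i
  return nil if pri > 191 # facility 0..23, severity 0..7
  {
    facility: FACILITY[pri / 8], severity: SEVERITY[pri % 8],
    host: m[:host], tag: m[:tag], pid: m[:pid] && m[:pid].to_i, msg: m[:msg]
  }
end

# Reduce a batch of lines to failed-login events from sshd only.
def failed_logins(lines)
  lines.map do |l|
    ev = parse_syslog(l)
    next unless ev && ev[:tag] == 'sshd'
    fm = FAILED_LOGIN_RE.match(ev[:msg])
    next unless fm
    { host: ev[:host], user: fm[:user], ip: fm[:ip], invalid_user: !fm[:invalid].nil? }
  end.compact
end

# Constructed sample: a subset of the gist's lines plus one line with no header.
SAMPLE_LINES = [
  "<1>0 Oct 18 00:00:01 louis postfix/smtpd[31499]: connect from unknown[95.75.93.154]",
  "<8>0 Oct 18 00:00:08 digitalocean sshd: Failed password for illegal user admin from ::ffff:10.10.10.135 port 45629 ssh2",
  "<9>0 Oct 18 00:00:09 digitalocean sshd: Failed hassinpfeffer for invalid user puffnstuff from 127.0.0.1 port 37397 ssh2",
  "<10>0 Oct 18 00:00:10 digitalocean sshd: Failed password for root from ::ffff:10.10.10.4 port 4027 ssh2",
  "<21>0 Oct 18 00:00:21 vbox sshd[1489]: Accepted password for anacat from 192.168.0.3 port 52577 ssh2",
  "<40>0 Oct 18 00:00:40 1.2.3.4 %ASA-4-106023: no pattern for this one!",
  "this line has no syslog header at all"
].freeze

if __FILE__ == $0
  SAMPLE_LINES.each { |l| p parse_syslog(l) }
  p failed_logins(SAMPLE_LINES)
end
```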