Skip to content

Instantly share code, notes, and snippets.

@gurupras
Last active December 15, 2015 18:24
Show Gist options
  • Save gurupras/ec4117adf786e8c211fe to your computer and use it in GitHub Desktop.
Save gurupras/ec4117adf786e8c211fe to your computer and use it in GitHub Desktop.
Check auth logs
import os,sys,argparse,re
import json
import gzip
import tempfile
import glob
import requests
import pycommons
from pycommons import ListAction
def setup_parser():
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--input', type=str, default=None,
help='Previously processed input file')
parser.add_argument('-o', '--output', type=str, default=None,
help='Store results in output')
parser.add_argument('--safe-ips', type=str, action=ListAction,
default=['.*'], help='Safe IPs to filter')
parser.add_argument('--geo', action='store_true', default=False,
help='Safe IPs to filter')
return parser
def open_file(filename, mode):
name, ext = os.path.splitext(filename)
fn = open
if ext == '.gz':
fn = gzip.open
return fn(filename, mode)
def process(file, safe_ips, geo):
ip_dict = {}
pattern = re.compile('^(?P<date>[A-Za-z]+\s+\d+\s+\d+:\d+:\d+)\s+.* Accepted publickey for (?P<user>[a-zA-Z0-9_]+) from (?P<ip>.*) port.*')
with open_file(file, 'rb') as f:
for idx, line in enumerate(f):
m = pattern.match(line)
if m:
date = m.group('date')
user = m.group('user')
ip = m.group('ip')
safe = False
for ip_pat_str in safe_ips:
ip_pattern = re.compile(ip_pat_str)
if ip_pattern.match(ip):
safe = True
break
if not safe:
if not ip_dict.get(ip, None):
ip_dict[ip] = []
ip_dict[ip].append((date, user))
for ip, values in ip_dict.iteritems():
user_dict = {}
for (date, user) in values:
if not user_dict.get(user, None):
user_dict[user] = 0
user_dict[user] += 1
#print '%s -> %s: %s' % (date, user, ip)
geo_str = ''
if geo:
import requests
# Get geolocation from freegeoip.net
r = requests.get('http://freegeoip.net/json/%s' % (ip))
geo_str = ' -> ' + r.text.strip()
print '%s -> %s %s' % (ip, str(user_dict), geo_str)
def main(argv):
parser = setup_parser()
args = parser.parse_args(argv[1:])
if args.input:
file = args.input
else:
file = None
if not file:
fd, fpath = tempfile.mkstemp()
file = os.fdopen(fd, 'wb')
files = glob.glob('/var/log/auth.*')
for f in files:
with open_file(f, 'rb') as f:
bytes = f.read()
file.write(bytes)
file.flush()
file.close()
# If we have to save the file into output, do it now
if args.output:
file = open(fpath, 'rb')
with open(args.output, 'wb') as f:
f.write(file.read())
file.seek(0, 0)
file = fpath
# Now do any processing that we need to
process(file, args.safe_ips, args.geo)
if __name__ == '__main__':
main(sys.argv)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment