joenorton8014/logmonitor.py

## logmonitor.py
#!/usr/bin/python3
import time
from datetime import datetime
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from pathlib import Path

'''
Not very user friendly at this point....
Run this as a cron to monitor log files for certain activity.
*/4 * * * * /usr/bin/python3 /scripts/logmonitor.py
'''

def Get_Current_Time():
    day = time.strftime("%Y%m%d_")
    clock = time.strftime("%H%M%S")
    timestamp = day+clock
    time_obj = datetime.strptime(timestamp[:19], "%Y%m%d_%H%M%S")
    return time_obj

def sendnotificationmail(subject,email_contents):
    gmail_user = ''
    gmail_password = ''
    to_email = ''
    # create message object
    msg = MIMEMultipart()
    # fill in all the normal email parts
    msg['Subject'] = subject
    msg['From'] = gmail_user
    msg['To'] = to_email
    SERVER = "smtp.gmail.com:465"
    body = email_contents
    msg.attach(MIMEText(body))
    server = smtplib.SMTP_SSL(SERVER)
    server.ehlo()
    server.login(gmail_user , gmail_password)
    server.sendmail(msg['From'], msg['To'], msg.as_string())
    server.quit()


def Log_File_Search(log_file,search_term):
    search_results = []
    file_to_search = Path(log_file)
    if file_to_search.is_file():
        with open(file_to_search) as log_to_search:
            for line in log_to_search:
                if search_term in line:
                    search_results.append(line)
    else:
        # If the log file doesn't exist, note that in the results
        search_results.append(log_file + ' not found!')
    return search_results

# Function for parsing through Ubuntu auth.log and syslog timestamps
# Sep 13 11:13:59 kali-pontiac sshd[4835]: Accepted password for root from 10.0.0.100 port 63208 ssh2

def Get_Events_in_Hour(search_results):
    events_dict = {}
    for result in search_results:
        year = time.strftime("%Y")
        month = time.strftime("%m")
        day = result.split(" ")[1]
        hourminute = result.split(" ")[2].replace(':','')
        log_timestamp = year + month + day + '_' + hourminute
        time_key = datetime.strptime(log_timestamp[:19], "%Y%m%d_%H%M%S")
        time_diff = current_time - time_key
        time_diff_mins = int(round(time_diff.total_seconds() / 60))
        if time_diff_mins < 5:
            events_dict[time_key] = result
        else:
            pass
    return events_dict

#log_file = '/var/log/auth.log'
#search_term = 'Accepted'

current_time = Get_Current_Time()
search_dictionary = {}
search_dictionary['/var/log/auth.log'] = 'Accepted'
search_dictionary['/var/log/syslog'] = 'SENT CONTROL'

for log_file in search_dictionary:
    search_term = search_dictionary[log_file]
    search_results = Log_File_Search(log_file,search_term)
    if len(search_results) == 0:
        pass
    else:
        last_hour = Get_Events_in_Hour(search_results)
        if len(last_hour) > 0:
            subject = 'Activity for \"' + search_term + '\" in ' + log_file + ' - ' + str(current_time)
            email_contents = ''
            for log_entry in last_hour.values():
                email_contents += log_entry
            sendnotificationmail(subject,email_contents)
	#!/usr/bin/python3
	import time
	from datetime import datetime
	import smtplib
	from email.mime.multipart import MIMEMultipart
	from email.mime.text import MIMEText
	from pathlib import Path

	'''
	Not very user friendly at this point....
	Run this as a cron to monitor log files for certain activity.
	/4 * * * /usr/bin/python3 /scripts/logmonitor.py
	'''

	def Get_Current_Time():
	day = time.strftime("%Y%m%d_")
	clock = time.strftime("%H%M%S")
	timestamp = day+clock
	time_obj = datetime.strptime(timestamp[:19], "%Y%m%d_%H%M%S")
	return time_obj

	def sendnotificationmail(subject,email_contents):
	gmail_user = ''
	gmail_password = ''
	to_email = ''
	# create message object
	msg = MIMEMultipart()
	# fill in all the normal email parts
	msg['Subject'] = subject
	msg['From'] = gmail_user
	msg['To'] = to_email
	SERVER = "smtp.gmail.com:465"
	body = email_contents
	msg.attach(MIMEText(body))
	server = smtplib.SMTP_SSL(SERVER)
	server.ehlo()
	server.login(gmail_user , gmail_password)
	server.sendmail(msg['From'], msg['To'], msg.as_string())
	server.quit()


	def Log_File_Search(log_file,search_term):
	search_results = []
	file_to_search = Path(log_file)
	if file_to_search.is_file():
	with open(file_to_search) as log_to_search:
	for line in log_to_search:
	if search_term in line:
	search_results.append(line)
	else:
	# If the log file doesn't exist, note that in the results
	search_results.append(log_file + ' not found!')
	return search_results

	# Function for parsing through Ubuntu auth.log and syslog timestamps
	# Sep 13 11:13:59 kali-pontiac sshd[4835]: Accepted password for root from 10.0.0.100 port 63208 ssh2

	def Get_Events_in_Hour(search_results):
	events_dict = {}
	for result in search_results:
	year = time.strftime("%Y")
	month = time.strftime("%m")
	day = result.split(" ")[1]
	hourminute = result.split(" ")[2].replace(':','')
	log_timestamp = year + month + day + '_' + hourminute
	time_key = datetime.strptime(log_timestamp[:19], "%Y%m%d_%H%M%S")
	time_diff = current_time - time_key
	time_diff_mins = int(round(time_diff.total_seconds() / 60))
	if time_diff_mins < 5:
	events_dict[time_key] = result
	else:
	pass
	return events_dict

	#log_file = '/var/log/auth.log'
	#search_term = 'Accepted'

	current_time = Get_Current_Time()
	search_dictionary = {}
	search_dictionary['/var/log/auth.log'] = 'Accepted'
	search_dictionary['/var/log/syslog'] = 'SENT CONTROL'

	for log_file in search_dictionary:
	search_term = search_dictionary[log_file]
	search_results = Log_File_Search(log_file,search_term)
	if len(search_results) == 0:
	pass
	else:
	last_hour = Get_Events_in_Hour(search_results)
	if len(last_hour) > 0:
	subject = 'Activity for \"' + search_term + '\" in ' + log_file + ' - ' + str(current_time)
	email_contents = ''
	for log_entry in last_hour.values():
	email_contents += log_entry
	sendnotificationmail(subject,email_contents)