Last active
February 6, 2020 21:36
-
-
Save mikemackintosh/db16fe31dcf24983e260 to your computer and use it in GitHub Desktop.
Audit Log Parser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // Include Parser.php - The LogAudit Source | |
| include('Parser.php'); | |
| // Create an instance of the Auth Class | |
| // If an argument is passed, it is expecting | |
| // a username. | |
| // @ $arg Not Required | |
| $Audit = new \LogAudit\Auth('sixeightzero'); | |
| // $Audit->getLength will search for entries that | |
| // match your operator passed as a string in the | |
| // argument. | |
| foreach($Audit->getLength('> 10200') as $Entry){ | |
| // $Entry contains all entries which | |
| // are greater than 10200 seconds | |
| print_r($Entry); | |
| } | |
| // $Audit->getUser will search for entries that | |
| // were logged by the specified user. | |
| // NOTE: If you start the class with a user, | |
| // this will only return results for the user | |
| // passed in the construct | |
| foreach($Audit->getUser('root') as $Entry){ | |
| // $Entry contains all entries which | |
| // occured for the root user | |
| print_r($Entry); | |
| } | |
| // $Audit->getMonth will search for entries that | |
| // occured in the specified numeric month | |
| foreach($Audit->getMonth(12) as $Entry){ | |
| // $Entry contains all entries which | |
| // occured during the provided month | |
| print_r($Entry); | |
| } | |
| // $Audit->getModule will search for entries that | |
| // were created by the daemon/log source you supply | |
| foreach($Audit->getModule('sshd') as $Entry){ | |
| // $Entry contains all entries which | |
| // were created by sshd | |
| print_r($Entry); | |
| } | |
| // $Audit->getHost will search for entries that | |
| // were generated by the provided host | |
| foreach($Audit->getHost('angryserver') as $Entry){ | |
| // $Entry contains all entries which | |
| // were created on angryserver. This | |
| // is useful for a syslog server | |
| print_r($Entry); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| stdClass Object ( | |
| [entry] => Aug 23 22:36:53 angryserver sshd[8049]: pam_unix(sshd:session): session opened for user sixeightzero | |
| [date] => 22:36:53 | |
| [time] => Aug-23 | |
| [start_timestamp] => 1345775813 | |
| [end_timestamp] => 1345788487 | |
| [host] => angryserver | |
| [daemon] => sshd | |
| [pid] => 8049 | |
| [module] => sshd | |
| [function] => session | |
| [user] => sixeightzero | |
| [month] => 08 | |
| [day] => 23 | |
| [session_time] => 12674 | |
| [searched_for] => session_time | |
| ) | |
| stdClass Object ( | |
| [entry] => Aug 29 20:10:01 angryserver sshd[31908]: pam_unix(sshd:session): session opened for user sixeightzero | |
| [date] => 20:10:01 | |
| [time] => Aug-29 | |
| [start_timestamp] => 1346285401 | |
| [end_timestamp] => 1346476329 | |
| [host] => angryserver | |
| [daemon] => sshd | |
| [pid] => 31908 | |
| [module] => sshd | |
| [function] => session | |
| [user] => sixeightzero | |
| [month] => 08 | |
| [day] => 29 | |
| [session_time] => 190928 | |
| [searched_for] => session_time | |
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */ | |
| /** | |
| * LogAudit | |
| * | |
| * Minimum PHP version 5.3 | |
| * | |
| * LICENSE: All scripts which are created or modified by | |
| * sixeightzero, angrystatic, HighOnPHP, High on PHP, and | |
| * all other affiliated names are goverend by this script, | |
| * wherein there is no conflict with the original license, | |
| * which takes precedence. You are permitted to use, modify, | |
| * distribute this code, as long as this license agreement | |
| * remains in the document. A longtext version of this | |
| * license may be found at: | |
| * http://www.highonphp.com/license/v1 | |
| * | |
| * @category Audit | |
| * @package LogAudit | |
| * @author sixeightzero <mike.mackintosh@angrystatic.com> http://www.highonphp.com | |
| * @copyright 2012 sixeightzero | |
| * @license http://www.highonphp.com/license/v1 | |
| * @version SVN: 231 | |
| * @link http://www.highonphp.com/php/logaudit | |
| **/ | |
| /** | |
| * Place includes, constant defines and $_GLOBAL settings here. | |
| * Make sure they have appropriate docblocks to avoid phpDocumentor | |
| * construing they are documented by the page-level docblock. | |
| **/ | |
| /** | |
| * @namespace LogAudit | |
| **/ | |
| namespace LogAudit; | |
| /** | |
| * @errorreporting Silence Notices Only | |
| **/ | |
| error_reporting(E_ALL ^ (E_NOTICE & E_DEPRECATED)); | |
| ini_set('memory_limit', '1024M'); | |
| /** | |
| * LogAudit - Parser | |
| * | |
| * Minimum PHP version 5.3 | |
| * | |
| * LICENSE: All scripts which are created or modified by | |
| * sixeightzero, angrystatic, HighOnPHP, High on PHP, and | |
| * all other affiliated names are goverend by this script, | |
| * wherein there is no conflict with the original license, | |
| * which takes precedence. You are permitted to use, modify, | |
| * distribute this code, as long as this license agreement | |
| * remains in the document. A longtext version of this | |
| * license may be found at: | |
| * http://www.highonphp.com/license/v1 | |
| * | |
| * @category Audit | |
| * @package LogAudit | |
| * @class Parser | |
| * @author sixeightzero <mike.mackintosh@angrystatic.com> http://www.highonphp.com | |
| * @copyright 2012 sixeightzero | |
| * @license http://www.highonphp.com/license/v1 | |
| * @version SVN: 231 | |
| * @link http://www.highonphp.com/php/logaudit | |
| **/ | |
| class Parser{ | |
| public function __construct(){ | |
| } | |
| // This provides a Catch All | |
| public function __call($catch, $all){ | |
| $methods = array( | |
| 'getUser' => 'user', | |
| 'getDate' => 'date', | |
| 'getDay' => 'day', | |
| 'getMonth' => 'month', | |
| 'getMonthDay' => 'md', | |
| 'getLength' => 'length', | |
| ); | |
| if(array_key_exists($catch, $methods)){ | |
| return self::searchEntries($methods[$catch], $all[0]); | |
| } | |
| return false; | |
| } | |
| protected function grabLog(){ | |
| $this->log = explode("\n", file_get_contents($this->log_file)); | |
| } | |
| protected function getEntries(){ | |
| return array_values($this->entries); | |
| } | |
| protected function searchEntries($type = NULL, $value = NULL){ | |
| return self::_search($type, $value); | |
| } | |
| private function _search($search, $input){ | |
| $outputArray = array(); | |
| //echo "Searching For $input"; | |
| $iterator = new \RecursiveIteratorIterator(new \RecursiveArrayIterator($this->entries)); | |
| foreach($iterator as $id => $sub){ | |
| $subArray = $iterator->getSubIterator(); | |
| if($search == 'length'){ | |
| if($id == 'session_time' && eval('return '.strtolower($sub).$input.';')){ | |
| // echo "Found it in $id - posted in ID $input"; | |
| $subArray = iterator_to_array($subArray); | |
| $outputArray[] = (object) array_merge($subArray, array('searched_for' => $id)); | |
| } | |
| }else{ | |
| if($id == $search && strtolower($sub) == strtolower($input)){ | |
| // echo "Found it in $id - posted in ID $input"; | |
| $subArray = iterator_to_array($subArray); | |
| $outputArray[] = (object) array_merge($subArray, array('searched_for' => $id)); | |
| } | |
| } | |
| } | |
| return (object) $outputArray; | |
| } | |
| } | |
| /** | |
| * LogAudit - Entry | |
| * | |
| * Minimum PHP version 5.3 | |
| * | |
| * LICENSE: All scripts which are created or modified by | |
| * sixeightzero, angrystatic, HighOnPHP, High on PHP, and | |
| * all other affiliated names are goverend by this script, | |
| * wherein there is no conflict with the original license, | |
| * which takes precedence. You are permitted to use, modify, | |
| * distribute this code, as long as this license agreement | |
| * remains in the document. A longtext version of this | |
| * license may be found at: | |
| * http://www.highonphp.com/license/v1 | |
| * | |
| * @category Audit | |
| * @package LogAudit | |
| * @class Entry | |
| * @author sixeightzero <mike.mackintosh@angrystatic.com> http://www.highonphp.com | |
| * @copyright 2012 sixeightzero | |
| * @license http://www.highonphp.com/license/v1 | |
| * @version SVN: 231 | |
| * @link http://www.highonphp.com/php/logaudit | |
| **/ | |
| class Entry{ | |
| public $entry; | |
| public $date; | |
| public $time; | |
| public $start_timestamp; | |
| public $end_timestamp; | |
| public $host; | |
| public $daemon; | |
| public $pid; | |
| public $module; | |
| public $function; | |
| public $user; | |
| public $month; | |
| public $day; | |
| const DATE_FORMAT = 'M-j'; | |
| const TIME_FORMAT = 'G:i:s'; | |
| public function __construct($entry){ | |
| $elements = array('entry', 'date', 'host', 'daemon', 'pid', 'module', 'function', 'user'); | |
| foreach($entry as $id => $arg){ | |
| $this->$elements[$id] = $arg; | |
| if($elements[$id] == 'date'){ | |
| $this->time = $this->delog_time($arg, true); | |
| $this->date = $this->delog_time($arg, false, true); | |
| $this->month = $this->delog_time($arg, false, false, 'm'); | |
| $this->day = $this->delog_time($arg, false, false, 'd'); | |
| $this->start_timestamp = $this->delog_time($arg); | |
| } | |
| } | |
| } | |
| public function module(){ | |
| return $this->module; | |
| } | |
| public function user(){ | |
| return $this->user; | |
| } | |
| public function date(){ | |
| return $this->date; | |
| } | |
| public function time(){ | |
| return $this->time; | |
| } | |
| public function timestamp(){ | |
| return $this->timestamp; | |
| } | |
| public function status(){ | |
| return $this->status; | |
| } | |
| public function closeEntry($obj){ | |
| $this->end_timestamp = $this->delog_time($obj[1]); | |
| $this->session_time = $this->end_timestamp - $this->start_timestamp; | |
| } | |
| private function delog_time($time, $flag=false,$tflag = false, $format=NULL){ | |
| $time = date_parse_from_format("M j G:i:s", $time); | |
| $timestamp = mktime($time['hour'], $time['minute'], $time['second'], $time['month'], $time['day'], date('Y')); | |
| if($flag) | |
| return date(self::DATE_FORMAT, $timestamp); | |
| elseif($tflag) | |
| return date(self::TIME_FORMAT, $timestamp); | |
| elseif($format) | |
| return date($format, $timestamp); | |
| return $timestamp; | |
| } | |
| } | |
| /** | |
| * LogAudit - Auth | |
| * | |
| * Minimum PHP version 5.3 | |
| * | |
| * LICENSE: All scripts which are created or modified by | |
| * sixeightzero, angrystatic, HighOnPHP, High on PHP, and | |
| * all other affiliated names are goverend by this script, | |
| * wherein there is no conflict with the original license, | |
| * which takes precedence. You are permitted to use, modify, | |
| * distribute this code, as long as this license agreement | |
| * remains in the document. A longtext version of this | |
| * license may be found at: | |
| * http://www.highonphp.com/license/v1 | |
| * | |
| * @category Audit | |
| * @package LogAudit | |
| * @class Auth | |
| * @author sixeightzero <mike.mackintosh@angrystatic.com> http://www.highonphp.com | |
| * @copyright 2012 sixeightzero | |
| * @license http://www.highonphp.com/license/v1 | |
| * @version SVN: 231 | |
| * @link http://www.highonphp.com/php/logaudit | |
| **/ | |
| class Auth extends Parser{ | |
| public $user; | |
| var $entries = array(); | |
| var $log_file = '/var/log/auth.log'; | |
| public function __construct($user = NULL){ | |
| parent::__construct(); | |
| // If we are looking for a user, set it | |
| if(!is_null($user)) | |
| $this->user = $user; | |
| // Instantiate the log file | |
| if(self::_instLog()){ | |
| self::_parseLog(); | |
| } | |
| } | |
| private function _instLog(){ | |
| parent::grabLog(); | |
| if(strlen($this->user) > 0){ | |
| $this->log = array_values(preg_grep('/for user '.$this->user.'/', $this->log)); | |
| } | |
| return true; | |
| } | |
| private function _parseLog(){ | |
| $this->incomplete = array(); | |
| foreach($this->log as $line){ | |
| if(preg_match('/([A-Za-z0-9:\s]+) ([a-zA-Z0-9-_]+) ([A-Za-z0-9_-]+)\[([0-9]+)\]\: pam_unix\(([A-Za-z0-9_-]+)\:([A-Za-z0-9_-]+)\)\: session opened for user (['.(isset($this->user) ? $this->user : 'a-zA-Z0-9_-').']+)/', $line, $open)){ | |
| $this->incomplete[$open[4]] = true; | |
| $this->entries[$open[4]] = new Entry($open); | |
| } | |
| elseif(preg_match('/([A-Za-z0-9:\s]+) ([a-zA-Z0-9-_]+) ([A-Za-z0-9_-]+)\[([0-9]+)\]\: pam_unix\(([A-Za-z0-9_-]+)\:([A-Za-z0-9_-]+)\)\: session closed for user (['.(isset($this->user) ? $this->user : 'a-zA-Z0-9_-').']+)/', $line, $close)){ | |
| if(@is_object($this->entries[$close[4]])){ | |
| unset($this->incomplete[$close[4]]); | |
| $this->entries[$close[4]]->closeEntry($close); | |
| }else{ | |
| $this->incomplete[$close[4]] = true; | |
| } | |
| } | |
| } | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment