webseal-log-reader.rb

# Parses IBM ISAM's WebSeal (broken) XML logs and outputs a line-based
# version of them extracting the most relevant information required to
# analyse who is requesting HTTP resources, from where and when.
#
#  - m.barnaba@ifad.org  Tue May 30 15:51:28 CEST 2017
#
require 'nokogiri'
require 'time'

def openlog
  log = ARGV[0]

  if log
    File.open(log)
  else
    $stdin
  end
rescue SystemCallError => e
  $stderr.puts e.message
  abort
end

def getdate(line)
  line = Nokogiri.parse(line)
  date = (line / 'date').text
  time = Time.parse(date)
  return time.iso8601(3)
end

def convert(line, date)
  # Remove unmatched closing XML tag
  line = line.sub('</accessor>', '')

  # Wrap the fragment in a root node
  line = ['<isam>', line, '</isam>'].join

  line = Nokogiri.parse(line)
  if line.css('object_nameinapp').length > 0
    ip  = line.css('user_location').text
    url = line.css('object_nameinapp').text.downcase

    return [date, ip, url].join(' ')

  elsif line.css('name_in_rgy').length > 0
    uid = line.css('name_in_rgy').text
    ip  = line.css('user_location').text
    obj = line.css('object').text

    return [date, ip, uid, obj].join(' ')
  end
end

log = openlog

begin
  date = nil
  while line = log.readline
    if line =~ /<date>/
      date = getdate(line)
    else
      out = convert(line, date)
      puts out if out
    end
  end
rescue EOFError
end