   1#
   2#   smbd.py
   3#   
   4#   Get login statistics for a samba server.
   5#   TODO: add feature to specify shares to check in config file
   6#
   7
   8import re
   9import glob
  10
  11from ..formatting import *
  12from ..util import readlog, resolve
  13from .. import config
  14
  15import logging
# Module-level logger; the name follows the package path so smbd records can be filtered.
logger = logging.getLogger(name=__name__)
  17
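def _smb_logfiles():
    """Return the per-client samba log files in the configured log directory.

    Samba writes one ``log.<ip-or-hostname>`` file per client; rotated copies
    (``.gz``, ``.old``) are skipped by suffix.  The previous glob pattern
    ``log.*[!\\.gz][!\\.old]`` only excluded files whose last two characters
    happened to fall in those character sets, which also dropped legitimate
    names such as ``log.foo``.

    Returns:
        list[str]: paths of the log files to parse.
    """
    candidates = glob.glob(config.prefs['logs']['smb'] + "/log.*")
    # NOTE(review): samba's own daemon logs (e.g. log.smbd) also match log.*;
    # they are not filtered here -- confirm whether they should be.
    # TODO: optionally skip log files that have not been modified recently
    return [f for f in candidates if not f.endswith((".gz", ".old"))]


def _client_host(path, contents):
    """Return the display name of the client whose log file is *path*.

    Args:
        path: path of a per-client log file (``.../log.<ip-or-hostname>``).
        contents: the text of that file, already read by the caller.

    Returns:
        str: the resolved host name, or the name samba recorded in the log
        when resolution leaves the address unchanged, or the raw address.
    """
    # Take what follows "log." in the last path component; anchoring to the end
    # and excluding "/" prevents a "log." earlier in the directory path matching.
    m = re.search(r'log\.([^/]*)$', path)
    ip = m.group(1) if m else path.rsplit('/', 1)[-1]
    host = resolve(ip, fqdn=config.prefs['smbd']['resolve-domains'])
    mode = config.prefs['smbd']['resolve-domains'] or config.prefs['resolve-domains']
    if host == ip and mode != 'ip':
        # Resolution did not change the address (e.g. the ip has disappeared):
        # fall back to the "[ip]@[name]" tag samba writes on each line, but only
        # when every line in the file agrees on a single name.
        # NOTE(review): that name is whatever the client announced, so it is
        # untrusted text; whatever renders the section should escape it.
        names = set(re.findall(r'.*\]\@\[(.*)\]', contents))
        if len(names) == 1:
            host = names.pop().lower()
    return host


def parse_log():
    """Build the "smbd" report section: successful samba logins per user@host.

    Every per-client log file is scanned once for successful authentications
    and service connections; each hit contributes one ``user@host`` entry.
    A single login is named in the subtitle; otherwise the entries become a
    frequency-ordered, truncated item list.

    Returns:
        Section: the "smbd" section holding one Data entry.
    """
    logger.debug("Starting smbd section")
    section = Section("smbd")
    files = _smb_logfiles()
    logger.debug("Found log files " + str(files))

    sigma_auths = []    # one "user@host" entry per successful login (duplicates are counted)
    for path in files:  # one log file for each client
        logger.debug("Looking at file " + path)
        contents = readlog(path)    # read once; both the host fallback and the auth scan use it
        host = _client_host(path, contents)
        # NOTE(review): user names are copied verbatim from the log; escaping,
        # if needed, belongs in the layer that renders Data.items.
        users = re.findall(r'.*(?:authentication for user \[|connect to service .* initially as user )(\S*)(?:\] .*succeeded| \()', contents)
        sigma_auths.extend(user + "@" + host for user in users)
    n_auths = len(sigma_auths)    # total number of logins from all users

    auth_data = Data(subtitle=plural("login", n_auths) + " from")
    if n_auths == 1:
        # A single login: name the user@host inline instead of a one-item list.
        # (Indexing sigma_auths[0][0], as before, yielded only the first
        # character -- a leftover from when entries were [userhost, count] pairs.)
        auth_data.subtitle += ' ' + sigma_auths[0]
    else:       # zero or multiple logins
        auth_data.items = sigma_auths
        auth_data.orderbyfreq()
        auth_data.truncl(config.prefs['maxlist'])
        logger.debug("Found {0} samba logins".format(str(n_auths)))
    # Appended exactly once; previously the single-login branch also appended it,
    # so the same Data showed up twice in the section.
    section.append_data(auth_data)
    logger.info("Finished smbd section")
    return section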