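#
# sshd.py
#
# Find number of ssh logins and authorised users
#

import re

from ..formatting import *
from ..util import readlog, resolve
from .. import config

import logging
logger = logging.getLogger(__name__)

# Raw strings: the original patterns used "\s" / "\w" inside ordinary string
# literals, which newer Python versions report as invalid escape sequences.
#
# NOTE(review): only "Accepted publickey" lines are selected, so logins that
# sshd accepted through another method (e.g. "Accepted password for ...") are
# not reflected in this section.
#
# NOTE(review): the pattern is not anchored to the syslog prefix; any line
# containing "sshd" followed later by this phrase is selected, which could
# include lines where the phrase sits inside a remotely supplied field. Treat
# the resulting counts as a summary rather than audit evidence, and confirm
# against the sshd log format actually in use.
_LOGIN_LINE = re.compile(r'.*sshd.*Accepted publickey for .* from .*')

# User is captured as any run of non-whitespace: the original "\w*" rejected
# account names containing '-' or '.', leaving no match object to read from.
_LOGIN_FIELDS = re.compile(r'^.*publickey\sfor\s(\S+)\sfrom\s(\S*)')


def parse_log():
    """Build the "ssh" report section from accepted public-key logins.

    Reads the auth log named by ``config.prefs['logs']['auth']``, selects the
    lines matching ``_LOGIN_LINE``, and turns each into a ``user@host`` string
    (host obtained from ``resolve`` using the ``sshd.resolve-domains``
    preference). The strings are handed to a ``Data`` object, ordered by
    frequency and truncated to ``config.prefs['maxlist']`` entries.

    Lines that were selected but whose user/address fields cannot be
    extracted are logged and skipped instead of aborting the whole section.

    Returns:
        The ``Section`` named "ssh" with the login data appended.
    """
    logger.debug("Starting sshd section")
    section = Section("ssh")
    logger.debug("Searching for matches in {0}".format(config.prefs['logs']['auth']))
    matches = _LOGIN_LINE.findall(readlog(config.prefs['logs']['auth']))    # get all logins
    logger.debug("Finished searching for logins")

    users = []  # one 'user@host' string per parsed login line
    for match in matches:
        entry = _LOGIN_FIELDS.search(match)
        if entry is None:
            # Log content is not trusted input; a malformed line must not
            # take the report down with an AttributeError.
            logger.warning("Skipping unparseable sshd login line: %r", match)
            continue

        user = entry.group(1)
        ip = entry.group(2)

        # NOTE(review): presumably resolve() performs a reverse lookup; names
        # obtained that way are set by whoever operates DNS for the address,
        # so the displayed host is a hint, not proof of origin. Verify
        # against util.resolve.
        userhost = user + '@' + resolve(ip, fqdn=config.prefs['sshd']['resolve-domains'])
        users.append(userhost)
    logger.debug("Parsed list of authorised users")

    # Total is taken from the parsed entries so the subtitle always agrees
    # with the items listed beneath it.
    num = len(users)
    auth_data = Data(subtitle=plural('login', num) + ' from', items=users)

    # With a single item there is nothing to rank, so the entry is folded
    # into the subtitle. As written this tests the item count, i.e. it fires
    # when exactly one login line was parsed.
    if len(auth_data.items) == 1:
        logger.debug("found " + str(num) + " ssh logins for user " + users[0])
        auth_data.subtitle += ' ' + auth_data.items[0]
    auth_data.orderbyfreq()
    auth_data.truncl(config.prefs['maxlist'])
    # The original logged an always-empty placeholder list here.
    logger.debug("Found " + str(num) + " ssh logins for users " + str(users))
    section.append_data(auth_data)
    logger.info("Finished sshd section")
    return section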