-#
-# sshd_journald.py
-#
-# Find number of ssh logins and authorised users (uses journald)
-#
+"""
+Find number of ssh logins and authorised users (uses journald)
+"""
import re
from systemd import journal
-from logparse.formatting import *
-from logparse.util import resolve
from logparse import config
+from logparse.formatting import *
from logparse.load_parsers import Parser
+from logparse.util import resole
class SshdJournald(Parser):
def __init__(self):
super().__init__()
self.name = "sshd_journald"
- self.info = "Find number of ssh logins and authorised users (uses journald)"
+ self.info = "Find number of ssh logins and authorised users "
+ "(uses journald)"
def parse_log(self):
section = Section("ssh")
j = journal.Reader()
- j.this_boot()
- j.log_level(journal.LOG_DEBUG)
+ j.this_machine()
+ j.log_level(journal.LOG_INFO)
j.add_match(_COMM="sshd")
+ j.seek_realtime(section.period.startdate)
messages = [entry["MESSAGE"] for entry in j if "MESSAGE" in entry]
for msg in messages:
if "Accepted publickey" in msg:
- entry = re.search('^.*publickey\sfor\s(\w*)\sfrom\s(\S*)', msg) # [('user', 'ip')]
+ # [('user', 'ip')]
+ entry = re.search('^.*publickey\sfor\s(\w*)\sfrom\s(\S*)', msg)
user = entry.group(1)
ip = entry.group(2)
- userhost = user + '@' + resolve(ip, fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
+ userhost = user + '@' + resolve(ip,
+ fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
login_data.items.append(userhost)
elif "Connection closed by authenticating user root" in msg:
- entry = re.search('^.*Connection closed by authenticating user (\S+) (\S+)', msg) # [('user', 'ip')]
+ entry = re.search('^.*Connection closed by authenticating user"
+ " (\S+) (\S+)', msg) # [('user', 'ip')]
user = entry.group(1)
ip = entry.group(2)
- userhost = user + '@' + resolve(ip, fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
+ userhost = user + '@' + resolve(ip,
+ fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
failed_data.items.append(userhost)
elif "Invalid user" in msg:
- entry = re.search('^.*Invalid user (\S+) from (\S+).*', msg) # [('user', 'ip')]
+ # [('user', 'ip')]
+ entry = re.search('^.*Invalid user (\S+) from (\S+).*', msg)
user = entry.group(1)
ip = entry.group(2)
- userhost = user + '@' + resolve(ip, fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
+ userhost = user + '@' + resolve(ip,
+ fqdn=config.prefs.get("sshd", "sshd-resolve-domains"))
invalid_data.items.append(userhost)
- login_data.subtitle = plural("successful login", len(login_data.items)) + " from"
+ login_data.subtitle = plural("successful login",
+ len(login_data.items)) + " from"
login_data.orderbyfreq()
login_data.truncl(config.prefs.getint("logparse", "maxlist"))
invalid_data.subtitle = plural("attempted login", len(invalid_data.items))
invalid_data.orderbyfreq()
- invalid_data.subtitle += plural(" from invalid user", len(invalid_data.items), False)
+ invalid_data.subtitle += plural(" from invalid user",
+ len(invalid_data.items), False)
invalid_data.truncl(config.prefs.getint("logparse", "maxlist"))
- failed_data.subtitle = plural("failed login", len(failed_data.items)) + " from"
+ failed_data.subtitle = plural("failed login",
+ len(failed_data.items)) + " from"
failed_data.orderbyfreq()
failed_data.truncl(config.prefs.getint("logparse", "maxlist"))
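Review bot: The split regex literal for the "Connection closed" branch (the `entry = re.search('^.*Connection closed by authenticating user"` line and the one after it) is not valid Python — the literal opens with `'` and the line ends on `"`, so it is an unterminated string and the module will not compile; the two halves need matching quotes and are only joined because they sit inside the `re.search(` parentheses, e.g. `entry = re.search(r'^.*Connection closed by authenticating user'` followed by `r' (\S+) (\S+)', msg)` (raw strings also avoid the invalid-escape warnings on `\S`). Two more breakages on the new side: `from logparse.util import resole` misspells `resolve`, which the three `resolve(ip, ...)` calls in parse_log still use, so the import itself fails; and the `self.info` split leaves `"(uses journald)"` as a bare expression statement on its own line rather than an implicit concatenation, so the stored description silently loses that suffix — wrap the two parts in parentheses, `self.info = ("Find number of ssh logins and authorised users "` / `"(uses journald)")`. parse_log continues past the end of the hunk, and the `login_data`/`failed_data`/`invalid_data` objects it appends to are not defined anywhere in the visible lines, so I could not confirm they exist before the loop.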