Python log-parser for authentication failures

2024-10-01 17:46:06 -06:00 · 2024-10-01 17:46:06 -06:00 · 09b57cdf06
commit 09b57cdf06
2 changed files with 2042 additions and 0 deletions
--- a/python-logs/Linux_2k.log
+++ b/python-logs/Linux_2k.log
--- a/python-logs/parselogs.py
+++ b/python-logs/parselogs.py
@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+    if len(sys.argv) != 2:
+        print(f"Usage: python3 {sys.argv[0]} <input_file>")
+        sys.exit(1)
+
+    input_file = sys.argv[1]
+
+    with open(input_file, "r") as f:
+        # Read log file
+        lines = f.readlines()
+
+    # keep track of both the total number of authentication failures and the number of failures from each IP address
+    auth_failures = {}
+    total = 0
+
+    for line in lines:
+        if "authentication failure" in line:
+            # add failure
+            total += 1
+            # Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
+            rhost = line.split("rhost=")[1].split(" ")[0]
+            if rhost not in auth_failures:
+                # initialize the count
+                auth_failures[rhost] = 1
+            else:
+                # add failure
+                auth_failures[rhost] += 1
+
+    # Print the results
+    for rhost in auth_failures:
+        print(f"From {rhost}: {auth_failures[rhost]} failures")
+
+    print(f"\nTotal failures: {total}")
+
+
+if __name__ == "__main__":
+    main()