Python log-parser for authentication failures
This commit is contained in:
commit
09b57cdf06
2000
python-logs/Linux_2k.log
Normal file
2000
python-logs/Linux_2k.log
Normal file
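--- a/python-logs/parselogs.py
+++ b/python-logs/parselogs.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+import sys
+
+
+def main():
+if len(sys.argv) != 2:
+print(f"Usage: python3 {sys.argv[0]} <input_file>")
+sys.exit(1)
+
+input_file = sys.argv[1]
+
+with open(input_file, "r") as f:
+# Read log file
+lines = f.readlines()
+
+# keep track of both the total number of authentication failures and the number of failures from each IP address
+auth_failures = {}
+total = 0
+
+for line in lines:
+if "authentication failure" in line:
+# add failure
+total += 1
+# Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
+rhost = line.split("rhost=")[1].split(" ")[0]
+if rhost not in auth_failures:
+# initialize the count
+auth_failures[rhost] = 1
+else:
+# add failure
+auth_failures[rhost] += 1
+
+# Print the results
+for rhost in auth_failures:
+print(f"From {rhost}: {auth_failures[rhost]} failures")
+
+print(f"\nTotal failures: {total}")
+
+
+if __name__ == "__main__":
+main()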
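Review bot: The remote-host extraction at `rhost = line.split("rhost=")[1].split(" ")[0]` raises IndexError on any line that contains "authentication failure" but carries no `rhost=` field (the total has already been incremented by then), so a single differently formatted record aborts the whole run instead of being counted. A tolerant form that still keeps the count is `rhost = line.partition("rhost=")[2].split(" ")[0] or "<unknown>"`. The file is also opened with the default encoding and strict decoding; syslog output is not guaranteed to be valid UTF-8, so `with open(input_file, "r", errors="replace") as f:` avoids a UnicodeDecodeError, and `for line in f:` in place of `lines = f.readlines()` avoids holding the entire log in memory. Indentation is not preserved in this rendering, so whether the counting and printing code sits inside the `with` block cannot be confirmed here. main() is fully contained in this hunk.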