From 683f5de32cdf0f45ef1051b0b4677a5e9c04e269 Mon Sep 17 00:00:00 2001
From: Ezri Brimhall
Date: Tue, 1 Oct 2024 17:52:15 -0600
Subject: [PATCH] Optimized by not reading the entire log file into memory
---
 python-logs/parselogs.py | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/python-logs/parselogs.py b/python-logs/parselogs.py
index 0c4efd7..9961d87 100755
--- a/python-logs/parselogs.py
+++ b/python-logs/parselogs.py
@@ -10,26 +10,27 @@ def main():
 input_file = sys.argv[1]
- with open(input_file, "r") as f:
- # Read log file
- lines = f.readlines()
-
 # keep track of both the total number of authentication failures and the number of failures from each IP address
 auth_failures = {}
 total = 0
- for line in lines:
- if "authentication failure" in line:
- # add failure
- total += 1
- # Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
- rhost = line.split("rhost=")[1].split(" ")[0]
- if rhost not in auth_failures:
- # initialize the count
- auth_failures[rhost] = 1
- else:
+ with open(input_file, "r") as f:
+ # Read log file
+ for line in f:
+ # check for auth failure in line
+ # NOTE: This is a rudimentary check, and will not work for all log formats. This was chosen for the log file provided.
+ # as an example, it will not work when the failure arises from PAM, as those logs are formatted differently
+ if "authentication failure" in line:
 # add failure
- auth_failures[rhost] += 1
+ total += 1
+ # Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
+ rhost = line.split("rhost=")[1].split(" ")[0]
+ if rhost not in auth_failures:
+ # initialize the count
+ auth_failures[rhost] = 1
+ else:
+ # add failure
+ auth_failures[rhost] += 1
 # Print the results
 for rhost in auth_failures:
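Review bot: The re-indented `rhost = line.split("rhost=")[1].split(" ")[0]` raises IndexError on any line that contains "authentication failure" but no `rhost=` field — the PAM-style lines the new NOTE comment itself says are not handled — and because `total += 1` has already run, one such line aborts the whole report instead of being skipped. The `split(" ")[0]` also keeps a trailing `\n` in the key whenever `rhost=` is the last field on the line, so the same host can be counted under two different keys. Both are addressed by partitioning and splitting on whitespace: `_, sep, rest = line.partition("rhost=")` / `if not sep: continue` / `rhost = (rest.split() or [""])[0]`. The value is lifted from a log line that presumably also carries attacker-influenced text such as usernames, so taking only the first `rhost=` occurrence is the right choice, but the result should be validated (e.g. with `ipaddress.ip_address`) before it is used anywhere beyond this printed summary. `main()` starts before the hunk and its body continues past it.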