Optimized by not reading the entire log file into memory

python-logs/parselogs.py

@@ -10,26 +10,27 @@ def main():
 
     input_file = sys.argv[1]
 
-    with open(input_file, "r") as f:
-        # Read log file
-        lines = f.readlines()
-
     # keep track of both the total number of authentication failures and the number of failures from each IP address
     auth_failures = {}
     total = 0
 
-    for line in lines:
+    with open(input_file, "r") as f:
-        if "authentication failure" in line:
+        # Read log file
-            # add failure
+        for line in f:
-            total += 1
+            # check for auth failure in line
-            # Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
+            # NOTE: This is a rudimentary check, and will not work for all log formats. This was chosen for the log file provided.
-            rhost = line.split("rhost=")[1].split(" ")[0]
+            # as an example, it will not work when the failure arises from PAM, as those logs are formatted differently
-            if rhost not in auth_failures:
+            if "authentication failure" in line:
-                # initialize the count
-                auth_failures[rhost] = 1
-            else:
                 # add failure
-                auth_failures[rhost] += 1
+                total += 1
+                # Extract the remote host. This could be either a hostname or an IP address, depending if the host has a PTR record
+                rhost = line.split("rhost=")[1].split(" ")[0]
+                if rhost not in auth_failures:
+                    # initialize the count
+                    auth_failures[rhost] = 1
+                else:
+                    # add failure
+                    auth_failures[rhost] += 1
 
     # Print the results
     for rhost in auth_failures: