
Parse a log file with Python

As with my other Python exercises, I demonstrate this in an executable Python file, but these commands can just as easily be run from a REPL.

This demonstrates a simple log parser that will count any failures of the pam_unix.so PAM authentication module, which are the failures listed in the given log file. I decided to additionally track the number of failures per remote host, as that can be extremely valuable when investigating authentication failures on SSH servers.

As stated in the large comment in the middle of the script, this check only works for some authentication setups. As I noted above, the log file given has authentication errors produced by PAM; however, in my experience the default setup for SSH is to use its built-in password authentication mechanism rather than the "keyboard-interactive" mode that passes authentication to PAM. The SSH password auth failure logs are formatted differently, and this script will not count them.

Additionally, if the PAM configuration is different from the default (such as 2-factor authentication, or LDAP bind authentication), the failure may not originate from pam_unix.so. It may not even originate from the authentication stack in PAM, as is the case for many Linux LDAP implementations that allow any user in the database to resolve and authenticate, implementing access control in the PAM "account" stack instead.

Finally, it will never report a failed authentication if the client only offers an SSH key and that fails. This is never indicated in the given log, and the odds of encountering that in the wild are low, but it is worth keeping in mind.

In other words, this script works for the logs given, but will need to be modified depending on the system it is parsing logs for.
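An added example in the spirit of the exercise (not the author's script, and run on constructed sample lines rather than the log file given): it counts pam_unix.so "auth" stack failures overall and per remote host, and separately counts sshd's own "Failed password" lines to make the blind spot described above visible. The regular expressions and the `(local)` label for an empty rhost are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines in syslog format (not the exercise's own log file).
SAMPLE_LOG = """\
Mar  3 08:01:12 bastion sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Mar  3 08:01:15 bastion sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
Mar  3 08:02:40 bastion sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.17  user=deploy
Mar  3 08:02:44 bastion sshd[2231]: Failed password for deploy from 198.51.100.17 port 51022 ssh2
Mar  3 08:03:01 bastion sshd[2240]: Accepted publickey for ops from 192.0.2.9 port 40210 ssh2
Mar  3 08:03:30 bastion su[2255]: pam_unix(su:auth): authentication failure; logname=ops uid=1000 euid=0 tty=pts/0 ruser=ops rhost=  user=root
"""

# A pam_unix failure in the "auth" stack; rhost is empty for local logins.
PAM_UNIX_FAILURE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"\brhost=(?P<rhost>\S*)"
)

# sshd's built-in password authentication logs failures in its own format,
# which the pam_unix pattern above does not match.
SSHD_NATIVE_FAILURE = re.compile(r"sshd\[\d+\]: Failed password for ")


def count_pam_unix_failures(lines):
    """Return (total pam_unix auth failures, Counter of failures per rhost)."""
    total = 0
    per_host = Counter()
    for line in lines:
        m = PAM_UNIX_FAILURE.search(line)
        if m is None:
            continue
        total += 1
        per_host[m.group("rhost") or "(local)"] += 1
    return total, per_host


def count_unmatched_sshd_failures(lines):
    """Count sshd password failures that the pam_unix parser would miss."""
    return sum(1 for line in lines if SSHD_NATIVE_FAILURE.search(line))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    total, per_host = count_pam_unix_failures(lines)
    print(f"pam_unix auth failures: {total}")
    for host, n in per_host.most_common():
        print(f"  {host}: {n}")
    print("sshd native password failures not counted above: "
          f"{count_unmatched_sshd_failures(lines)}")
```

Replace `SAMPLE_LOG.splitlines()` with the lines of a real auth log to run it against a server; a non-zero second count is the signal that the server is using sshd's built-in password authentication rather than PAM.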