#!/usr/bin/perl -w
#
# This is a simple and probably broken log parser used to get
# Sonicwall log files from a local syslog server and parse such logfile
# to select some fields to use in another external reporting tool.
#
# Luciano Coutinho <[email protected]> - 03 jul 2014
#
use strict;
use warnings;
use Getopt::Long;
use Socket;
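# put options in a generic hash
my %options;
# get command line options; GetOptions returns false on an unknown or
# malformed option, in which case the usage text is shown instead.
# The subs are called with a leading "&" on purpose: they are defined
# further down with an empty "()" prototype, and a plain call from here
# would raise the "called too early to check prototype" warning.
GetOptions(\%options, "logfile=s", "outfile=s", "sn=s", "help") or &show_help();
# honour --help explicitly: it was parsed but never checked, so combined
# with the three required options it silently started a parse run
&show_help() if $options{'help'};
# run only when all required options are set, otherwise show the help message
if ($options{'sn'} and $options{'logfile'} and $options{'outfile'}) {
    exit &parse_files($options{'sn'}, $options{'logfile'}, $options{'outfile'});
}
&show_help();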
#
# read each file from selected logfile and send parsed data to
# selected output file
#
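# parse_files($sn, $logfile, $outfile)
#
# Reads $logfile line by line, keeps the entries that carry one of the
# message ids 14/16/17/97 and the firewall serial number $sn, and writes
# one space-separated line per kept entry to $outfile:
#   date hour timezone user action source_ip category url method size
# Dies when either file cannot be opened or the output cannot be written.
# Always returns 0 (the caller uses it as the exit status).
sub parse_files {
    my ($sn, $logfile, $outfile) = @_;
    # Three-argument open with lexical handles. The two-argument form
    # lets a --logfile value such as "| cmd" or ">name" be taken as a
    # pipe or an open mode instead of a plain file name.
    open my $log_fh, '<', $logfile or die "cannot open log file '$logfile': $!";
    open my $out_fh, '>', $outfile or die "cannot open output file '$outfile': $!";
    # The serial number comes from the command line; \Q...\E makes it
    # match literally instead of being compiled as a pattern.
    my $sn_marker = qr/sn=\Q$sn\E/;
    # Reverse-DNS answers keyed by address, so each address is resolved
    # once per run rather than once per log line.
    my %host_of;
    while (my $entry = <$log_fh>) {
        chomp $entry;
        # keep only the message ids this report is built from
        next if $entry !~ /m=(?:14|16|17|97) /;
        # cleanup quotes
        $entry =~ s/"//g;
        # everything before the serial number is syslog framing we do not use
        my (undef, $line) = split $sn_marker, $entry, 2;
        # no serial number in this entry: it belongs to another device
        next if not $line;
        my @fields = _parse_entry($entry, $line, \%host_of);
        printf {$out_fh} "%s %s %s %s %s %s %s %s %s %s\n", @fields;
    }
    close $log_fh;
    # buffered write errors (disk full, ...) only surface at close
    close $out_fh or die "cannot write output file '$outfile': $!";
    return 0;
}

# _parse_entry($entry, $line, \%host_of)
#
# Extracts the report fields from one quote-stripped log entry. $entry is
# the whole line, $line the part after "sn=<serial>". Returns the ten
# output columns in print order. Fields that are missing from the entry
# get the defaults the output has always used ("" for text, "none" for
# user, "1" for method, 0 for size) instead of undef, so a sparse entry
# no longer prints with "uninitialized value" warnings.
sub _parse_entry {
    my ($entry, $line, $host_of) = @_;
    my ($date, $hour, $timezone) =
        $line =~ /time=(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\w{3})/;
    # foreach aliases the loop variable, so this fills in the three above
    for my $field ($date, $hour, $timezone) {
        $field = "" unless defined $field;
    }
    # usr= is absent on many entries; keep the placeholder then
    my $user = "none";
    $user = $1 if $line =~ /usr=(\S+) /;
    # src= looks like address:port:interface; keep the address part
    my $source_ip = "";
    if ($line =~ /src=(\S+) /) {
        ($source_ip) = split /:/, $1, 2;
    }
    # host part of the url: a dstname= value when present, otherwise the
    # reverse-resolved dst= address
    my $url_h = "";
    if ($line =~ /dstname=(\S+) /) {
        $url_h = $1;
    }
    elsif ($line =~ /dst=(\S+) /) {
        my ($ipaddr) = split /:/, $1, 2;
        $url_h = _host_for($ipaddr, $host_of);
    }
    my $url_a = "";
    $url_a = $1 if $line =~ /arg=(\S+) /;
    my $url = $url_h . $url_a;
    # Category= runs to the end of the line and may contain spaces, which
    # would break the space-separated output, so they become underscores
    my ($category) = $line =~ /Category=(.*)$/;
    $category = "" unless defined $category;
    $category =~ s/\s/_/g;
    # the original source documents the default "1" as meaning GET
    my $method = "1";
    $method = $1 if $line =~ /op=(\w+) /;
    my $size = 0;
    $size = $1 if $line =~ /rcvd=(\d+) /;
    # message id 14 is reported as DENY, every other id kept by the
    # filter as ALLOW; the trailing space avoids matching ids like m=140
    my $action = ($entry =~ /m=14 /) ? "DENY" : "ALLOW";
    return ($date, $hour, $timezone, $user, $action, $source_ip,
            $category, $url, $method, $size);
}

# _host_for($ipaddr, \%host_of)
#
# Reverse-resolves $ipaddr, caching the answer in %$host_of. Falls back
# to the address text when it is not a parsable IPv4 address or has no
# name. The name is whatever the reverse lookup returns and is written
# to the report as-is.
sub _host_for {
    my ($ipaddr, $host_of) = @_;
    if (!exists $host_of->{$ipaddr}) {
        my $packed = inet_aton($ipaddr);
        # inet_aton returns undef for an unparsable address; handing that
        # to gethostbyaddr would only produce a warning and no name
        my $name = defined $packed ? gethostbyaddr($packed, AF_INET) : undef;
        $host_of->{$ipaddr} = $name || $ipaddr;
    }
    return $host_of->{$ipaddr};
}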
# show_help()
#
# Prints the usage text to STDOUT and terminates the program. Reached
# both for --help and for a missing/invalid option; note that it exits
# with status 0 in every case, so a usage error is not distinguishable
# from a help request by exit status.
sub show_help() {
    my $usage = join "\n",
        "",
        "Usage:",
        "",
        " $0 --sn=<serial number> --logfile=<log files to parse> --outfile=<output parsed file>",
        "",
        "",
        "",
        "serial number: Sonicwall Serial Number",
        "logfile: List of log files from syslog",
        "outfile: Output file with parsed log entries",
        "",
        "",
        "";
    print $usage;
    exit 0;
}
# EOF