Parsing SSH Accepted Syslog files with Python and PyParsing - based on Lendro Silva's code
#!/usr/bin/env python | |
import re
import string
import sys
import time
#from time import strftime
from datetime import datetime

from pyparsing import Word, alphas, Suppress, Combine, nums, string, Optional, Regex, ParseException
# Script: ssh_accepted_xlog_parser.py | |
# Author: Don C. Weber (cutaway) | |
# Date: 20151214 | |
# Reference: Lendro Silva - Parsing Syslog files with Python and PyParsing: https://gist.github.com/lea | |
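DEBUG = False
# strptime/strftime layout of the timestamp once the year has been inserted
log_format = "%b %d %Y %H:%M:%S"


class Parser(object):
    """Grammar and field extractor for sshd "Accepted ..." syslog lines.

    A line is expected to look like
    ``May 30 08:40:09 hostname sshd[18789]: Accepted password for root from 8.8.8.8 port 54480 ssh2``
    with no syslog priority prefix (the commented-out ``priority`` term below shows
    where one would go if it were needed).
    """

    # "from <addr> port <n>" as written by sshd after the user name.  The user name is
    # untrusted text that may contain spaces or the word "from", so the address is taken
    # from the LAST such phrase instead of from a fixed token position.
    _SOURCE_RE = re.compile(r"\bfrom\s+(\S+)\s+port\s+\d+")

    def __init__(self, year=2015):
        """Build the pyparsing grammar.

        Args:
            year: year to attach to each timestamp, because syslog lines carry none.
                Defaults to 2015, the value this script originally hard-coded.
        """
        self.year = year
        ints = Word(nums)
        # priority: some log entries do not have one, so it is left out of the grammar
        #priority = Suppress("<") + ints + Suppress(">")
        # timestamp: "May 30 08:40:09" (month is one capital + two lowercase letters)
        month = Word(string.ascii_uppercase, string.ascii_lowercase, exact=3)
        day = ints
        hour = Combine(ints + ":" + ints + ":" + ints)
        timestamp = month + day + hour
        # hostname
        hostname = Word(alphas + nums + "_" + "-" + ".")
        # appname with an optional "[pid]" and the trailing colon suppressed
        appname = Word(alphas + "/" + "-" + "_" + ".") + Optional(Suppress("[") + ints + Suppress("]")) + Suppress(":")
        # message: whatever is left on the line
        message = Regex(".*")
        # pattern build
        #self.__pattern = priority + timestamp + hostname + appname + message
        self.__pattern = timestamp + hostname + appname + message

    def parse(self, line):
        """Parse one syslog line into a dict.

        Args:
            line: a single syslog line; a trailing newline is tolerated.

        Returns:
            dict with keys ``timestamp`` (month, day, the configured year and time of
            day), ``epoch`` (that timestamp through time.mktime, i.e. interpreted in the
            local timezone, as a string), ``hostname``, ``appname``, ``pid`` (None when
            the line has no "[pid]") and ``message``.  The key name ``message`` is
            historical: it holds the peer address from "from <addr> port <n>", falling
            back to the sixth whitespace-separated token of the message when no such
            phrase is present, or None when the message is shorter than that.

        Raises:
            pyparsing.ParseException: when the line does not match the grammar.
        """
        parsed = self.__pattern.parseString(line)
        # Parsed: ['May', '30', '08:40:09', 'hostname', 'sshd', '18789', 'Accepted password for root from 8.8.8.8 port 54480 ssh2']
        if DEBUG:
            print("Parsed: %s" % (parsed,))
        # Pull the datetime back together and insert the year, which syslog omits
        dt = "%s %s %s %s" % (parsed[0], parsed[1], self.year, parsed[2])
        dc = datetime.strptime(dt, log_format)
        payload = {
            "timestamp": dt,
            # mktime reads the tuple as local time; kept as a string like the original
            "epoch": str(time.mktime(dc.timetuple())),
            "hostname": parsed[3],
            "appname": parsed[4],
        }
        # "[pid]" is optional in the grammar: with it the message sits at [6], without it at [5]
        if len(parsed) > 6:
            payload["pid"] = parsed[5]
            text = parsed[6]
        else:
            payload["pid"] = None
            text = parsed[5]
        payload["message"] = self._source_address(text)
        return payload

    def _source_address(self, text):
        """Return the peer address of an sshd message (fallback rules documented on parse)."""
        found = self._SOURCE_RE.findall(text)
        if found:
            return found[-1]
        tokens = text.split()
        return tokens[5] if len(tokens) > 5 else None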
""" --------------------------------- """ | |
def main(): | |
parser = Parser() | |
#inf = './sample.log' | |
inf = sys.argv[1] | |
with open(inf) as syslogFile: | |
for line in syslogFile: | |
if DEBUG: print "Processing line:",line | |
fields = parser.parse(line) | |
print "parsed:", fields | |
if __name__ == "__main__": | |
main() |