
@raphink
Last active December 11, 2015 02:09
augsed bash poc
#!/bin/bash
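# Parse the command line into the globals the rest of the script reads:
#   BYLINE   - 1 when -l was given (one augtool run per input line), else 0
#   LENS     - first non-option argument, handed to augtool's "store"
#   COMMANDS - every remaining argument joined with spaces, run as augtool commands
# LENS and COMMANDS are pasted into the augtool script as-is, so they must come
# from the person running the script and never from the data being parsed.
# An unknown option prints a message on stderr and exits with status 2.
parse_args() {
    # OPTIND is kept local so the function can be called more than once.
    local OPTIND=1 opt
    BYLINE=0
    # The leading ':' selects getopts' silent mode; only then is OPTARG set to
    # the offending character when an unknown option is met.
    while getopts ":l" opt; do
        case $opt in
            l)
                BYLINE=1
                ;;
            \?)
                echo "Invalid option: -$OPTARG" >&2
                exit 2
                ;;
        esac
    done
    # Drop the parsed options in one step; shifting inside the loop would
    # desynchronise getopts' own index from the positional parameters.
    shift $((OPTIND - 1))
    LENS=${1-}
    if [ $# -gt 0 ]; then
        shift
    fi
    COMMANDS="$*"
}
# Escape text appended to the input so the value handed to augtool ends with a newline.
NL="\n"
parse_args "$@"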
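# Run one augtool session over a piece of text and print what it reports.
#   $1    - the text to parse
#   $2... - augtool commands, joined with spaces and run after the parse
# Reads the globals LENS (lens passed to "store") and NL (appended to the text).
# The session stores the text under /input, parses it with LENS into /parsed,
# prints anything recorded under /augeas//error, makes /parsed the context and
# then runs the commands. Output lines containing "(no matches)" are dropped.
function do_augtool() {
    # Scoped locally so repeated calls do not leave globals behind.
    local input commands
    # Newlines become the escape text \n so the value stays on a single line
    # of the augtool script below.
    input="${1//$'\n'/\n}"
    shift
    commands="$*"
    # NOTE(review): $input is pasted unescaped between the double quotes of the
    # "set" line. Text containing a double quote or a backslash (both can occur
    # in log lines written by other parties) changes how augtool reads that
    # line, so the value parsed may differ from the data received, or the "set"
    # may fail. Quoting rules may differ between augtool versions; check the
    # installed one and escape accordingly before using this on data you do
    # not control.
    (augtool --noautoload | grep -v '(no matches)') << EOF
set /input "$input$NL"
store $LENS /input /parsed
print /augeas//error
set /augeas/context /parsed
$commands
EOF
}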
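# Feed standard input to augtool: one session per line when -l was given,
# otherwise a single session over the whole input.
if [ "$BYLINE" = 1 ]; then
    # IFS= and -r pass each line on exactly as it arrived (no trimming of
    # leading/trailing blanks, no backslash processing by the shell), which
    # matches what the whole-input branch does. The -n test keeps a final line
    # that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        do_augtool "$line" "$COMMANDS"
    done
else
    # Command substitution strips trailing newlines; do_augtool appends one back.
    INPUT="$(cat)"
    do_augtool "$INPUT" "$COMMANDS"
fi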
# Get all users with a /bin/false shell
$ getent passwd | ./augsed.sh Passwd.lns match './*[shell="/bin/false"]'
/parsed/syslog = (none)
/parsed/messagebus = (none)
/parsed/colord = (none)
/parsed/lightdm = (none)
/parsed/avahi-autoipd = (none)
/parsed/avahi = (none)
/parsed/usbmux = (none)
/parsed/kernoops = (none)
/parsed/pulse = (none)
/parsed/rtkit = (none)
/parsed/saned = (none)
/parsed/whoopsie = (none)
/parsed/hplip = (none)
/parsed/puppet = (none)
/parsed/Debian-exim = (none)
/parsed/ntp = (none)
/parsed/nagios = (none)
/parsed/rabbitmq = (none)
/parsed/mysql = (none)
# Get shell for a single user
$ getent passwd rpinson | ./augsed.sh Passwd.entry match '*/shell'
/parsed/rpinson/shell = /bin/bash
# Emulate awk: filter on 3rd column
$ cat /etc/fstab | AUGEAS_LENS_LIB=. ./augsed.sh Logs.lns_spacedcols match '*/3'
/parsed/1/3 = /
/parsed/2/3 = /proc
/parsed/3/3 = /sys
/parsed/4/3 = /sys/fs/fuse/connections
/parsed/5/3 = /sys/kernel/debug
/parsed/6/3 = /sys/kernel/security
/parsed/7/3 = /dev
/parsed/8/3 = /dev/pts
/parsed/9/3 = /run
/parsed/10/3 = /run/lock
/parsed/11/3 = /run/shm
/parsed/12/3 = /home
/parsed/13/3 = /proc/sys/fs/binfmt_misc
/parsed/14/3 = /run/vmblock-fuse
/parsed/15/3 = /home/rpinson
/parsed/16/3 = /home/rpinson/.gvfs
# Parsing syslog
$ tail -n12 /var/log/syslog | AUGEAS_LENS_LIB=. ./augsed.sh Logs.lns_syslog match '*/service[.!="kernel"]'
/parsed/1/service = CRON
/parsed/2/service = CRON
/parsed/11/service = wpa_supplicant
/parsed/12/service = CRON
# Parse syslog line by line
$ tail -f /var/log/syslog | AUGEAS_LENS_LIB=. ./augsed.sh -l Logs.syslog match '*/service[.!="kernel"]'
(no matches)
/parsed/1/service = mtp-probe
/parsed/1/service = mtp-probe
(no matches)
(no matches)
/parsed/1/service = CRON
/parsed/1/service = CRON
(* Logs: proof-of-concept lenses for line-oriented text, as used by the
   augsed.sh examples: whitespace-separated columns and syslog lines. *)
module Logs =
(* One line of space-separated columns. The line becomes a node numbered by
   the "line" sequence; counter "item" restarts the column numbering on every
   line, and each run of Rx.no_spaces is stored under the next "item" number.
   Columns are separated by Sep.space and the line ends with Util.eol. *)
let spacedcols = [ seq "line" . counter "item" . Build.opt_list [ seq "item" . store Rx.no_spaces ] Sep.space . Util.eol ]
(* Zero or more column lines. *)
let lns_spacedcols = spacedcols*
(* Timestamp at the start of a syslog line: a "date" node with children
   "month" (Rx.word), "day" (Rx.integer) and "time" (three digit groups
   joined by colons), separated by Sep.space. *)
let date =
let month = [ label "month" . store Rx.word ]
in let day = [ label "day" . store Rx.integer ]
in let time = [ label "time" . store /[0-9]+:[0-9]+:[0-9]+/ ]
in [ label "date" . month . Sep.space
. day . Sep.space
. time ]
(* One syslog line, numbered by the "line" sequence: date, "host", "service"
   and "message". The service node stores an Rx.word and may carry a child
   "id" holding the decimal number found between square brackets; it is
   followed by Sep.colon. The message stores Rx.space_in up to Util.eol. *)
let syslog =
let host = [ label "host" . store Rx.word ]
in let id = [ label "id" . Util.del_str "[" . store Rx.decimal . Util.del_str "]" ]
in let service = [ label "service" . store Rx.word . id? . Sep.colon ]
in let message = [ label "message" . store Rx.space_in ]
in [ seq "line" . date . Sep.space
. host . Sep.space
. service . Sep.opt_space
. message . Util.eol ]
(* Zero or more syslog lines.
   NOTE(review): presumably a single line that does not fit the shape above
   makes the parse of the whole input fail rather than being skipped, so one
   malformed log entry could hide every other entry in the batch. Confirm, and
   prefer parsing line by line with Logs.syslog where that matters. *)
let lns_syslog = syslog*