From 16e6b983995a416d1f0259c42ecd3a059898aa80 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Mon, 21 Nov 2022 18:19:03 +0900
Subject: [PATCH] Start year fix for log file parsing

---
 bin/collect_login_data.sh | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
index 594f26e..1690f28 100755
--- a/bin/collect_login_data.sh
+++ b/bin/collect_login_data.sh
@@ -28,12 +28,12 @@ function parseLog()
 # clean up date from YYYY nam dd to YYYY-MM-DD HH:II:SS
 line="${1}";
 auth_log="${2}";
- debug="${3}";
- START_YEAR=$(date +%Y -d "1 day ago");
+ start_year="${3}";
+ debug="${4}";
 # echo "L: $line";
- auth_date=$(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15);
+ auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
 auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
 # auth user has . at the end, remove that one
 auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
@@ -66,6 +66,8 @@ if [ -z "${init_version##*systemd*}" ]; then
 OPT_START_DATE="-S ${START_DATE}";
 OPT_END_DATE="-U ${END_DATE}";
 fi;
+ # READ as other format so we get the YEAR (JSON )
+ START_YEAR=$(date +%Y -d "1 day ago");
 journalctl -u systemd-logind --no-pager ${OPT_START_DATE} ${OPT_END_DATE} | grep ": New session" | while read line; do
 #
 # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
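Review bot: `start_year="${3}"` is taken unvalidated, and an empty third argument makes the `auth_date` line produce `Nov 21  14:15:46`, which `date -f -` on the following line silently completes with the current year — exactly the behaviour the commit is trying to replace, now without any visible error. Keep the previous value as a fallback and make the contract explicit: `start_year="${3:-$(date +%Y -d "1 day ago")}";` with a comment such as `# $3: four-digit year to prefix the month/day log timestamp with (log lines carry no year)`. The debug flag moves from `$3` to `$4`; the three call sites in this patch are updated, but any caller outside it would now pass its debug flag as the year. parseLog's body continues past the end of the hunk.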
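Review bot: The comment `# READ as other format so we get the YEAR (JSON )` does not describe the line under it: the journal is still read in the default short format, which carries no year, and `START_YEAR` is simply the year of yesterday, so the comment should state what the code does, e.g. `# short journal output has no year; assume yesterday's year for every entry`. Because the query is bounded by `${OPT_START_DATE}`/`${OPT_END_DATE}`, a range that crosses New Year stamps December entries with the new year; `journalctl -o short-iso` prints full timestamps and would remove the guess, though parseLog's fixed `cut` offsets would have to change with it. The surrounding if branch continues past the hunk.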
@@ -76,24 +78,28 @@ if [ -z "${init_version##*systemd*}" ]; then
 # " of user "
 # we want date + time + username
 # prefix year with start date year
- parseLog "${line}" "${AUTH_LOG}" 0;
+ parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
 done;
 else
 LOG_TARGET="syslog";
 # for secure/auth log
 if [ $RUN_FULL_LOG -eq 1 ]; then
- bunzip2 -ck /var/log/secure*.bz2 | grep ": session opened for user" |
- while read line; do
- parseLog "${line}" "${AUTH_LOG}" 0;
+ # we loop over EACH file and get the DATE so we can have the correct YEAR
+ for sfile in $(ls -1 /var/log/secure*bz2); do
+ tz=$(stat -c %z "${sfile}");
+ START_YEAR=$(date +%Y -d @${tz});
+ bunzip2 -ck "${sfile}" | grep ": session opened for user" |
+ while read line; do
+ parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
+ done;
 done;
 # read all
 START_DATE="sshd"
- else
- START_DATE=$(date +"%b %e" -d "1 day ago")
 fi;
+ START_YEAR=$(date +%Y -d "1 day ago");
 cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
 while read line; do
- parseLog "${line}" "${AUTH_LOG}" 0;
+ parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
 done;
 fi;
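Review bot: `START_YEAR=$(date +%Y -d @${tz})` cannot work with the value the line above assigns, because `stat -c %z` prints a human-readable change time (e.g. `2022-11-21 18:19:03.000000000 +0900`) while `-d @…` expects epoch seconds; `date` rejects it (the unquoted expansion also splits it into several arguments), `START_YEAR` ends up empty, and every entry from a compressed log falls back to whatever year `date -f -` picks in parseLog, which is the bug this commit set out to fix. Use the file's modification time directly and keep the expansion quoted: `START_YEAR=$(date +%Y -r "${sfile}");` (or `START_YEAR=$(date +%Y -d "@$(stat -c %Y "${sfile}")");`). Even then the year comes from when the file was rotated, so a file rotated in early January holds December entries that would be stamped with the new year; a comment noting that limitation next to the loop would help. `for sfile in $(ls -1 /var/log/secure*bz2)` should be `for sfile in /var/log/secure*bz2; do` followed by `[ -e "${sfile}" ] || continue;` so names with spaces and an empty match are handled, and the new `while read line` should be `while read -r line` so backslashes in log lines survive. The enclosing if/else block starts outside the hunk.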