From aa0594e17f3a9aca6dd589401bf27ba1b489aa54 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Mon, 21 Nov 2022 18:29:47 +0900
Subject: [PATCH] Fix for different log output and missing different cut flow in function

---
 bin/collect_login_data.sh | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
index 1690f28..455213d 100755
--- a/bin/collect_login_data.sh
+++ b/bin/collect_login_data.sh
@@ -29,14 +29,19 @@ function parseLog()
 line="${1}";
 auth_log="${2}";
 start_year="${3}";
-debug="${4}";
+logger="${4}";
+debug="${5}";
 # echo "L: $line";
 auth_date=$(echo "${line}" | cut -c 1-6)" ${start_year} "$(echo "${line}" | cut -c 8-15);
 auth_date=$(echo "${auth_date}" | date +"%F %T" -f -);
 # auth user has . at the end, remove that one
-auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+if [ "${logger}" = "systemd" ]; then
+auth_user=$(echo "${line}" | cut -d "]" -f 2 | cut -d " " -f 7 | cut -d "." -f 1);
+else
+auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
+fi;
 # echo -n "USER: $auth_user | DATE: $auth_date";
@@ -78,7 +83,7 @@ if [ -z "${init_version##*systemd*}" ]; then
 # " of user "
 # we want date + time + username
 # prefix year with start date year
-parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
+parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
 done;
 else
 LOG_TARGET="syslog";
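Review bot: Both `auth_user` branches in parseLog pick the user name by fixed field position, so a log line that does not match the expected layout yields an empty `auth_user` instead of an error; add a guard right after `fi;` such as `[ -n "${auth_user}" ] || return 1;` before the value is used (parseLog continues past the hunk, so where it is consumed is not visible here). The `logger` test also treats every value other than `systemd` as the syslog layout, which deserves a comment on the `else` arm: `# any logger other than systemd is parsed with the syslog (pam_unix) field layout`. Inserting `logger` as a positional parameter shifts `debug` to `$5`; the three visible call sites are updated, but any caller outside this patch would now silently pass its `0` as `logger`.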
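Review bot: The systemd call site now passes `"${LOG_TARGET}"`, but the assignment for that branch is not in the hunk; only the `else` arm's `LOG_TARGET="syslog";` is visible. If the variable is unset on the systemd path, the empty string falls through to parseLog's non-systemd cut chain without any diagnostic, so consider asserting it before the loop with `: "${LOG_TARGET:?LOG_TARGET must be set}"`. The `while read` loop this call sits in begins before the hunk.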
@@ -86,20 +91,20 @@ else
 if [ $RUN_FULL_LOG -eq 1 ]; then
 # we loop over EACH file and get the DATE so we can have the correct YEAR
 for sfile in $(ls -1 /var/log/secure*bz2); do
-tz=$(stat -c %z "${sfile}");
+tz=$(stat -c %Z "${sfile}");
 START_YEAR=$(date +%Y -d @${tz});
-bunzip2 -ck "${sfile}" | grep ": session opened for user" |
+bunzip2 -ck "${sfile}" | grep ": session opened for user" | grep " by (uid=0)" |
 while read line; do
-parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
+parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
 done;
 done;
 # read all
 START_DATE="sshd"
 fi;
 START_YEAR=$(date +%Y -d "1 day ago");
-cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
+cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" | grep " by (uid=0)" |
 while read line; do
-parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" 0;
+parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" 0;
 done;
 fi;
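Review bot: The added `grep " by (uid=0)"` stage in both pipelines narrows the collected records to sessions opened by uid 0 and is duplicated verbatim, so the intent should be recorded once where the pattern is defined, e.g. `# keep only sessions opened by a uid 0 process (sshd); sessions opened via su/sudo presumably carry the calling uid here — confirm against the log format`. Because the pattern is literal, `grep -F -- " by (uid=0)"` keeps it from ever being read as a regex, and the `cat /var/log/secure | grep ...` stage could read the file directly. The `while read line` loops the new filters feed still run without `-r`, so a backslash in a log line is altered before it reaches parseLog. The `else` block this hunk belongs to is opened in the previous hunk.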