From ede5f1a2b88b0cbe6774bd56bff69f6f25209536 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Mon, 21 Nov 2022 17:41:27 +0900
Subject: [PATCH] Add full log scan for old non systemd auth checks
---
 bin/collect_login_data.sh | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/bin/collect_login_data.sh b/bin/collect_login_data.sh
index a78cb12..a2ec89a 100755
--- a/bin/collect_login_data.sh
+++ b/bin/collect_login_data.sh
@@ -75,7 +75,25 @@ if [ -z "${init_version##*systemd*}" ]; then
 else
 LOG_TARGET="syslog";
 # for secure/auth log
- START_DATE=$(date +"%b %e" -d "1 day ago")
+ if [ $RUN_FULL_LOG -eq 0 ]; then
+ bunzip -ck /var/log/secure*.bz2 | grep ": session opened for user" |
+ while read line; do
+ # Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
+ auth_date=$($(echo "${line}" | cut -c 1-6)" ${START_YEAR} "$(echo "${line}" | cut -c 8-15) | date +"%F %T" -f -);
+ auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
+ # find auth user in current auth file
+ # if not there attach, else replace date only
+ if [ -z grep "${auth_user}" "${AUTH_LOG}" ]; then
+ cat "${auth_user};${auth_date}" >> "${AUTH_LOG}";
+ else
+ sed -i "s/${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
+ fi;
+ done;
+ # read all
+ START_DATE="sshd"
+ else
+ START_DATE=$(date +"%b %e" -d "1 day ago")
+ fi;
 cat /var/log/secure | grep "${START_DATE}" | grep ": session opened for user" |
 while read line; do
 # Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
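Review bot: The append branch of the new rotated-log loop is unreachable: `if [ -z grep "${auth_user}" "${AUTH_LOG}" ]` hands four arguments to `test` instead of running grep (bash reports "too many arguments" and falls into the `sed -i` branch), and even if it were reached `cat "${auth_user};${auth_date}"` would try to read a file of that name rather than write the record. The `auth_date=$( $(echo … | cut -c 1-6)" ${START_YEAR} "… | date … )` line is also missing its `echo`, so the outer substitution executes the first characters of the log line as a command and `auth_date` ends up empty. `auth_user` is cut out of log content, so it should be restricted to a safe character set before it is interpolated into the `sed` pattern and replacement (a `/` or `&` in it would corrupt the edit) and matched as the whole first `;`-separated field so `bob` does not update `bobby`. Two smaller points: `bunzip` looks like a typo for `bunzip2` (or `bzcat`), and since syslog timestamps carry no year, stamping every rotated entry with `${START_YEAR}` misdates entries written before the last year boundary — worth a comment if that is accepted. A rewrite of the loop body along these lines:
```shell
# … unchanged: bunzip pipeline feeding the loop (use bunzip2 -ck or bzcat) …
while IFS= read -r line; do
  # Nov 21 14:15:56 some.hostname.com sshd[12345]: pam_unix(sshd:session): session opened for user some-user(uid=6789) by (uid=0)
  # syslog lines carry no year; START_YEAR is assumed for every rotated entry
  auth_date=$(echo "$(echo "${line}" | cut -c 1-6) ${START_YEAR} $(echo "${line}" | cut -c 8-15)" | date +"%F %T" -f -);
  auth_user=$(echo "${line}" | cut -d ")" -f 2 | cut -d " " -f 6 | cut -d "(" -f 1);
  # log-derived name: only accept a conservative charset before using it in sed
  case "${auth_user}" in
    ""|*[!A-Za-z0-9_.@-]*) continue ;;
  esac
  # exact match on the user field, not a substring match on the whole line
  if awk -F';' -v u="${auth_user}" '$1 == u { found = 1 } END { exit !found }' "${AUTH_LOG}"; then
    sed -i "s/^${auth_user};.*$/${auth_user};${auth_date}/" "${AUTH_LOG}";
  else
    printf '%s;%s\n' "${auth_user}" "${auth_date}" >> "${AUTH_LOG}";
  fi;
done;
```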