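#!/usr/bin/env bash
#
# Collect the last authentication time per user and keep it in a simple
# "user;YYYY-MM-DD HH:MM:SS" file, one line per user.
#
# Source of the login events:
#   * systemd-logind "New session" records via journalctl when PID 1 is systemd
#   * otherwise "session opened for user ... by (uid=0)" lines from
#     /var/log/secure (plus the rotated /var/log/secure*bz2 files with -f)
#
# Usage: <script> [-f] [-d]
#   -f  read all available log data instead of the last day only
#   -d  print debug output
#
# Must be run as root (journal / secure log access, writes the auth log).

# * check we are root; bail out otherwise (non-zero so callers notice)
if [[ "${EUID}" -ne 0 ]]; then
  printf '%s\n' "Must be run as root or with sudo command" >&2
  exit 1
fi

# base folder of this script, with trailing slash
BASE_FOLDER="$(dirname "$(readlink -f -- "$0")")/"

# auth log file, created when missing
AUTH_LOG="${BASE_FOLDER}../auth-log/user_auth.log"
if [[ ! -f "${AUTH_LOG}" ]]; then
  # NOTE(review): created with the caller's umask; the file lists user names
  # and login times, so a tighter mode may be wanted -- confirm with its consumer
  if ! touch -- "${AUTH_LOG}"; then
    printf 'Cannot create auth log %s\n' "${AUTH_LOG}" >&2
    exit 1
  fi
fi

# debug flag
DEBUG=0
# check all logs flag
RUN_FULL_LOG=0

# option parsing (getopts only ever delivers single-letter options)
while getopts ":fd" opt; do
  case "${opt}" in
    f)
      printf '%s\n' "[!!!] Run through all log files to collect data"
      RUN_FULL_LOG=1
      ;;
    d)
      DEBUG=1
      ;;
    \?)
      printf 'Unknown option: -%s\n' "${OPTARG}" >&2
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

#######################################
# Print a debug message when debugging is enabled.
# Arguments:
#   $1 - message
#   $2 - debug flag (default 0); nothing is printed unless it is 1
#   $3 - line-break off flag (default 0); 1 suppresses the trailing newline
# Outputs:
#   the message on stdout
#######################################
prD() {
  local message="${1}"
  local debug="${2:-0}"
  local lb_off="${3:-0}"
  if [[ "${debug}" -eq 1 ]]; then
    # printf instead of echo: a message that starts with "-" is printed as-is
    if [[ "${lb_off}" -eq 1 ]]; then
      printf '%s' "${message}"
    else
      printf '%s\n' "${message}"
    fi
  fi
}

#######################################
# Record the user and timestamp of one login line in the auth log.
# The date is normalised to "YYYY-MM-DD HH:MM:SS"; an existing entry for the
# user gets its date replaced, otherwise a new "user;date" line is appended.
# Arguments:
#   $1 - log line
#   $2 - auth log file (user;date per line)
#   $3 - year to prefix syslog dates with (syslog lines carry no year)
#   $4 - logger: "systemd" (journalctl -o short-iso) or "syslog"
#   $5 - debug flag (default 0)
# Outputs:
#   debug text on stdout when $5 is 1
# Returns:
#   0 on success, 1 when no user name could be extracted or the auth log
#   could not be rewritten
#######################################
parseLog() {
  local line="${1}"
  local auth_log="${2}"
  local start_year="${3}"
  local logger="${4}"
  local debug="${5:-0}"
  local auth_date auth_user msg tmp

  if [[ "${logger}" == "systemd" ]]; then
    # 2022-11-18T20:04:08+0900 host systemd-logind[pid]: New session N of user NAME.
    auth_date=$(printf '%s\n' "${line}" | cut -d ' ' -f 1)
    auth_user=$(printf '%s\n' "${line}" | cut -d ']' -f 2 | cut -d ' ' -f 7)
    # the message ends with "." after the user name; strip only that trailing
    # dot so names that contain a dot are not truncated
    auth_user="${auth_user%.}"
  else
    # "Nov 21 14:15:46 ..." -> "Nov 21 <year> 14:15:46"
    auth_date="$(printf '%s\n' "${line}" | cut -c 1-6) ${start_year} $(printf '%s\n' "${line}" | cut -c 8-15)"
    # "...: session opened for user NAME(uid=N) by (uid=0)" or "... user NAME by (uid=0)"
    auth_user=$(printf '%s\n' "${line}" | cut -d ')' -f 2 | cut -d ' ' -f 6 | cut -d '(' -f 1)
  fi
  # GNU date reads the free-form date from stdin and prints it normalised
  auth_date=$(printf '%s\n' "${auth_date}" | date +'%F %T' -f -)

  # an empty user name would otherwise produce a ";date" record
  if [[ -z "${auth_user}" ]]; then
    prD "Source: ${logger} | no user name found in line: ${line}" "${debug}"
    return 1
  fi

  printf -v msg "Source: %-10s | Year: %4s | Last auth user: %-20s: %19s" \
    "${logger}" "${start_year}" "${auth_user}" "${auth_date}"
  prD "${msg}" "${debug}" 1

  # The user name comes from the log, so it is compared as an exact first
  # field and never used as a regex or sed expression: "bob" does not touch
  # the "alicebob" entry, and metacharacters in a name cannot break the
  # lookup or the rewrite. Values are passed through the environment so awk
  # does not interpret backslash escapes in them.
  if AUTH_USER="${auth_user}" awk -F ';' \
      '$1 == ENVIRON["AUTH_USER"] { found = 1 } END { exit (found ? 0 : 1) }' \
      "${auth_log}"; then
    prD " | Replace old" "${debug}"
    # rewrite via a temp file in the same directory, then copy back over the
    # existing file so its owner and mode are kept
    tmp=$(mktemp -- "${auth_log}.XXXXXX") || return 1
    if ! { AUTH_USER="${auth_user}" AUTH_TS="${auth_date}" awk -F ';' \
        '$1 == ENVIRON["AUTH_USER"] { print $1 ";" ENVIRON["AUTH_TS"]; next } { print }' \
        "${auth_log}" > "${tmp}" && cat -- "${tmp}" > "${auth_log}"; }; then
      rm -f -- "${tmp}"
      return 1
    fi
    rm -f -- "${tmp}"
  else
    prD " | Write new" "${debug}"
    printf '%s;%s\n' "${auth_user}" "${auth_date}" >> "${auth_log}"
  fi
  return 0
}

printf -v msg 'Run date: %s' "$(date +'%F %T')"
prD "${msg}" "${DEBUG}"

# Collector for login information via journalctl; without systemd fall back
# to /var/log/secure.
# NOTE(review): only /var/log/secure is read on the fallback path; a
# Debian-style /var/log/auth.log is not handled -- confirm that is intended.
init_version=$(/proc/1/exe --version 2>/dev/null | head -n 1)
readonly init_version
# an empty version string (PID 1 not readable) selects the syslog path; the
# previous pattern test treated it as systemd
if [[ "${init_version}" == *systemd* ]]; then
  LOG_TARGET="systemd"
  # for journalctl
  START_DATE=$(date +%F -d "1 day ago")
  END_DATE=$(date +%F)
  journal_opts=(-u systemd-logind --no-pager -o short-iso)
  if [[ "${RUN_FULL_LOG}" -eq 0 ]]; then
    journal_opts+=(-S "${START_DATE}" -U "${END_DATE}")
  fi
  # short-iso output carries the year, unlike the default syslog-style format
  START_YEAR=$(date +%Y -d "1 day ago")
  # Nov 21 14:15:46 we.are.hostname.com systemd-logind[1865]: New session 12345 of user some^user.
  # only date + time + user name are used; see parseLog for the field layout
  journalctl "${journal_opts[@]}" | grep -F ': New session' \
    | while IFS= read -r line; do
        parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
      done
else
  LOG_TARGET="syslog"
  # pattern the current /var/log/secure lines must match before the
  # "session opened" filter; an empty pattern matches every line
  # NOTE(review): the original reused START_DATE for this and only set it to
  # "sshd" in full mode, so a default run filters nothing -- looks inverted,
  # confirm the intended filter before changing it
  SECURE_FILTER=""
  if [[ "${RUN_FULL_LOG}" -eq 1 ]]; then
    # loop over EACH rotated file and take its ctime for the correct YEAR
    shopt -s nullglob
    for sfile in /var/log/secure*bz2; do
      tz=$(stat -c %Z -- "${sfile}")
      START_YEAR=$(date +%Y -d "@${tz}")
      bunzip2 -ck -- "${sfile}" | grep -F ': session opened for user' | grep -F ' by (uid=0)' \
        | while IFS= read -r line; do
            parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
          done
    done
    shopt -u nullglob
    SECURE_FILTER="sshd"
  fi
  START_YEAR=$(date +%Y -d "1 day ago")
  grep -- "${SECURE_FILTER}" /var/log/secure | grep -F ': session opened for user' | grep -F ' by (uid=0)' \
    | while IFS= read -r line; do
        parseLog "${line}" "${AUTH_LOG}" "${START_YEAR}" "${LOG_TARGET}" "${DEBUG}"
      done
fi
# __END__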