Optimize samba audit_auth log parsing by reading from the tail of the file
GLPI #47700
This commit is contained in:
parent
d0ee0ee54c
commit
acd74aa1db
@ -6,6 +6,7 @@ use JSON;
|
|||
use Getopt::Long;
|
||||
use File::Which;
|
||||
use Date::Parse;
|
||||
use File::ReadBackwards;
|
||||
use Data::Dumper;
|
||||
|
||||
my $samba_tool = which('samba-tool');
|
||||
|
@ -144,9 +145,12 @@ if (defined $ou){
|
|||
}
|
||||
|
||||
if (-e $audit_auth_log){
|
||||
open (my $auth_log, '<', $audit_auth_log) or die "Couldn't open $audit_auth_log : $!\n";
|
||||
foreach my $line (<$auth_log>){
|
||||
my $event = from_json($line);
|
||||
my $backward = File::ReadBackwards->new( $audit_auth_log ) or die "Couldn't open $audit_auth_log : $!\n";
|
||||
while (defined (my $line = $backward->readline)){
|
||||
my $event;
|
||||
eval {
|
||||
$event = from_json($line);
|
||||
};
|
||||
# Skip the log entry if we can't parse JSON
|
||||
next if (not defined $event);
|
||||
my $type = $event->{type};
|
||||
|
@ -155,8 +159,10 @@ if (defined $ou){
|
|||
# Parse the date in the timstamp field
|
||||
my $timestamp = str2time($event->{timestamp});
|
||||
|
||||
# Only look at lines from the last $since seconds. Skip if date couldn't be parsed
|
||||
next if (not defined $timestamp or time() - $timestamp > $since);
|
||||
# Skip if date couldn't be parsed
|
||||
next if (not defined $timestamp);
|
||||
# As we're reading in reverse order, if we reached an events prior to now - since, then we can stop, as all the other will be even earlier
|
||||
last if (time() - $timestamp > $since);
|
||||
|
||||
my $subject;
|
||||
if ($type eq 'Authentication'){
|
||||
|
@ -172,7 +178,6 @@ if (defined $ou){
|
|||
$json->{activity}->{authorizations}->{$subject}++;
|
||||
}
|
||||
}
|
||||
close $auth_log;
|
||||
}
|
||||
}
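Review bot: The early exit `last if (time() - $timestamp > $since);` in the reversed loop assumes audit_auth entries are strictly time-ordered, so a single out-of-order line (a clock step or NTP correction on the DC, or a rotated file concatenated back) ends the scan and silently undercounts the authentications and authorizations this script reports, including failures that monitoring is meant to catch. Since the old forward `foreach` counted every in-window line regardless of position, consider tolerating a bounded run of consecutive older entries before stopping rather than breaking on the first one. Separately, the decode guard only checks `defined $event`; a line that decodes to a non-hash scalar (a bare number or string) would die at `my $type = $event->{type};` under strict refs, so `next unless ref $event eq 'HASH';` right after the `eval` is a cheap extra guard. The `if (-e $audit_auth_log)` block and the `while` loop continue past this hunk, and the former `close $auth_log;` has no replacement for the File::ReadBackwards handle (`$backward->close;` would do). The exact side of each displayed line is inferred from the hunk counts, not shown explicitly on this page.
```perl
my $backward = File::ReadBackwards->new( $audit_auth_log ) or die "Couldn't open $audit_auth_log : $!\n";
my $older = 0;   # consecutive entries older than the window seen so far
while (defined (my $line = $backward->readline)){
    # … unchanged: eval'd from_json decode, skip if not a hash, type extraction …
    my $timestamp = str2time($event->{timestamp});
    next if (not defined $timestamp);
    # Reading backwards: stop only after several consecutive entries fall outside
    # the window, so one out-of-order line cannot cut the count short.
    if (time() - $timestamp > $since){
        last if ++$older >= 10;
        next;
    }
    $older = 0;
    # … unchanged: subject extraction and counters …
```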
|
||||
|
||||
@ -1,7 +1,7 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<zabbix_export>
|
||||
<version>5.0</version>
|
||||
<date>2021-01-11T15:08:31Z</date>
|
||||
<date>2021-01-14T14:39:31Z</date>
|
||||
<groups>
|
||||
<group>
|
||||
<name>Templates</name>
|
||||
|
@ -203,7 +203,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -214,10 +214,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authentications.computers.failure</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -239,7 +235,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -250,10 +246,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authentications.computers.success</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -267,7 +259,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -278,10 +270,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authentications.users.failure</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -295,7 +283,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -306,10 +294,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authentications.users.success</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -323,7 +307,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -334,10 +318,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authorizations.computers</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -351,7 +331,7 @@
|
|||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<value_type>FLOAT</value_type>
|
||||
<units>!auth/min</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -362,10 +342,6 @@
|
|||
<type>JSONPATH</type>
|
||||
<params>$.activity.authorizations.users</params>
|
||||
</step>
|
||||
<step>
|
||||
<type>MULTIPLIER</type>
|
||||
<params>0.2</params>
|
||||
</step>
|
||||
</preprocessing>
|
||||
<master_item>
|
||||
<key>samba_dc.info[300]</key>
|
||||
|
@ -714,7 +690,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -728,7 +704,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -742,7 +718,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -756,7 +732,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -770,7 +746,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
|
||||
|
@ -784,7 +760,7 @@
|
|||
<delay>5m</delay>
|
||||
<history>60d</history>
|
||||
<trends>1825d</trends>
|
||||
<units>auth</units>
|
||||
<units>!auth</units>
|
||||
<applications>
|
||||
<application>
|
||||
<name>Samba</name>
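Review bot: Removing the four-line `MULTIPLIER` `0.2` preprocessing step (the only lines the `-214,10 +210,6` style hunks can be dropping) and relabeling `<units>` from `!auth/min` to `!auth` changes every dependent item from a per-minute rate to the raw count over the master item's window (`samba_dc.info[300]`, with `<delay>5m</delay>` on the standalone items further down), so any trigger, graph threshold or calculated item built on the old per-minute values is now off by a factor of five. Nothing in this template section adjusts such thresholds and the commit message only mentions the parsing optimization, so either confirm no triggers reference these items or update them in the same change. The new semantics should also be recorded on each item, e.g. a `<description>` such as `Number of failed computer authentications in the last 5 minutes (absolute count, not a rate)`. Which `<units>` line is old and which is new is inferred from the removed multiplier step rather than shown explicitly on this page.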
|
||||
|