diff --git a/zabbix_scripts/check_samba_dc_sudo b/zabbix_scripts/check_samba_dc_sudo index 835a2c8..811e18a 100644 --- a/zabbix_scripts/check_samba_dc_sudo +++ b/zabbix_scripts/check_samba_dc_sudo @@ -6,6 +6,7 @@ use JSON; use Getopt::Long; use File::Which; use Date::Parse; +use File::ReadBackwards; use Data::Dumper; my $samba_tool = which('samba-tool'); @@ -144,9 +145,12 @@ if (defined $ou){ } if (-e $audit_auth_log){ - open (my $auth_log, '<', $audit_auth_log) or die "Couldn't open $audit_auth_log : $!\n"; - foreach my $line (<$auth_log>){ - my $event = from_json($line); + my $backward = File::ReadBackwards->new( $audit_auth_log ) or die "Couldn't open $audit_auth_log : $!\n"; + while (defined (my $line = $backward->readline)){ + my $event; + eval { + $event = from_json($line); + }; # Skip the log entry if we can't parse JSON next if (not defined $event); my $type = $event->{type}; @@ -155,8 +159,10 @@ if (defined $ou){ # Parse the date in the timstamp field my $timestamp = str2time($event->{timestamp}); - # Only look at lines from the last $since seconds. Skip if date couldn't be parsed - next if (not defined $timestamp or time() - $timestamp > $since); + # Skip if date couldn't be parsed + next if (not defined $timestamp); + # As we're reading in reverse order, if we reached an events prior to now - since, then we can stop, as all the other will be even earlier + last if (time() - $timestamp > $since); my $subject; if ($type eq 'Authentication'){ @@ -172,7 +178,6 @@ if (defined $ou){ $json->{activity}->{authorizations}->{$subject}++; } } - close $auth_log; } } diff --git a/zabbix_templates/Template_App_Samba_DC.xml b/zabbix_templates/Template_App_Samba_DC.xml index 6aa863a..4c445bb 100644 --- a/zabbix_templates/Template_App_Samba_DC.xml +++ b/zabbix_templates/Template_App_Samba_DC.xml @@ -1,7 +1,7 @@ 5.0 - 2021-01-11T15:08:31Z + 2021-01-14T14:39:31Z Templates @@ -203,7 +203,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -214,10 +214,6 @@ JSONPATH $.activity.authentications.computers.failure - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -239,7 +235,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -250,10 +246,6 @@ JSONPATH $.activity.authentications.computers.success - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -267,7 +259,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -278,10 +270,6 @@ JSONPATH $.activity.authentications.users.failure - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -295,7 +283,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -306,10 +294,6 @@ JSONPATH $.activity.authentications.users.success - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -323,7 +307,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -334,10 +318,6 @@ JSONPATH $.activity.authorizations.computers - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -351,7 +331,7 @@ 60d 1825d FLOAT - !auth/min + !auth Samba @@ -362,10 +342,6 @@ JSONPATH $.activity.authorizations.users - - MULTIPLIER - 0.2 - samba_dc.info[300] @@ -714,7 +690,7 @@ 5m 60d 1825d - auth + !auth Samba @@ -728,7 +704,7 @@ 5m 60d 1825d - auth + !auth Samba @@ -742,7 +718,7 @@ 5m 60d 1825d - auth + !auth Samba @@ -756,7 +732,7 @@ 5m 60d 1825d - auth + !auth Samba @@ -770,7 +746,7 @@ 5m 60d 1825d - auth + !auth Samba @@ -784,7 +760,7 @@ 5m 60d 1825d - auth + !auth Samba