rpms/zabbix-agent-addons
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Optimize samba audit_auth log parsing by reading from the tail of the file

Browse Source 
GLPI #47700
This commit is contained in:
Daniel Berteaud 2021-01-14 15:40:22 +01:00
parent d0ee0ee54c
commit acd74aa1db
2 changed files with 24 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
zabbix_scripts/check_samba_dc_sudo
View File

@ -6,6 +6,7 @@ use JSON;
use Getopt::Long; use Getopt::Long;
use File::Which; use File::Which;
use Date::Parse; use Date::Parse;
use File::ReadBackwards;
use Data::Dumper; use Data::Dumper;
my $samba_tool = which('samba-tool'); my $samba_tool = which('samba-tool');
@ -144,9 +145,12 @@ if (defined $ou){
} }
if (-e $audit_auth_log){ if (-e $audit_auth_log){
open (my $auth_log, '<', $audit_auth_log) or die "Couldn't open $audit_auth_log : $!\n"; my $backward = File::ReadBackwards->new( $audit_auth_log ) or die "Couldn't open $audit_auth_log : $!\n";
foreach my $line (<$auth_log>){ while (defined (my $line = $backward->readline)){
my $event = from_json($line); my $event;
eval {
$event = from_json($line);
};
# Skip the log entry if we can't parse JSON # Skip the log entry if we can't parse JSON
next if (not defined $event); next if (not defined $event);
my $type = $event->{type}; my $type = $event->{type};
@ -155,8 +159,10 @@ if (defined $ou){
# Parse the date in the timstamp field # Parse the date in the timstamp field
my $timestamp = str2time($event->{timestamp}); my $timestamp = str2time($event->{timestamp});
# Only look at lines from the last $since seconds. Skip if date couldn't be parsed # Skip if date couldn't be parsed
next if (not defined $timestamp or time() - $timestamp > $since); next if (not defined $timestamp);
# As we're reading in reverse order, if we reached an events prior to now - since, then we can stop, as all the other will be even earlier
last if (time() - $timestamp > $since);
my $subject; my $subject;
if ($type eq 'Authentication'){ if ($type eq 'Authentication'){
@ -172,7 +178,6 @@ if (defined $ou){
$json->{activity}->{authorizations}->{$subject}++; $json->{activity}->{authorizations}->{$subject}++;
} }
} }
close $auth_log;
} }
} }

50
zabbix_templates/Template_App_Samba_DC.xml
View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<zabbix_export> <zabbix_export>
<version>5.0</version> <version>5.0</version>
<date>2021-01-11T15:08:31Z</date> <date>2021-01-14T14:39:31Z</date>
<groups> <groups>
<group> <group>
<name>Templates</name> <name>Templates</name>
@ -203,7 +203,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -214,10 +214,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authentications.computers.failure</params> <params>$.activity.authentications.computers.failure</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -239,7 +235,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -250,10 +246,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authentications.computers.success</params> <params>$.activity.authentications.computers.success</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -267,7 +259,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -278,10 +270,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authentications.users.failure</params> <params>$.activity.authentications.users.failure</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -295,7 +283,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -306,10 +294,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authentications.users.success</params> <params>$.activity.authentications.users.success</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -323,7 +307,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -334,10 +318,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authorizations.computers</params> <params>$.activity.authorizations.computers</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -351,7 +331,7 @@
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<value_type>FLOAT</value_type> <value_type>FLOAT</value_type>
<units>!auth/min</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -362,10 +342,6 @@
<type>JSONPATH</type> <type>JSONPATH</type>
<params>$.activity.authorizations.users</params> <params>$.activity.authorizations.users</params>
</step> </step>
<step>
<type>MULTIPLIER</type>
<params>0.2</params>
</step>
</preprocessing> </preprocessing>
<master_item> <master_item>
<key>samba_dc.info[300]</key> <key>samba_dc.info[300]</key>
@ -714,7 +690,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -728,7 +704,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -742,7 +718,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -756,7 +732,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -770,7 +746,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>
@ -784,7 +760,7 @@
<delay>5m</delay> <delay>5m</delay>
<history>60d</history> <history>60d</history>
<trends>1825d</trends> <trends>1825d</trends>
<units>auth</units> <units>!auth</units>
<applications> <applications>
<application> <application>
<name>Samba</name> <name>Samba</name>