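import os
import sys
from optparse import OptionParser

import ParseLogs

#
# Logalyzer. Original: https://github.com/hatRiot/logalyzer
# Converted to python3.6 by @programmerchad
#

# Log read when no -l is given.
DEFAULT_LOG = "/var/log/auth.log"


def user_call(option, opt_str, value, parser):
    """optparse callback for ``-u``: take an optional username argument.

    ``-u`` alone (or ``-u`` followed by another flag) sets ``user`` to None,
    which main() treats as "list every user".  ``-u NAME`` consumes NAME so it
    does not linger in ``rargs`` as a stray positional argument.
    """
    nxt = parser.rargs[0] if parser.rargs else None
    # A token that looks like a flag belongs to optparse, not to -u.  The
    # previous callback took it blindly, so `-u -i` produced user "-i" and
    # swallowed the -i flag.
    if nxt is None or nxt.startswith("-"):
        value = None
    else:
        value = nxt
        del parser.rargs[0]
    setattr(parser.values, option.dest, value)


def _sanitize(text):
    """Return ``str(text)`` with control characters replaced by ``?``.

    Everything this tool prints comes straight out of the log, and parts of
    an auth log (e.g. the account name in a failed login attempt) can be
    chosen by a remote party.  Printing such lines raw would let that party
    inject terminal escape sequences into the analyst's console, so only
    printable characters and tabs (used by this tool's own output format)
    are passed through.
    """
    return "".join(ch if ch == "\t" or ch.isprintable() else "?" for ch in str(text))


def _build_parser():
    """Build the command-line parser (flags unchanged from the original)."""
    parser = OptionParser(
        epilog="Combine flags to view user-specific information. '-u test -i' lists IP addresses "
        "associated with user test"
    )
    parser.add_option("-u", help="Specify user. Blank lists all users.",
                      action="callback", callback=user_call, default=None, dest="user")
    parser.add_option("--full", help="Full log dump for specified user",
                      action="store_true", default=False, dest="fullu")
    parser.add_option("-l", help="Specify log file. Default is auth.log",
                      default=None, dest="log")
    parser.add_option("-f", help="List failures",
                      action="store_true", default=False, dest="fail")
    parser.add_option("-s", help="List success logs",
                      action="store_true", default=False, dest="success")
    parser.add_option("-c", help="List commands by user",
                      action="store_true", default=False, dest="commands")
    parser.add_option("-i", help="List IP Addresses",
                      action="store_true", default=False, dest="ip")
    return parser


def _dump_all(logs, attr):
    """Print ``user:<TAB>entry`` for every entry of *attr* on every user record."""
    for name in logs:
        for entry in getattr(logs[name], attr):
            print(f"{_sanitize(name)}:\t{_sanitize(entry)}")


def _dump_user(header, entries):
    """Print *header* followed by one tab-indented line per entry."""
    print(header)
    for entry in entries:
        print("\t", _sanitize(entry))


def main(argv=None):
    """Run the CLI and return the process exit status (0 on success, 1 on error).

    ``ParseLogs.ParseLogs(path)`` is assumed -- as the original code assumed --
    to return a mapping of username -> record exposing ``commands``,
    ``fail_logs``, ``succ_logs``, ``ips``, ``logs``, ``first_date()`` and
    ``last_date()``, or None when the file could not be parsed.
    """
    parser = _build_parser()
    options, _args = parser.parse_args(argv)

    log = options.log if options.log is not None else DEFAULT_LOG

    # Least privilege: the tool needs read access to the log, not uid 0.
    # Checking the file itself lets an account that can already read the log
    # (e.g. via its owning group) run without sudo, still bails early with a
    # clear message otherwise, and also works where os.getuid() is missing.
    if not os.access(log, os.R_OK):
        print(f"[-] Cannot read '{log}' -- please run with SUDO or pass a readable file with -l")
        return 1

    LOGS = ParseLogs.ParseLogs(log)
    if LOGS is None:
        return 1

    user = options.user
    if user and user not in LOGS:
        print(f"[-] User '{user}' is not present in the logs.")
        return 1

    # tag log location first
    print("[!] Log file: ", log)

    if not user:
        # Site-wide views.  These used to exit with status 1 after printing,
        # which made a successful listing look like a failure to any wrapper.
        if options.commands:
            _dump_all(LOGS, "commands")
            return 0
        if options.fail:
            _dump_all(LOGS, "fail_logs")
            return 0
        if options.success:
            # Previously unhandled: `-s` without `-u` silently fell through to
            # the user listing below.
            _dump_all(LOGS, "succ_logs")
            return 0
        if options.ip:
            _dump_all(LOGS, "ips")
            return 0
        # `-u` without a name, or no flags at all: list every logged user.
        for name in LOGS:
            print(_sanitize(name))
        return 0

    record = LOGS[user]
    if options.commands:
        _dump_user(f"[+] Commands for user '{user}'", record.commands)
    elif options.success:
        _dump_user(f"[+] Successes logs for user '{user}'", record.succ_logs)
    elif options.fail:
        _dump_user(f"[+] Failures for user '{user}'", record.fail_logs)
    elif options.ip:
        _dump_user(f"[+] Logged IPs for user '{user}'", record.ips)
    else:
        # No view flag: print everything known about the user.
        print(f"[!] Logs associated with user '{user}'")
        print("[+] First log: ", record.first_date())
        print("[+] Last log: ", record.last_date())
        _dump_user("[!] Failure Logs", record.fail_logs)
        _dump_user("[!] Success Logs", record.succ_logs)
        _dump_user("[!] Associated IPs", record.ips)
        _dump_user("[!] Commands", record.commands)

    # --full is additive: it follows whichever view was printed above.
    if options.fullu:
        print("[!] Full Log")
        for line in record.logs:
            print(_sanitize(line))
    return 0


if __name__ == "__main__":
    sys.exit(main())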