#!/usr/bin/python3
__author__ = 'kilroy'
# (c) 2014, WasHere Consulting, Inc.
# Written for Infinite Skills
# this requires Python 3 to function properly
import argparse
import csv
import os
import re
import sys
# This is a class designed to store the results from the parsed file until we're
# ready to print them out
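class modsecRec:
    """Collect the fields of one ModSecurity audit-log transaction until it is flushed.

    Fields are added in the order the caller sees them in the log (date, time,
    request line, then one entry per ``Message:`` line) and written out as a
    single CSV row by ``printListToFile`` or echoed by ``printList``.
    """

    def __init__(self):
        # one entry per output column, in append order
        self.storageList = []

    def append(self, newItem):
        """Add one field (a str) to the record being built."""
        self.storageList.append(newItem)

    def extractMessage(self, msgLine):
        """Store a ``Message:`` line from the H section.

        Despite the name this keeps the raw line as-is; no sub-fields
        (rule id, msg, severity) are parsed out of it.
        """
        self.storageList.append(msgLine)

    def printListToFile(self, outputFilename):
        """Append the current record to *outputFilename* as one CSV row.

        Every stored field is stripped of trailing whitespace (including the
        newline it was read with) and written through the ``csv`` module, so
        that request lines or rule messages containing commas, quotes or
        embedded newlines cannot break the row structure, and each record
        ends with its own line terminator.

        The field contents originate from client requests and are therefore
        attacker-influenced: anyone opening the resulting file in a
        spreadsheet should still treat cells beginning with ``=``, ``+``,
        ``-`` or ``@`` with care (formula injection).
        """
        # use the parameter, not the module-level outputFileName global
        with open(outputFilename, 'a', newline='', encoding='utf-8') as outHandle:
            csv.writer(outHandle).writerow(
                [singleEntry.rstrip() for singleEntry in self.storageList])

    def printList(self):
        """Echo the record to stdout: each field on its own line, followed by " ,"."""
        for singleEntry in self.storageList:
            print(singleEntry.rstrip(), ",")

    def clear(self):
        """Forget the stored fields so the next transaction starts empty."""
        self.storageList = []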
# parse the command line arguments
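argParser = argparse.ArgumentParser(
    description='Flatten a ModSecurity serial audit log into one CSV row per transaction.')
argParser.add_argument('-i', type=str, help='the input file with the ModSecurity audit log', required=True)
argParser.add_argument('-o', type=str, help='the output file this should generate')
# argParser.add_argument('-f', type=str, help='the format of the output')
passedArgs = vars(argParser.parse_args())
inputFileName = passedArgs['i']
# kept as a module-level name: modsecRec.printListToFile historically read this global
outputFileName = passedArgs['o']
if not os.path.exists(inputFileName):
    # report on stderr and exit non-zero so a calling script can detect the failure
    print("You must specify an input file that exists", file=sys.stderr)
    sys.exit(1)
if outputFileName and os.path.exists(outputFileName):
    # rows are appended one at a time, so start from an empty file; -o is
    # operator input and is removed unconditionally - do not point it at a
    # file you want to keep
    os.remove(outputFileName)

# Section boundaries in the serial audit-log format look like "--9ee79a00-A--".
# Anchoring the match to the whole line stops a request body (section C) or a
# rule message that merely *contains* "-A--" from being mistaken for a boundary,
# which would let a client desynchronise the parser.
boundaryPattern = re.compile(r'^--[0-9A-Za-z]+-([A-Z])--\s*$')

eachRecord = modsecRec()
# errors='replace': the log carries raw client bytes, so one invalid sequence
# must not abort the whole run with UnicodeDecodeError
with open(inputFileName, 'r', encoding='utf-8', errors='replace') as fileHandle:
    for dataLine in fileHandle:
        boundary = boundaryPattern.match(dataLine)
        if boundary is None:
            continue
        section = boundary.group(1)
        if section == 'A':
            # "[20/Mar/2014:12:34:56 --0400] <uniqueid> <client> ..." -> date, time
            dateInfo = fileHandle.readline()
            stamp = dateInfo.partition("[")[2].partition(" ")[0]
            # an unexpected line yields empty fields rather than garbage slices
            logDate, _, logTime = stamp.partition(":")
            eachRecord.append(logDate)
            eachRecord.append(logTime)
        elif section == 'B':
            # the first line of the request headers is the request line
            eachRecord.append(fileHandle.readline())
        elif section == 'H':
            # the H section opens with one "Message:" line per rule that fired;
            # stop (consuming that line) at the first line that is not one
            for messageLine in fileHandle:
                if 'Message' not in messageLine:
                    break
                eachRecord.extractMessage(messageLine)
        elif section == 'Z':
            # end of this transaction: flush what was collected and start over
            if outputFileName:
                eachRecord.printListToFile(outputFileName)
            else:
                eachRecord.printList()
            eachRecord.clear()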