#!/usr/bin/python
#@:k
import logging
import os
import re
import sys
import time

import MySQLdb
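# Connection settings are read from the environment so the database
# credentials do not have to live in this file.  The literal fallbacks keep
# the previous behaviour for existing deployments; drop them once every host
# sets the MODSEC_DB_* variables.
db = MySQLdb.connect(
    os.environ.get("MODSEC_DB_HOST", "localhost"),
    os.environ.get("MODSEC_DB_USER", "username"),
    os.environ.get("MODSEC_DB_PASSWORD", "xxx"),
    os.environ.get("MODSEC_DB_NAME", "mydb"),
)
# Single shared cursor used by proccess_log() for every INSERT.
cursor = db.cursor()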
# generator that follows a log file the way `tail -f` does
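def tail_f(file, interval=1.0):
    """Yield lines appended to *file*, waiting like ``tail -f`` when none are ready.

    Args:
        file: an open, readable file object positioned where tailing should
            start (the caller decides whether to start at the beginning or end).
        interval: seconds to sleep between polls while no complete line is
            available.

    Yields:
        Each complete line, including its trailing newline, as it becomes
        readable.  The generator never terminates on its own.
    """
    while True:
        where = file.tell()
        line = file.readline()
        # readline() returns "" at EOF, or a fragment without a newline when the
        # writer is still in the middle of a line.  In both cases rewind to the
        # line start so the next poll re-reads it once it is complete.
        newline = b"\n" if isinstance(line, bytes) else "\n"
        if not line or not line.endswith(newline):
            time.sleep(interval)
            file.seek(where)
        else:
            yield line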
# parse one log line and insert it into MySQL
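def _parse_modsec_line(log):
    """Return ``(date, ip, rules, args, rules_id, msg, hostname, uri)`` from *log*.

    Quoted fields (msg, hostname, uri) are taken up to the closing quote rather
    than through a restricted character class, so hostnames with dots, URIs
    with several path segments and messages with punctuation are not truncated.
    The digit ranges also include ``0``, which the original classes omitted.

    Args:
        log: one line of the ModSecurity error log.

    Returns:
        A tuple in the column order used by the ``log`` table INSERT;
        ``rules_id`` is already converted to ``int``.

    Raises:
        ValueError: if any expected field is missing from the line.
    """

    def grab(pattern, name):
        # First match only, mirroring the previous findall(...)[0] behaviour,
        # but with a clear error instead of an IndexError on a non-matching line.
        match = re.search(pattern, log)
        if match is None:
            raise ValueError("missing %s field in log line: %r" % (name, log))
        return match

    date = " ".join(grab(r"(\d.+\/\d+)\s(\d+:\d+:\d+)", "date").groups())
    # Dots escaped: an unescaped "." matched any character, not just the
    # separators of a dotted-quad address.
    ip = grab(r"(\d+\.\d+\.\d+\.\d+)\]\s", "ip").group(1)
    rules = grab(r'Pattern\smatch\s"(.+):"', "rules").group(1)
    args = grab(r"at\s([a-zA-Z0-9:_-]+)", "args").group(1)
    rules_id = int(grab(r'id\s"(\d+)"', "rules_id").group(1))
    msg = grab(r'msg\s"([^"]*)"', "msg").group(1)
    hostname = grab(r'\[hostname\s"([^"]*)"', "hostname").group(1)
    uri = grab(r'uri\s"(\/[^"]*)"', "uri").group(1)
    return date, ip, rules, args, rules_id, msg, hostname, uri


def proccess_log(log):
    """Parse one ModSecurity log line and store its fields in the ``log`` table.

    Args:
        log: one line of the ModSecurity error log.

    Raises:
        ValueError: if the line lacks one of the expected fields; nothing is
            written to the database in that case.
        Any exception the MySQL driver raises if the INSERT or commit fails.
    """
    row = _parse_modsec_line(log)
    # Parameterised query: the driver quotes every value, so content from the
    # log line cannot change the statement.
    cursor.execute(
        "INSERT INTO log(date,ip,rules,args,rules_id,msg,hostname,uri)"
        " VALUES (%s,%s,%s,%s,%s,%s,%s,%s)",
        row,
    )
    db.commit()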
#main
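def main(path="modsec.log"):
    """Follow the ModSecurity log at *path* forever and store every parseable line.

    Args:
        path: log file to tail; defaults to ``modsec.log`` in the working
            directory, as before.

    Lines that cannot be parsed are skipped quietly (debug level), while
    failures to store a line are logged with their traceback so database
    problems are not lost.  Never returns.
    """
    logger = logging.getLogger(__name__)
    # The context manager closes the file if the loop is ever interrupted.
    with open(path) as log_file:
        for line in tail_f(log_file):
            try:
                proccess_log(line)
            except (ValueError, IndexError):
                # Not a ModSecurity event line (or a field is missing); expected
                # for mixed logs, so keep it off the default log output.
                logger.debug("skipping line without ModSecurity fields: %r", line.rstrip("\n"))
            except Exception:
                # Best effort: keep following the log, but make the failure visible.
                logger.warning("could not store log line %r", line.rstrip("\n"), exc_info=True)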
# Start the tailer only when run as a script, not when imported as a module.
if __name__ == "__main__":
    main()