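#!/bin/bash
# Mlogc->auditconsole alternative using jwall tool
# Script created by skys (skysbsb[at]gmail.com)
# SecAuditLogType Serial
# SecAuditLog logs/modsec_audit.log
#
# Reads the serial ModSecurity audit log, keeps a cursor (the unique id of
# the last entry already shipped) in $lastsigfile, and hands the entries
# recorded since then to an AuditConsole receiver with `jwall send`.

# Config
# Receiver host:port/path; sensorname/sensorpw are put into the URL at send time.
uriip="192.168.1.5:8443/rpc/auditLogReceiver"
sensorname="sensorname"
# NOTE(review): credential hard-coded in the script — keep this file mode 0600.
sensorpw="sensorpw"
# Cursor file: unique id of the last entry sent; empty on first run or when
# the file is missing (the main flow then sends the whole log).
lastsigfile=/var/tmp/maudit-lastsig.txt
lastsig=$(cat -- "$lastsigfile" 2>/dev/null)
lasttmpsig=""
# Empty when jwall is not on PATH; callers must check before invoking it.
jwallbin=$(command -v jwall)
# NOTE(review): fixed, predictable names in a shared tmp dir — the working
# copies hold full audit records; per-run mktemp paths would be safer.
tmpmaudit="/tmp/maudit.log"
tmpfile="/tmp/mtmp.log"
logfile="/var/log/auditrpc.log"
auditfile="/etc/httpd/logs/modsec_audit.log"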
- #######################################
- # do not need changes below this line #
- #######################################
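#######################################
# Record the unique id of the newest audit entry in the working copy.
# Globals:   tmpmaudit (read), lastsigfile (written), lasttmpsig (written)
# Outputs:   "Last sig: <id>" on stdout; a diagnostic on stderr when no id
#            could be extracted
# Returns:   0 (the cursor file is written even when the id is empty, as
#            the original script did)
#######################################
getLastSig() {
  local header
  # Reverse the file so the first "--<id>-A--" header found is the newest
  # entry; in reversed order the context line *before* it is the
  # "[timestamp] <unique id> <client ip> ..." line that follows the header.
  header=$(tac -- "$tmpmaudit" \
    | grep -a -E -m 1 -B 1 '^--[0-9a-f]{8}-A--' \
    | grep '^\[')
  # First space-separated token after the timestamp's closing "] ".
  lasttmpsig=${header#*] }
  lasttmpsig=${lasttmpsig%% *}
  if [ -z "$lasttmpsig" ]; then
    printf 'Lasttmpsig empty.. testtmp: %s\n' \
      "$(tac -- "$tmpmaudit" | grep -a -E -m 1 -B 1 '^--[0-9a-f]{8}-A--')" >&2
  fi
  printf 'Last sig: %s\n' "$lasttmpsig"
  # printf rather than echo -n: the id is data, never an echo option.
  printf '%s' "$lasttmpsig" > "$lastsigfile"
}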
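if [ ! -e "$auditfile" ]; then
  printf 'Error: file %s does not exist\n' "$auditfile" >&2
  exit 1
fi
if [ -z "$jwallbin" ] || [ ! -x "$jwallbin" ]; then
  printf 'Error: jwall binary not found in PATH\n' >&2
  exit 1
fi

# The working copies hold complete audit records (headers, bodies); make sure
# any file created below is private to this user.
umask 077
# copy modsec_audit.log to tmp dir
cp -f -- "$auditfile" "$tmpmaudit" || exit 1
# verify the number of lines
numl=$(wc -l < "$tmpmaudit")
if [ "$numl" -lt 3 ]; then
  echo "File $tmpmaudit empty"
  exit 0
fi

# Send the whole working copy when there is no cursor yet, the cursor is
# empty, or its entry is no longer in the file (logrotate acted).
# -F: the id is matched literally, never interpreted as a regex.
if [ ! -e "$lastsigfile" ] || [ -z "$lastsig" ] \
  || ! grep -a -q -F -e " $lastsig" -- "$tmpmaudit"; then
  numl=$(grep -a -c -E -e '^--[0-9a-f]{8}-A--' -- "$tmpmaudit")
  sendfile=$tmpmaudit
else
  # Keep only the entries after the cursor: once the cursor id has been
  # seen, start printing at the next "--<id>-A--" header and print every
  # line after it. The id goes in through the environment so awk sees it
  # as a literal substring and never as program text or a regex.
  MAUDIT_SIG="$lastsig" awk '
    BEGIN { sig = ENVIRON["MAUDIT_SIG"] }
    found { print; next }
    seen && /^--[0-9a-f]+-A--/ { found = 1; print; next }
    index($0, sig) > 0 { seen = 1 }
  ' "$tmpmaudit" > "$tmpfile"
  # verify if the generated file has any entries
  numl=$(grep -a -c -E -e '^--[0-9a-f]{8}-A--' -- "$tmpfile")
  if [ "$numl" -eq 0 ]; then
    echo "There is no more entries"
    exit 0
  fi
  sendfile=$tmpfile
fi

echo "Sending $numl entries"
# NOTE(review): the password is part of the URL on jwall's command line and is
# therefore visible to other local users via ps; check whether jwall can take
# credentials from a file or the environment instead.
if ! "$jwallbin" send "https://$sensorname:$sensorpw@$uriip" "$sendfile" 2>&1; then
  printf 'Error: jwall send failed, cursor not advanced\n' >&2
  exit 1
fi
# Store the cursor only after a successful send, so a failed upload is
# retried on the next run instead of being silently skipped.
getLastSig
echo "All ok."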