  1. #!/bin/bash
  2. # Mlogc->auditconsole alternative using jwall tool
  3. # Script created by skys (skysbsb[at]gmail.com)
  4. # SecAuditLogType Serial
  5. # SecAuditLog logs/modsec_audit.log
  6.  
  7. # Config
  8. uriip="192.168.1.5:8443/rpc/auditLogReceiver"
  9. sensorname="sensorname"
  10. sensorpw="sensorpw"
  11.  
  12. lastsigfile=/var/tmp/maudit-lastsig.txt
  13. lastsig=$(cat $lastsigfile 2>/dev/null)
  14. lasttmpsig=""
  15. jwallbin=$(which jwall)
  16. tmpmaudit="/tmp/maudit.log"
  17. tmpfile="/tmp/mtmp.log"
  18. logfile="/var/log/auditrpc.log"
  19. auditfile="/etc/httpd/logs/modsec_audit.log"
  20.  
  21. #######################################
  22. # do not need changes below this line #
  23. #######################################
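#######################################
# Find the unique id of the last audit entry in $tmpmaudit and persist it to
# $lastsigfile as the resume point for the next run.
# Globals:   tmpmaudit (read), lastsigfile (written), lasttmpsig (written)
# Outputs:   "Last sig: <id>" on stdout; a diagnostic on stderr when no id
#            could be extracted
# Returns:   0 when an id was found and stored, 1 otherwise (the checkpoint
#            file is left untouched in that case)
#######################################
getLastSig() {
    local ctx
    # Walk the file backwards to the last "--xxxxxxxx-A--" boundary. Because
    # of tac, -B 1 yields the line that FOLLOWS the boundary in the original
    # file, i.e. "[date] uniqueid src_ip src_port dst_ip dst_port".
    ctx=$(tac -- "$tmpmaudit" | grep -a -E -m 1 -B 1 '^--[0-9a-f]{8}-A--')
    # Drop the bracketed timestamp (which itself contains a space) and keep
    # the first token after it.
    lasttmpsig=$(printf '%s\n' "$ctx" | grep -a '^\[' | sed 's/[^]]\+] \([^ ]\+\) .*/\1/')
    if [ -z "$lasttmpsig" ]; then
        # Do not overwrite the previous checkpoint with an empty value: an empty
        # sig would make the next run match at line 1 and skip the first entry.
        # printf (not echo -e) so backslashes in log data are not interpreted.
        printf 'Lasttmpsig empty.. testtmp: %s\n' "$ctx" >&2
        return 1
    fi
    printf 'Last sig: %s\n' "$lasttmpsig"
    printf '%s' "$lasttmpsig" > "$lastsigfile"
}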
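if [ ! -e "$auditfile" ]; then
    # Real error: exit non-zero so a cron wrapper notices, and report on stderr.
    printf 'Error: file %s do not exist\n' "$auditfile" >&2
    exit 1
fi

# $jwallbin is resolved from PATH in the config block; if it is empty the
# later "$jwallbin send ..." would degrade into running a bare "send" command.
if [ -z "$jwallbin" ]; then
    printf 'Error: jwall not found in PATH\n' >&2
    exit 1
fi

# copy modsec_audit.log to tmp dir
cp -f -- "$auditfile" "$tmpmaudit" || exit 1

# verify the number of lines
# Reading from stdin makes wc print only the count, so no cut is needed and the
# result does not depend on wc's column padding.
numl=$(wc -l < "$tmpmaudit")

if [ "$numl" -lt 3 ]; then
    echo "File $tmpmaudit empty"
    exit
fi
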
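# in case where the sigfile do not exists, the stored sig is empty,
# or the file do not have the lastsig anymore (logrotate act)
# send all the modsec_audit file
# -F because $lastsig is data read from the checkpoint file, not a pattern;
# -q replaces the old "2>&1 >/dev/null", which only silenced stdout.
if [ ! -e "$lastsigfile" ] || [ -z "$lastsig" ] || ! grep -a -q -F -- " $lastsig" "$tmpmaudit"; then
    echo "Sending $(grep -a -c -E '^--[0-9a-f]{8}-A--' "$tmpmaudit") entries"
    # The credentials are part of the URL and therefore of jwall's argv,
    # which any local user can read via ps.
    "$jwallbin" send "https://$sensorname:$sensorpw@$uriip" "$tmpmaudit" 2>&1
    rc=$?
    # Advance the checkpoint only after a successful upload, so a failed send
    # is retried on the next run instead of being skipped (assumes jwall exits
    # non-zero on failure — TODO confirm).
    if [ "$rc" -eq 0 ]; then
        getLastSig
    else
        printf 'Error: jwall send failed (exit %s)\n' "$rc" >&2
    fi
    exit "$rc"
fi

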
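# read modsec_audit.log file
# but only the lines below the lastsig
# $lastsig is handed to awk with -v and compared with index() as a fixed
# string, so a checkpoint value containing regex metacharacters or a quote can
# no longer alter the awk program (the old version interpolated it into the
# script text). An empty lastsig matches at the first line, exactly as the
# original match($0, "") did.
awk -v lastsig="$lastsig" '
    BEGIN { res = 0; fim = 0 }
    # once the first boundary after the checkpoint was seen, copy everything
    fim { print; next }
    # checkpoint seen: start copying at the next entry boundary
    res && /^--[0-9a-f]+-A--/ { fim = 1; print; next }
    lastsig == "" || index($0, lastsig) { res = 1 }
' "$tmpmaudit" > "$tmpfile"

# verify if the generated file has more lines
numl=$(grep -a -c -E '^--[0-9a-f]{8}-A--' "$tmpfile")

if [ "$numl" -eq 0 ]; then
    echo "There is no more entries"
    exit
fi

# send created file
echo "Sending $numl entries"
# The credentials are part of the URL and therefore of jwall's argv,
# which any local user can read via ps.
"$jwallbin" send "https://$sensorname:$sensorpw@$uriip" "$tmpfile" 2>&1
rc=$?
if [ "$rc" -ne 0 ]; then
    printf 'Error: jwall send failed (exit %s)\n' "$rc" >&2
    exit "$rc"
fi

# store lastsig only once the upload went through, so a failed send is
# retried on the next run rather than skipped (assumes jwall exits non-zero
# on failure — TODO confirm)
getLastSig

echo "All ok."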