import re
class FullFilter(object):
    """Pass-through filter: ``test`` hands every line back unchanged.

    ``event_type`` is stored on the instance and otherwise unused here.
    """

    def __init__(self, event_type):
        self.event_type = event_type

    def test(self, line):
        """Return *line* as-is, so every line counts as a hit."""
        return line
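class NullFilter(object):
    """Filter that flags matching lines for suppression.

    ``test`` returns ``False`` for a line that matches *pattern* and ``None``
    otherwise, so a caller can tell "suppress this line" apart from "no
    opinion" (the other filters in this module return a string for a hit).
    """

    def __init__(self, pattern, flags=None):
        # re.compile needs an int for flags, so an omitted (None) value is
        # normalised to 0 — previously the default raised TypeError.
        self.regexp = re.compile(pattern, 0 if flags is None else flags)

    def test(self, line):
        """Return False if *line* matches the pattern, else None."""
        if self.regexp.search(line):
            return False
        return None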
20 class SimpleFilter (object) : |
|
21 def __init__ (self, event_type, pattern, format) : |
|
22 self.event_type = event_type |
|
23 |
|
24 self.regexp = re.compile(pattern) |
|
25 self.format = format |
|
26 |
|
27 def test (self, line) : |
|
28 match = self.regexp.search(line) |
|
29 |
|
30 if match : |
|
31 return self._filter(match) |
|
32 |
|
33 def _filter (self, match) : |
|
34 return self.format % match.groupdict() |
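# Syslog-style timestamp prefix "Mon DD HH:MM:SS"; the day is space-padded
# when it has one digit.  All patterns below are raw strings: the regex
# escapes (\w, \d, \S, \[ ...) were previously left intact only because
# Python does not recognise them as string escapes, which newer
# interpreters warn about.  The compiled patterns are unchanged.
_timestamp = r"\w{3} [0-9 ]\d \d{2}:\d{2}:\d{2}"

# Pass-through filter.  The name shadows the builtin ``all`` but is part of
# this module's public surface, so it is kept.
all = FullFilter("all")

# Pass-through minus the leading timestamp.
all_wo_timestamps = SimpleFilter(
    "all",
    r"^" + _timestamp + r" (?P<line>.+)$",
    "%(line)s",
)

# sudo audit lines.  ``%(command)r`` renders the command as a repr so that
# control characters or newlines inside it stay escaped in the output.
sudo = SimpleFilter(
    "sudo",
    r"(?P<hostname>\S+)\s+sudo:\s*(?P<username>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)",
    "%(username)s:%(tty)s - %(target_user)s@%(hostname)s:%(pwd)s - %(command)r",
)

# sshd password-authentication outcomes.
# NOTE(review): ``username`` here is the name the remote client offered, so
# treat it as untrusted text; ``%s`` inserts it verbatim (compare ``%r`` in
# the sudo filter).  Lines of the form "for invalid user NAME from" do not
# match this pattern because of the extra words — presumably intended;
# confirm against the expected log format.
ssh = SimpleFilter(
    "ssh",
    r"(?P<success>Accepted|Failed) password for (?P<username>\S+) from (?P<ip>\S+) port (?P<port>\S+) (?P<proto>\S+)",
    "%(success)s login for %(username)s from %(ip)s:%(port)s proto %(proto)s",
)

# Suppress pam_unix session open/close noise from cron and su.
cron_killer = NullFilter(
    r"^" + _timestamp + r" \S+\s+(CRON|su)\[\d+\]: pam_unix\(cron:\w+\): session (opened|closed) for user \w+( by \(uid=\d+\))?$",
    re.IGNORECASE,
)

# Suppress the routine root -> nobody su lines.
su_nobody_killer = NullFilter(
    r"^" + _timestamp + r" \S+\s+su\[\d+\]: (Successful su for nobody by root|\+ \?\?\? root:nobody)$",
    re.IGNORECASE,
)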