-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathparser.py
More file actions
103 lines (88 loc) · 2.92 KB
/
Copy pathparser.py
File metadata and controls
103 lines (88 loc) · 2.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
"""
parser.py
Parsing functions for Linux auth logs and Apache/Nginx access logs.
"""
import re
from utils import read_lines
# --- Regex patterns -------------------------------------------------------
# Example auth.log failed password line:
# Jul 6 10:12:03 host sshd[1234]: Failed password for invalid user admin
# from 192.168.1.15 port 51514 ssh2
AUTH_FAILED_RE = re.compile(
r"Failed password for (?:invalid user )?(?P<user>\S+) from "
r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Example auth.log successful login line:
# Jul 6 10:13:10 host sshd[1234]: Accepted password for root
# from 192.168.1.20 port 51520 ssh2
AUTH_SUCCESS_RE = re.compile(
r"Accepted password for (?P<user>\S+) from "
r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
INVALID_USER_RE = re.compile(
r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Example Apache/Nginx combined log format:
# 10.0.0.8 - - [06/Jul/2026:10:15:00 +0000] "GET /admin HTTP/1.1" 404 512
ACCESS_LOG_RE = re.compile(
r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
r'(?P<status>\d{3}) (?P<size>\S+)'
)
def parse_auth_log(filepath: str):
"""
Parse a Linux authentication log.
Returns a list of dicts:
{"type": "failed"|"success"|"invalid_user", "user": str, "ip": str, "raw": str}
"""
events = []
for line in read_lines(filepath):
m = AUTH_FAILED_RE.search(line)
if m:
events.append({
"type": "failed",
"user": m.group("user"),
"ip": m.group("ip"),
"raw": line,
})
continue
m = AUTH_SUCCESS_RE.search(line)
if m:
events.append({
"type": "success",
"user": m.group("user"),
"ip": m.group("ip"),
"raw": line,
})
continue
m = INVALID_USER_RE.search(line)
if m:
events.append({
"type": "invalid_user",
"user": m.group("user"),
"ip": m.group("ip"),
"raw": line,
})
continue
return events
def parse_access_log(filepath: str):
"""
Parse an Apache/Nginx access log (combined log format).
Returns a list of dicts:
{"ip": str, "timestamp": str, "method": str, "path": str,
"status": int, "size": str, "raw": str}
"""
events = []
for line in read_lines(filepath):
m = ACCESS_LOG_RE.search(line)
if m:
events.append({
"ip": m.group("ip"),
"timestamp": m.group("timestamp"),
"method": m.group("method"),
"path": m.group("path"),
"status": int(m.group("status")),
"size": m.group("size"),
"raw": line,
})
return events