#!/usr/bin/python
# -*- coding: UTF-8 -*-
import json
import ply.lex as lex
import ply.yacc as yacc
# Keyword table. t_IDENTIFY upper-cases each word and looks it up here, so
# keywords are matched case-insensitively and each maps to a token type of
# the same name.
reserved = {
    word: word
    for word in (
        'SSHD',
        'FAILED',
        'PASSWORD',
        'FOR',
        'FROM',
        'PORT',
        'SSH2',
        'DROPBEAR',
        'BAD',
        'ATTEMPT',
        'AUTH',
        'SUCCEEDED',
        'ACCEPTED',
    )
}

# Complete list of token types: the pattern-based types first, followed by
# one type per reserved word.
tokens = [
    'IP',
    'LBRACKET',
    'RBRACKET',
    'COLON',
    'QUOTE',
    'NUMBER',
    'IDENTIFY',
    'EQUALS',
    'LPAREN',
    'RPAREN',
    'SEM',
    'PLUS',
    'MINUS',
    'TIMES',
    'DIVIDE',
    'POINT',
    'GT',
    'LT',
    'AND',
    'COMMA',
]
tokens.extend(reserved.values())

# Plain-string token rules.
# PLY tries the function rules (t_IP, t_NUMBER, t_IDENTIFY, ...) before these
# string rules, so the word "sshd" is consumed by t_IDENTIFY and typed through
# `reserved`; t_SSHD is kept as written but is shadowed in practice.
t_SSHD = r'sshd'

# Punctuation referenced by the productions in this file.
t_LBRACKET = r'\['
t_RBRACKET = r'\]'
t_COLON = r':'
t_QUOTE = r'\''

# Punctuation that no production in this file references. These characters
# lex without an "Illegal character" report, but a line containing one of
# them matches no production here.
t_EQUALS = r'='
t_LPAREN = r'\('
t_RPAREN = r'\)'
t_SEM = r';'
t_PLUS = r'\+'
t_MINUS = r'-'
t_TIMES = r'\*'
t_DIVIDE = r'/'
t_POINT = r'\.'
t_GT = r'>'
t_LT = r'<'
t_AND = r'\&'
t_COMMA = r','
def t_IP(t):
    r'\d+\.\d+\.\d+\.\d+'
    # The string above is the token regex PLY reads from __doc__; it must stay
    # the first statement and must not be replaced by a prose docstring.
    # It accepts the dotted-quad shape only and is defined ahead of t_NUMBER so
    # an address is not split into NUMBER/POINT tokens. Octets are not
    # range-checked and there is no IPv6 form, so a line whose peer address is
    # IPv6 will not produce an IP token.
    return t
# A regular expression rule with some action code
def t_NUMBER(t):
    r'\d+'
    # The string above is the token regex PLY reads from __doc__.
    # The matched digits are handed to the parser as an int, which is how the
    # bracketed number and the port reach the productions.
    # Because this rule is defined before t_IDENTIFY, a word that starts with
    # digits lexes as NUMBER first and never arrives as a single IDENTIFY.
    digits = t.value
    t.value = int(digits)
    return t
def t_IDENTIFY(t):
    r'\w+'
    # The string above is the token regex PLY reads from __doc__.
    # A word equal to a reserved keyword (compared upper-cased) is retyped to
    # that keyword; every other word stays IDENTIFY.
    # NOTE(review): the host and user fields are lexed by this rule too. A name
    # that equals a keyword in any letter case, or that contains characters
    # outside \w such as '-' or '.', does not arrive as one IDENTIFY token, so
    # the line matches no production in this file. Confirm the caller counts
    # or logs lines that yield no record, otherwise those events go unseen.
    keyword = t.value.upper()
    t.type = reserved.get(keyword, 'IDENTIFY')
    return t
# Define a rule so we can track line numbers
def t_newline(t):
    r'\n+'
    # The string above is the token regex PLY reads from __doc__.
    # No token is returned: a run of newlines only advances the lexer's line
    # counter, by one per newline character matched.
    newline_count = len(t.value)
    t.lexer.lineno += newline_count
# Characters the lexer skips between tokens: space and tab only.
t_ignore = ' \t'
# Error handling rule
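def t_error(t):
    # Called by PLY when no token rule matches at the current position:
    # report the offending character, then skip it so lexing continues.
    # The input is log text whose fields may be supplied by remote clients, so
    # the character is formatted with %r. Control characters are then shown as
    # escapes such as '\x1b' instead of being written raw to a terminal or to
    # captured output; ordinary printable characters still appear in quotes.
    print("Illegal character %r" % t.value[0])
    t.lexer.skip(1)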
def p_expression(p):
    '''
    expression : ssh
               | dropbear_failed
               | dropbear_success
    '''
    # The string above is the grammar rule PLY reads from __doc__, not prose.
    # This is the first rule in the file, which PLY takes as the start symbol
    # when none is named. The record built by whichever alternative matched
    # is passed through unchanged.
    record = p[1]
    p[0] = record
def p_ssh(p):
    '''ssh : IDENTIFY SSHD LBRACKET NUMBER RBRACKET COLON ssh_state PASSWORD FOR IDENTIFY FROM IP PORT NUMBER SSH2'''
    # The string above is the grammar rule PLY reads from __doc__, not prose.
    # It matches lines shaped like
    #   <host> sshd[<n>]: Accepted|Failed password for <user> from <ip> port <n> ssh2
    # and builds a record with the outcome, host, user, peer address and port.
    # NOTE(review): there is exactly one IDENTIFY between FOR and FROM, so
    # OpenSSH's "Failed password for invalid user NAME from ..." wording does
    # not match this production. Confirm those lines are handled elsewhere,
    # otherwise failed attempts against non-existent accounts are not counted.
    # NOTE(review): no token for a syslog timestamp precedes the host;
    # presumably the caller strips it before parsing. Verify.
    # Field values are copied from the log line as-is; treat them as untrusted
    # wherever the record is displayed or stored.
    outcome, host, user, ip, port = p[7], p[1], p[10], p[12], p[14]
    p[0] = {
        'type': outcome,
        'host': host,
        'user': user,
        'ip': ip,
        'port': port,
    }
def p_dropbear_failed(p):
    'dropbear_failed : DROPBEAR LBRACKET NUMBER RBRACKET COLON BAD PASSWORD ATTEMPT FOR QUOTE IDENTIFY QUOTE FROM IP COLON NUMBER'
    # The string above is the grammar rule PLY reads from __doc__, not prose.
    # It matches lines shaped like
    #   dropbear[<n>]: Bad password attempt for '<user>' from <ip>:<port>
    # The production carries no host token, so 'host' is the fixed string
    # 'dropbear' rather than a machine name.
    # The user name comes from the log line as-is; treat it as untrusted
    # wherever the record is displayed or stored.
    user, ip, port = p[11], p[14], p[16]
    p[0] = {
        'type': 'failed',
        'host': 'dropbear',
        'user': user,
        'ip': ip,
        'port': port,
    }
def p_dropbear_success(p):
    'dropbear_success : DROPBEAR LBRACKET NUMBER RBRACKET COLON PASSWORD AUTH SUCCEEDED FOR QUOTE IDENTIFY QUOTE FROM IP COLON NUMBER'
    # The string above is the grammar rule PLY reads from __doc__, not prose.
    # It matches lines shaped like
    #   dropbear[<n>]: Password auth succeeded for '<user>' from <ip>:<port>
    # The production carries no host token, so 'host' is the fixed string
    # 'dropbear' rather than a machine name.
    # The user name comes from the log line as-is; treat it as untrusted
    # wherever the record is displayed or stored.
    user, ip, port = p[11], p[14], p[16]
    p[0] = {
        'type': 'success',
        'host': 'dropbear',
        'user': user,
        'ip': ip,
        'port': port,
    }
def p_ssh_state(p):
    '''
    ssh_state : ACCEPTED
              | FAILED
    '''
    # The string above is the grammar rule PLY reads from __doc__, not prose.
    # The keyword text is compared upper-cased and mapped to the outcome label
    # used in the records: ACCEPTED gives 'success', the only other
    # alternative (FAILED) gives 'failed'.
    accepted = p[1].upper() == 'ACCEPTED'
    p[0] = 'success' if accepted else 'failed'
def p_error(p):
    # Syntax-error hook for the parser. Nothing is reported or raised here, so
    # a line that matches no production leaves no trace at this level.
    # NOTE(review): presumably the caller treats a missing record as "not an
    # auth event". Confirm it counts or logs such lines, since a format this
    # grammar does not cover would otherwise be dropped silently.
    return None
# Build the lexer and the parser from the t_* and p_* definitions in this
# module. Both calls run at import time.
# NOTE(review): with PLY 3.x defaults, yacc.yacc() writes parser.out and a
# parsetab.py cache beside the module and imports that cache on later runs.
# Confirm the PLY version in use; either keep that directory writable only by
# the account that runs this parser, or turn table and debug output off.
lexer = lex.lex()
parser = yacc.yacc()