From 4f57160807665aa4c8a232d4bb23a9861c811557 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 31 Aug 2015 09:03:41 +0200
Subject: [PATCH] (ids) use actual timestamp to find alertlogs

---
 .../scripts/suricata/listAlertLogs.py | 30 ++++++++++++++-----
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/opnsense/scripts/suricata/listAlertLogs.py b/src/opnsense/scripts/suricata/listAlertLogs.py
index 53b3fc340..05fa14642 100755
--- a/src/opnsense/scripts/suricata/listAlertLogs.py
+++ b/src/opnsense/scripts/suricata/listAlertLogs.py
@@ -33,20 +33,34 @@
 import os
 import glob
 import ujson
+import time
+import datetime
 from lib import suricata_alert_log
+from lib.log import reverse_log_reader
 
 result = []
 for filename in sorted(glob.glob('%s*'%suricata_alert_log)):
     row = dict()
-    row['modified'] = os.stat(filename).st_mtime
-    row['filename'] = filename.split('/')[-1]
-    ext=filename.split('.')[-1]
-    if ext.isdigit():
-        row['sequence'] = int(ext)
-    else:
-        row['sequence'] = None
+    row['size'] = os.stat(filename).st_size
+    if row['size'] > 0:
+        row['modified'] = os.stat(filename).st_mtime
+        row['filename'] = filename.split('/')[-1]
+        # try to find actual timestamp from file
+        for line in reverse_log_reader(filename=filename):
+            if line['line'] != '':
+                record = ujson.loads(line['line'])
+                if record.has_key('timestamp'):
+                    row['modified'] = int(time.mktime(datetime.datetime.strptime(record['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%S").timetuple()))
+                break
 
-    result.append(row)
+
+        ext=filename.split('.')[-1]
+        if ext.isdigit():
+            row['sequence'] = int(ext)
+        else:
+            row['sequence'] = None
+
+        result.append(row)
 
 # output results
 print(ujson.dumps(result))
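Review bot: The new per-file timestamp lookup calls `ujson.loads` and `datetime.datetime.strptime` on the last non-empty log line with no error handling, so one truncated or non-JSON trailing line (a file still being written, or a rotated file cut mid-record) raises ValueError and aborts the whole listing instead of affecting only that file; the fallback to `st_mtime` is already in `row['modified']`, so wrapping the parse in `try/except ValueError` and keeping the mtime is enough. Separately, `record['timestamp'].split('.')[0]` drops everything after the fraction and `time.mktime` treats the result as local time, so if the log timestamp carries a UTC offset that offset is silently discarded; worth a comment such as `# timestamp is parsed as local time; any UTC offset in the record is ignored` or a proper offset-aware parse. Note also that the move of `result.append(row)` under `if row['size'] > 0:` means empty log files no longer appear in the output at all, which deserves a one-line comment if intended. `os.stat(filename)` is now called twice per file; a single `st = os.stat(filename)` would do.
```python
        # try to find actual timestamp from file; a malformed/truncated last line keeps st_mtime
        for line in reverse_log_reader(filename=filename):
            if line['line'] != '':
                try:
                    record = ujson.loads(line['line'])
                    if 'timestamp' in record:
                        row['modified'] = int(time.mktime(datetime.datetime.strptime(record['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%S").timetuple()))
                except ValueError:
                    pass
                break
        # … unchanged: sequence extraction and result.append(row) …
```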