import time
import os
import re
import logging
import threading
import subprocess
from moonlit import send_alert
# The monitor's own log; the path is relative to the working directory the
# script is launched from.
logging.basicConfig(
    filename="log_monitor.log",
    level=logging.INFO,
    format="%(asctime)s - %(levelname)s - %(message)s",
)

# Candidate log files, grouped by the subsystem that writes them. Only the
# paths that exist on the host are actually watched (see the __main__ block).
_SYSTEM_LOGS = (
    "/var/log/syslog",
    "/var/log/messages",
    "/var/log/dmesg",
    "/var/log/kern.log",
    "/var/log/boot.log",
    "/var/log/alternatives.log",
)
# NOTE(review): faillog/btmp/wtmp/lastlog are presumably binary utmp-style
# records rather than text; keyword matching on them is unlikely to be
# meaningful -- confirm whether they should stay in this list.
_AUTH_LOGS = (
    "/var/log/auth.log",
    "/var/log/secure",
    "/var/log/faillog",
    "/var/log/sudo.log",
    "/var/log/btmp",
    "/var/log/wtmp",
    "/var/log/lastlog",
    "/var/log/audit/audit.log",
    "/var/log/fail2ban.log",
)
_PACKAGE_LOGS = (
    "/var/log/dpkg.log",  # Debian/Ubuntu package manager
    "/var/log/yum.log",  # RHEL/CentOS package manager
    "/var/log/apt/history.log",
    "/var/log/apt/term.log",
)
_WEB_LOGS = (
    "/var/log/nginx/access.log",
    "/var/log/nginx/error.log",
    "/var/log/httpd/access_log",
    "/var/log/httpd/error_log",
    "/var/log/apache2/access.log",
    "/var/log/apache2/error.log",
)
_DATABASE_LOGS = (
    "/var/log/mysqld.log",
    "/var/log/mariadb/mariadb.log",
    "/var/log/postgresql/postgresql.log",
    "/var/log/mongodb/mongod.log",
)
_MAIL_LOGS = (
    "/var/log/mail.log",
    "/var/log/maillog",
)
_CRON_LOGS = (
    "/var/log/cron.log",
    "/var/log/cron",
)
_FIREWALL_LOGS = (
    "/var/log/ufw.log",  # Uncomplicated Firewall (UFW)
    "/var/log/nftables.log",
    "/var/log/ipfirewall.log",
)
_CONTAINER_LOGS = (
    "/var/log/docker.log",
    "/var/log/kubelet.log",
)
_DISPLAY_LOGS = (
    "/var/log/Xorg.0.log",
    "/var/log/Xorg.1.log",
    "/var/log/lightdm/lightdm.log",
)
_MISC_LOGS = (
    # Systemd journal location; the journal itself is followed through
    # journalctl in monitor_journal, this path is presumably a directory.
    "/var/log/journal",
    "/var/log/user.log",
    "/var/log/samba/log.smbd",  # Samba file sharing logs
    "/var/log/proftpd/proftpd.log",  # FTP logs
    "/var/log/clamav/clamav.log",  # ClamAV antivirus logs
)

LOG_FILES = [
    *_SYSTEM_LOGS,
    *_AUTH_LOGS,
    *_PACKAGE_LOGS,
    *_WEB_LOGS,
    *_DATABASE_LOGS,
    *_MAIL_LOGS,
    *_CRON_LOGS,
    *_FIREWALL_LOGS,
    *_CONTAINER_LOGS,
    *_DISPLAY_LOGS,
    *_MISC_LOGS,
]

# Words and phrases that turn a log line into an alert. Matching is done
# case-insensitively on whole words, so "dos" does not fire on "ddos" but
# "DDoS" is listed separately to cover it.
ALERT_KEYWORDS = [
    "FAILED", "error", "segfault", "panic", "unauthorized", "denied",
    "disk full", "critical", "fatal", "attack", "malware", "rootkit",
    "intrusion", "brute force", "sql injection", "dos", "overload",
    "banned", "blocked", "timeout", "corrupt", "compromised", "root access",
    "firewall breach", "unusual login", "suspicious", "DDoS",
]

# Message text -> time.time() at which it was last forwarded; used by
# send_unique_alert to suppress repeats.
recent_alerts = {}
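def monitor_journal():
    """Follow the systemd journal and alert on lines matching ALERT_KEYWORDS.

    Runs ``journalctl -f -o cat`` (follow mode, message text only). Every
    line that contains one of ALERT_KEYWORDS as a whole word, case
    insensitively, is written to the monitor log as a warning and handed to
    send_unique_alert. Meant to run in its own daemon thread; it returns
    only when journalctl cannot be started or exits, and both cases are
    logged instead of killing the thread with an unhandled exception.
    """
    # One compiled alternation of escaped whole-word keywords replaces the
    # per-line loop over ALERT_KEYWORDS. A line raises at most one alert
    # either way, so "first keyword that matches" and "any keyword matches"
    # are equivalent here.
    pattern = re.compile(
        "|".join(rf"\b{re.escape(keyword)}\b" for keyword in ALERT_KEYWORDS),
        re.IGNORECASE,
    )
    try:
        # stderr is merged into stdout: left as a separate, never-read pipe it
        # would fill up and block journalctl. errors="replace" keeps one
        # undecodable journal entry from ending the watcher.
        with subprocess.Popen(
            ["journalctl", "-f", "-o", "cat"],  # Follow logs, raw output
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            text=True,
            errors="replace",
        ) as process:
            for line in process.stdout:
                if pattern.search(line):
                    entry = line.strip()
                    logging.warning(f"JOURNAL ALERT: {entry}")
                    # The forwarded text is whatever was written to the
                    # journal, which any local process can influence;
                    # send_alert is expected to treat it as opaque text.
                    send_unique_alert(entry)  # Send Telegram alert
            logging.error(f"journalctl exited with status {process.wait()}")
    except OSError as e:
        # Typically journalctl is not installed or not executable.
        logging.error(f"Failed to start journalctl: {e}")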
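# Seconds a message stays suppressed after it has been forwarded.
ALERT_DEDUPE_SECONDS = 300

# Guards recent_alerts: send_unique_alert is called from the journal thread
# and from one tail_file thread per watched file.
_recent_alerts_lock = threading.Lock()


def send_unique_alert(message):
    """Forward *message* through send_alert unless it was sent recently.

    A message is suppressed while an identical one was forwarded within the
    last ALERT_DEDUPE_SECONDS. Expired entries are dropped on every call, so
    a message that keeps recurring is sent again once its window has passed;
    the earlier version only pruned after a *different* message was sent,
    which could silence a repeating alert indefinitely.

    Args:
        message: the alert text, already stripped by the caller.

    Raises:
        Whatever send_alert raises; in that case the message is not
        remembered, so the next occurrence is attempted again.
    """
    now = time.time()
    with _recent_alerts_lock:
        for key, sent_at in list(recent_alerts.items()):
            if now - sent_at > ALERT_DEDUPE_SECONDS:
                del recent_alerts[key]
        if message in recent_alerts:
            return  # Skip duplicate alert
        # Record before sending so two threads seeing the same line at once
        # cannot both forward it; the lock is released for the network call.
        recent_alerts[message] = now
    try:
        send_alert(message)  # Send Telegram alert
    except Exception:
        with _recent_alerts_lock:
            recent_alerts.pop(message, None)
        raise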
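def _was_rotated(file, filename):
    """Return True if *filename* now names a different inode than *file*.

    A missing path (the window between a rotate and the creation of the new
    file) counts as "not yet"; the check simply runs again on the next tick.
    """
    try:
        return os.stat(filename).st_ino != os.fstat(file.fileno()).st_ino
    except FileNotFoundError:
        return False


def _was_truncated(file):
    """Return True if *file* is now shorter than the offset already read."""
    return os.fstat(file.fileno()).st_size < file.tell()


def tail_file(filename):
    """Follow *filename* like ``tail -F`` and alert on lines matching ALERT_KEYWORDS.

    Starts at the current end of the file and polls once a second for new
    lines. While idle it also notices log rotation (the path points at a new
    inode: reopen and read the new file from its start) and truncation (the
    file shrank below the current offset: rewind). Each line containing one
    of ALERT_KEYWORDS as a whole word, case insensitively, is logged as a
    warning and handed to send_unique_alert. Runs until an unrecoverable
    error occurs, which is logged together with the file name before the
    function returns and its thread ends.

    Args:
        filename: path of the log file to follow.
    """
    pattern = re.compile(
        "|".join(rf"\b{re.escape(keyword)}\b" for keyword in ALERT_KEYWORDS),
        re.IGNORECASE,
    )
    file = None
    try:
        # Binary mode keeps tell() an exact byte offset for the truncation
        # check; decoding with errors="replace" means one bad byte (several
        # listed files are not text) cannot end the watcher thread.
        file = open(filename, "rb")
        file.seek(0, os.SEEK_END)  # Move to end of file
        while True:
            line = file.readline()
            if line:
                text = line.decode("utf-8", errors="replace")
                if pattern.search(text):
                    entry = text.strip()
                    logging.warning(f"ALERT TRIGGERED: {entry}")
                    # Log lines such as web access logs carry remote-supplied
                    # text; send_alert is expected to treat it as opaque.
                    send_unique_alert(entry)  # Send alert
                continue
            time.sleep(1)  # Wait for new lines
            if _was_rotated(file, filename):
                logging.info(f"{filename} was rotated; reopening")
                file.close()
                file = open(filename, "rb")  # New file: everything in it is new
            elif _was_truncated(file):
                logging.info(f"{filename} was truncated; rereading from the top")
                file.seek(0)
    except Exception as e:
        # Names the file: the original message said "(unknown)" for every
        # thread, which made the failing watcher impossible to identify.
        logging.error(f"Failed to read {filename}: {e}")
    finally:
        if file is not None:
            file.close()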
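if __name__ == "__main__":
    # All watchers are daemon threads: they die with the main thread, which
    # just sleeps below until interrupted.
    threading.Thread(target=monitor_journal, daemon=True).start()
    logging.info("Log monitoring started...")
    for log_file in LOG_FILES:
        # isfile rather than exists: a directory entry such as /var/log/journal
        # passes exists() but cannot be tailed, and would only surface later
        # as a read error in its thread.
        if os.path.isfile(log_file):
            logging.info(f"Monitoring {log_file} for alerts...")
            threading.Thread(target=tail_file, args=(log_file,), daemon=True).start()
        else:
            logging.warning(f"Log file not found or not a regular file: {log_file}")
    try:
        while True:
            time.sleep(10)  # Keep the script running
    except KeyboardInterrupt:
        logging.info("Log monitoring stopped")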