2022-01-04 09:35:55 +01:00
// Copyright 2021, johan@nosd.in
2023-09-06 21:19:32 +02:00
//go:build freebsd
2022-01-04 09:35:55 +01:00
// +build freebsd
2023-09-06 21:19:32 +02:00
2022-01-04 09:35:55 +01:00
//
// godit is a search tool for BSM audit trails used by FreeBSD auditd
//
/ *
2022-01-06 17:29:16 +01:00
% time praudit - l / home / yo / Dev / go / godit / 20211228134923.20211228151348 > praudit . log
101.728 u 7.315 s 1 : 49.09 99.9 % 10 + 167 k 0 + 191152i o 0 pf + 0 w
2022-01-10 17:51:12 +01:00
% time . / godit 20211228134923.20211228151348 > godit . log
11.599 u 38.235 s 0 : 48.25 103.2 % 1045 + 553 k 1 + 2262168i o 4 pf + 0 w
2022-01-06 17:29:16 +01:00
% . / godit - V
Godit v0 .03
2022-01-10 17:51:12 +01:00
% time . / godit 20211228134923.20211228151348 > 20211228134923.20211228151348 . godit3
7.183 u 19.590 s 0 : 25.98 103.0 % 1038 + 559 k 0 + 2262168i o 0 pf + 0 w
% . / godit - V
Godit v0 .4 .3
2022-01-04 09:35:55 +01:00
* /
2022-01-06 17:29:16 +01:00
package main
2022-01-04 09:35:55 +01:00
import (
2022-01-04 11:03:58 +01:00
"io"
2022-01-04 09:35:55 +01:00
"os"
"fmt"
2022-01-10 17:51:12 +01:00
"bufio"
"strings"
2022-01-04 09:35:55 +01:00
"github.com/spf13/pflag"
)
const (
2023-09-11 16:14:33 +02:00
version = "0.6.1"
2022-01-04 09:35:55 +01:00
)
var (
2023-09-06 21:19:32 +02:00
randFlag bool
showVersion bool
2022-01-04 09:35:55 +01:00
// Default delimiter
2023-09-06 21:19:32 +02:00
delimiter = ","
2022-01-04 09:35:55 +01:00
)
func main ( ) {
2022-01-04 17:50:34 +01:00
var flags int
var oneLine bool
var noUserResolve bool
2023-09-10 16:32:05 +02:00
var syslog23 bool
2023-09-06 21:19:32 +02:00
var json bool
2022-01-04 17:50:34 +01:00
2023-09-11 16:04:31 +02:00
pflag . BoolVarP ( & oneLine , "oneline" , "l" , false , "Prints the entire record on the same line" )
pflag . BoolVarP ( & noUserResolve , "numeric" , "n" , false , "Do not convert user and group IDs to their names but leave in their numeric forms" )
2023-09-06 21:19:32 +02:00
pflag . BoolVarP ( & json , "json" , "j" , false , "Print compact json" )
2023-09-11 16:04:31 +02:00
pflag . BoolVarP ( & syslog23 , "syslog23" , "s" , false , "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output" )
pflag . BoolVarP ( & showVersion , "version" , "V" , false , "Show version and exit" )
2022-01-04 09:35:55 +01:00
2023-09-11 14:41:10 +02:00
var Usage = func ( ) {
fmt . Fprintf ( os . Stderr , "Usage of \"%s [opts] auditfile\":\n" , os . Args [ 0 ] )
pflag . PrintDefaults ( )
fmt . Fprintf ( os . Stderr , "Set auditfile to \"-\" to read stdin\n" )
}
pflag . Usage = Usage
2022-01-04 09:35:55 +01:00
pflag . Parse ( )
if showVersion {
fmt . Printf ( "Godit v%s\n" , version )
return
}
2022-01-04 17:50:34 +01:00
if oneLine {
flags = flags + PRT_ONELINE
}
if noUserResolve {
flags = flags + PRT_NORESOLVE_USER
}
2023-09-10 16:32:05 +02:00
if syslog23 {
flags = flags + PRT_TIMESYSLOG23
2022-01-06 17:56:28 +01:00
}
2023-09-06 21:19:32 +02:00
if json {
flags |= PRT_JSON
}
2022-01-06 17:56:28 +01:00
2022-01-04 09:35:55 +01:00
args := os . Args
2023-09-11 16:14:33 +02:00
if len ( os . Args ) < 2 {
pflag . Usage ( )
os . Exit ( 1 )
}
2022-01-04 09:35:55 +01:00
filename := args [ len ( args ) - 1 ]
2023-09-06 21:19:32 +02:00
2022-01-10 17:51:12 +01:00
var f * os . File
var r * bufio . Reader
var err error
2022-01-04 09:35:55 +01:00
if len ( filename ) > 0 {
2022-01-10 17:51:12 +01:00
// If arg is "-", open stdin to read content
if true == strings . EqualFold ( filename , "-" ) {
r = bufio . NewReader ( os . Stdin )
} else {
f , err = os . Open ( filename )
if err != nil {
fmt . Printf ( "Impossible d'ouvrir le fichier %s\n" , filename )
2023-09-06 21:33:44 +02:00
os . Exit ( - 1 )
2022-01-10 17:51:12 +01:00
}
r = bufio . NewReader ( f )
2022-01-04 09:35:55 +01:00
}
2022-01-10 17:51:12 +01:00
2022-01-04 09:35:55 +01:00
//for i := 0 ; i < 20 ; i++ {
for {
2022-01-10 17:51:12 +01:00
rec , err := readRecordToStruct ( r )
2022-01-04 11:03:58 +01:00
if err != nil {
if err != io . EOF {
fmt . Printf ( "Erreur : %v\n" , err )
2023-09-06 21:19:32 +02:00
} else { // v.0.4.2 : Continue on error
2022-01-10 17:51:12 +01:00
return
2022-01-04 11:03:58 +01:00
}
2022-01-04 09:35:55 +01:00
}
2022-01-04 17:50:34 +01:00
rec . Print ( os . Stdout , "," , flags )
2022-01-04 09:35:55 +01:00
}
}
}
