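// Copyright 2021, johan@nosd.in

//go:build freebsd
// +build freebsd

// godit is a search tool for BSM audit trails used by FreeBSD auditd.
//
// Rough timings against praudit(1) on the same trail, kept for reference:
/*
% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% ./godit -V
Godit v0.03
% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3
7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w
% ./godit -V
Godit v0.4.3
*/
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"

	"github.com/spf13/pflag"
)

const (
	version = "5.9.9c"
)

var (
	randFlag    bool
	showVersion bool
	// Default field delimiter used when a record is printed.
	delimiter = ","
)

// main parses the command line, opens the audit trail (a file path, or "-"
// for stdin) and prints every record it can read to stdout.
//
// Diagnostics always go to stderr so that they are never interleaved with
// the record stream when stdout is redirected to a log file.
//
// Exit status: 0 on normal completion (including after per-record parse
// errors), 1 if the trail cannot be opened, 2 on command-line misuse.
func main() {
	var (
		flags         int
		oneLine       bool
		noUserResolve bool
		syslog23      bool
		json          bool
	)

	pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line.")
	pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.")
	pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
	pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC3339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output.")
	pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit")

	pflag.Usage = func() {
		fmt.Fprintf(os.Stderr, "Usage of \"%s [opts] auditfile\":\n", os.Args[0])
		pflag.PrintDefaults()
		fmt.Fprintf(os.Stderr, "Set auditfile to \"-\" to read stdin\n")
	}
	pflag.Parse()

	if showVersion {
		fmt.Printf("Godit v%s\n", version)
		return
	}

	// PRT_* are bit flags declared elsewhere in the package; OR them in so
	// the combination can never depend on arithmetic carry.
	if oneLine {
		flags |= PRT_ONELINE
	}
	if noUserResolve {
		flags |= PRT_NORESOLVE_USER
	}
	if syslog23 {
		flags |= PRT_TIMESYSLOG23
	}
	if json {
		flags |= PRT_JSON
	}

	// Exactly one positional argument is expected. Taking os.Args[len-1]
	// (as earlier versions did) silently picked argv[0] -- the binary itself --
	// or a trailing option as the trail to open when no file was given.
	positional := pflag.Args()
	if len(positional) != 1 {
		pflag.Usage()
		os.Exit(2)
	}
	filename := positional[0]

	var in *bufio.Reader
	if filename == "-" {
		in = bufio.NewReader(os.Stdin)
	} else {
		f, err := os.Open(filename)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Impossible d'ouvrir le fichier %s : %v\n", filename, err)
			os.Exit(1)
		}
		defer f.Close()
		in = bufio.NewReader(f)
	}

	for {
		rec, err := readRecordToStruct(in)
		if err != nil {
			if err == io.EOF {
				return
			}
			// v0.4.2: keep going after a bad record rather than aborting the
			// whole trail. The record returned alongside the error is still
			// printed, as before.
			// NOTE(review): whether rec is usable after a non-EOF error depends
			// on readRecordToStruct's contract -- confirm before relying on it.
			fmt.Fprintf(os.Stderr, "Erreur : %v\n", err)
		}
		rec.Print(os.Stdout, delimiter, flags)
	}
}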