(ids) use actual timestamp to find alertlogs

4f571608 · Ad Schellevis · 8addbbee · 4f571608
Commit 4f571608 authored Aug 31, 2015 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 9 deletions

listAlertLogs.py src/opnsense/scripts/suricata/listAlertLogs.py +23 -9

No files found.
--- a/src/opnsense/scripts/suricata/listAlertLogs.py
+++ b/src/opnsense/scripts/suricata/listAlertLogs.py
@@ -33,20 +33,34 @@
 import os
 import glob
 import ujson
+import time
+import datetime
 from lib import suricata_alert_log
+from lib.log import reverse_log_reader
 result = []
 for filename in sorted(glob.glob('%s*'%suricata_alert_log)):
    row = dict()
-    row['modified'] = os.stat(filename).st_mtime
+    row['size'] = os.stat(filename).st_size
-    row['filename'] = filename.split('/')[-1]
+    if row['size']  > 0:
-    ext=filename.split('.')[-1]
+        row['modified'] = os.stat(filename).st_mtime
-    if ext.isdigit():
+        row['filename'] = filename.split('/')[-1]
-        row['sequence'] = int(ext)
+        # try to find actual timestamp from file
-    else:
+        for line in reverse_log_reader(filename=filename):
-        row['sequence'] = None
+            if line['line'] != '':
+                record = ujson.loads(line['line'])
-    result.append(row)
+                if record.has_key('timestamp'):
+                    row['modified'] = int(time.mktime(datetime.datetime.strptime(record['timestamp'].split('.')[0], "%Y-%m-%dT%H:%M:%S").timetuple()))
+                    break
+        ext=filename.split('.')[-1]
+        if ext.isdigit():
+            row['sequence'] = int(ext)
+        else:
+            row['sequence'] = None
+        result.append(row)
 # output results
 print(ujson.dumps(result))