Last active
January 13, 2025 23:31
-
-
Save yunginnanet/fbfd1f662d43673292ddc7f23c41f212 to your computer and use it in GitHub Desktop.
script for transferring hot suricata logs from remote host over ssh, gzipping on the wire, and appending unix timestamp to name to avoid duplicates
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| _router="[email protected]" | |
| _remote_suri_dir="/mnt/sdb/var/log/suricata/" | |
| _local_suri_dir="/media/data/router_logs/" | |
| _date_fmt="+%m-%d-%YT%H:%M:%S%Z" | |
| xferlog="${_local_suri_dir}xferlogs/log_fetch_$(date +%s).log" | |
| export xferlog | |
| pendingNL=false | |
| export pendingNL | |
| LPLUS="\e[0;33m[\e[0;32m+\e[0;33m]\e[0m" | |
| LFAIL="\e[0;33m[\e[1;31mx\e[0;33m]\e[0m" | |
| LFOOB="\e[0;33m[\e[90m-\e[0;33m]\e[0m" | |
| LWOOT="\e[0;32mSuccess\e[0m" | |
| LNOPE="\e[31mError\e[0m" | |
| FATAL="\e[1;31m" | |
| RESET="\e[0m" | |
| LAST="" | |
| LAST_TIME="" | |
| function _t() { | |
| echo -e "\e[90m[$(date $_date_fmt)]${RESET}" | |
| } | |
| function cln() { | |
| # shellcheck disable=SC2001 | |
| echo "$*" | sed -z 's|\n||g' | |
| } | |
| function log() { | |
| LAST_TIME="$(_t)" | |
| LAST="${*}... " | |
| echo -ne "$(cln "${LAST_TIME} ${LFOOB} ${LAST}")" | |
| } | |
| function log0() { | |
| echo -ne "\r$(cln "${LAST_TIME} ${LPLUS} ${LAST}${LWOOT}${RESET}")\n" | tee -a "$xferlog" | |
| LAST="" | |
| LAST_TIME="" | |
| } | |
| function log1() { | |
| echo -ne "\r$(cln "${LAST_TIME} ${LFAIL} ${LAST}${LNOPE}${RESET}")\n" | tee -a "$xferlog" | |
| LAST="" | |
| LAST_TIME="" | |
| } | |
| function logln() { | |
| echo -e "$(_t) ${LFOOB} ${*}" | tee -a "$xferlog" | |
| } | |
| function debug() { | |
| if ! $_DEBUG; then return 0; fi | |
| if [ -z "$*" ]; then return 0; fi | |
| echo -e "$(cln "$(_t) ${LFOOB} \e[90m$*${RESET}")" | |
| } | |
| function err() { | |
| echo -ne "$(cln "$(_t) ${LFAIL} ${LERRD}${*//fatal: /} ${RESET}")\n" | |
| } | |
| function fatal() { | |
| err "${FATAL}[FATAL]${RESET} ${*}" | tee -a "$xferlog" | |
| exit 1 | |
| } | |
| # shellcheck disable=SC2029 | |
| function suri_xfer() { | |
| _remote_target="${_remote_suri_dir}${1}" | |
| _local_target="${_local_suri_dir}${1}.$(date +%s).gz" | |
| logln "archiving: ${_remote_target} -> ${_local_target}" | |
| if ! ssh "${_router}" "ls \"${_remote_target}\" 2>&1" >/dev/null; then | |
| fatal "${_remote_target} does not exist" | |
| fi | |
| log "stopping suricata" | |
| if ! ssh "${_router}" "service suricata stop >/dev/null"; then log1; else log0; fi | |
| log "moving ${_remote_target} --> ${_remote_target}.tmp" | |
| if ! ssh "${_router}" "/bin/mv '${_remote_target}' '${_remote_target}.tmp'"; then fatal; else log0; fi | |
| log "starting suricata" | |
| if ! ssh "${_router}" "service suricata start >/dev/null"; then log1; else log0; fi | |
| log "transferring and compressing ${_remote_target} on the wire" | |
| if ! ssh "${_router}" "cat '${_remote_target}.tmp'" | pigz -9 >"${_local_target}"; then fatal; else log0; fi | |
| log "removing ${_remote_target}.tmp" | |
| if ! ssh "${_router}" "rm '${_remote_target}.tmp'"; then fatal; else log0; fi | |
| logln "'${_remote_target}' successfully gzipped and transferred to '${_local_target}'" | |
| } | |
| if ! suri_xfer "$1" "$!"; then | |
| exit 1 | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment