Following up the last project, I created another function so that my syslog server can post slack upon rejection of client request due to the content filtering.
Output Example:
Here is the new modified syslog_server.py with new function and some rearrangement of the function:
## Reference https://gist.github.com/marcelom/4218010
## Tiny Syslog Server in Python.
##
## This is a tiny syslog server that is able to receive UDP based syslog
## entries on a specified port and save them to a file.
## That's it... it does nothing else...
## There are a few configuration parameters.
HOST, PORT = "0.0.0.0", 514
PRINT_LOG = True
# SYSLOG Notification parameter
CONTENT_FILTERING_NOTIFY = True
#
# NO USER SERVICEABLE PARTS BELOW HERE...
#
import logging
import re
import socketserver
import sys
import custom_helper.slack
class SyslogUDPHandler(socketserver.BaseRequestHandler):
def handle(self):
data = bytes.decode(self.request[0].strip(), encoding="utf-8")
socket = self.request[1]
if PRINT_LOG:
print("%s : " % self.client_address[0], str(data.encode("utf-8")))
if CONTENT_FILTERING_NOTIFY:
cf_notify(data)
logging.info(str(data.encode("utf-8")))
def cf_notify(log):
log_match = re.search(r'log_type="(.*?)".*log_subtype="(.*?)".*category="(.*?)".*url="(.*?)"', log)
if log_match[1] == "Content Filtering" and log_match[2] == "Denied":
category, url = log_match[3], log_match[4]
custom_helper.slack.post(f"Content Filtering Denied: {category} - {url}", "security_logs", "HOME_SOPHOS")
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} log_file_name")
sys.exit(0)
try:
LOG_FILE = sys.argv[1]
logging.basicConfig(level=logging.INFO, format='%(message)s', datefmt='', filename=LOG_FILE, filemode='a')
server = socketserver.UDPServer((HOST,PORT), SyslogUDPHandler)
server.serve_forever(poll_interval=0.5)
except (IOError, SystemExit):
raise
except KeyboardInterrupt:
print ("Crtl+C Pressed. Shutting down.")