@@ -287,9 +287,9 @@ func (u *SSHService) LoadLog(req dto.SearchSSHLog) (*dto.SSHLog, error) {
287287 case constant .StatusSuccess :
288288 commandItem = fmt .Sprintf ("cat %s | grep -a Accepted %s" , file .Name , command )
289289 case constant .StatusFailed :
290- commandItem = fmt .Sprintf ("cat %s | grep -a ' Connection closed by authenticating user' | grep -a 'preauth' %s" , file .Name , command )
290+ commandItem = fmt .Sprintf ("cat %s | grep -aE 'Failed password for| Connection closed by authenticating user' | grep -a 'preauth' %s" , file .Name , command )
291291 default :
292- commandItem = fmt .Sprintf ("cat %s | grep -aE \" (Connection closed by authenticating user|Accepted)\" | grep -v 'invalid' %s" , file .Name , command )
292+ commandItem = fmt .Sprintf ("cat %s | grep -aE \" (Failed password for| Connection closed by authenticating user|Accepted)\" | grep -v 'invalid' %s" , file .Name , command )
293293 }
294294 }
295295 dataItem , successCount , failedCount := loadSSHData (commandItem , showCountFrom , showCountTo , file .Year , qqWry , nyc )
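Review bot: In the `constant.StatusFailed` case the new `Failed password for` alternative is still piped through the unchanged `grep -a 'preauth'`, and sshd's usual `Failed password for ... ssh2` lines typically carry no `preauth` marker, so failed-password attempts would still be missing from the failed view. Folding the marker into the one alternative that needs it would fix this, e.g. `grep -aE 'Failed password for| Connection closed by authenticating user.*preauth'` with the second grep dropped. In the `default` case the pattern as rendered here is `" (Failed password for| Connection closed by authenticating user|Accepted)"`: the space before the group plus the new leading space inside the second alternative demands two spaces before `Connection closed`, where the old pattern demanded one, so those entries may no longer match; `" (Failed password for|Connection closed by authenticating user|Accepted)"` keeps the old behaviour. LoadLog starts and ends outside this hunk, so how `command` is built is not visible here.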
@@ -466,7 +466,7 @@ func loadSSHData(command string, showCountFrom, showCountTo, currentYear int, qq
466466 if len (itemData .Address ) != 0 {
467467 if successCount + failedCount >= showCountFrom && successCount + failedCount < showCountTo {
468468 itemData .Area = qqWry .Find (itemData .Address ).Area
469- itemData .Date , _ = time . ParseInLocation ( "2006 Jan 2 15:04:05" , fmt . Sprintf ( "%d %s" , currentYear , itemData .DateStr ) , nyc )
469+ itemData .Date = loadDate ( currentYear , itemData .DateStr , nyc )
470470 datas = append (datas , itemData )
471471 }
472472 failedCount ++
@@ -476,7 +476,7 @@ func loadSSHData(command string, showCountFrom, showCountTo, currentYear int, qq
476476 if len (itemData .Address ) != 0 {
477477 if successCount + failedCount >= showCountFrom && successCount + failedCount < showCountTo {
478478 itemData .Area = qqWry .Find (itemData .Address ).Area
479- itemData .Date , _ = time . ParseInLocation ( "2006 Jan 2 15:04:05" , fmt . Sprintf ( "%d %s" , currentYear , itemData .DateStr ) , nyc )
479+ itemData .Date = loadDate ( currentYear , itemData .DateStr , nyc )
480480 datas = append (datas , itemData )
481481 }
482482 failedCount ++
@@ -486,7 +486,7 @@ func loadSSHData(command string, showCountFrom, showCountTo, currentYear int, qq
486486 if len (itemData .Address ) != 0 {
487487 if successCount + failedCount >= showCountFrom && successCount + failedCount < showCountTo {
488488 itemData .Area = qqWry .Find (itemData .Address ).Area
489- itemData .Date , _ = time . ParseInLocation ( "2006 Jan 2 15:04:05" , fmt . Sprintf ( "%d %s" , currentYear , itemData .DateStr ) , nyc )
489+ itemData .Date = loadDate ( currentYear , itemData .DateStr , nyc )
490490 datas = append (datas , itemData )
491491 }
492492 successCount ++
@@ -540,33 +540,63 @@ func loadSSHDataForAnalysis(analysisMap map[string]dto.SSHLogAnalysis, commandIt
540540func loadSuccessDatas (line string ) dto.SSHHistory {
541541 var data dto.SSHHistory
542542 parts := strings .Fields (line )
543- if len (parts ) < 14 {
544- return data
545- }
546- data = dto.SSHHistory {
547- DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
548- AuthMode : parts [6 ],
549- User : parts [8 ],
550- Address : parts [10 ],
551- Port : parts [12 ],
552- Status : constant .StatusSuccess ,
543+ t , err := time .Parse ("2006-01-02T15:04:05.999999-07:00" , parts [0 ])
544+ if err != nil {
545+ if len (parts ) < 14 {
546+ return data
547+ }
548+ data = dto.SSHHistory {
549+ DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
550+ AuthMode : parts [6 ],
551+ User : parts [8 ],
552+ Address : parts [10 ],
553+ Port : parts [12 ],
554+ Status : constant .StatusSuccess ,
555+ }
556+ } else {
557+ if len (parts ) < 12 {
558+ return data
559+ }
560+ data = dto.SSHHistory {
561+ DateStr : t .Format ("2006 Jan 2 15:04:05" ),
562+ AuthMode : parts [4 ],
563+ User : parts [6 ],
564+ Address : parts [8 ],
565+ Port : parts [10 ],
566+ Status : constant .StatusSuccess ,
567+ }
553568 }
554569 return data
555570}
556571
557572func loadFailedAuthDatas (line string ) dto.SSHHistory {
558573 var data dto.SSHHistory
559574 parts := strings .Fields (line )
560- if len (parts ) < 14 {
561- return data
562- }
563- data = dto.SSHHistory {
564- DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
565- AuthMode : parts [8 ],
566- User : parts [10 ],
567- Address : parts [11 ],
568- Port : parts [13 ],
569- Status : constant .StatusFailed ,
575+ t , err := time .Parse ("2006-01-02T15:04:05.999999-07:00" , parts [0 ])
576+ if err != nil {
577+ if len (parts ) < 14 {
578+ return data
579+ }
580+ data = dto.SSHHistory {
581+ DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
582+ AuthMode : parts [8 ],
583+ User : parts [10 ],
584+ Address : parts [11 ],
585+ Port : parts [13 ],
586+ Status : constant .StatusFailed ,
587+ }
588+ } else {
589+ if len (parts ) < 12 {
590+ return data
591+ }
592+ data = dto.SSHHistory {
593+ DateStr : t .Format ("2006 Jan 2 15:04:05" ),
594+ AuthMode : parts [6 ],
595+ User : parts [7 ],
596+ Address : parts [9 ],
597+ Port : parts [11 ],
598+ Status : constant .StatusFailed ,
599+ }
570600 }
571601 if strings .Contains (line , ": " ) {
572602 data .Message = strings .Split (line , ": " )[1 ]
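Review bot: `time.Parse(..., parts[0])` in loadSuccessDatas now runs before any length check, so an empty or whitespace-only line (for which `strings.Fields` returns an empty slice) would panic with an index out of range, where the old code returned the zero value through `len(parts) < 14`. Whether callers can pass such a line is not visible in this hunk, but a guard such as `if len(parts) == 0 { return data }` directly after `strings.Fields(line)` restores the old safety. The same ordering appears in loadFailedAuthDatas below and in loadFailedSecureDatas in the next hunk. The body of loadFailedAuthDatas continues past the end of this hunk.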
@@ -577,21 +607,39 @@ func loadFailedAuthDatas(line string) dto.SSHHistory {
577607func loadFailedSecureDatas (line string ) dto.SSHHistory {
578608 var data dto.SSHHistory
579609 parts := strings .Fields (line )
580- if len (parts ) < 14 {
581- return data
582- }
583- data = dto.SSHHistory {
584- DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
585- AuthMode : parts [6 ],
586- User : parts [8 ],
587- Address : parts [10 ],
588- Port : parts [12 ],
589- Status : constant .StatusFailed ,
610+ t , err := time .Parse ("2006-01-02T15:04:05.999999-07:00" , parts [0 ])
611+ if err != nil {
612+ if len (parts ) < 14 {
613+ return data
614+ }
615+ data = dto.SSHHistory {
616+ DateStr : fmt .Sprintf ("%s %s %s" , parts [0 ], parts [1 ], parts [2 ]),
617+ AuthMode : parts [6 ],
618+ User : parts [8 ],
619+ Address : parts [10 ],
620+ Port : parts [12 ],
621+ Status : constant .StatusFailed ,
622+ }
623+ } else {
624+ if len (parts ) < 12 {
625+ return data
626+ }
627+ index := 0
628+ if strings .Contains ("line" , " invalid user" ) {
629+ index = 2
630+ }
631+ data = dto.SSHHistory {
632+ DateStr : t .Format ("2006 Jan 2 15:04:05" ),
633+ AuthMode : parts [4 ],
634+ User : parts [index + 6 ],
635+ Address : parts [index + 8 ],
636+ Port : parts [index + 10 ],
637+ Status : constant .StatusFailed ,
638+ }
590639 }
591640 if strings .Contains (line , ": " ) {
592641 data .Message = strings .Split (line , ": " )[1 ]
593642 }
594-
595643 return data
596644}
597645
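Review bot: `strings.Contains("line", " invalid user")` in loadFailedSecureDatas tests the string literal `"line"` rather than the variable, so it is always false and `index` stays 0. For an ISO-timestamped `Failed password for invalid user NAME from ADDR port N` entry, that puts the word `invalid` in User, the remote-supplied user name in Address and the address in Port, so the failed-login view misattributes the source. The check should read `if strings.Contains(line, " invalid user") { index = 2 }`. Once `index` can be 2 the `len(parts) < 12` guard is too short for `parts[index+10]`; computing `index` first and guarding with `if len(parts) < index+11 { return data }` covers both shapes.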
@@ -610,3 +658,11 @@ func loadServiceName() (string, error) {
610658 }
611659 return "" , errors .New ("The ssh or sshd service is unavailable" )
612660}
661+
662+ func loadDate (currentYear int , DateStr string , nyc * time.Location ) time.Time {
663+ itemDate , err := time .ParseInLocation ("2006 Jan 2 15:04:05" , fmt .Sprintf ("%d %s" , currentYear , DateStr ), nyc )
664+ if err != nil {
665+ itemDate , _ = time .ParseInLocation ("2006 Jan 2 15:04:05" , DateStr , nyc )
666+ }
667+ return itemDate
668+ }
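Review bot: loadDate discards the error from its second `time.ParseInLocation` call, so a date string matching neither form silently yields the zero `time.Time` and the entry is listed with a year-1 timestamp. This deserves at least a doc comment, e.g. `// loadDate parses dateStr as a yearless syslog stamp prefixed with currentYear, then as a stamp that already carries its year; it returns the zero time.Time if neither matches.` The parameter `DateStr` should also be lower-cased to `dateStr` to follow Go naming. Separately, the ISO branch of the load*Datas helpers formats `t` without its UTC offset, so re-parsing that string in `nyc` presumably shifts the instant whenever the log's offset differs from that location, which matters when these entries feed an incident timeline.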