Juniper firewalls produce large syslog files recording every connection between internal and external hosts.
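"""Reduce Juniper SRX RT_FLOW syslog lines to per-source-host CSV logs.

Each syslog line that carries a leading timestamp, a Juniper ``RT_*``
description and at least two ``ip/port`` pairs becomes one CSV row,
``date,time,source,target,target_name,target_port,"description"``, appended to
``logs/<source-ip>_log.txt``.  Only sessions whose source starts with
``192.168.`` are kept; lines that do not parse are copied verbatim to
``logs/errors_log.txt``.
"""
import io
import os
import re
from collections import defaultdict

# ``ip/port`` followed by '-' (the "->" between source and target) or a space.
rip = re.compile(r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/([0-9]+)[- ]")
# Leading "YYYY-MM-DD HH:MM:SS<TAB>" stamp, e.g. "2017-05-06 23:59:59\t".
rdt = re.compile(
    r"^([0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) "
    r"([0-9][0-9]:[0-9][0-9]:[0-9][0-9])\t"
)
# Description: from the device name up to and including the last IP that is
# followed by '/', e.g. "JuniperSRX1500Perth RT_FLOW: RT_FLOW_SESSION_CLOSE: ...".
rdesc = re.compile(r"(JuniperSRX1500Perth RT_.*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/")

SYSLOG_DIR = "/mnt/pa_archives/pa_archives/IT/Syslog_Archives/"
FILE_PREFIX = "2017-06"
INTERNAL_PREFIX = "192.168."
LOG_DIR = "logs"
ERROR_LOG = "errors_log.txt"


def parse_line(line):
    """Reduce one syslog line to ``(source_ip, csv_row)``.

    Args:
        line: one raw syslog line, trailing newline allowed.

    Returns:
        ``(source_ip, csv_row)`` when the line has a leading timestamp, a
        Juniper ``RT_*`` description and at least two ``ip/port`` pairs.  The
        row is ``date,time,source,target,target_name,target_port,"description"``
        with ``target_name`` left empty, as the original output had it.
        ``None`` when any of the three parts is missing, so the caller can
        route the raw line to the error log.
    """
    stamps = rdt.findall(line)
    descs = rdesc.findall(line)
    endpoints = rip.findall(line)
    # A line with a description and endpoints but no timestamp used to raise
    # IndexError on mydatetime[0]; treat it as unparseable instead.
    if not stamps or not descs or len(endpoints) < 2:
        return None
    date, time = stamps[0]
    source, _source_port = endpoints[0]
    target, target_port = endpoints[1]
    # The description is free text from the device log, i.e. untrusted input;
    # double any embedded quote so the quoted CSV field stays well-formed.
    desc = descs[0].replace('"', '""')
    row = ",".join([date, time, source, target, "", target_port, '"' + desc + '"'])
    return source, row


def process_file(path, rows_by_source, errors):
    """Parse every line of ``path``, bucketing CSV rows by source IP.

    Args:
        path: syslog file to read.
        rows_by_source: mapping source-ip -> list of rows, extended in place.
        errors: list of raw unparseable lines, extended in place.

    Rows whose source does not start with ``INTERNAL_PREFIX`` are dropped,
    matching the original filter.
    """
    # errors="replace" keeps a single stray non-UTF-8 byte from aborting the
    # whole file; the handle is closed by the with-block (the original leaked it).
    with io.open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parsed = parse_line(line)
            if parsed is None:
                errors.append(line)
                continue
            source, row = parsed
            if source.startswith(INTERNAL_PREFIX):
                rows_by_source[source].append(row)


def write_logs(rows_by_source, errors, log_dir=LOG_DIR):
    """Append bucketed rows and raw error lines under ``log_dir``.

    Args:
        rows_by_source: mapping source-ip -> list of CSV rows.
        errors: raw lines to append to ``ERROR_LOG``.
        log_dir: output directory, created if missing.

    The per-host file name is ``<source-ip>_log.txt``.  The source string
    comes from log content, but ``rip`` only admits digits and dots, so it
    cannot carry a path separator or '..'; keep that regex tight if it changes.
    """
    if not os.path.isdir(log_dir):
        os.makedirs(log_dir)
    for source, rows in rows_by_source.items():
        with io.open(os.path.join(log_dir, source + "_log.txt"), "a", encoding="utf-8") as out:
            out.write("\n".join(rows) + "\n")
    if errors:
        with io.open(os.path.join(log_dir, ERROR_LOG), "a", encoding="utf-8") as out:
            out.writelines(errors)


def main():
    """Process every ``FILE_PREFIX`` syslog file found in ``SYSLOG_DIR``."""
    # NOTE(review): the original iterated os.listdir('/tmp/2017_07_26_*.txt');
    # os.listdir does not expand globs and raises OSError on that path.  The
    # commented-out listing of SYSLOG_DIR, together with the prefix test and
    # path join that followed it, is the consistent intent and is what runs here.
    for name in sorted(os.listdir(SYSLOG_DIR)):
        print(name)
        if not name.startswith(FILE_PREFIX):
            continue
        # Buffer per file so memory stays bounded by one file, as readlines() was.
        rows_by_source = defaultdict(list)
        errors = []
        process_file(os.path.join(SYSLOG_DIR, name), rows_by_source, errors)
        write_logs(rows_by_source, errors)


if __name__ == "__main__":
    main()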