Correct the rsyslog template to include timestamps in logs, ensuring compatibility with the Python parser. This change also refactors the log filtering to capture only incoming connections, significantly reducing log volume. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: c2f849f9-105f-452a-bdc3-a956d102c54b Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/6ZTQSoP
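#!/bin/bash
# =============================================================================
# TEST LOG FORMAT - checks the rsyslog output format and parser compatibility
# =============================================================================
# Verifies that rsyslog writes the MikroTik firewall log in the format the
# Python parser expects (BSD syslog timestamp, hostname, "forward:" lines with
# "proto", "IP:PORT->IP:PORT" and "len"), that the parser is filling the
# database, and that the incoming-connections-only filter keeps the log rate
# low.
#
# Usage:  sudo ./test_log_format.sh
# Env:    LOG_FILE               raw log written by rsyslog
#                                (default: /var/log/mikrotik/raw.log)
#         DATABASE_URL           optional; Test 4 is skipped when unset
#         VOLUME_WINDOW_SECONDS  sampling window for Test 5 (default: 10)
# Exit:   0 when every check passes or is skipped, 1 when a check fails
# =============================================================================

set -e

# Colours
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

LOG_FILE="${LOG_FILE:-/var/log/mikrotik/raw.log}"
VOLUME_WINDOW_SECONDS="${VOLUME_WINDOW_SECONDS:-10}"

# POSIX ERE fragments shared by the checks below.
# The previous version used \d and \s, which are not ERE: GNU grep treats
# "\d" as a literal "d", so the timestamp and IP:PORT checks could never match
# and Test 2 always reported "Nessun log con timestamp".
TS_RE='^[A-Z][a-z]{2}[[:space:]]+[0-9]{1,2}[[:space:]]+[0-9]{2}:[0-9]{2}:[0-9]{2}'
IP_RE='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# Print one (optionally coloured) line. %b expands the \033 colour escapes
# like `echo -e` did, without echo's portability quirks.
msg() {
  printf '%b\n' "$*"
}

# Remove control characters (except TAB and LF) from stdin.
# Log lines are produced by remote routers, so they are untrusted input and
# may carry terminal escape sequences; strip them before printing to a TTY.
strip_ctrl() {
  tr -d '\000-\010\013-\037\177'
}

# Echo $1 as a non-negative integer, or "0" when it is empty or not numeric,
# so that empty or garbled command output never breaks an -eq/-gt test.
as_int() {
  local v=${1//[[:space:]]/}
  case "$v" in
    ''|*[!0-9]*) printf '0' ;;
    *) printf '%s' "$v" ;;
  esac
}

# check_field <ERE> <"i" for case-insensitive, "" otherwise> <ok msg> <fail msg>
# Tests SAMPLE_LOG against the pattern, prints the outcome and bumps ERRORS.
check_field() {
  local regex=$1 ci=$2 ok=$3 fail=$4
  local -a opts=(-q -E)
  if [ "$ci" = "i" ]; then
    opts+=(-i)
  fi
  if printf '%s\n' "$SAMPLE_LOG" | grep "${opts[@]}" -- "$regex"; then
    msg "${GREEN} ✅ ${ok}${NC}"
  else
    msg "${RED} ❌ ${fail}${NC}"
    ERRORS=$((ERRORS + 1))
  fi
}

case "$VOLUME_WINDOW_SECONDS" in
  ''|*[!0-9]*|0)
    printf 'VOLUME_WINDOW_SECONDS deve essere un intero positivo\n' >&2
    exit 1
    ;;
esac

msg "${BLUE}🧪 TEST FORMATO LOG MIKROTIK${NC}"
printf '\n'

# Test 1: the log file exists and is readable by this user
msg "${BLUE}📋 Test 1: Verifica file log${NC}"
if [ ! -f "$LOG_FILE" ]; then
  msg "${RED}❌ File log non esiste: $LOG_FILE${NC}"
  exit 1
fi
# Without this check an unreadable file (typically: not running as root) is
# reported further down as "file vuoto", which is misleading.
if [ ! -r "$LOG_FILE" ]; then
  msg "${RED}❌ File log non leggibile: $LOG_FILE (esegui con sudo)${NC}"
  exit 1
fi
msg "${GREEN}✅ File log esiste${NC}"
printf '\n'

# Test 2: timestamp format
msg "${BLUE}📋 Test 2: Verifica formato timestamp${NC}"
msg "${YELLOW} Ultimi 5 log:${NC}"
# `tail` succeeds on an empty file, so test emptiness explicitly.
if [ -s "$LOG_FILE" ]; then
  tail -n 5 "$LOG_FILE" | strip_ctrl
else
  echo "File vuoto"
fi
printf '\n'

# Count recent lines with a correct timestamp (format: Nov 22 08:15:30).
# grep -c exits 1 when nothing matches; `|| true` keeps set -e quiet.
LOGS_WITH_TIMESTAMP=$(as_int "$(tail -n 100 "$LOG_FILE" | grep -cE -- "$TS_RE" || true)")
TOTAL_LOGS=$(as_int "$(tail -n 100 "$LOG_FILE" | wc -l)")

msg "${BLUE} Log con timestamp corretto: $LOGS_WITH_TIMESTAMP / $TOTAL_LOGS${NC}"

if [ "$TOTAL_LOGS" -eq 0 ]; then
  msg "${YELLOW}⚠ File log vuoto - attendi arrivo log dai router${NC}"
elif [ "$LOGS_WITH_TIMESTAMP" -eq 0 ]; then
  msg "${RED}❌ ERRORE: Nessun log con timestamp!${NC}"
  msg "${YELLOW} Template rsyslog NON configurato correttamente${NC}"
  msg "${YELLOW} Esegui: sudo /opt/ids/deployment/setup_rsyslog.sh${NC}"
  exit 1
else
  PERCENTAGE=$((LOGS_WITH_TIMESTAMP * 100 / TOTAL_LOGS))
  if [ "$PERCENTAGE" -ge 80 ]; then
    msg "${GREEN}✅ Formato timestamp corretto ($PERCENTAGE%)${NC}"
  else
    msg "${YELLOW}⚠ Solo $PERCENTAGE% log con timestamp corretto${NC}"
  fi
fi
printf '\n'

# Test 3: parser pattern compatibility
msg "${BLUE}📋 Test 3: Verifica compatibilità parser${NC}"

# Pick one sample "forward:" line from the tail of the file.
SAMPLE_LOG=$(tail -n 10 "$LOG_FILE" | grep -- "forward:" | head -n 1 || true)

if [ -z "$SAMPLE_LOG" ]; then
  msg "${YELLOW}⚠ Nessun log 'forward' trovato - file vuoto o formato non corretto${NC}"
else
  msg "${YELLOW} Log esempio:${NC}"
  printf ' %s\n' "$SAMPLE_LOG" | strip_ctrl
  printf '\n'

  # Check the fields the parser relies on.
  ERRORS=0
  check_field "$TS_RE" "" \
    "Timestamp presente" "Timestamp mancante o formato errato"
  check_field "${TS_RE}[[:space:]]+[^[:space:]]+[[:space:]]+" "" \
    "Hostname presente" "Hostname mancante"
  check_field "proto (UDP|TCP|ICMP)" "i" \
    "Protocollo riconosciuto" "Protocollo non riconosciuto"
  check_field "${IP_RE}:[0-9]+->${IP_RE}:[0-9]+" "" \
    "Formato IP:PORT corretto" "Formato IP:PORT errato"
  check_field "len[[:space:]]+[0-9]+" "" \
    "Packet length presente" "Packet length mancante"

  printf '\n'
  if [ "$ERRORS" -eq 0 ]; then
    msg "${GREEN}✅ Log formato correttamente - parser compatibile${NC}"
  else
    msg "${RED}❌ $ERRORS errori rilevati - parser potrebbe fallire${NC}"
    exit 1
  fi
fi
printf '\n'

# Test 4: the parser is populating the database
msg "${BLUE}📋 Test 4: Verifica database popolato${NC}"

if [ -z "${DATABASE_URL:-}" ]; then
  msg "${YELLOW}⚠ DATABASE_URL non configurato - skip test database${NC}"
else
  # NOTE: DATABASE_URL may embed a password and is passed on the psql command
  # line, so it is visible in `ps` while each query runs; on shared hosts a
  # ~/.pgpass file or the libpq PG* environment variables avoid that.
  # Probe connectivity first so that "cannot connect" is not reported as an
  # empty database (the previous version discarded psql's stderr entirely).
  if ! psql "$DATABASE_URL" -Atq -c "SELECT 1;" >/dev/null 2>&1; then
    msg "${RED}❌ Connessione al database fallita - verifica DATABASE_URL${NC}"
  else
    # Count rows from the last 5 minutes; psql errors (e.g. missing table) are
    # left on stderr so the operator can see them.
    DB_LOGS=$(as_int "$(psql "$DATABASE_URL" -At -c "SELECT COUNT(*) FROM network_logs WHERE timestamp > NOW() - INTERVAL '5 minutes';" || true)")

    if [ "$DB_LOGS" -gt 0 ]; then
      msg "${GREEN}✅ Database popolato: $DB_LOGS log ultimi 5 minuti${NC}"

      # Show the latest rows; their text originates from router logs, so
      # strip control characters before printing.
      msg "${BLUE} Ultimi 3 log nel database:${NC}"
      psql "$DATABASE_URL" -c "SELECT timestamp, router_name, source_ip, destination_ip, protocol, action FROM network_logs ORDER BY timestamp DESC LIMIT 3;" 2>/dev/null | strip_ctrl || true
    else
      msg "${YELLOW}⚠ Database vuoto negli ultimi 5 minuti${NC}"
      msg "${YELLOW} Verifica che il parser sia attivo:${NC}"
      msg "${YELLOW} sudo systemctl status ids-syslog-parser${NC}"
    fi
  fi
fi
printf '\n'

# Test 5: log volume stays low (incoming connections only)
msg "${BLUE}📋 Test 5: Verifica volume log (solo connessioni in ingresso)${NC}"

# Measure a rate rather than a size: the previous `tail -1000 | wc -l` was
# just min(file length, 1000) and said nothing about how fast the log grows.
# Record the byte size, wait, then count only the lines appended meanwhile.
# If the file is rotated or truncated during the window the count drops to 0,
# which would read as "volume ridotto"; rerun the test in that case.
BYTES_BEFORE=$(as_int "$(wc -c < "$LOG_FILE")")
msg "${BLUE} Misuro il volume per ${VOLUME_WINDOW_SECONDS}s...${NC}"
sleep "$VOLUME_WINDOW_SECONDS"
RECENT_LOGS=$(as_int "$(tail -c "+$((BYTES_BEFORE + 1))" "$LOG_FILE" | wc -l)")
msg "${BLUE} Log ultimi ${VOLUME_WINDOW_SECONDS}s: $RECENT_LOGS${NC}"

# Thresholds are lines per sampling window (100 / 500 in 10 s by default).
if [ "$RECENT_LOGS" -lt 100 ]; then
  msg "${GREEN}✅ Volume log ridotto (filtro connessioni in ingresso attivo)${NC}"
elif [ "$RECENT_LOGS" -lt 500 ]; then
  msg "${YELLOW}⚠ Volume log moderato${NC}"
else
  msg "${YELLOW}⚠ Volume log elevato - verifica filtro MikroTik${NC}"
fi
printf '\n'

# Final summary
msg "${GREEN}╔═══════════════════════════════════════════════╗${NC}"
msg "${GREEN}║ ✅ TEST COMPLETATO ║${NC}"
msg "${GREEN}╚═══════════════════════════════════════════════╝${NC}"
printf '\n'
msg "${BLUE}📊 PROSSIMI PASSI:${NC}"
msg " 1. Verifica parser attivo: ${YELLOW}sudo systemctl status ids-syslog-parser${NC}"
msg " 2. Monitora log: ${YELLOW}tail -f $LOG_FILE${NC}"
msg " 3. Verifica database: ${YELLOW}psql \$DATABASE_URL -c 'SELECT COUNT(*) FROM network_logs;'${NC}"
printf '\n'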