port_programs rectification

sorting rectification sudo for ss
2019-09-24 14:37:20 +05:30
parent 2adb3890a2
commit 24ba825eeb
1 changed files with 23 additions and 8 deletions
--- a/ufw.awk
+++ b/ufw.awk
@@ -4,7 +4,6 @@
    # Warn on blank log
    # Incorrect timestamp - very old TS or latest TS older than older TS
        # out of order or blocks of time are missing
-# Combine it with system-log file
 # Give options to process only a certain number of day's log
 # Check if mawk is available -> if yes, use that

@@ -13,7 +12,7 @@ LC_ALL=C

 # Adding the port-program mapping to a shell variable
 # We shall pass it to awk later
-declare port_programs=$(ss -lpntu | 
+declare port_programs=$(sudo ss -lpntu | 
    awk 'BEGIN {FS=":"} 
         NR>1 && $1 !~ "\\[" {print $2, $NF} # Row does NOT contains [ -> Fetch 2nd and last columns
         NR>1 && $1 ~ "\\[" {print $4, $NF}  # Row contains [ -> Fetch 4th and last columns
@@ -69,8 +68,7 @@ cat /var/log/ufw.log |
            }
            
            print EVENT, IN, OUT, SRC, DST, SRCPORT, DSTPORT, PROTO
-    }' | 
-    sort | uniq -c | 
+    }' | uniq -c | sort -n |
    awk -v port_programs_bash="$port_programs" '
        BEGIN{
            # Column headers
@@ -78,8 +76,8 @@ cat /var/log/ufw.log |
            print "-----------------------------------------------------------------------------------------------------------------------------"

            #Deserialize the port_programs_bash
-            split(port_programs_bash, temp)
-            for (i=2;i<=length(temp);i+=2) {
+            len=split(port_programs_bash, temp)
+            for (i=2;i<=len;i+=2) {
                port_programs[temp[i-1]]=temp[i]
            }
            i=0
@@ -88,7 +86,7 @@ cat /var/log/ufw.log |
            total+=$1
            SRC_IPS[$5]+=$1
            DST_IPS[$6]+=$1
-            printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9,port_programs[$7])
+            printf ("%6d %15s %10s %10s %15s %15s %8d %8d %8s %20s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, port_programs[$7])
        }
        END	{
            print ""
@@ -115,3 +113,20 @@ cat /var/log/ufw.log |
            print "Total records parsed = "total
        }
 '
+
+# Check if there are huge gaps in TS
+cat /var/log/ufw.log |
+    awk '{
+        curr_ts=$1
+        
+        # TS out of order
+        if(last_ts != "" && curr_ts < last_ts)
+            something_wrong_at[i++]=curr_ts
+
+        
+        if (last_ts != "" && curr_ts > (last_ts + huge_gap))
+            gaps_at[++j]=curr_ts
+
+        last_ts=curr_ts
+    }
+    '