Update log analysis script to use Maxmind GeoIP data
authorTom Hughes <tom@compton.nu>
Wed, 21 Jan 2015 18:37:54 +0000 (18:37 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 21 Jan 2015 21:08:30 +0000 (21:08 +0000)
bin/sumlogs

index 400a3631ca724753cf5e65469c21fe38b99406b1..c46bcbaed4ede083dd458f36eb34258122d72a16 100755 (executable)
@@ -3,41 +3,34 @@
 use strict;
 use warnings;
 
-use Net::Patricia;
+use Geo::IP;
 use YAML;
 
-my $pt = new Net::Patricia;
-
-open(COUNTRIES, "< countries.conf") || die "Can't open /etc/powerdns/countries.conf";
-
-while (my $line = <COUNTRIES>)
-{
-    if ($line =~ /^(\d+\.\d+\.\d+\.\d+\/\d+)\s+:127\.\d+\.\d+\.\d+:([a-z]{2})/)
-    {
-        my $address = $1;
-        my $country = uc($2);
-
-        $pt->add_string($address, $country);
-    }
-}
-
-close(COUNTRIES);
-
+my $gi = Geo::IP->open("/usr/share/GeoIP/GeoIP.dat", GEOIP_MEMORY_CACHE);
 my $total_bytes = 0;
 my %country_bytes;
 
 while (my $record = <>)
 {
-    if ($record =~ /^\d+\.\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+TCP_[A-Z_]+\/\d+\s+(\d+) (?:GET|HEAD|POST) /)
+    if ($record =~ /^\d+\.\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+TCP_[A-Z_]+\/\d+\s+(\d+) (?:GET|HEAD|POST|OPTIONS|PROPFIND) /)
     {
         my $ip = $1;
         my $bytes = $2;
-        my $country = $pt->match_string($ip);
+        my $country = $gi->country_code_by_addr($ip);
 
-        $country_bytes{$country} += $bytes if defined($country);
+        if (defined($country) &&
+            $country ne "A1" && $country ne "A2" && 
+            $country ne "01" && $country ne "--")
+        {
+            $country_bytes{$country} += $bytes;
+        }
 
         $total_bytes += $bytes;
     }
+    elsif ($record =~ /^\d+\.\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+TCP_DENIED\/\d+\s+(\d+) /)
+    {
+       # do nothing
+    }
     elsif ($record =~ /^\d+\.\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+UDP_[A-Z_]+\/\d+\s+(\d+) ICP_QUERY /)
     {
        # do nothing
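Review bot: The return value of `Geo::IP->open` on the added line is never checked, so when /usr/share/GeoIP/GeoIP.dat is missing or unreadable `$gi` is undef and the script dies on the first log record with a "Can't call method country_code_by_addr" error instead of a clear message; `my $gi = Geo::IP->open("/usr/share/GeoIP/GeoIP.dat", GEOIP_MEMORY_CACHE) or die "Can't open GeoIP database: $!";` keeps the failure at the point where it happens (the replaced Net::Patricia code did check its open). The placeholder codes the legacy GeoIP country database returns are A1, A2, O1 (letter O) and "--"; if the `"01"` in the new filter is a digit zero rather than the letter O, traffic in the "Other" bucket is still counted as a country, so that literal is worth confirming. The new TCP_DENIED branch is only reached for records whose method is not in the first alternation, because `TCP_[A-Z_]+` with GET/HEAD/POST/OPTIONS/PROPFIND already matches denied requests and adds them to `$total_bytes`; if the intent is to leave denied traffic out of the totals, the TCP_DENIED test should come before the general TCP_ branch. The enclosing `while` loop continues past the end of the hunk.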