Initial cross-server log inventory + anomaly scan
- 10 hosts (mo1, ams, ams2, ro1, ca1, ca2, ca3, fr1, sony, termux) - discover-logs.sh: portable inventory (Linux/FreeBSD/Termux) - scan-anomalies.sh: ERROR/WARN/CRITICAL counts + journalctl + kubectl - run-all.sh: parallel SSH fan-out - build-summary.py: aggregates into reports/SUMMARY.md - 5 HIGH-severity findings identified on ro1 (apache scanner traffic, mount_monitor warnings)
51
scripts/discover-logs.sh
Executable file
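--- /dev/null
+++ b/scripts/discover-logs.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# discover-logs.sh — portable log inventory.
+# Outputs CSV: path,size_bytes,mtime_iso,service
+# Works on Linux (Debian/Ubuntu), FreeBSD, and Termux.
+
+set -u
+HOST=$(hostname 2>/dev/null || uname -n)
+
+# 1. Build candidate file list using fast tools when available.
+LIST=$(mktemp 2>/dev/null || echo /tmp/discover.$$)
+trap 'rm -f "$LIST"' EXIT
+
+if command -v plocate >/dev/null 2>&1; then
+plocate /var/log 2>/dev/null > "$LIST"
+elif command -v locate >/dev/null 2>&1; then
+locate /var/log 2>/dev/null > "$LIST"
+else
+# No locate db: walk /var/log with du (faster than find for our purposes).
+if [ -d /var/log ]; then
+du -ab /var/log 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' > "$LIST"
+fi
+fi
+
+# Add Kubernetes / container log dirs explicitly (they may be outside locate db).
+for extra in /var/log/pods /var/log/containers /var/lib/docker/containers /var/log/journal; do
+[ -d "$extra" ] && du -ab "$extra" 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' >> "$LIST"
+done
+
+# Termux logs
+if [ -n "${PREFIX:-}" ] && [ -d "${PREFIX}/var/log" ]; then
+du -ab "${PREFIX}/var/log" 2>/dev/null | awk '{ $1=""; sub(/^ /,""); print }' >> "$LIST"
+fi
+
+# 2. Filter to regular files matching log-ish patterns, emit CSV.
+# Service guessed from path component under /var/log/.
+sort -u "$LIST" | while IFS= read -r p; do
+[ -f "$p" ] || continue
+case "$p" in
+*.log|*.log.*|*.gz|*.zst|*.xz|*.zip|*/messages|*/syslog|*/auth*|*/kern*|*/daemon*|*/dmesg*|*/secure*) ;;
+*) continue ;;
+esac
+sz=$(stat -c '%s' "$p" 2>/dev/null || stat -f '%z' "$p" 2>/dev/null) || continue
+mt=$(stat -c '%y' "$p" 2>/dev/null | cut -d. -f1 || stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$p" 2>/dev/null) || continue
+svc=$(echo "$p" | awk -F/ '{
+for (i=1;i<=NF;i++) if ($i=="log" || $i=="logs") { print $(i+1); exit }
+}')
+[ -z "$svc" ] && svc="other"
+# CSV-escape quotes/commas in path
+esc=$(printf '%s' "$p" | sed 's/"/""/g')
+printf '"%s",%s,"%s","%s"\n' "$esc" "$sz" "$mt" "$svc"
+done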
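Review bot: The fallback on the `LIST=$(mktemp ...)` line produces a predictable `/tmp/discover.$$` name whenever `mktemp` is unavailable, and the later `> "$LIST"` redirects will happily follow a symlink another local user has pre-planted at that path; for a script that is fanned out over SSH to ten hosts, that fallback is better removed than kept. All three documented platforms ship `mktemp`, so failing closed is the simpler contract: `LIST=$(mktemp) || { echo "discover-logs: mktemp failed" >&2; exit 1; }`. Separately, the `mt=` assignment's `|| stat -f ...` branch is keyed on the exit status of `cut`, not of `stat -c`, so on FreeBSD (where `stat -c` fails) `cut` still exits 0 on empty input and `mt` ends up empty instead of reaching the BSD fallback. Move the truncation out of the pipeline: `mt=$(stat -c '%y' "$p" 2>/dev/null || stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$p" 2>/dev/null) || continue` followed by `mt=${mt%%.*}`. The `du -ab` calls are worth confirming on the FreeBSD hosts as well, since BSD `du` may not accept `-b` and the `2>/dev/null` would hide that failure as an empty inventory.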