allinurl / goaccess

GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
https://goaccess.io
MIT License

How to analyse Dante Socks server logs with GoAccess? #1087

Closed Enfield closed 6 years ago

Enfield commented 6 years ago

For example:

Apr 13 11:35:13 (1523619313.153088) danted[6894]: info: pass(1): tcp/connect [: username%MY_USERNAME@94.25.169.233.27725 167.99.247.172.1080 -> 167.99.247.172.27725 149.154.163.37.44

The date is in three different columns. Can I parse it with GoAccess?

allinurl commented 6 years ago

Can you please describe the fields you've got in there? Thanks.

Enfield commented 6 years ago

For this string (it's a SOCKS5 proxy):

Apr 13 11:35:13 (1523619313.153088) danted[6894]: info: pass(1): tcp/connect [: username%MY_USERNAME@94.25.169.233.27725 167.99.247.172.1080 -> 167.99.247.172.27725 149.154.163.37.44

the fields would be:

month day time (timestamp with milliseconds) ignore ignore request_status protocol/action[:username%login@incoming_ipv4.port server_ipv4.port -> server_ipv4.port outcoming_ipv4.port

allinurl commented 6 years ago

Unfortunately there's no delimiter for those IPs, e.g., 94.25.169.233.27725. If you could split the last part, then you could do:

goaccess access.log --log-format='%^(%x.%^) %v: %^ %^ %U %^ %e@%h:%^ %^ %^' --date-format=%s --time-format=%s --ignore-panel=REQUESTS_STATIC --ignore-panel=NOT_FOUND --ignore-panel=OS --ignore-panel=BROWSERS --ignore-panel=REFERRERS --ignore-panel=REFERRING_SITES --ignore-panel=STATUS_CODES --http-method=no --http-protocol=no
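
Added example, not part of the original thread and not GoAccess code: one way to do the split the comment above asks for, rewriting each Dante `a.b.c.d.port` token as `a.b.c.d:port` so that `%h:` in the log format can stop at the colon. The names `split_ip_port`, `analyse_dante_log` and `SAMPLE_LINE` are hypothetical, and the sample line is constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example: give Dante's "ip.port" tokens a ':' delimiter for GoAccess.

# Constructed sample in the layout shown in the issue (RFC 5737 addresses).
SAMPLE_LINE='Apr 13 11:35:13 (1523619313.153088) danted[6894]: info: pass(1): tcp/connect [: username%alice@198.51.100.7.27725 192.0.2.10.1080 -> 192.0.2.10.27725 203.0.113.5.443'

# split_ip_port: filter stdin to stdout.
# A token is rewritten only when it is exactly four dotted groups of 1-3
# digits followed by ".port" and is not glued to other digits or dots, so
# the epoch "(1523619313.153088)" and the "11:35:13" time stay untouched.
# The loop (label + t) re-scans the line after every substitution, because
# two adjacent tokens share the single space between them and one pass with
# the g flag would skip the second token.
split_ip_port() {
    sed -E \
        -e ':again' \
        -e 's/(^|[^0-9.])(([0-9]{1,3}\.){3}[0-9]{1,3})\.([0-9]{1,5})([^0-9.]|$)/\1\2:\4\5/' \
        -e 't again'
}

# analyse_dante_log FILE: normalise FILE into a temporary copy, then run the
# log, date and time formats from the comment above on it. Requires goaccess
# to be installed; the --ignore-panel flags from the comment can be appended.
analyse_dante_log() {
    tmp=$(mktemp) || return 1
    split_ip_port < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    goaccess "$tmp" \
        --log-format='%^(%x.%^) %v: %^ %^ %U %^ %e@%h:%^ %^ %^' \
        --date-format=%s --time-format=%s \
        --http-method=no --http-protocol=no
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Stand-alone demo: print the normalised sample line.
printf '%s\n' "$SAMPLE_LINE" | split_ip_port
```

The filter does not check that each octet is at most 255, which is sufficient for lines that Dante itself wrote.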

Enfield commented 6 years ago

Thx!