apache-log-geo 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 88358db0f03c32a5141201af91a3fa617f123b00c0fad7a8e063a4e51a1fe75e
+  data.tar.gz: 37906a57323328d07d516d3b7b6bb5cc71ffb200949158206f952708e1df0cb0
+SHA512:
+  metadata.gz: edba9d9da0d8e342b84403df8d6459f449aac6c65cb5d69b59f696a69562aea26c4a3a7febae2928d2852721301bb0b9564d38a38fa21fca6c1fe062e5c39234
+  data.tar.gz: dde46e90f32f32fc69b7292e12db7687f2319d3b6a308f088996f9fab24b91a30d4c355a75e38448e3eeff5fd7b5c35954a3acf7423b34230b55c3ced543698b

data/README.md

@@ -0,0 +1,109 @@
+# apache-log-geo
+
+An offline GeoIP CLI filter for Apache (common, combined) logs. It's
+like grep but with a knowledge about what data an ip holds. Supa
+handy!
+
+Reqs:
+
+* ruby
+* `dnf install libmaxminddb-devel geolite2-city`
+
+If there's no geolite2-city pkg (that contains `GeoLite2-City.mmdb`
+file) for your system, register on MaxMind's website, get a license
+key & install geoipupdate to fetch the db file.
+
+## Install
+
+    gem install apache-log-geo
+
+## Usage
+
+The pkg contains 2 CLI utils only. There's no reusable library code.
+
+### apache-log-geo
+
+This is a simple grep-like filter:
+
+~~~
+$ ./apache-log-geo -h
+Usage: apache-log-geo [-d GeoLite2-City.mmdb] [-v] [--key val ...]
+    -d path                          maxmind db file
+    -v                               invert match
+        --city regexp
+        --country regexp
+        --cc str                     2 letter country code
+        --continent regexp
+        --postcode regexp
+        --sub regexp                 subdivisions
+~~~
+
+It tries to guess the location of the .mmdb file, thus specifying `-d`
+opt is often unnecessary.
+
+Options that begin with `--` constitute test conditions for a
+filter. Conditions are anded. Unlike grep, specifying no conditions is
+not an error--the util will act as a pass through for each valid log
+line that starts with an ip address that is known to the GeoLite2 db.
+
+`--cc` opt is special: it doesn't take a regexp, but a 2-letter codes
+separated with `|`.
+
+#### Examples
+
+A pass through:
+
+~~~
+$ head -2 test/access.log | ./apache-log-geo
+52.18.122.238 - - [06/Mar/2020:00:02:00 -0500] "GET /~alex/doc/bunz%2Cmercedes__school-will-never-end/ HTTP/1.1" 200 17133 "-" "Apache-HttpClient/4.3.6 (java 1.5)"
+54.174.110.177 - - [06/Mar/2020:00:03:10 -0500] "GET /~alex/doc/bunz%2Cmercedes__school-will-never-end/ HTTP/1.1" 200 17133 "-" "Ruby"
+~~~
+
+Filter by a country code:
+
+~~~
+$ head -2 test/access.log | ./apache-log-geo --cc ie
+52.18.122.238 - - [06/Mar/2020:00:02:00 -0500] "GET /~alex/doc/bunz%2Cmercedes__school-will-never-end/ HTTP/1.1" 200 17133 "-" "Apache-HttpClient/4.3.6 (java 1.5)"
+
+$ cat test/access.log | ./apache-log-geo --cc 'ie|de' | wc -l
+11
+~~~
+
+### mmdb-lookup
+
+Renders the data about ip addresses in json (default) or a suitable
+for a shell script formats:
+
+~~~
+$ ./mmdb-lookup -h
+Usage: mmdb-lookup [-d GeoLite2-City.mmdb] [-f fmt] ip...
+    -d path                          maxmind db file
+    -f fmt                           output format: json, shell
+~~~
+
+IPs can come either from the command line or from the stdin. Again,
+`-d` is optional.
+
+#### Examples
+
+Evaluate a printed shell code:
+
+~~~
+$ (eval `./mmdb-lookup 5.1.0.0 -f shell`; echo $subdivisions)
+Kyiv City
+~~~
+
+Replicate `apache-log-geo` util--print only the requests from the Irish
+(the example requires `npm -g json`):
+
+    $ awk '{print $1}' test/access.log | ./mmdb-lookup | json -c 'this.country_code == "IE"' -a ip | grep -h -f - test/access.log
+
+## Exit status
+
+* 0 -- some lines were matched
+* 1 -- nothing was matched
+* 2 -- an error occurred
+
+## License
+
+MIT.

data/apache-log-geo

@@ -0,0 +1,72 @@
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'mmdb'
+require_relative 'lib'
+include ApacheLogGeo
+
+# exact match: country_code, postcode
+# regexp: continent, country, subdivisions, city
+#
+# conditions are anded. no conditions == true
+def match_by_geo info, query
+  query.each do |k,v|
+    if k == :subdivisions # it's an array, one match of its elements is enough
+      return false unless (info[k] || []).any? {|val| val.to_s =~ /#{v}/i }
+    end
+
+    return false unless info[k].to_s =~ /#{v}/i
+  end
+
+  true
+end
+
+opt = {
+  db: geo_db_location,
+  v: false,
+  query: {}
+}
+
+OptionParser.new do |o|
+  o.banner = "Usage: #{File.basename $0} [-d GeoLite2-City.mmdb] [-v] [--key val ...]"
+  o.on("-d path", "maxmind db file") { |v| opt[:db] = v }
+  o.on("-v", "invert match") { |v| opt[:v] = v }
+  o.on("--city regexp") { |v| opt[:query][:city] = v }
+  o.on("--country regexp") { |v| opt[:query][:country] = v }
+  o.on("--cc str", "2 letter country code") { |v|
+    v.split('|').each do |cc|
+      errx 2, "invalid country code: #{cc}" unless COUNTRY_CODES.key? cc.upcase
+    end
+    opt[:query][:country_code] = v
+  }
+  o.on("--continent regexp") { |v| opt[:query][:continent] = v }
+  o.on("--postcode regexp") { |v| opt[:query][:postcode] = v }
+  o.on("--sub regexp", "subdivisions") { |v| opt[:query][:subdivisions] = v }
+end.parse!
+
+begin
+  geo = MaxMindDB.new opt[:db]
+rescue
+  errx 2, "failed to open #{opt[:db]}"
+end
+
+found_anything = false
+$stdin.each_line do |line|
+  next if line =~ /^\s*$/
+  ip = line.split[0]
+  begin
+    info = geo.lookup ip
+  rescue
+    warnx "no data, filtering the entry out: `${ip[0..15]}`"
+    next
+  end
+
+  match = match_by_geo info, opt[:query]
+  match = !match if opt[:v]
+  if match
+    found_anything = true
+    puts line
+  end
+end
+
+exit found_anything ? 0 : 1

data/lib.rb

@@ -0,0 +1,275 @@
+# coding: utf-8
+module ApacheLogGeo
+  # save user some typing if we can guess the OS
+  def geo_db_location
+    datadir = case RUBY_PLATFORM
+              when /linux/ then '/usr/share'
+              when /cygwin|msys/ then '/usr/share'
+              when /darwin/ then '/usr/local/var' # untested
+              when /freebsd/ then '/usr/local/share'
+              else nil
+              end
+    return 'GeoLite2-City.mmdb' unless datadir
+    File.join datadir, 'GeoIP/GeoLite2-City.mmdb'
+  end
+
+  def errx exit_code, msg
+    $stderr.puts "#{File.basename $0} error: #{msg}"
+    exit exit_code
+  end
+
+  def warnx msg; $stderr.puts "#{File.basename $0} warning: #{msg}"; end
+
+  # https://datahub.io/core/country-list
+  COUNTRY_CODES = {
+    "AF" => "Afghanistan",
+    "AX" => "Åland Islands",
+    "AL" => "Albania",
+    "DZ" => "Algeria",
+    "AS" => "American Samoa",
+    "AD" => "Andorra",
+    "AO" => "Angola",
+    "AI" => "Anguilla",
+    "AQ" => "Antarctica",
+    "AG" => "Antigua and Barbuda",
+    "AR" => "Argentina",
+    "AM" => "Armenia",
+    "AW" => "Aruba",
+    "AU" => "Australia",
+    "AT" => "Austria",
+    "AZ" => "Azerbaijan",
+    "BS" => "Bahamas",
+    "BH" => "Bahrain",
+    "BD" => "Bangladesh",
+    "BB" => "Barbados",
+    "BY" => "Belarus",
+    "BE" => "Belgium",
+    "BZ" => "Belize",
+    "BJ" => "Benin",
+    "BM" => "Bermuda",
+    "BT" => "Bhutan",
+    "BO" => "Bolivia, Plurinational State of",
+    "BQ" => "Bonaire, Sint Eustatius and Saba",
+    "BA" => "Bosnia and Herzegovina",
+    "BW" => "Botswana",
+    "BV" => "Bouvet Island",
+    "BR" => "Brazil",
+    "IO" => "British Indian Ocean Territory",
+    "BN" => "Brunei Darussalam",
+    "BG" => "Bulgaria",
+    "BF" => "Burkina Faso",
+    "BI" => "Burundi",
+    "KH" => "Cambodia",
+    "CM" => "Cameroon",
+    "CA" => "Canada",
+    "CV" => "Cape Verde",
+    "KY" => "Cayman Islands",
+    "CF" => "Central African Republic",
+    "TD" => "Chad",
+    "CL" => "Chile",
+    "CN" => "China",
+    "CX" => "Christmas Island",
+    "CC" => "Cocos (Keeling) Islands",
+    "CO" => "Colombia",
+    "KM" => "Comoros",
+    "CG" => "Congo",
+    "CD" => "Congo, the Democratic Republic of the",
+    "CK" => "Cook Islands",
+    "CR" => "Costa Rica",
+    "CI" => "Côte d'Ivoire",
+    "HR" => "Croatia",
+    "CU" => "Cuba",
+    "CW" => "Curaçao",
+    "CY" => "Cyprus",
+    "CZ" => "Czech Republic",
+    "DK" => "Denmark",
+    "DJ" => "Djibouti",
+    "DM" => "Dominica",
+    "DO" => "Dominican Republic",
+    "EC" => "Ecuador",
+    "EG" => "Egypt",
+    "SV" => "El Salvador",
+    "GQ" => "Equatorial Guinea",
+    "ER" => "Eritrea",
+    "EE" => "Estonia",
+    "ET" => "Ethiopia",
+    "FK" => "Falkland Islands (Malvinas)",
+    "FO" => "Faroe Islands",
+    "FJ" => "Fiji",
+    "FI" => "Finland",
+    "FR" => "France",
+    "GF" => "French Guiana",
+    "PF" => "French Polynesia",
+    "TF" => "French Southern Territories",
+    "GA" => "Gabon",
+    "GM" => "Gambia",
+    "GE" => "Georgia",
+    "DE" => "Germany",
+    "GH" => "Ghana",
+    "GI" => "Gibraltar",
+    "GR" => "Greece",
+    "GL" => "Greenland",
+    "GD" => "Grenada",
+    "GP" => "Guadeloupe",
+    "GU" => "Guam",
+    "GT" => "Guatemala",
+    "GG" => "Guernsey",
+    "GN" => "Guinea",
+    "GW" => "Guinea-Bissau",
+    "GY" => "Guyana",
+    "HT" => "Haiti",
+    "HM" => "Heard Island and McDonald Islands",
+    "VA" => "Holy See (Vatican City State)",
+    "HN" => "Honduras",
+    "HK" => "Hong Kong",
+    "HU" => "Hungary",
+    "IS" => "Iceland",
+    "IN" => "India",
+    "ID" => "Indonesia",
+    "IR" => "Iran, Islamic Republic of",
+    "IQ" => "Iraq",
+    "IE" => "Ireland",
+    "IM" => "Isle of Man",
+    "IL" => "Israel",
+    "IT" => "Italy",
+    "JM" => "Jamaica",
+    "JP" => "Japan",
+    "JE" => "Jersey",
+    "JO" => "Jordan",
+    "KZ" => "Kazakhstan",
+    "KE" => "Kenya",
+    "KI" => "Kiribati",
+    "KP" => "Korea, Democratic People's Republic of",
+    "KR" => "Korea, Republic of",
+    "KW" => "Kuwait",
+    "KG" => "Kyrgyzstan",
+    "LA" => "Lao People's Democratic Republic",
+    "LV" => "Latvia",
+    "LB" => "Lebanon",
+    "LS" => "Lesotho",
+    "LR" => "Liberia",
+    "LY" => "Libya",
+    "LI" => "Liechtenstein",
+    "LT" => "Lithuania",
+    "LU" => "Luxembourg",
+    "MO" => "Macao",
+    "MK" => "Macedonia, the Former Yugoslav Republic of",
+    "MG" => "Madagascar",
+    "MW" => "Malawi",
+    "MY" => "Malaysia",
+    "MV" => "Maldives",
+    "ML" => "Mali",
+    "MT" => "Malta",
+    "MH" => "Marshall Islands",
+    "MQ" => "Martinique",
+    "MR" => "Mauritania",
+    "MU" => "Mauritius",
+    "YT" => "Mayotte",
+    "MX" => "Mexico",
+    "FM" => "Micronesia, Federated States of",
+    "MD" => "Moldova, Republic of",
+    "MC" => "Monaco",
+    "MN" => "Mongolia",
+    "ME" => "Montenegro",
+    "MS" => "Montserrat",
+    "MA" => "Morocco",
+    "MZ" => "Mozambique",
+    "MM" => "Myanmar",
+    "NA" => "Namibia",
+    "NR" => "Nauru",
+    "NP" => "Nepal",
+    "NL" => "Netherlands",
+    "NC" => "New Caledonia",
+    "NZ" => "New Zealand",
+    "NI" => "Nicaragua",
+    "NE" => "Niger",
+    "NG" => "Nigeria",
+    "NU" => "Niue",
+    "NF" => "Norfolk Island",
+    "MP" => "Northern Mariana Islands",
+    "NO" => "Norway",
+    "OM" => "Oman",
+    "PK" => "Pakistan",
+    "PW" => "Palau",
+    "PS" => "Palestine, State of",
+    "PA" => "Panama",
+    "PG" => "Papua New Guinea",
+    "PY" => "Paraguay",
+    "PE" => "Peru",
+    "PH" => "Philippines",
+    "PN" => "Pitcairn",
+    "PL" => "Poland",
+    "PT" => "Portugal",
+    "PR" => "Puerto Rico",
+    "QA" => "Qatar",
+    "RE" => "Réunion",
+    "RO" => "Romania",
+    "RU" => "Russian Federation",
+    "RW" => "Rwanda",
+    "BL" => "Saint Barthélemy",
+    "SH" => "Saint Helena, Ascension and Tristan da Cunha",
+    "KN" => "Saint Kitts and Nevis",
+    "LC" => "Saint Lucia",
+    "MF" => "Saint Martin (French part)",
+    "PM" => "Saint Pierre and Miquelon",
+    "VC" => "Saint Vincent and the Grenadines",
+    "WS" => "Samoa",
+    "SM" => "San Marino",
+    "ST" => "Sao Tome and Principe",
+    "SA" => "Saudi Arabia",
+    "SN" => "Senegal",
+    "RS" => "Serbia",
+    "SC" => "Seychelles",
+    "SL" => "Sierra Leone",
+    "SG" => "Singapore",
+    "SX" => "Sint Maarten (Dutch part)",
+    "SK" => "Slovakia",
+    "SI" => "Slovenia",
+    "SB" => "Solomon Islands",
+    "SO" => "Somalia",
+    "ZA" => "South Africa",
+    "GS" => "South Georgia and the South Sandwich Islands",
+    "SS" => "South Sudan",
+    "ES" => "Spain",
+    "LK" => "Sri Lanka",
+    "SD" => "Sudan",
+    "SR" => "Suriname",
+    "SJ" => "Svalbard and Jan Mayen",
+    "SZ" => "Swaziland",
+    "SE" => "Sweden",
+    "CH" => "Switzerland",
+    "SY" => "Syrian Arab Republic",
+    "TW" => "Taiwan, Province of China",
+    "TJ" => "Tajikistan",
+    "TZ" => "Tanzania, United Republic of",
+    "TH" => "Thailand",
+    "TL" => "Timor-Leste",
+    "TG" => "Togo",
+    "TK" => "Tokelau",
+    "TO" => "Tonga",
+    "TT" => "Trinidad and Tobago",
+    "TN" => "Tunisia",
+    "TR" => "Turkey",
+    "TM" => "Turkmenistan",
+    "TC" => "Turks and Caicos Islands",
+    "TV" => "Tuvalu",
+    "UG" => "Uganda",
+    "UA" => "Ukraine",
+    "AE" => "United Arab Emirates",
+    "GB" => "United Kingdom",
+    "US" => "United States",
+    "UM" => "United States Minor Outlying Islands",
+    "UY" => "Uruguay",
+    "UZ" => "Uzbekistan",
+    "VU" => "Vanuatu",
+    "VE" => "Venezuela, Bolivarian Republic of",
+    "VN" => "Viet Nam",
+    "VG" => "Virgin Islands, British",
+    "VI" => "Virgin Islands, U.S.",
+    "WF" => "Wallis and Futuna",
+    "EH" => "Western Sahara",
+    "YE" => "Yemen",
+    "ZM" => "Zambia",
+    "ZW" => "Zimbabwe"
+  }
+end

data/mmdb-lookup

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+require 'optparse'
+require 'mmdb'
+require_relative 'lib'
+include ApacheLogGeo
+
+class FMT
+  def initialize input, geo
+    @input = input; @geo = geo
+    @errors = 0
+  end
+  attr_accessor :errors
+
+  def shell                     # print only the 1st entry
+    require 'shellwords'
+    ip = @input.to_enum.next.split.first
+    r = ["ip=#{ip.shellescape}"]
+
+    info = @geo.lookup ip rescue nil
+    if !info
+      r << "error=#{@errors += 1}"
+    else
+      r += info.map do |k,v|
+        "#{k}=#{(v.is_a?(Array) ? v.join(',') : v.to_s).shellescape}"
+      end
+    end
+    r.join "\n"
+  end
+
+  def json
+    require 'json'
+    @input.map do |list|
+      list.split.map do |ip|
+        r = {ip: ip}
+        info = @geo.lookup ip rescue nil
+        info ? r.merge(info) : r.merge({error: @errors += 1})
+      end
+     end.flatten.to_json
+  end
+end
+
+
+opt = {
+  db: geo_db_location,
+  fmt: 'json'
+}
+
+OptionParser.new do |o|
+  o.banner = "Usage: #{File.basename $0} [-d GeoLite2-City.mmdb] [-f fmt] ip..."
+  o.on("-d path", "maxmind db file") { |v| opt[:db] = v }
+  o.on("-f fmt", "output format: json, shell") { |v| opt[:fmt] = v }
+end.parse!
+
+begin
+  geo = MaxMindDB.new opt[:db]
+rescue
+  errx 2, "failed to open #{opt[:db]}"
+end
+
+fmt = FMT.new (ARGV.size > 0 ? ARGV : $stdin), geo
+puts fmt.send opt[:fmt]
+exit fmt.errors > 0 ? 1 : 0

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: apache-log-geo
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Alexander Gromnitsky
+autorequire: 
+bindir: "."
+cert_chain: []
+date: 2020-03-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: mmdb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.2
+description: |
+  It's like grep but with a knowledge about what data an ip
+  holds. Requires MaxMind's GeoLite2 DB (GeoLite2-City.mmdb) installed.
+email: alexander.gromnitsky@gmail.com
+executables:
+- apache-log-geo
+- mmdb-lookup
+extensions: []
+extra_rdoc_files: []
+files:
+- "./apache-log-geo"
+- "./mmdb-lookup"
+- README.md
+- apache-log-geo
+- lib.rb
+- mmdb-lookup
+homepage: https://github.com/gromnitsky/apache-log-geo
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: An offline GeoIP CLI filter for Apache (common, combined) logs.
+test_files: []