feat: Add UFW log monitoring

- Added a new function `get_ufw_logs` to monitor `/var/log/ufw.log`. - Added a new table `ufw_logs` to the database to store UFW log data. - Updated `analyze_data_locally` to detect anomalies in UFW logs (high number of blocked connections). - Integrated the new functionality into the main monitoring loop.
2025-09-15 13:22:37 -05:00
parent 0f0bdd2da7
commit 12e6ba0135
6 changed files with 73 additions and 876 deletions
--- a/monitor_agent.py
+++ b/monitor_agent.py
@@ -42,9 +42,35 @@ logger.addHandler(console_handler)

 LOG_POSITION_FILE = 'log_position.txt'
 AUTH_LOG_POSITION_FILE = 'auth_log_position.txt'
+UFW_LOG_POSITION_FILE = 'ufw_log_position.txt'

 # --- Data Ingestion & Parsing Functions ---

+def get_ufw_logs():
+    """Gets new lines from /var/log/ufw.log since the last check."""
+    try:
+        last_position = 0
+        if os.path.exists(UFW_LOG_POSITION_FILE):
+            with open(UFW_LOG_POSITION_FILE, 'r') as f:
+                last_position = int(f.read())
+
+        with open("/var/log/ufw.log", "r") as f:
+            f.seek(last_position)
+            log_lines = f.readlines()
+            current_position = f.tell()
+
+        with open(UFW_LOG_POSITION_FILE, 'w') as f:
+            f.write(str(current_position))
+
+        return log_lines
+    except FileNotFoundError:
+        logger.error("/var/log/ufw.log not found.")
+        return []
+    except Exception as e:
+        logger.error(f"Error reading ufw.log: {e}")
+        return []
+
+
 def get_system_logs():
    """Gets new lines from /var/log/syslog since the last check."""
    try:
@@ -293,6 +319,24 @@ def analyze_data_locally(data, baselines, known_issues, port_applications):
                    "reason": f"Docker container '{container_name}' is not running. Current status: {status}"
                })

+    # UFW log analysis
+    ufw_logs = data.get("ufw_logs", [])
+    if ufw_logs:
+        blocked_ips = {}
+        for log_line in ufw_logs:
+            if "[UFW BLOCK]" in log_line:
+                match = re.search(r"SRC=([\d\.]+)", log_line)
+                if match:
+                    ip = match.group(1)
+                    blocked_ips[ip] = blocked_ips.get(ip, 0) + 1
+        
+        for ip, count in blocked_ips.items():
+            if count > 10:
+                anomalies.append({
+                    "severity": "high",
+                    "reason": f"High number of blocked connections ({count}) from IP address: {ip}"
+                })
+
    return anomalies

 # --- LLM Interaction Function ---
@@ -434,6 +478,7 @@ def run_monitoring_cycle(nmap_scan_counter):
    gpu_temp = get_gpu_temperature(sensors_output)
    login_attempts = get_login_attempts()
    docker_container_status = get_docker_container_status()
+    ufw_logs = get_ufw_logs()

    nmap_results = None
    if nmap_scan_counter == 0:
@@ -449,7 +494,8 @@ def run_monitoring_cycle(nmap_scan_counter):
            "cpu_temperature": cpu_temp,
            "gpu_temperature": gpu_temp,
            "login_attempts": login_attempts,
-            "docker_container_status": docker_container_status
+            "docker_container_status": docker_container_status,
+            "ufw_logs": ufw_logs
        }

        if nmap_results: