#!/bin/bash
#Version 1.0
#Created by: Louis Bernardo
#Copyright Siemonster 2024
#Description: Support information collector

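#Variables
# Everything collected by one run lives under a dated folder; the archive name is
# the folder's basename plus .tar.gz (e.g. support-logs-20240101.tar.gz, constructed example).
logfolder=/data/support/support-logs-$(date +%Y%m%d)
container_logs=$logfolder/container_logs/
configs=$logfolder/configs/
service_configs=$logfolder/service_configs/
user_history=$logfolder/user_history
ossec_logs=$logfolder/ossec_logs
mytar=${logfolder##*/}.tar.gz

# Fail on unset variables so the two "rm -rf" calls below can never expand to an
# empty path. Deliberately no "set -e": this is a best-effort collector and a
# missing source file (no cloud-init seed, no unit file, ...) must not abort the run.
set -u
# The bundle contains shell histories, cloud-init user-data and the Wazuh
# configuration, any of which may hold credentials; create every collected file
# and the final archive readable by the owner only.
umask 077


#Check if folder exists and if it doesn't exist to create the relevant logs folder
printf '%s\n' \
  "********** NOTE: If support logs already exists for current day it will be removed and a new folder created.********** " \
  "********** Please only rerun script if initial run failed or requested to do so by SIEMonster support!! **********"

sleep 5

if [[ -d "$logfolder" ]]; then
  echo "Logs directory exists, removing!"
  rm -rf -- "${logfolder:?}"
fi
# Always (re)create the tree. The previous version created $logfolder only when
# it did not exist yet, so a rerun on the same day removed it and never recreated
# it, and every mkdir/redirect below then failed.
mkdir -p -- "$logfolder" "$container_logs" "$configs" "$service_configs" \
  "$user_history" "$ossec_logs"

########## General information
printf '%s\n' \
  "********** Starting collection of general information, this will take a while ********** " \
  "********** To cancel this script at any time press [CTRL]+C**********"

#The following collects all open ports on the localhost
# net-tools is not installed on every host; fall back to ss from iproute2.
if command -v netstat >/dev/null 2>&1; then
  netstat -plunt >> "$logfolder/netstat.log"
else
  ss -plunt >> "$logfolder/netstat.log"
fi

#The following provides a top snapshot sorted by CPU
top -b -n1 -eg -o %CPU >> "$logfolder/top.txt"

#The following provides a list of all the interfaces and their assigned IP addresses.
if command -v ifconfig >/dev/null 2>&1; then
  ifconfig >> "$logfolder/interfaces.txt"
else
  ip addr >> "$logfolder/interfaces.txt"
fi

#The following provides disk capacity exclude snap and overlay
df -h | grep -ivE 'overlay|tmpfs' >> "$logfolder/storage.txt"

#The following outputs dmesg is a format with color coding, this can be echo'd out to the terminal
script -q -c "dmesg -T" "$logfolder/dmesg.log" > /dev/null

#The following outputs dmesg unformated into plain text with no color coding
dmesg -T > "$logfolder/dmesg.unformatted"


########## Container information
echo "********** Starting collection of container information **********"
#The following lists containers
docker ps --size >> "$logfolder/container_list.log"

#Container statistics
docker stats --no-stream >> "$logfolder/docker_stats.txt"

# Running container names are read once into an array and reused by both loops
# below instead of calling "docker ps" twice.
# NOTE(review): the --format argument looks like a template escape (rendered to
# the literal docker template {{.Names}}); it is reproduced verbatim here.
mapfile -t containers < <(docker ps --format '{{ '{{' }}.Names'{{ '}}' }})

#Extract the logs from each runing container and place the logs in the logs folder with the container name
echo "********** extracting container logs **********"
for name in "${containers[@]}"; do
  docker logs "$name" > "$container_logs/container-$name.log" 2>&1
done
echo "********** extracting container logs complete **********"


########## Config collection
#Getting all sevice configs
echo "********** retrieving services **********"
for name in "${containers[@]}"; do
  unit=/etc/systemd/system/$name.service
  # Not every container is backed by a systemd unit; skip silently instead of
  # printing a cp error for each one.
  if [[ -f "$unit" ]]; then
    cp -- "$unit" "$service_configs/"
  fi
done
echo "********** Retrieving services complete **********"

echo "********** copying configs **********"
docker cp -q wazuh:/var/ossec/etc/ossec.conf "$configs/ossec.conf"
docker cp -q wazuh:/var/ossec/logs/ossec.log "$ossec_logs/ossec.log"
docker cp -q wazuh:/var/ossec/logs/cluster.log "$ossec_logs/cluster.log"
# cloud-init user-data is copied as-is; it can carry initial passwords or keys.
cp /var/lib/cloud/seed/nocloud-net/user-data "$configs/user-data"

# Shell histories are collected verbatim and frequently contain secrets typed on
# the command line; the archive should be reviewed before it leaves the host.
for home in /home/*; do
  [[ -d "$home" ]] || continue   # no match leaves the literal pattern behind
  user=${home##*/}
  cp -- "$home/.bash_history" "$user_history/$user.bash_history" 2>/dev/null
done
# Copied once, outside the loop: the previous version repeated this per /home
# entry and skipped it entirely when /home was empty.
cp /root/.bash_history "$user_history/root_bash_history" 2>/dev/null

last > "$logfolder/last.txt"
uptime >> "$logfolder/uptime.txt"

echo "********** Compresssing Archive **********"

# The archive is written to the current working directory (relative name);
# stderr is discarded to hide tar's "Removing leading /" notice.
tar -czf "$mytar" "$logfolder" 2>/dev/null

rm -rf -- "${logfolder:?}"

printf '%s\n' \
  "********** The support file extraction is complete ********** " \
  "********** Please attach the $mytar file to your support ticket **********"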
