#!/bin/bash

# Default values for the log file path and time threshold
log_file="/var/log/nc_audit/suspicious_file_detector.log"
allowed_time_diff=3600  # Default: 3600 seconds (1 hour)

# Function to display usage
usage() {
    echo "Usage: $0 [-f log_file] [-t allowed_time_difference_in_seconds]"
    exit 3
}

# Parse command-line arguments
while getopts "f:t:" opt; do
    case ${opt} in
        f)
            log_file="${OPTARG}"
            ;;
        t)
            allowed_time_diff="${OPTARG}"
            ;;
        *)
            usage
            ;;
    esac
done

# Check if the log file exists and is not empty
if [[ ! -f "${log_file}" || ! -s "${log_file}" ]]; then
    echo "ERROR: Log file ${log_file} does not exist or is empty."
    exit 1
fi

# Check the last modification time of the log file
current_time=$(date +%s)
file_mod_time=$(stat -c %Y "${log_file}")
time_diff=$((current_time - file_mod_time))

if (( time_diff > allowed_time_diff )); then
    echo "CRITICAL!: Log file was modified more than $((allowed_time_diff / 60)) minutes ago."
    exit 2
fi

# Get the last line of the log file
last_line=$(tail -n 1 "$log_file")

if [[ "${last_line}" == *"CRITICAL!"* ]]; then
    echo "${last_line}"
    exit 2
elif [[ "${last_line}" == *"WARNING"* ]]; then
    echo "${last_line}"
    exit 1
elif [[ "${last_line}" == *"OK!"* ]]; then
    echo "${last_line}"
    exit 0
else
    echo "UNKNOWN: ${last_line}"
    exit 3
fi