secure日誌分析腳本
『壹』 SecureCRT杞浠舵庝箞鏌ョ湅鏃ュ織
鍛戒護琛屼笅媯鍜:
涓銆乴s 鍒楀嚭鏂囦歡鍜岀洰褰曟棌紲 錛堢浉褰撲簬dir錛宒ir涔熷彲浠ヤ嬌鐢錛 -A:鍒楀嚭鎵鏈夋枃浠訛紝鍖呭惈闅愯棌鏂囦歡銆 -l錛氬垪琛ㄥ艦寮忥紝鍖呭惈鏂囦歡鐨勭粷澶ч儴鍒嗗睘鎬с -R錛氶掑綊鏄劇ず銆 --help錛氭ゅ懡浠ょ殑甯鍔┿
浜屻乧d 鏀瑰彉鐩褰 cd /:榪涘叆鏍圭洰褰 cd 錛氬洖鍒拌嚜宸辯殑鐩褰曪紙鐢ㄦ埛涓嶅悓鍒欑洰褰曚篃涓嶅悓錛宺oot涓/root錛寈xt涓/home/xxt cd ..錛氬洖鍒頒笂綰х洰褰 pwd錛氭樉紺哄綋鍓嶆墍鍦ㄧ殑鐩褰
涓.less 鏂囦歡鍚嶏細鏌ョ湅鏂囦歡鍐呭廣
鍥.q 閫鍑烘墦寮鐨勬枃浠躲
浜.涓婁紶鏂囦歡錛 rz 閫夋嫨瑕佷紶閫佺殑鏂囦歡錛岀『瀹氥
鍏.涓嬭澆鏂囦歡錛 sz 鎸囧畾鏂囦歡鍚,enter鏁詫紝鍗充笅杞藉埌浜唖ecureCRT/download鐩褰曚笅銆傚囨敞錛氬懡浠 --help鏌ョ湅鍛戒護涓嬭︾粏鍙傛暟銆傚傦細rz --help sz --help
涓冿細鍒犻櫎鏂囦歡錛 rm 鍒犻櫎鏂囦歡 rmdir 鍒犻櫎絀虹洰褰曘
鍏.鏄劇ず: 鏈榪戣緭鍏ョ殑20鏉″懡浠ゆょ楃函銆
『貳』 甯蹇欏垎鏋/var/log/secure鏃ュ織錛屾槸鍚﹁鏀誨嚮錛
鍙戝竷:鐙鑷絳夊緟
涓婂ぉ鏌ョ湅浜嗘湇鍔″櫒瀹夊叏鏃ュ織錛岄槻鐏澧欏睆钄戒簡澶勭悊浜嗕竴浜涙毚鍔涚牬瑙ssh瀵嗙爜鐨剗p錛堝叾涓涓涓猧p鍦板潃涓哄寳浜涓瀹舵湁鍚嶇殑CDN鏈嶅姟鎻愪緵鍟嗭級錛岀劧鍚庢潕鎵掑垹闄や簡鎵鏈夌殑/var/log/secure* 鏃ュ織鍝鎺樻槍鏂囦歡銆
浠婂ぉ鍐嶆潵鏌ョ湅鏃ュ織鐨勬椂鍊欙紝鍙戠幇/var/log/secure絝熺劧娌℃湁璁板綍錛屾墠鎯沖埌鐩存帴鍒犻櫎鏃ュ織鏂囦歡鐨勬椂鍊欙紝瀵瑰簲鐨勬湇鍔¢渶瑕侀噸鍚銆傝繍琛屽懡浠わ細service syslog restart ;service sshd restart 鍚庢e父銆
欏轟究澶嶄範涓媠sh鍦╯yslog涓鐨勮劇疆鐨勭煡璇嗐
1銆/etc/ssh/鏁e枈sshd_config 涓鐨勮劇疆錛氾紙鍗:SyslogFacility 璁句負AUTHPRIV錛
[root@mail ~]# more /etc/ssh/sshd_config
#Port 22
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
<strong>SyslogFacility AUTHPRIV</strong>
#LogLevel INFO
#灝辨槸鎶妔shd鐨勬棩蹇楀畾涔夊湪authriv.info綰у埆銆
2銆侀厤鍚/etc/syslog.conf涓鐨勮劇疆錛
[root@mail ~]# more /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Dont log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
『叄』 瀛︿範linux shell鑴氭湰錛岃佸笀鍑轟簡涓閬撻樸傚氨鏄鍦ㄦ棩蹇/var/log/secure 瀹夊叏淇℃伅涓
榪欎釜寰堢畝鍗曪紝鍙戜綘涓涓鎴戜互鍓嶅啓鐨
瓚呰繃鍗佹★紝灝辨坊鍔犲埌hosts.deny閲岄潰鍘
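#!/bin/bash
# Count "Failed" sshd login attempts per source address in the auth log and
# add every address that exceeds the threshold to the TCP-wrappers deny file,
# mailing an alert for each newly added address.
#
# Intended to run as root from cron (the deny file is root-owned).
# Tunables, all optional, read from the environment:
#   SECURE_LOG  auth log to scan                     (default /var/log/secure)
#   IP_LIST     scratch file of "ip=count" lines     (default /shell/ip.txt)
#   HOSTS_DENY  TCP-wrappers deny file               (default /etc/hosts.deny)
#   MAX_FAILED  attempts tolerated per address; an address is banned
#               when its count is strictly greater   (default 10)
#   ALERT_MAIL  alert recipient; empty disables mail (default [email protected])
set -euo pipefail

readonly file=${SECURE_LOG:-/var/log/secure}
readonly ip_list=${IP_LIST:-/shell/ip.txt}
readonly deny_file=${HOSTS_DENY:-/etc/hosts.deny}
readonly max=${MAX_FAILED:-10}
readonly alert_to=${ALERT_MAIL:-[email protected]}

#######################################
# Write one "ip=count" line per source address that has "Failed" entries.
# Arguments: $1 - auth log to scan
#            $2 - output list (its directory is created if missing)
# Outputs:   rewrites $2; the list is empty when the log has no "Failed" lines
# Returns:   0
#######################################
collect_failed_ips() {
  local log=$1 out=$2
  if [[ $out == */* ]]; then
    mkdir -p -- "${out%/*}"
  fi
  # $(NF-3) is the address in "Failed password for [invalid user] U from A port P ssh2";
  # counting from the end keeps it right even when the username contains spaces.
  # NF > 3 skips any "Failed" line too short to carry that field.
  # grep exits 1 when nothing matches; under pipefail that would abort the script,
  # so an empty result is mapped to success.
  { grep -- Failed "$log" || true; } \
    | awk 'NF > 3 { print $(NF-3) }' \
    | sort | uniq -c \
    | awk '{ print $2 "=" $1 }' > "$out"
}

#######################################
# Add one source address to the deny file unless it is already listed, then
# send the alert mail.
# Arguments: $1 - source address as extracted from the log
#            $2 - deny file (created on first append)
#            $3 - alert recipient; empty skips the mail
# Outputs:   appends "sshd:ADDRESS" to $2; diagnostics to stderr
# Returns:   0 if the address was newly added,
#            1 if it was already listed or did not look like an address
#######################################
ban_ip() {
  local ip=$1 deny=$2 to=$3
  # The value came out of a log line and is about to be written into a
  # root-owned config file: accept only something shaped like an IPv4/IPv6
  # address, nothing else.
  if [[ ! $ip =~ ^[0-9A-Fa-f.:]+$ ]]; then
    printf 'skipping malformed address: %s\n' "$ip" >&2
    return 1
  fi
  # -F: dots are literal, not the regex "any character";
  # -w: 10.0.0.1 must not be considered already listed because of 10.0.0.10.
  if [[ -f $deny ]] && grep -qwF -- "$ip" "$deny"; then
    return 1
  fi
  printf 'sshd:%s\n' "$ip" >> "$deny"
  # The alert is piped into mail(1); a missing or failing mailer is reported
  # but must not stop the remaining addresses from being banned.
  if [[ -n $to ]]; then
    printf '%s\n' "$ip" | mail -s "鎶ヨ" "$to" \
      || printf 'warning: could not mail alert for %s\n' "$ip" >&2
  fi
}

#######################################
# Entry point: build the per-address count list and ban every address whose
# count exceeds $max.
# Globals:   file, ip_list, deny_file, max, alert_to (read)
# Returns:   0; a missing auth log is reported and treated as nothing to do
#            (a stale list from an earlier run is deliberately not reused)
#######################################
main() {
  if [[ ! -f $file ]]; then
    printf 'auth log %s not found, nothing to do\n' "$file" >&2
    return 0
  fi
  collect_failed_ips "$file" "$ip_list"
  local ip count
  while IFS='=' read -r ip count; do
    [[ -n $ip ]] || continue
    (( count > max )) || continue
    # "already listed" is a normal outcome, not an error.
    ban_ip "$ip" "$deny_file" "$alert_to" || true
  done < "$ip_list"
}

main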
『肆』 Secure CRT 鑷鍔ㄨ板綍鏃ュ織鍜屾椂闂存埑鍔熻兘閰嶇疆鐨勬柟娉
鎴戞槸寮濮嬪伐浣滃悗鎵嶄嬌鐢⊿ecureCRT,涓鐩存病璁板綍榪囨棩蹇椾笉榪囨悳浜嗕笅錛岀湅鐪嬭繖鍔熻兘涓嶉敊錛屽彲浠ョ湅鐪嬭嚜宸卞仛浠涔堬紝鏈夋椂鐢氳嚦鍙浠ョ湅鐪嬩箣鍓嶆槸涓嶆槸鐘浜嗕粈涔堥敊錛屽緢涓嶉敊鐨勫姛鑳芥墍浠ユ垜涔熷喅瀹氬紑濮嬭板綍鏃ュ織錛岃劇疆寰堢畝鍗曪紝涓嶈繃鎴戣嚜宸辯瀻鎹i紦鍙戠幇榪樺彲浠ヨ嚜鍔ㄥ垎鏂囦歡澶癸紝涓嶇煡閬撳ぇ瀹舵槸鍚﹂兘鐭ラ亾錛屽洜涓烘垜鎼滅殑鍑犵瘒鏂囩珷閮芥病鎻愬埌涓嬮潰寮濮嬭存庝箞璁劇疆鍚э紝甯屾湜鑳藉府鍒頒綘
鍦ㄨ彍鍗曢噷閫夋嫨"閫夐」"--"鍏ㄥ矓閫夐」"
鐒跺悗閫夋嫨甯歌勨斺旈粯璁や細璇濃斺旂紪杈戦粯璁よ劇疆
鐒跺悗閫夋嫨鏃ュ織鏂囦歡
鍦ㄦ棩蹇楁枃浠跺悕閲屽~鍏ヤ綘鎯充繚瀛樼殑鏃ュ織璺寰勫悕鍔犳棩蹇楁枃浠跺悕榪欓噷涓轟簡鍙浠ユ瘡涓浼氳瘽閮芥墦鎴愪竴涓鏃ュ織錛屽彲浠ラ噰鐢ㄦ敮鎸佺殑鍙傛暟%H 涓繪満鍚 %S 浼氳瘽鍚
%Y 騫翠喚 %M 鏈堜喚 %D 鏃
%h 灝忔椂 %m 鍒嗛挓 %s 縐
渚嬪傛垜濉鍐欑殑E:/Development/SecureCRT/Logs/%H/%Y-%M-%D_%h%m%s.log灝辨槸浼氫繚鎸佸湪E:/Development/SecureCRT/Logs/鐩褰曚笅錛岃礬寰勯噷涔熷彲鍜愯繜姝や互琛¤繀浣跨敤鍙傛棪鍗滄暟/%H/榪欐牱璁劇疆鍙浠ユ妸鍚屼竴涓涓繪満鐨勬棩蹇楀埌鍒頒竴涓鏂囦歡澶歸噷錛屾枃浠跺す鍚嶅氨鏄涓繪満鍚嶏紝娌℃湁浼氳嚜鍔ㄥ壋寤烘枃浠跺す榪欓噷鍙浠ュ嬀閫変笂榪炴帴涓婂紑濮嬭板綍鏃ュ織
鍥犱負鎴戜滑緇忓父寮鐫SecureCRT,浣嗕笉涓瀹氫竴鐩村湪鐢錛屼負浜嗙煡閬撴垜杈撳叆鐨勬瘡涓琛屽懡浠ゆ槸鍦ㄤ粈涔堟椂鍊欙紝鍙浠ュ湪"鍦ㄦ瘡琛"榪欎釜璁劇疆閲屽~鍐橻%h:%m:%s]
榪欐牱灝變細璁板綍姣忚屾棩蹇楁墦鍏ョ殑鏃墮棿鍟︼紝璋㈣阿闃呰伙紝甯屾湜鑳藉府鍒板ぇ瀹訛紝璇風戶緇鍏蟲敞錛屾垜浠浼氬姫鍔涘垎浜鏇村氫紭縐鐨勬枃絝犮
『伍』 Linux緋葷粺鏃ュ織鍒嗘瀽鐨勫熀鏈鏁欑▼
棣栧厛錛屾垜浠灝嗘弿榪版湁鍏 Linux 鏃ュ織鏄浠涔堬紝鍒板摢鍎垮幓鎵懼畠浠錛屼互涔辯爜鍙婂畠浠鏄濡備綍鍒涘緩鐨勫熀紜鐭ヨ瘑
Linux 緋葷粺鏃ュ織
璁稿氭湁浠峰肩殑鏃ュ織鏂囦歡閮芥槸鐢 Linux 鑷鍔ㄥ湴涓轟綘鍒涘緩鐨勩備綘鍙浠ュ湪 /var/log 鐩褰曚腑鎵懼埌瀹冧滑銆備笅闈㈡槸鍦ㄤ竴涓鍏稿瀷鐨 Ubuntu 緋葷粺涓榪欎釜鐩褰曠殑鏍峰瓙錛
銆涓浜涙渶涓洪噸瑕佺殑 Linux 緋葷粺鏃ュ織鍖呮嫭錛
/var/log/syslog 鎴 /var/log/messages 瀛樺偍鎵鏈夌殑鍏ㄥ矓緋葷粺媧誨姩鏁版嵁錛屽寘鎷寮鏈轟俊鎮銆傚熀浜 Debian 鐨勭郴緇熷 Ubuntu 鍦 /var/log/syslog 涓瀛樺偍瀹冧滑錛岃屽熀浜 RedHat 鐨勭郴緇熷 RHEL 鎴 CentOS 鍒欏湪 /var/log/messages 涓瀛樺偍瀹冧滑銆
/var/log/auth.log 鎴 /var/log/secure 瀛樺偍鏉ヨ嚜鍙鎻掗》涔庢嫈璁よ瘉妯″潡(PAM)鐨勬棩蹇楋紝鍖呮嫭鎴愬姛鐨勭櫥褰曪紝澶辮觸鐨勭櫥褰曞皾璇曞拰璁よ瘉鏂瑰紡銆俇buntu 鍜 Debian 鍦 /var/log/auth.log 涓瀛樺偍璁よ瘉淇℃伅錛岃 RedHat 鍜 CentOS 鍒欏湪 /var/log/secure 涓瀛樺偍璇ヤ俊鎮銆
/var/log/kern 瀛樺偍鍐呮牳鐨勯敊璇鍜岃﹀憡鏁版嵁錛岃繖瀵逛簬鎺掗櫎涓庡畾鍒跺唴鏍哥浉鍏崇殑鏁呴殰灝や負瀹炵敤銆
/var/log/cron 瀛樺偍鏈夊叧 cron 浣滀笟鐨勪俊鎮銆備嬌鐢ㄨ繖涓鏁版嵁鏉ョ『淇濅綘鐨 cron 浣滀笟姝f垚鍔熷湴榪愯岀潃銆
Digital Ocean 鏈変竴涓鍏充簬榪欎簺鏂囦歡鐨勫畬鏁存暀紼嬶紝浠嬬粛浜 rsyslog 濡備綍鍦ㄥ父瑙佺殑鍙戣岀増鏈濡 RedHat 鍜 CentOS 涓鍒涘緩瀹冧滑銆
搴旂敤紼嬪簭涔熶細鍦ㄨ繖涓鐩褰曚腑鍐欏叆鏃ュ織鏂囦歡銆備緥濡傚儚 Apache錛孨ginx錛孧ySQL 絳夊父瑙佺殑鏈嶅姟鍣ㄧ▼搴忓彲浠ュ湪榪欎釜鐩褰曚腑鍐欏叆鏃ュ織鏂囦歡銆傚叾涓涓浜涙棩蹇楁枃浠剁敱搴旂敤紼嬪簭鑷宸卞壋寤猴紝鍏朵粬鐨勫垯閫氳繃 syslog (鍏蜂綋瑙佷笅鏂)鏉ュ壋寤恆
浠涔堟槸 Syslog?
Linux 緋葷粺鏃ュ織鏂囦歡鏄濡備綍鍒涘緩鐨勫憿?絳旀堟槸閫氳繃 syslog 瀹堟姢紼嬪簭錛屽畠鍦 syslog 濂楁帴瀛 /dev/log 涓婄洃鍚鏃ュ織淇℃伅錛岀劧鍚庡皢瀹冧滑鍐欏叆閫傚綋鐨勬棩蹇楁枃浠朵腑銆
鍗曡瘝鈥渟yslog鈥 浠h〃鍑犱釜鎰忔濓紝騫剁粡甯歌鍝椾箮鍝鐢ㄦ潵綆縐板備笅鐨勫嚑涓鍚嶇О涔嬩竴錛
Syslog 瀹堟姢榪涚▼ 鈥 涓涓鐢ㄦ潵鎺ユ敹銆佸勭悊鍜屽彂閫 syslog 淇℃伅鐨勭▼搴忋傚畠鍙浠ヨ繙紼嬪彂閫 syslog 鍒頒竴涓闆嗕腑寮忕殑鏈嶅姟鍣ㄦ垨鍐欏叆鍒頒竴涓鏈鍦版枃浠躲傚父瑙佺殑渚嬪瓙鍖呮嫭 rsyslogd 鍜 syslog-ng銆傚湪榪欑嶄嬌鐢ㄦ柟寮忎腑錛屼漢浠甯歌粹滃彂閫佸埌 syslog鈥濄
Syslog 鍗忚 鈥 涓涓鎸囧畾鏃ュ織濡備綍閫氳繃緗戠粶鏉ヤ紶閫佺殑浼犺緭鍗忚鍜屼竴涓閽堝 syslog 淇℃伅(鍏蜂綋瑙佷笅鏂) 鐨勬暟鎹鏍煎紡鐨勫畾涔夈傚畠鍦 RFC-5424 涓琚姝e紡瀹氫箟銆傚逛簬鏂囨湰鏃ュ織錛屾爣鍑嗙殑絝鍙f槸 514錛屽逛簬鍔犲瘑鏃ュ織錛岀鍙f槸 6514銆傚湪榪欑嶄嬌鐢ㄦ柟寮忎腑錛屼漢浠甯歌粹滈氳繃 syslog 浼犻佲濄
Syslog 淇℃伅 鈥 syslog 鏍煎紡鐨勬棩蹇椾俊鎮鎴栦簨浠訛紝瀹冨寘鎷涓涓甯︽湁鍑犱釜鏍囧噯瀛楁電殑娑堟伅澶淬傚湪榪欑嶄嬌鐢ㄦ柟寮忎腑錛屼漢浠甯歌粹滃彂閫 syslog鈥濄
Syslog 淇℃伅鎴栦簨浠跺寘鎷涓涓甯︽湁鍑犱釜鏍囧噯瀛楁電殑娑堟伅澶達紝鍙浠ヤ嬌鍒嗘瀽鍜岃礬鐢辨洿鏂逛究銆傚畠浠鍖呮嫭鏃墮棿鎴熾佸簲鐢ㄧ▼搴忕殑鍚嶇О銆佸湪緋葷粺涓淇℃伅鏉ユ簮鐨勫垎綾繪垨浣嶇疆銆佷互鍙婁簨浠剁殑浼樺厛綰с
涓嬮潰灞曠ず鐨勬槸涓涓鍖呭惈 syslog 娑堟伅澶寸殑鏃ュ織淇℃伅錛屽畠鏉ヨ嚜浜庢帶鍒剁潃鍒拌ョ郴緇熺殑榪滅▼鐧誨綍鐨 sshd 瀹堟姢榪涚▼錛岃繖涓淇℃伅鎻忚堪鐨勬槸涓嬈″け璐ョ殑鐧誨綍灝濊瘯錛
341 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Syslog 鏍煎紡鍜屽瓧孌
姣忔潯 syslog 淇℃伅鍖呭惈涓涓甯︽湁瀛楁電殑淇℃伅澶達紝榪欎簺瀛楁墊槸緇撴瀯鍖栫殑鏁版嵁錛屼嬌寰楀垎鏋愬拰璺鐢變簨浠舵洿鍔犲規槗銆備笅闈㈡槸鎴戜滑浣跨敤鐨勭敤鏉ヤ駭鐢熶笂闈㈢殑 syslog 渚嬪瓙鐨勬牸寮忥紝浣犲彲浠ュ皢姣忎釜鍊煎尮閰嶅埌涓涓鐗瑰畾鐨勫瓧孌電殑鍚嶇О涓娿
澶嶅埗浠g爜
浠g爜濡備笅:
%pri%%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%n
涓嬮潰錛屼綘灝嗙湅鍒頒竴浜涘湪鏌ユ壘鎴栨帓閿欐椂鏈甯鎬嬌鐢ㄧ殑 syslog 瀛楁碉細
鏃墮棿鎴
鏃墮棿鎴 (涓婇潰鐨勪緥瀛愪負 2003-10-11T22:14:15.003Z) 鏆楃ず浜嗗湪緋葷粺涓鍙戦佽ヤ俊鎮鐨勬椂闂村拰鏃ユ湡銆傝繖涓鏃墮棿鍦ㄥ彟涓緋葷粺涓婃帴鏀惰ヤ俊鎮鏃跺彲鑳戒細鏈夋墍涓嶅悓銆備笂闈渚嬪瓙涓鐨勬椂闂存埑鍙浠ュ垎瑙d負錛
2003-10-11 騫達紝鏈堬紝鏃ャ
T 涓烘椂闂存埑鐨勫繀闇鍏冪礌錛屽畠灝嗘棩鏈熷拰鏃墮棿鍒嗛殧寮銆
22:14:15.003 鏄 24 灝忔椂鍒剁殑鏃墮棿錛屽寘鎷榪涘叆涓嬩竴縐掔殑姣縐掓暟(003)銆
Z 鏄涓涓鍙閫夊厓緔狅紝鎸囩殑鏄 UTC 鏃墮棿錛岄櫎浜 Z錛岃繖涓渚嬪瓙榪樺彲浠ュ寘鎷涓涓鍋忕Щ閲忥紝渚嬪 -08:00錛岃繖鎰忓懗鐫鏃墮棿浠 UTC 鍋忕Щ 8 灝忔椂錛屽嵆 PST 鏃墮棿銆
涓繪満鍚
涓繪満鍚 瀛楁(鍦ㄤ笂闈㈢殑渚嬪瓙涓瀵瑰簲 server1.com) 鎸囩殑鏄涓繪満鐨勫悕縐版垨鍙戦佷俊鎮鐨勭郴緇.
搴旂敤鍚
搴旂敤鍚 瀛楁(鍦ㄤ笂闈㈢殑渚嬪瓙涓瀵瑰簲 sshd:auth) 鎸囩殑鏄鍙戦佷俊鎮鐨勭▼搴忕殑鍚嶇О.
浼樺厛綰
浼樺厛綰у瓧孌墊垨緙╁啓涓 pri (鍦ㄤ笂闈㈢殑渚嬪瓙涓瀵瑰簲 ) 鍛婅瘔鎴戜滑榪欎釜浜嬩歡鏈夊氱揣鎬ユ垨澶氫弗宄匯傚畠鐢變袱涓鏁板瓧瀛楁電粍鎴愶細璁懼囧瓧孌靛拰緔фユу瓧孌點傜揣鎬ユу瓧孌典粠浠h〃 debug 綾諱簨浠剁殑鏁板瓧 7 涓鐩村埌浠h〃緔фヤ簨浠剁殑鏁板瓧 0 銆傝懼囧瓧孌墊弿榪頒簡鍝涓榪涚▼鍒涘緩浜嗚ヤ簨浠躲傚畠浠庝唬琛ㄥ唴鏍鎬俊鎮鐨勬暟瀛 0 鍒頒唬琛ㄦ湰鍦板簲鐢ㄤ嬌鐢ㄧ殑 23 銆
Pri 鏈変袱縐嶈緭鍑烘柟寮忋傜涓縐嶆槸浠ヤ竴涓鍗曠嫭鐨勬暟瀛楄〃紺猴紝鍙浠ヨ繖鏍瘋$畻錛氬厛鐢ㄨ懼囧瓧孌電殑鍊間箻浠 8錛屽啀鍔犱笂緔фユу瓧孌電殑鍊礆細(璁懼囧瓧孌)(8) + (緔фユу瓧孌)銆傜浜岀嶆槸 pri 鏂囨湰錛屽皢浠モ滆懼囧瓧孌.緔фユу瓧孌碘 鐨勫瓧絎︿覆鏍煎紡杈撳嚭銆傚悗涓縐嶆牸寮忔洿鏂逛究闃呰誨拰鎼滅儲錛屼絾鍗犳嵁鏇村氱殑瀛樺偍絀洪棿銆
鍒嗘瀽 Linux 鏃ュ織
鏃ュ織涓鏈夊ぇ閲忕殑淇℃伅闇瑕佷綘澶勭悊錛屽敖綆℃湁鏃跺欐兂瑕佹彁鍙栧苟闈炴兂璞′腑鐨勫規槗銆傚湪榪欑瘒鏂囩珷涓鎴戜滑浼氫粙緇嶄竴浜涗綘鐜板湪灝辮兘鍋氱殑鍩烘湰鏃ュ織鍒嗘瀽渚嬪瓙(鍙闇瑕佹悳緔㈠嵆鍙)銆傛垜浠榪樺皢娑夊強涓浜涙洿楂樼駭鐨勫垎鏋愶紝浣嗚繖浜涢渶瑕佷綘鍓嶆湡鍔鍔涘仛鍑洪傚綋鐨勮劇疆錛屽悗鏈熷氨鑳借妭鐪佸緢澶氭椂闂淬傚規暟鎹榪涜岄珮綰у垎鏋愮殑渚嬪瓙鍖呮嫭鐢熸垚奼囨昏℃暟銆佸規湁鏁堝艱繘琛岃繃婊わ紝絳夌瓑銆
鎴戜滑棣栧厛浼氬悜浣犲睍紺哄備綍鍦ㄥ懡浠よ屼腑浣跨敤澶氫釜涓嶅悓鐨勫伐鍏鳳紝鐒跺悗灞曠ず浜嗕竴涓鏃ュ織綆$悊宸ュ叿濡備綍鑳借嚜鍔ㄥ畬鎴愬ぇ閮ㄥ垎綣侀噸宸ヤ綔浠庤屼嬌寰楁棩蹇楀垎鏋愬彉寰楃畝鍗曘
鐢 Grep 鎼滅儲
鎼滅儲鏂囨湰鏄鏌ユ壘淇℃伅鏈鍩烘湰鐨勬柟寮忋傛悳緔㈡枃鏈鏈甯哥敤鐨勫伐鍏鋒槸 grep銆傝繖涓鍛戒護琛屽伐鍏峰湪澶ч儴鍒 Linux 鍙戣岀増涓閮芥湁錛屽畠鍏佽鎬綘鐢ㄦe垯琛ㄨ揪寮忔悳緔㈡棩蹇椼傛e垯琛ㄨ揪寮忔槸涓縐嶇敤鐗規畩鐨勮璦鍐欑殑銆佽兘璇嗗埆鍖歸厤鏂囨湰鐨勬ā寮忋傛渶綆鍗曠殑妯″紡灝辨槸鐢ㄥ紩鍙鋒妸浣犳兂瑕佹煡鎵劇殑瀛楃︿覆鎷璧鋒潵銆
姝e垯琛ㄨ揪寮
榪欐槸涓涓鍦 Ubuntu 緋葷粺鐨勮よ瘉鏃ュ織涓鏌ユ壘 鈥渦ser hoover鈥 鐨勪緥瀛愶細
澶嶅埗浠g爜
浠g爜濡備笅:
$ grep "user hoover" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
pam_unix(sshd:session): session opened for user hoover by (uid=0)
pam_unix(sshd:session): session closed for user hoover
鏋勫緩綺劇『鐨勬e垯琛ㄨ揪寮忓彲鑳藉緢闅俱備緥濡傦紝濡傛灉鎴戜滑鎯寵佹悳緔涓涓綾諱技絝鍙 鈥4792鈥 鐨勬暟瀛楋紝瀹冨彲鑳戒篃浼氬尮閰嶆椂闂存埑銆乁RL 浠ュ強鍏跺畠涓嶉渶瑕佺殑鏁版嵁銆俇buntu 涓涓嬮潰鐨勪緥瀛愶紝瀹冨尮閰嶄簡涓涓鎴戜滑涓嶆兂瑕佺殑 Apache 鏃ュ織銆
澶嶅埗浠g爜
浠g爜濡備笅:
$ grep "4792" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4972 HTTP/1.0" 404 545 "-" "-"
鐜緇曟悳緔
鍙︿竴涓鏈夌敤鐨勫皬鎶宸ф槸浣犲彲浠ョ敤 grep 鍋氱幆緇曟悳緔銆傝繖浼氬悜浣犲睍紺轟竴涓鍖歸厤鍓嶉潰鎴栧悗闈㈠嚑琛屾槸浠涔堛傚畠鑳藉府鍔╀綘璋冭瘯瀵艱嚧閿欒鎴栭棶棰樼殑涓滆タ銆侭 閫夐」灞曠ず鍓嶉潰鍑犺岋紝A 閫夐」灞曠ず鍚庨潰鍑犺屻備婦涓渚嬪瓙錛屾垜浠鐭ラ亾褰撲竴涓浜轟互綆$悊鍛樺憳韜浠界櫥褰曞け璐ユ椂錛屽悓鏃朵粬浠鐨 IP 涔熸病鏈夊弽鍚戣В鏋愶紝涔熷氨鎰忓懗鐫浠栦滑鍙鑳芥病鏈夋湁鏁堢殑鍩熷悕銆傝繖闈炲父鍙鐤!
澶嶅埗浠g爜
浠g爜濡備笅:
$ grep -B 3 -A 2 'Invalid user' /var/log/auth.log
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: reverse mapping checking getaddrinfo for 216-19-2-8.commspeed.net [216.19.2.8] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Tail
浣犱篃鍙浠ユ妸 grep 鍜 tail 緇撳悎浣跨敤鏉ヨ幏鍙栦竴涓鏂囦歡鐨勬渶鍚庡嚑琛岋紝鎴栬呰窡韙鏃ュ織騫跺疄鏃舵墦鍗般傝繖鍦ㄤ綘鍋氫氦浜掑紡鏇存敼鐨勬椂鍊欓潪甯告湁鐢錛屼緥濡傚惎鍔ㄦ湇鍔″櫒鎴栬呮祴璇曚唬鐮佹洿鏀廣
澶嶅埗浠g爜
浠g爜濡備笅:
$ tail -f /var/log/auth.log | grep 'Invalid user'
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
鍏充簬 grep 鍜屾e垯琛ㄨ揪寮忕殑璇︾粏浠嬬粛騫朵笉鍦ㄦ湰鎸囧崡鐨勮寖鍥達紝浣 Ryan鈥檚 Tutorials 鏈夋洿娣卞叆鐨勪粙緇嶃
鏃ュ織綆$悊緋葷粺鏈夋洿楂樼殑鎬ц兘鍜屾洿寮哄ぇ鐨勬悳緔㈣兘鍔涖傚畠浠閫氬父浼氱儲寮曟暟鎹騫惰繘琛屽苟琛屾煡璇錛屽洜姝や綘鍙浠ュ緢蹇鐨勫湪鍑犵掑唴灝辮兘鎼滅儲 GB 鎴 TB 鐨勬棩蹇椼傜浉姣斾箣涓嬶紝grep 灝遍渶瑕佸嚑鍒嗛挓錛屽湪鏋佺鎯呭喌涓嬪彲鑳界敋鑷沖嚑灝忔椂銆傛棩蹇楃$悊緋葷粺涔熶嬌鐢ㄧ被浼 Lucene 鐨勬煡璇㈣璦錛屽畠鎻愪緵鏇寸畝鍗曠殑璇娉曟潵媯緔㈡暟瀛椼佸煙浠ュ強鍏跺畠銆
鐢 Cut銆 AWK銆 鍜 Grok 瑙f瀽
Linux 鎻愪緵浜嗗氫釜鍛戒護琛屽伐鍏風敤浜庢枃鏈瑙f瀽鍜屽垎鏋愩傚綋浣犳兂瑕佸揩閫熻В鏋愬皯閲忔暟鎹鏃墮潪甯告湁鐢錛屼絾澶勭悊澶ч噺鏁版嵁鏃跺彲鑳介渶瑕佸緢闀挎椂闂淬
Cut
cut 鍛戒護鍏佽鎬綘浠庢湁鍒嗛殧絎︾殑鏃ュ織瑙f瀽瀛楁點傚垎闅旂︽槸鎸囪兘鍒嗗紑瀛楁墊垨閿鍊煎圭殑絳夊彿鎴栭楀彿絳夈
鍋囪炬垜浠鎯充粠涓嬮潰鐨勬棩蹇椾腑瑙f瀽鍑虹敤鎴鳳細
澶嶅埗浠g爜
浠g爜濡備笅:
pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost= user=root
鎴戜滑鍙浠ュ儚涓嬮潰榪欐牱鐢 cut 鍛戒護鑾峰彇鐢ㄧ瓑鍙峰垎鍓插悗鐨勭鍏涓瀛楁電殑鏂囨湰銆傝繖鏄涓涓 Ubuntu 緋葷粺涓婄殑渚嬪瓙錛
澶嶅埗浠g爜
浠g爜濡備笅:
$ grep "authentication failure" /var/log/auth.log | cut -d '=' -f 8
root
hoover
root
nagios
nagios
AWK
鍙﹀栵紝浣犱篃鍙浠ヤ嬌鐢 awk錛屽畠鑳芥彁渚涙洿寮哄ぇ鐨勮В鏋愬瓧孌靛姛鑳姐傚畠鎻愪緵浜嗕竴涓鑴氭湰璇璦錛屼綘鍙浠ヨ繃婊ゅ嚭鍑犱箮浠諱綍涓嶇浉騫茬殑涓滆タ銆
渚嬪傦紝鍋囪懼湪 Ubuntu 緋葷粺涓鎴戜滑鏈変笅闈㈢殑涓琛屾棩蹇楋紝鎴戜滑鎯寵佹彁鍙栫櫥褰曞け璐ョ殑鐢ㄦ埛鍚嶇О錛
澶嶅埗浠g爜
浠g爜濡備笅:
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
浣犲彲浠ュ儚涓嬮潰榪欐牱浣跨敤 awk 鍛戒護銆傞栧厛錛岀敤涓涓姝e垯琛ㄨ揪寮 /sshd.*invalid user/ 鏉ュ尮閰 sshd invalid user 琛屻傜劧鍚庣敤 { print $9 } 鏍規嵁榛樿ょ殑鍒嗛殧絎︾┖鏍兼墦鍗扮涔濅釜瀛楁點傝繖鏍峰氨杈撳嚭浜嗙敤鎴峰悕銆
澶嶅埗浠g爜
浠g爜濡備笅:
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
浣犲彲浠ュ湪 Awk 鐢ㄦ埛鎸囧崡 涓闃呰繪洿澶氬叧浜庡備綍浣跨敤姝e垯琛ㄨ揪寮忓拰杈撳嚭瀛楁電殑淇℃伅銆
鏃ュ織綆$悊緋葷粺
鏃ュ織綆$悊緋葷粺浣垮緱瑙f瀽鍙樺緱鏇村姞綆鍗曪紝浣跨敤鎴瘋兘蹇閫熺殑鍒嗘瀽寰堝氱殑鏃ュ織鏂囦歡銆備粬浠鑳借嚜鍔ㄨВ鏋愭爣鍑嗙殑鏃ュ織鏍煎紡錛屾瘮濡傚父瑙佺殑 Linux 鏃ュ織鍜 Web 鏈嶅姟鍣ㄦ棩蹇椼傝繖鑳借妭鐪佸緢澶氭椂闂達紝鍥犱負褰撳勭悊緋葷粺闂棰樼殑鏃跺欎綘涓嶉渶瑕佽冭檻鑷宸卞啓瑙f瀽閫昏緫銆
涓嬮潰鏄涓涓 sshd 鏃ュ織娑堟伅鐨勪緥瀛愶紝瑙f瀽鍑轟簡姣忎釜 remoteHost 鍜 user銆傝繖鏄 Loggly 涓鐨勪竴寮犳埅鍥撅紝瀹冩槸涓涓鍩轟簬浜戠殑鏃ュ織綆$悊鏈嶅姟銆
銆浣犱篃鍙浠ュ歸潪鏍囧噯鏍煎紡鑷瀹氫箟瑙f瀽銆備竴涓甯哥敤鐨勫伐鍏鋒槸 Grok錛屽畠鐢ㄤ竴涓甯歌佹e垯琛ㄨ揪寮忓簱錛屽彲浠ヨВ鏋愬師濮嬫枃鏈涓虹粨鏋勫寲 JSON銆備笅闈㈡槸涓涓 Grok 鍦 Logstash 涓瑙f瀽鍐呮牳鏃ュ織鏂囦歡鐨勪簨渚嬮厤緗錛
澶嶅埗浠g爜
浠g爜濡備笅:
filter{
grok {
match => {"message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}%{NOTSPACE} %{NOTSPACE}%{NUMBER:ration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}"
}
}
涓嬪浘鏄 Grok 瑙f瀽鍚庤緭鍑虹殑緇撴灉錛
銆鐢 Rsyslog 鍜 AWK 榪囨護
榪囨護浣垮緱浣犺兘媯緔涓涓鐗瑰畾鐨勫瓧孌靛艱屼笉鏄榪涜屽叏鏂囨緔銆傝繖浣誇綘鐨勬棩蹇楀垎鏋愭洿鍔犲噯紜錛屽洜涓哄畠浼氬拷鐣ユ潵鑷鍏跺畠閮ㄥ垎鏃ュ織淇℃伅涓嶉渶瑕佺殑鍖歸厤銆備負浜嗗逛竴涓瀛楁靛艱繘琛屾悳緔錛屼綘棣栧厛闇瑕佽В鏋愭棩蹇楁垨鑰呰嚦灝戞湁瀵逛簨浠剁粨鏋勮繘琛屾緔㈢殑鏂瑰紡銆
濡備綍瀵瑰簲鐢ㄨ繘琛岃繃婊
閫氬父錛屼綘鍙鑳藉彧鎯崇湅涓涓搴旂敤鐨勬棩蹇椼傚傛灉浣犵殑搴旂敤鎶婅板綍閮戒繚瀛樺埌涓涓鏂囦歡涓灝變細寰堝規槗銆傚傛灉浣犻渶瑕佸湪涓涓鑱氶泦鎴栭泦涓寮忔棩蹇椾腑榪囨護涓涓搴旂敤灝變細姣旇緝澶嶆潅銆備笅闈㈡湁鍑犵嶆柟娉曟潵瀹炵幇錛
鐢 rsyslog 瀹堟姢榪涚▼瑙f瀽鍜岃繃婊ゆ棩蹇椼備笅闈㈢殑渚嬪瓙灝 sshd 搴旂敤鐨勬棩蹇楀啓鍏ヤ竴涓鍚嶄負 sshd-message 鐨勬枃浠訛紝鐒跺悗涓㈠純浜嬩歡浠ヤ究瀹冧笉浼氬湪鍏跺畠鍦版柟閲嶅嶅嚭鐜般備綘鍙浠ュ皢瀹冩坊鍔犲埌浣犵殑 rsyslog.conf 鏂囦歡涓嫻嬭瘯榪欎釜渚嬪瓙銆
澶嶅埗浠g爜
浠g爜濡備笅:
:programname, isequal, "sshd" /var/log/sshd-messages
~
鐢ㄧ被浼 awk 鐨勫懡浠よ屽伐鍏鋒彁鍙栫壒瀹氬瓧孌電殑鍊礆紝渚嬪 sshd 鐢ㄦ埛鍚嶃備笅闈㈡槸 Ubuntu 緋葷粺涓鐨勪竴涓渚嬪瓙銆
澶嶅埗浠g爜
浠g爜濡備笅:
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
鐢ㄦ棩蹇楃$悊緋葷粺鑷鍔ㄨВ鏋愭棩蹇楋紝鐒跺悗鍦ㄩ渶瑕佺殑搴旂敤鍚嶇О涓婄偣鍑昏繃婊ゃ備笅闈㈡槸鍦 Loggly 鏃ュ織綆$悊鏈嶅姟涓鎻愬彇 syslog 鍩熺殑鎴鍥俱傛垜浠瀵瑰簲鐢ㄥ悕縐 鈥渟shd鈥 榪涜岃繃婊わ紝濡傜淮鎮╁浘鍥炬爣鎵紺恆
銆濡備綍榪囨護閿欒
涓涓浜烘渶甯屾湜鐪嬪埌鏃ュ織涓鐨勯敊璇銆備笉騫哥殑鏄錛岄粯璁ょ殑 syslog 閰嶇疆涓嶇洿鎺ヨ緭鍑洪敊璇鐨勪弗閲嶆э紝涔熷氨浣垮緱闅句互榪囨護瀹冧滑銆
榪欓噷鏈変袱涓瑙e喅璇ラ棶棰樼殑鏂規硶銆傞栧厛錛屼綘鍙浠ヤ慨鏀逛綘鐨 rsyslog 閰嶇疆錛屽湪鏃ュ織鏂囦歡涓杈撳嚭閿欒鐨勪弗閲嶆э紝浣垮緱渚誇簬鏌ョ湅鍜屾緔銆傚湪浣犵殑 rsyslog 閰嶇疆涓浣犲彲浠ョ敤 pri-text 娣誨姞涓涓 妯℃澘錛屽儚涓嬮潰榪欐牱錛
澶嶅埗浠g爜
浠g爜濡備笅:
"%pri-text% : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%n"
榪欎釜渚嬪瓙浼氭寜鐓т笅闈㈢殑鏍煎紡杈撳嚭銆備綘鍙浠ョ湅鍒拌ヤ俊鎮涓鎸囩ず閿欒鐨 err銆
澶嶅埗浠g爜
浠g爜濡備笅:
: Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
浣犲彲浠ョ敤 awk 鎴栬 grep 媯緔㈤敊璇淇℃伅銆傚湪 Ubuntu 涓錛屽硅繖涓渚嬪瓙錛屾垜浠鍙浠ョ敤涓浜涜娉曠壒寰侊紝渚嬪 . 鍜 錛屽畠浠鍙浼氬尮閰嶈繖涓鍩熴
澶嶅埗浠g爜
浠g爜濡備笅:
$ grep '.err' /var/log/auth.log
: Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
浣犵殑絎浜屼釜閫夋嫨鏄浣跨敤鏃ュ織綆$悊緋葷粺銆傚ソ鐨勬棩蹇楃$悊緋葷粺鑳借嚜鍔ㄨВ鏋 syslog 娑堟伅騫舵娊鍙栭敊璇鍩熴傚畠浠涔熷厑璁鎬綘鐢ㄧ畝鍗曠殑鐐瑰嚮榪囨護鏃ュ織娑堟伅涓鐨勭壒瀹氶敊璇銆
涓嬮潰鏄 Loggly 涓涓涓鎴鍥撅紝鏄劇ず浜嗛珮浜閿欒涓ラ噸鎬х殑 syslog 鍩燂紝琛ㄧず鎴戜滑姝e湪榪囨護閿欒錛