secure log analysis script
Part 1. How to view logs in the SecureCRT software
Checks from the command line:
1) ls: lists files and directories (equivalent to dir; dir can also be used). -A: list all files, including hidden files. -l: list format, including most of each file's attributes. -R: recursive display. --help: help for this command.
2) cd: change directory. cd /: go to the root directory. cd: return to your own directory (different users have different directories; for root it is /root, for xxt it is /home/xxt). cd ..: go to the parent directory. pwd: show the current directory.
3) less filename: view the contents of a file.
4) q: quit the opened file.
5) Upload a file: rz, select the file to send, confirm.
6) Download a file: sz with the file name, press Enter, and the file is downloaded to the secureCRT/download directory. Note: command --help shows the detailed parameters of a command, e.g. rz --help, sz --help.
7) Delete files: rm deletes a file; rmdir deletes an empty directory.
8) Display: the last 20 commands entered.
Part 2. Quick analysis of the /var/log/secure log: has the server been attacked?
Posted by: 独自等待
The other day I checked the server security log; the firewall had blocked and dealt with a number of IPs brute-forcing the ssh password (one of the IP addresses belonged to a well-known CDN provider in Beijing), and then I manually deleted all the /var/log/secure* log files.
When I went back to look at the log today, I found that /var/log/secure had recorded nothing at all, and only then remembered that when you delete a log file directly, the corresponding service needs to be restarted. After running the commands service syslog restart ;service sshd restart it was back to normal.
While at it, a quick review of how ssh logging is configured in syslog.
1. The setting in /etc/ssh/sshd_config (i.e. SyslogFacility set to AUTHPRIV):
[root@mail ~]# more /etc/ssh/sshd_config
#Port 22
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# i.e. sshd's log is defined at the authpriv.info level.
2. The matching setting in /etc/syslog.conf:
[root@mail ~]# more /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
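The two settings above only work as a pair: sshd must log to a facility that syslog.conf actually routes to a file, otherwise the messages vanish the way they did after the log file was deleted. The following is an added example (not part of the original post) that checks that pairing. The two configuration texts are constructed samples embedded in the script so it runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: confirm that the facility sshd logs to (SyslogFacility in
# sshd_config) is routed to a file by syslog.conf. Both configs below are
# constructed samples; pass the real file contents to check a live host.

SSHD_CONFIG_SAMPLE='#Port 22
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO'

SYSLOG_CONF_SAMPLE='*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure'

# Print the effective SyslogFacility, lower-cased to match syslog.conf
# selector spelling. sshd defaults to AUTH when the line is absent or
# commented out, so a commented line must not count.
sshd_facility() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*SyslogFacility[ \t]/ { fac = $2 }
        END { print tolower(fac == "" ? "AUTH" : fac) }'
}

# Print the target of every syslog.conf rule whose selector list covers the
# facility: "facility.<level>", "facility.*" or the "*" wildcard, unless the
# same rule also carries a "facility.none" exclusion (as /var/log/messages
# does for authpriv above). Prints nothing if the facility is unrouted.
syslog_targets_for() {
    printf '%s\n' "$2" | awk -v fac="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            n = split($1, sel, ";")
            hit = 0
            for (i = 1; i <= n; i++) {
                split(sel[i], part, ".")
                if (part[1] == fac && part[2] == "none") { hit = 0; break }
                if (part[1] == fac || part[1] == "*") hit = 1
            }
            if (hit) print $2
        }'
}

# Print the log file(s) that will receive sshd messages and return 0;
# return 1 when the messages would be silently dropped.
check_sshd_logging() {
    fac=$(sshd_facility "$1")
    targets=$(syslog_targets_for "$fac" "$2")
    [ -n "$targets" ] || return 1
    printf '%s\n' "$targets"
}

check_sshd_logging "$SSHD_CONFIG_SAMPLE" "$SYSLOG_CONF_SAMPLE"
```

With the samples above the check prints /var/log/secure. Dropping the authpriv.* rule, or leaving only the *.info rule with its authpriv.none exclusion, makes it return 1, which is the case where the "deleted log, nothing recorded" symptom would persist even after the restart.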
Part 3. While learning Linux shell scripting, the teacher set a problem: in the security messages of the /var/log/secure log, once the count exceeds ten, add it to hosts.deny.
That is simple; here is one I wrote before:
#!/bin/bash
# Count failed SSH logins per source IP in /var/log/secure and add every
# source that exceeds $max attempts to /etc/hosts.deny.
file="/var/log/secure"
max=10
list="/shell/ip.txt"

if [[ -f $file ]]
then
    # "Failed password for <user> from <ip> port <n> ssh2": the IP is the
    # 4th field from the end. uniq -c needs sorted input; emit "ip=count".
    grep Failed "$file" | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $2 "=" $1}' > "$list"
fi

for a in $(cat "$list")
do
    ip=$(echo "$a" | awk -F"=" '{print $1}')
    count=$(echo "$a" | awk -F"=" '{print $2}')
    if [[ $count -gt $max ]]
    then
        # Only add an address that is not already listed.
        if ! grep -q "$ip" /etc/hosts.deny
        then
            echo "sshd:$ip" >> /etc/hosts.deny
            # Pipe (not ||) the address into mail so the alert is actually sent.
            echo "$ip" | mail -s "报警" [email protected]
        fi
    fi
done
Part 4. How to configure SecureCRT's automatic log recording and timestamp features
I only started using SecureCRT after I started working, and had never recorded logs, but I searched a bit and this feature looks good: you can see what you did, and sometimes even check whether you made a mistake earlier. It is a very useful feature, so I decided to start recording logs too. The setup is simple, but while fiddling around I found it can also split logs into folders automatically, and I do not know whether everyone knows this, because none of the articles I found mentioned it. So let's get to how to set it up; I hope it helps you.
In the menu, choose "Options" -- "Global Options"
Then choose General -- Default Session -- Edit Default Settings
Then choose Log File
In the log file name, enter the path and file name under which you want the log saved. To get a separate log for every session, you can use the supported parameters: %H host name, %S session name
%Y year %M month %D day
%h hour %m minute %s second
For example, the E:/Development/SecureCRT/Logs/%H/%Y-%M-%D_%h%m%s.log I entered keeps the logs under the E:/Development/SecureCRT/Logs/ directory. The parameters can also be used in the path, such as /%H/; set up this way, the logs of the same host are collected in one folder named after the host, and the folder is created automatically if it does not exist. Here you can also tick "Start log upon connect".
Because we often keep SecureCRT open but are not necessarily using it the whole time, to know when each command line I entered was typed, you can put [%h:%m:%s] in the "On each line" setting.
That way the time each log line was entered is recorded. Thanks for reading, I hope this helps everyone; keep following us and we will work hard to share more good articles.
Part 5. A basic tutorial on Linux system log analysis
First, we will cover the basics of what Linux logs are, where to find them, and how they are created.
Linux system logs
Many valuable log files are created automatically for you by Linux. You can find them in the /var/log directory. Below is what this directory looks like on a typical Ubuntu system:
Some of the most important Linux system logs include:
/var/log/syslog or /var/log/messages stores all global system activity data, including boot messages. Debian-based systems such as Ubuntu store them in /var/log/syslog, while RedHat-based systems such as RHEL or CentOS store them in /var/log/messages.
/var/log/auth.log or /var/log/secure stores logs from the Pluggable Authentication Modules (PAM), including successful logins, failed login attempts and authentication methods. Ubuntu and Debian store authentication information in /var/log/auth.log, while RedHat and CentOS store it in /var/log/secure.
/var/log/kern stores kernel error and warning data, which is especially useful for troubleshooting custom kernels.
/var/log/cron stores information about cron jobs. Use this data to make sure your cron jobs are running successfully.
Digital Ocean has a complete tutorial on these files that describes how rsyslog creates them on common distributions such as RedHat and CentOS.
Applications also write log files in this directory. For example, common server programs such as Apache, Nginx and MySQL can write log files in this directory. Some of these log files are created by the application itself; others are created through syslog (see below).
What is Syslog?
How are Linux system log files created? The answer is through the syslog daemon, which listens for log messages on the syslog socket /dev/log and then writes them to the appropriate log file.
The word "syslog" stands for several things and is often used as shorthand for one of the following:
Syslog daemon: a program that receives, processes and sends syslog messages. It can send syslog remotely to a centralized server or write to a local file. Common examples include rsyslogd and syslog-ng. In this usage people commonly say "sending to syslog".
Syslog protocol: a transport protocol specifying how logs are transmitted over a network, plus a definition of the data format for syslog messages (see below). It is formally defined in RFC-5424. For plain-text logs the standard port is 514; for encrypted logs the port is 6514. In this usage people commonly say "transmitting via syslog".
Syslog message: a log message or event in syslog format, which includes a header with several standard fields. In this usage people commonly say "sending syslog".
Syslog messages or events include a header with several standard fields that make analysis and routing easier. They include the timestamp, the name of the application, the category or location of the message source in the system, and the priority of the event.
Shown below is a log message with a syslog header. It comes from the sshd daemon, which controls remote logins to the system, and the message describes a failed login attempt:
<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2
Syslog format and fields
Every syslog message contains a header with fields; these fields are structured data that make analyzing and routing events easier. Below is the format we used to produce the syslog example above; you can match each value to the name of a specific field.
%pri%%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%n
Below you will see some of the syslog fields most commonly used when searching or troubleshooting:
Timestamp
The timestamp (2003-10-11T22:14:15.003Z in the example above) indicates the time and date at which the message was sent on the system. This time may differ from when the message is received on another system. The timestamp in the example above breaks down as:
2003-10-11 is the year, month and day.
T is a required element of the timestamp that separates the date from the time.
22:14:15.003 is the 24-hour time, including the number of milliseconds (003) into the next second.
Z is an optional element indicating UTC time. Instead of Z, the example could also include an offset such as -08:00, meaning the time is offset 8 hours from UTC, i.e. PST.
Hostname
The hostname field (server1.com in the example above) indicates the name of the host or system that sent the message.
App-name
The app-name field (sshd:auth in the example above) indicates the name of the program that sent the message.
Priority
The priority field, abbreviated pri (<34> in the example above), tells us how urgent or severe the event is. It consists of two numeric fields: the facility and the severity. The severity runs from the number 7 for debug events down to the number 0 for emergency events. The facility describes which process created the event. It runs from the number 0 for kernel messages to 23 for local application use.
Pri can be output in two ways. The first is a single number, calculated by multiplying the facility value by 8 and adding the severity value: (facility)(8) + (severity). The second is pri-text, output as a string in the form "facility.severity". The latter format is easier to read and search, but takes more storage space.
Analyzing Linux logs
There is a lot of information in logs for you to work through, although extracting it is sometimes not as easy as you might think. In this article we will cover some basic log analysis examples you can do right now (just by searching). We will also touch on some more advanced analysis, which requires some effort up front to set up properly but saves a lot of time later. Examples of advanced analysis include generating summary counts, filtering on particular values, and so on.
We will first show you how to use several different tools on the command line, and then show how a log management tool can automate most of the heavy lifting and make log analysis easy.
Searching with Grep
Searching text is the most basic way to find information. The most common tool for searching text is grep. This command-line tool is available on most Linux distributions and lets you search logs with regular expressions. A regular expression is a pattern written in a special language that identifies matching text. The simplest pattern is just the string you are looking for, wrapped in quotes.
Regular expressions
Here is an example of searching for "user hoover" in the authentication log of an Ubuntu system:
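The pri arithmetic above is easy to get wrong by hand, so here is an added example (not part of the original article) that converts between the numeric form and the "facility.severity" text form in both directions, and pulls the pri out of an RFC 5424 header line like the sshd one above. The facility and severity name lists follow the numbering the text describes (0 = kern ... 23 = local7, 0 = emerg ... 7 = debug); the names for facilities 12 to 15 and the function names are this example's own choices, and the sample line is constructed.

```shell
#!/bin/sh
# Added example: pri = facility * 8 + severity, converted both ways.
# Facilities 0-23 in numeric order (12-15 named after their RFC 5424 roles).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
# Severities 0-7 in numeric order.
SEVERITIES="emerg alert crit err warning notice info debug"

# Print the n-th (0-based) word of a space-separated list.
nth_word() {
    echo "$2" | awk -v n="$1" '{ print $(n + 1) }'
}

# Print the 0-based index of a word in a list; prints nothing if absent.
word_index() {
    echo "$2" | awk -v w="$1" '{ for (i = 1; i <= NF; i++) if ($i == w) print i - 1 }'
}

# Numeric pri -> "facility.severity" text, e.g. 34 -> auth.crit
pri_to_text() {
    fac=$(( $1 / 8 ))
    sev=$(( $1 % 8 ))
    [ "$fac" -le 23 ] || return 1
    echo "$(nth_word "$fac" "$FACILITIES").$(nth_word "$sev" "$SEVERITIES")"
}

# "facility.severity" text -> numeric pri, e.g. authpriv.err -> 83
text_to_pri() {
    fac=$(word_index "${1%.*}" "$FACILITIES")
    sev=$(word_index "${1#*.}" "$SEVERITIES")
    [ -n "$fac" ] && [ -n "$sev" ] || return 1
    echo $(( fac * 8 + sev ))
}

# Extract the numeric pri from an RFC 5424 line such as "<34>1 2003-10-11T...".
header_pri() {
    printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p'
}

# Constructed sample in the same shape as the sshd example in the text.
SAMPLE='<34>1 2003-10-11T22:14:15.003Z server1.com sshd - - pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2'

# 34 = 4 * 8 + 2, so the sample was logged as auth.crit.
pri_to_text "$(header_pri "$SAMPLE")"
```

Running the block prints auth.crit for the sample header; text_to_pri authpriv.err gives 83, the numeric form of the pri-text that the rsyslog template later in this article writes out.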
$ grep "user hoover" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
pam_unix(sshd:session): session opened for user hoover by (uid=0)
pam_unix(sshd:session): session closed for user hoover
Constructing a precise regular expression can be hard. For example, if we wanted to search for a number like the port "4792", it might also match timestamps, URLs and other unwanted data. In the Ubuntu example below, it matches an Apache log line we did not want.
$ grep "4792" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4972 HTTP/1.0" 404 545 "-" "-"
Surround search
Another useful tip is that you can do a surround search with grep. This shows you what the few lines before or after a match are, which helps you debug what led to an error or problem. The B option shows the lines before and the A option shows the lines after. For example, we know that when someone fails to log in as administrator and, at the same time, their IP has no reverse DNS, it means they probably do not have a valid domain name. This is very suspicious!
$ grep -B 3 -A 2 'Invalid user' /var/log/auth.log
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: reverse mapping checking getaddrinfo for 216-19-2-8.commspeed.net [216.19.2.8] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Tail
You can also combine grep with tail to get the last few lines of a file, or to follow the log and print it in real time. This is very useful when you are making interactive changes, such as starting a server or testing code changes.
$ tail -f /var/log/auth.log | grep 'Invalid user'
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
A detailed introduction to grep and regular expressions is outside the scope of this guide, but Ryan's Tutorials has a more in-depth introduction.
Log management systems have higher performance and more powerful search capabilities. They usually index the data and run queries in parallel, so you can search gigabytes or terabytes of logs in seconds. By comparison, grep needs minutes and, in extreme cases, possibly hours. Log management systems also use query languages like Lucene's, which offer a simpler syntax for searching numbers, fields and more.
Parsing with Cut, AWK and Grok
Linux provides several command-line tools for parsing and analyzing text. They are very useful when you want to parse a small amount of data quickly, but can take a long time when processing large amounts of data.
Cut
The cut command lets you parse fields from delimited logs. A delimiter is something like an equals sign or a comma that separates fields or key-value pairs.
Suppose we want to parse the user out of the following log line:
pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost= user=root
We can use the cut command as below to get the text of the eighth field after splitting on the equals sign. This is an example on an Ubuntu system:
$ grep "authentication failure" /var/log/auth.log | cut -d '=' -f 8
root
hoover
root
nagios
nagios
AWK
Alternatively, you can use awk, which provides more powerful field parsing. It offers a scripting language with which you can filter out almost anything irrelevant.
For example, suppose on an Ubuntu system we have the following log line and we want to extract the username of the failed login:
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
You can use the awk command as below. First, the regular expression /sshd.*invalid user/ matches the sshd invalid user lines. Then { print $9 } prints the ninth field, split on the default delimiter, whitespace. That outputs the username.
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
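The cut and awk extractions above (and the grep surround search from earlier) are easiest to trust when you can run them against known input. The following is an added example, not code from the article, that embeds a small constructed auth.log in the same shape as the Ubuntu lines shown above and wraps each extraction in a function. It also adds a key-based variant of the cut command, because counting equals signs breaks the moment a line gains or loses a key=value pair. The log contents and function names are this example's own.

```shell
#!/bin/sh
# Added example: the article's cut/awk/grep extractions over a constructed
# auth.log, written to a temporary file that is removed on exit.
AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
Mar 24 08:28:19 ip-172-31-11-241 sshd[32701]: Received disconnect from 10.0.2.2: 11: Bye Bye [preauth]
Mar 24 08:30:02 ip-172-31-11-241 su[5026]: pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost= user=root
Mar 24 08:31:45 ip-172-31-11-241 sshd[32710]: input_userauth_request: invalid user admin [preauth]
Mar 24 08:32:00 ip-172-31-11-241 sshd[32712]: Accepted password for hoover from 10.0.2.2 port 4792 ssh2
Mar 24 08:33:10 ip-172-31-11-241 su[5030]: pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost= user=nagios
EOF

# Target account of each failed su: the 8th '='-separated field, exactly as
# the cut example in the text does it (7 equals signs precede "user=").
failed_su_targets() {
    grep "authentication failure" "$1" | cut -d '=' -f 8
}

# Same data keyed on the field name rather than its position, so an extra or
# missing key=value pair earlier in the line does not shift the answer.
failed_su_targets_by_key() {
    grep "authentication failure" "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^user=/) { sub(/^user=/, "", $i); print $i }
    }'
}

# Usernames from sshd "invalid user" lines: the 9th whitespace field, as in
# the awk example in the text.
invalid_ssh_users() {
    awk '/sshd.*invalid user/ { print $9 }' "$1"
}

# Surround search: one line of context before and after each match.
context_around() {
    grep -B 1 -A 1 "$2" "$1"
}

echo "failed su targets:";   failed_su_targets "$AUTH_LOG"
echo "same, keyed by name:"; failed_su_targets_by_key "$AUTH_LOG"
echo "invalid ssh users:";   invalid_ssh_users "$AUTH_LOG"
echo "context for admin:";   context_around "$AUTH_LOG" 'invalid user admin'
```

On the sample both su extractions print root and nagios, the awk extraction prints guest and admin, and the surround search for the admin attempt returns three lines: the match plus the su failure before it and the accepted login after it.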
You can read more about how to use regular expressions and output fields in the Awk User's Guide.
Log management systems
Log management systems make parsing much easier and let users quickly analyze many log files. They can automatically parse standard log formats, such as common Linux logs and web server logs. This saves a lot of time, because you do not have to think about writing your own parsing logic when dealing with a system problem.
Below is an example of sshd log messages parsed into the remoteHost and user of each one. This is a screenshot from Loggly, a cloud-based log management service.
You can also customize parsing for non-standard formats. A commonly used tool is Grok, which uses a library of common regular expressions to parse raw text into structured JSON. Below is an example configuration of Grok parsing a kernel log file in Logstash:
filter {
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}%{NOTSPACE} %{NOTSPACE}%{NUMBER:duration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}" }
  }
}
The image below is the result output by Grok after parsing:
Filtering with Rsyslog and AWK
Filtering lets you search on a specific field value rather than doing a full-text search. This makes your log analysis more accurate, because it ignores unwanted matches from other parts of the log message. To search on a field value you first need to parse the log, or at least have a way of searching based on the event structure.
How to filter on an application
Usually you only want to see the logs of one application. This is easy if your application writes its records to a single file. It is more complicated if you need to filter one application out of an aggregated or centralized log. Here are several ways to do it:
Parse and filter logs with the rsyslog daemon. The example below writes the logs of the sshd application to a file named sshd-messages, and then discards the event so that it does not appear again elsewhere. You can add it to your rsyslog.conf file to test this example.
:programname, isequal, "sshd" /var/log/sshd-messages
~
Extract the value of a specific field, such as the sshd username, with a command-line tool like awk. Below is an example on an Ubuntu system.
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
Let a log management system parse the logs automatically, then click the application name you want to filter on. Below is a screenshot from the Loggly log management service showing the extracted syslog fields. We filter on the application name "sshd", as shown by the Venn diagram icon.
How to filter on errors
Everyone most wants to see the errors in a log. Unfortunately, the default syslog configuration does not output the severity of errors directly, which makes it hard to filter them.
There are two ways to solve this. First, you can change your rsyslog configuration to output the severity in the log file, making it easy to view and search. In your rsyslog configuration you can add a template using pri-text, like this:
"%pri-text% : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%n"
This example produces output in the following format. You can see the err that indicates an error in the message.
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
You can search the error messages with awk or grep. On Ubuntu, for this example, we can use some syntax features such as . and > that will only match this field.
$ grep '.err' /var/log/auth.log
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
Your second option is to use a log management system. A good log management system parses syslog messages automatically and extracts the error field. They also let you filter on specific errors in log messages with simple clicks.
Below is a screenshot from Loggly showing the syslog field with error severity highlighted, indicating that we are filtering on errors: