Logs hold a large amount of information that you need to process, though extracting it is sometimes not as easy as you might think. This article first walks through some basic log analysis you can do right away (just by searching), then covers some more advanced analysis that needs some setup up front but saves a lot of time later. Examples of advanced analysis include generating summary counts, filtering on specific values, and so on.
(Image: How to analyze Linux logs)
We will first show how to use several different tools at the command line, and then show how a log management tool can automate most of the heavy lifting and make log analysis easy.
Searching with Grep
Searching a file is the simplest way to get at the information, for example with the grep command. This command-line tool is included in most Linux distributions and lets you search the text of your logs. You can even use regular expressions in the search, so you can find the log lines that contain particular key information.
Regular expressions
Here is an example that searches the authentication log on an Ubuntu system for lines containing "user hoover":
$ grep "user hoover" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
pam_unix(sshd:session): session opened for user hoover by (uid=0)
pam_unix(sshd:session): session closed for user hoover
Finding exact text with a search is often hard. For example, to find the port number above you might search for "4792", but that could also match part of a URL, other text or other numbers. Here is what happens on an Ubuntu system: the search also matches a line from an Apache log.
$ grep "4792" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4972 HTTP/1.0" 404 545 "-" "-"
Surround search
Another useful trick is that grep can do a surround search, which shows the lines just before or after a match. That helps when debugging what led up to a particular error or problem. The -B option shows lines before the match and -A shows lines after it. For example, here someone failed to log in as an invalid user, and at the same time the reverse mapping of their IP address failed, which means they may not have a valid domain name. That is very suspicious!
$ grep -B 3 -A 2 'Invalid user' /var/log/auth.log
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: reverse mapping checking getaddrinfo for 216-19-2-8.commspeed.net [216.19.2.8] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Tail
You can also combine grep with tail to get the last few lines of a file, or to follow the log and print new lines in real time. This is useful when you are making interactive changes, such as starting a server or testing a code change.
$ tail -f /var/log/auth.log | grep 'Invalid user'
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
A full tutorial on grep and regular expressions is beyond the scope of this guide, but Ryan's Tutorials covers them in more depth.
Log management systems offer higher performance and more powerful analysis. They typically index the data and run queries in parallel, so you can search GB or TB of logs in seconds. With grep the same search takes minutes, or in extreme cases hours. Log management systems also use query languages such as Lucene, which give a simpler syntax for searching on numbers, fields and more.
Parsing with Cut, AWK and Grok
Command-line tools
Linux provides several command-line tools for parsing and analysing text. They are great when you want to quickly parse a small amount of data, but can take a long time on large volumes.
Cut
The cut command lets you parse fields out of delimited logs. Delimiters are characters such as equals signs or commas that separate fields or key-value pairs.
Suppose we want to parse the user out of this line:
pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost=  user=root
We can use cut like this to get the text after the eighth equals sign. This example is from an Ubuntu system:
$ grep "authentication failure" /var/log/auth.log | cut -d '=' -f 8
root
hoover
root
nagios
nagios
AWK
Alternatively you can use awk, which offers more powerful field parsing. It provides a scripting language, so you can filter out almost everything that is not relevant.
For example, suppose we have the following log line on an Ubuntu system and want to extract the username that failed to log in:
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
Here is how to do it with awk. First, the regular expression /sshd.*invalid user/ matches the sshd invalid user lines. Then { print $9 } prints the ninth field, using the default delimiter of whitespace. The output is the usernames:
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
You can read more about parsing and printing fields in the Awk User's Guide.
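As an added example (not part of the original guide), here is the same field extraction in Python: a regular expression with named groups splits the syslog header into fields the way a Grok pattern would, and a second pattern pulls the user and source address out of sshd's "Invalid user" messages, so the result is filtered on the program field rather than on free text. The sample lines are constructed from the log formats shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines in the Ubuntu auth.log format shown on this page.
SAMPLE_AUTH_LOG = """\
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
Apr 30 19:50:01 ip-172-31-11-241 CRON[6520]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Named groups play the role of Grok's %{PATTERN:name} captures: the syslog
# header becomes fixed fields and the free-text message is kept whole.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
# Only the "Invalid user X from IP" form of the message carries the source address.
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)$")


def parse_syslog_line(line):
    """Return the line as a dict of fields, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def invalid_user_attempts(text):
    """Yield (user, rhost) for sshd 'Invalid user' events. Lines from other
    programs are ignored even if their text happens to contain the same words."""
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["program"] != "sshd":
            continue
        m = INVALID_USER_RE.match(rec["message"])
        if m:
            yield m.group("user"), m.group("rhost")


def attempts_by_source(text):
    """Count invalid-user attempts per remote host, most active first."""
    return Counter(rhost for _, rhost in invalid_user_attempts(text)).most_common()


if __name__ == "__main__":
    for rhost, n in attempts_by_source(SAMPLE_AUTH_LOG):
        print(f"{n:4d}  {rhost}")
```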
Log management systems
Log management systems make parsing easier and let users analyse large amounts of log data quickly. They automatically parse standard log formats such as common Linux logs and web server logs. This saves a lot of time, because you do not have to think about writing your own parsing logic while troubleshooting a system problem.
Here is an example sshd log message with the remoteHost and user fields parsed out. This is a screenshot from Loggly, a cloud-based log management service.
(Image: How to analyze Linux logs)
You can also do custom parsing for non-standard formats. A commonly used tool is Grok, which uses a library of common regular expressions to parse raw text into structured JSON. Here is an example Grok configuration for parsing kernel log files inside Logstash:
filter {
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}%{NOTSPACE} %{NOTSPACE}%{NUMBER:duration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}" }
  }
}
Here is what the parsed output from Grok looks like:
(Image: How to analyze Linux logs)
Filtering with Rsyslog and AWK
Filtering lets you search on the value of a specific field instead of doing a full-text search. This makes your log analysis more accurate, because it ignores unwanted matches from other parts of the log message. To search on a field value you first need to parse the logs, or at least have some way of searching based on the event structure.
How to filter on one application
Often you only want to see the logs of a single application. That is easy if your application writes all of its logs to one file. It is more complicated if you need to filter one application out of an aggregated or centralized log. Here are several ways to do it:
Use the rsyslog daemon to parse and filter logs. The example below writes the logs of the sshd application to a file named sshd-messages, then discards the event so it is not repeated elsewhere. You can try this example by adding it to your rsyslog.conf file:
:programname, isequal, "sshd" /var/log/sshd-messages
&~
Use a command-line tool such as awk to extract the values of a particular field, for example the sshd username. This example is from an Ubuntu system:
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
Use a log management system that parses your logs automatically, then click on the desired application name to filter. Here is a screenshot of the syslog fields in the Loggly log management service, filtering on the application name "sshd".
How to filter on errors
What people most often want to see in their logs are errors. Unfortunately, the default syslog configuration does not output the severity of messages directly, which makes them hard to filter on.
There are two ways to solve this problem. First, you can modify your rsyslog configuration to output the severity in the log file, so it is easier to read and search. In your rsyslog configuration you can add a template using pri-text, like this:
"<%pri-text%> : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%n"
This example produces output in the following format. You can see that the severity in this message is err, which is what we want:
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
You can use awk or grep to search for just the error messages. In this Ubuntu example we include some of the surrounding syntax, the . and the >, so that only this field is matched:
$ grep '.err>' /var/log/auth.log
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
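As an added example (not from the original guide), the pri-text output above parsed into facility and severity fields in Python, then filtered by severity rank rather than by the literal string ".err>": a grep on ".err>" sees only err messages, while a rank comparison also keeps crit, alert and emerg, which are worse. The severity keywords and their order are the standard syslog table; the sample lines are constructed in the template format shown above.

```python
import re

# Constructed sample lines in the pri-text template format shown above:
# "<%pri-text%> : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%n"
SAMPLE_PRITEXT_LOG = """\
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
<authpriv.info> : Mar 11 18:18:05,hoover-VirtualBox,sshd[5030]:, Accepted password for hoover from 10.0.2.2 port 4792 ssh2
<kern.crit> : Mar 11 18:19:10,hoover-VirtualBox,kernel:, constructed critical kernel message for this example
<daemon.notice> : Mar 11 18:19:11,hoover-VirtualBox,systemd[1]:, Started Session 12 of user hoover.
"""

# Standard syslog severity keywords; a lower number is more severe.
SEVERITY_LEVEL = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}

# facility.severity inside <>, then the comma-separated template fields.
PRITEXT_RE = re.compile(
    r"^<(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+)> : "
    r"(?P<timestamp>[^,]+),(?P<host>[^,]+),(?P<tag>[^,]*),(?P<msg>.*)$"
)


def parse_pritext_line(line):
    """Split one pri-text formatted line into its fields, or return None."""
    m = PRITEXT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def at_least(text, threshold="err"):
    """Return the parsed records whose severity is `threshold` or worse.
    Unknown severity keywords are treated as least severe and dropped."""
    limit = SEVERITY_LEVEL[threshold]
    out = []
    for line in text.splitlines():
        rec = parse_pritext_line(line)
        if rec and SEVERITY_LEVEL.get(rec["severity"], 99) <= limit:
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in at_least(SAMPLE_PRITEXT_LOG):
        print(rec["facility"], rec["severity"], rec["tag"], rec["msg"].strip())
```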
Your log management system makes this easier, because it parses the log data automatically and lets you filter on the error severity.
Here is a screenshot from Loggly showing the syslog fields filtered on the error severity.