2016/5/24
用logfmon即時比對 Log 透過 gcalcli 存入線上行事曆
指令列串接 Google 日曆打造超炫全自動系統日誌
吳惠麟
URL http://netadmin.pcuser.com.tw/article_content.aspx?sn=1605130016&jump=1
這個 Idea 真的很好,但我這裡僅只試了 logfmon 這個程式.
主要拿它來做簡單的網管運用,
依據上面的文章 logfmon 這支程式是放在
http://sourceforge.net/projects/logfmon/
供人下載與安裝,但我使用之時,它是在 github 上.
https://github.com/nicm/logfmon
不過沒差,還是OK的.
看一下 logfmon 流程
http://netadmin.pcuser.com.tw/images/news/NP160513001616051315272705.png
應該跟 Swatch 的用法差不多,
https://sourceforge.net/projects/swatch/
拿它來做簡單的網路設備 log 分析應該不錯.
所以參照我之前用 Swatch 的技法,
改為 logfmon 的技法!
Swatch 的技法,請自行參閱
http://xrcd2.blogspot.tw/2012/05/cacti-xsmsapi-soap-cacti-sms.html
or
http://xrcd2.blogspot.tw/2016/01/cisco-ios-configuration-cisco-config.html
本文開始
以 CentOS 6.X Linux 為 LAB
(1) 安裝 logfmon
#git clone https://github.com/nicm/logfmon
#cd logfmon
#./autogen.sh
#./configure
#make
#make install
預設裝在哪??
[root@bbb logfmon]# whereis logfmon
logfmon: /usr/local/bin/logfmon
man 一下好了..
[root@bbb logfmon]# man logfmon
LOGFMON(8) BSD System Manager’s Manual LOGFMON(8)
NAME
logfmon - log file monitoring daemon
SYNOPSIS
logfmon [-dsv] [-f conffile] [-c cachefile] [-p pidfile]
DESCRIPTION
The logfmon daemon monitors a set of syslog log files and matches each new entry against the rules defined in its configuration file. Each rule may be
tested against entries from a single file, a set of files or from all files. Depending on the rule, a command may be executed or the entry may be
ignored. All unmatched messages are batched together and mailed every 15 minutes, or whatever alternative time is specified in the configuration file.
Messages may also be collected into contexts and piped to a command after a final message is found or a number of messages is reached. See
logfmon.conf(5) for more details of this.
The options are as follows:
-c cachefile
Specify the cache file location. Default is /var/db/logfmon.cache.
This overrides any location specified in the configuration file.
-d Run in the foreground and log to stderr.
This option also causes additional debugging messages to be generated. This option may be specified multiple times for increasing levels of
verbosity.
-s Monitor stdin. This causes logfmon to remain in the foreground and filter log messages passed on stdin.
-f conffile
Specify the configuration file location. Default is /etc/logfmon.conf.
-p pidfile Specify the pid file location. Default is /var/run/logfmon.pid.
This overrides any location specified in the configuration file.
-v Display the logfmon version, and exit.
FILES
/etc/logfmon.conf default logfmon configuration file
SEE ALSO
syslog(3), logfmon.conf(5)
.....
這樣 logfmon 就裝好了.
(2) 設定 rsyslog
[root@bbb net]# vi /etc/rsyslog.conf
1 # rsyslog v5 configuration file
2
3 # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
4 # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
5
6 #### MODULES ####
7
8 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
9 $ModLoad imklog # provides kernel logging support (previously done by rklogd)
10 #$ModLoad immark # provides --MARK-- message capability
11
12 # Provides UDP syslog reception
13 $ModLoad imudp
14 $UDPServerRun 514
設定 rsyslog 可以對外收 syslog message
12 # Provides UDP syslog reception
--> $ModLoad imudp
--> $UDPServerRun 514
並指定收到 主機或某網段 的 syslog message 存入某一個檔案中,
預備成為 logfmon 被監控的檔案
--> 88 if $fromhost-ip == '192.168.111.61' then /var/log/net/vyos.log
重啟 rsyslog 服務
#service rsyslog restart
設定 192.168.111.61 (client )這台 vyos 的 config ,
宣告它的 syslog host 為 192.168.111.247 ( Rsyslog + logfmon Server )
所以 topolog 為 192.168.111.61 (client ) ---> 192.168.111.247 (Server)
Client 端只要是支援標準的 syslog 即可使用.
Server 端是透過 Rsyslog 作為 syslog server 的角色.
用其它的也可,只是 logfmon 只能用在 log 檔案的分析.
vyos 的設定如下;(模擬成網路設備,Client 端角色)
vyos@vyos:~$ show configuration commands
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$wycLUv4kpl$WEywQMIvFUqIC9yA3HPb42IG0328X1iNqa1967sFWEce6oC6SrvcV3Nn2hQF1n4bTE/vyQ9e9LyF813VEx9HS.'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '168.95.1.1'
set system name-server '168.95.192.1'
set system ntp server 'clock.hinet.net'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system syslog host 192.168.111.247 facility all level 'all'
set system time-zone 'Asia/Taipei'
vyos@vyos:~$
到目前為止,已有 Syslog Message Client + Server 也安裝好了 logfmon 了.
設定 logfmon.conf (依據 man 的說明是寫在 /etc/logfmon.conf 中),
內容依實務需求撰寫之.
# cat /etc/logfmon.conf
set logregexp "(.*)"
file "/var/log/net/vyos.log" tag login
match in login "(.*)(Accepted password for)(.*)" exec "/usr/bin/perl /root/shell/sendmail.pl \"$1\" \"$2\" \"$3\""
match in login "(.*)(session closed for user)(.*)" exec "/usr/bin/perl /root/shell/sendmail.pl \"$1\" \"$2\" \"$3\""
原始的 log 內文 如下.
Nov 18 14:00:25 vyos sshd[7071]: Accepted password for vyos from 192.168.1.115 port 50960 ssh2
Nov 18 14:01:08 vyos sshd[7071]: pam_unix(sshd:session): session closed for user vyos
參照(正規化表示法比對)
match in login "(.*)(Accepted password for)(.*)"
match in login "(.*)(session closed for user)(.*)"
exec ... sendmail .... (執行自定指令)
# cat /root/shell/sendmail.pl
#!/usr/bin/perl
use Mail::Sender;
print " \n Start \n ";
$sender = new Mail::Sender
{smtp => '192.168.1.xxx', from => 'Test-Alert@abc.com.tw'} or die "Error in mailing : $Mail::Sender::Error\n";
$sender->MailMsg({to => 'xrcd2@abc.com.tw',subject => 'Test_Alert',msg => "My Test \n\n $ARGV[0] $ARGV[1] $ARGV[2] \n ",debug => $DEBUG,debug_level => 4});
print " \n END \n\n";
print " \n $DEBUG \n ";
DEMO
執行 logfmon
[root@bbb net]# logfmon -f /etc/logfmon.conf
驗證 logfmon 是否有被正常執行,如它無法正常被執行,
請再檢核該 conf 的設定與配置是否正確?!
[root@bbb net]# ps -ef | grep logfmon
root 19091 1 0 15:56 ? 00:00:00 logfmon -f /etc/logfmon.conf
root 19113 15664 0 15:59 pts/1 00:00:00 grep logfmon
[root@bbb net]#
rsyslog 收到 log 後會存入於此.
[root@bbb net]# pwd
/var/log/net
[root@bbb net]# ll
total 0
-rw------- 1 root root 0 Nov 18 15:58 vyos.log
[root@bbb net]#
ssh 到 vyos 做 登入與登出的以驗證 rsyslog + logfmon + sendmail
[root@bbb net]# cat /var/log/net/vyos.log
Nov 18 16:04:01 vyos sshd[7653]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Nov 18 16:04:05 vyos sshd[7653]: Accepted password for vyos from 192.168.1.115 port 52045 ssh2
Nov 18 16:04:05 vyos sshd[7653]: pam_unix(sshd:session): session opened for user vyos by (uid=0)
Nov 18 16:04:34 vyos sshd[7655]: error: Received disconnect from 192.168.1.115: 0:
Nov 18 16:04:34 vyos sshd[7653]: pam_unix(sshd:session): session closed for user vyos
[root@bbb net]#
Accepted password for ( Mail Alert )
session closed for user ( Mail Alert )
Topology
運用的實例可參考如下:
圖中的 syslog2msn 即為 rsyslog + logfmon + shell (組合變化而來)
http://xrcd2.blogspot.tw/2012/05/cacti-xsmsapi-soap-cacti-sms.html
其它更進階的運如下:
那個 Swatch 可由 logfmon 取代之,也是可由 rsyslog + swatch + shell (組合變化而來)
http://xrcd2.blogspot.tw/2016/01/cisco-ios-configuration-cisco-config.html