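#!/bin/sh

: <<=cut

=head1 NAME

sshd_log - Munin plugin to monitor auth.log or journald for sshd
           server events.

=head1 CONFIGURATION

This plugin requires read permission for the logfile or journald.

On busy servers you can change value type to COUNTER and set min to 0
to avoid minus peaks at logrotate.

The following environment variables are used by this plugin:

 logfile  - path to the auth log file, or "journald" to use journald.
            default: /var/log/secure

 journalctlarg - a single match argument passed to journalctl to select
                 the sshd logs. It is handed to journalctl as one word
                 (no shell word splitting), so it cannot carry several
                 arguments.
                 default: _COMM=sshd

If the "logfile" environment variable is set to "journald" the sshd
logs are read from journald, filtering on program "sshd". The filtering
may be changed using "journalctlarg".

When reading from journald the plugin remembers the journal cursor of
the previous run in the munin state file (MUNIN_STATEFILE) and only
counts entries logged after it, so the reported values are per-run
(ABSOLUTE). A plain log file is read in full on every run (DERIVE).

Config examples for /etc/munin/plugin-conf.d/munin-node:

  [sshd_log]
      user root
      group root
      env.logfile /var/log/messages

Config example with journald:

  [sshd_log]
      group systemd-journal
      env.logfile journald

Config example with journald on the sshd.service unit only:

  [sshd_log]
      group systemd-journal
      env.logfile journald
      env.journalctlarg --unit=sshd.service

=head1 MAGIC MARKERS

  #%# family=auto
  #%# capabilities=autoconf

=head1 AUTHOR

Revision 2.0  2016/11/11 15:42:00  Thomas Riccardi
Revision 1.2  2010/03/19 15:03:00  pmoranga
Revision 1.1  2009/04/26 23:28:00  ckujau
Revision 1.0  2009/04/22 22:00:00  zlati

=cut
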
# Script parameters:
#
#       config   (required)
#       autoconf (optional - used by munin-config)

# Event source: a readable log file path, or the literal "journald".
LOG="${logfile:-/var/log/secure}"
# Match expression handed to journalctl (as one word) when LOG is "journald".
JOURNALCTL_ARG="${journalctlarg:-_COMM=sshd}"

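#######################################
# Answer munin's "autoconf" request: "yes" when the configured event
# source can be read, otherwise "no (<reason>)".
# Globals:   LOG (read), JOURNALCTL_ARG (read)
# Outputs:   a single line on stdout
# Returns:   0
#######################################
sshd_log_autoconf() {
        if [ "$LOG" = "journald" ]; then
                if ! command -v journalctl >/dev/null 2>&1; then
                        echo "no (journalctl not found)"
                        return 0
                fi
                # The pipeline reports read's status: 0 only when journalctl
                # emitted at least one entry for the configured match.
                if journalctl --no-pager --quiet --lines=1 "$JOURNALCTL_ARG" | read -r DUMMY; then
                        echo "yes"
                else
                        echo "no (no journald entries found for '$JOURNALCTL_ARG')"
                fi
        elif [ -r "$LOG" ]; then
                echo "yes"
        else
                echo "no (logfile '$LOG' not readable)"
        fi
        return 0
}

if [ "$1" = "autoconf" ]; then
        sshd_log_autoconf
        exit 0
fi
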
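#######################################
# Print one munin field definition (label, min, type).
# Arguments: $1 - field name
#            $2 - human readable label
#            $3 - munin data type for the field
# Outputs:   three lines on stdout
#######################################
sshd_log_field() {
        echo "$1.label $2"
        echo "$1.min 0"
        echo "$1.type $3"
}

#######################################
# Answer munin's "config" request: the graph definition plus one field
# per counted sshd event.
# Globals:   LOG (read), TYPE (written)
# Outputs:   munin config on stdout
#######################################
sshd_log_config() {
        # journald mode only reports entries since the saved cursor, so the
        # values are per-run (ABSOLUTE); a log file is re-read in full, so
        # munin must differentiate the growing counts (DERIVE).
        if [ "$LOG" = "journald" ]; then
                TYPE=ABSOLUTE
        else
                TYPE=DERIVE
        fi

        echo 'graph_title SSHD login stats from' "$LOG"
        echo 'graph_args --base 1000 -l 0'
        echo 'graph_vlabel logins'
        echo 'graph_category security'

        sshd_log_field LogPass 'Successful password logins' "$TYPE"
        sshd_log_field LogPassPAM 'Successful login via PAM' "$TYPE"
        sshd_log_field LogKey 'Successful PublicKey logins' "$TYPE"
        sshd_log_field NoID 'No identification from user' "$TYPE"
        sshd_log_field rootAttempt 'Root login attempts' "$TYPE"
        sshd_log_field InvUsr 'Invalid user login attempts' "$TYPE"
        sshd_log_field NoRDNS 'No reverse DNS for peer' "$TYPE"
        sshd_log_field Breakin 'Potential Breakin Attempts' "$TYPE"
}

if [ "$1" = "config" ]; then
        sshd_log_config
        exit 0
fi
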
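#######################################
# Print the journald cursor saved by a previous run.
# The state file holds a line "journald-cursor <cursor>"; only the first
# such line is used so the result is always a single word.
# Arguments: $1 - path of the state file (must exist)
# Outputs:   the saved cursor on stdout, nothing when absent
#######################################
sshd_log_saved_cursor() {
        awk '/^journald-cursor / { print $2; exit }' "$1"
}

if [ "$LOG" = "journald" ]; then
        # Munin hands each plugin a private state file; it carries the
        # cursor across runs so only new journal entries are counted.
        CURSOR_FILE="$MUNIN_STATEFILE"
        if [ -z "$CURSOR_FILE" ]; then
                echo "sshd_log: MUNIN_STATEFILE is not set; the journald cursor cannot be saved and every run will re-read the whole journal" >&2
        fi
        CURSOR=
        if [ -f "$CURSOR_FILE" ]; then
                CURSOR=$(sshd_log_saved_cursor "$CURSOR_FILE")
        fi
else
        # A plain log file is read from the start on every run: no cursor.
        CURSOR_FILE=
fi
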
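#######################################
# Count sshd events on stdin and print them as munin values.
# Log lines are only pattern-matched and counted; their content (which
# includes attacker-chosen user names) is never echoed or executed.
# Arguments: $1 - state file to save the journald cursor into; empty
#                 when the input is not journald output
# Outputs:   one "<field>.value <count>" line per field on stdout
#######################################
sshd_log_count() {
        awk -v cursor_file="$1" '
        BEGIN {
                c["LogPass"] = 0; c["LogKey"] = 0; c["NoID"] = 0; c["rootAttempt"] = 0
                c["InvUsr"] = 0; c["LogPassPAM"] = 0; c["Breakin"] = 0; c["NoRDNS"] = 0
                cursor = ""
        }
        /sshd\[.*Accepted password for/ { c["LogPass"]++ }
        /sshd\[.*Accepted publickey for/ { c["LogKey"]++ }
        /sshd\[.*Did not receive identification string/ { c["NoID"]++ }
        /sshd\[.*Failed password for root/ { c["rootAttempt"]++ }
        /sshd\[.*Invalid user/ { c["InvUsr"]++ }
        /sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/ { c["Breakin"]++ }
        /sshd\[.*keyboard-interactive\/pam/ { c["LogPassPAM"]++ }
        /sshd\[.*reverse mapping checking getaddrinfo/ { c["NoRDNS"]++ }
        # "journalctl --show-cursor" ends its output with a
        # "-- cursor: <cursor>" line; the cursor is its third field.
        /^-- cursor: / { cursor = $3 }
        END {
                # Only overwrite the state file when a cursor was actually
                # emitted: saving an empty cursor would make the next run
                # re-read the whole journal.
                if (cursor_file != "" && cursor != "") {
                        print "journald-cursor " cursor > cursor_file
                }
                for (i in c) { print i ".value " c[i] }
        }'
}

if [ "$LOG" = "journald" ]; then
        journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} "$JOURNALCTL_ARG"
else
        cat "$LOG"
fi | sshd_log_count "$CURSOR_FILE"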