root / plugins / ssh / sshd_log @ cdb82255
Historique | Voir | Annoter | Télécharger (4,77 ko)
| 1 |
#!/bin/sh |
|---|---|
| 2 |
|
| 3 |
: <<=cut |
| 4 |
|
| 5 |
=head1 NAME |
| 6 |
|
| 7 |
sshd_log - Munin plugin to monitor auth.log or journald for sshd |
| 8 |
server events. |
| 9 |
|
| 10 |
=head1 CONFIGURATION |
| 11 |
|
| 12 |
This plugin requires read permission for the logfile or journald. |
| 13 |
|
| 14 |
On busy servers you can change value type to COUNTER and set min to 0 |
| 15 |
to avoid minus peaks at logrotate. |
| 16 |
|
| 17 |
The following environment variables are used by this plugin: |
| 18 |
|
| 19 |
logfile - path to the auth log file, or "journald" to use journald. |
| 20 |
default: /var/log/secure |
| 21 |
|
| 22 |
journalctlargs - space separated list of arguments to pass to |
| 23 |
journalctl to get the sshd logs. |
| 24 |
default: _COMM=sshd |
| 25 |
|
| 26 |
If the "logfile" environment variable is set to "journald" the sshd |
| 27 |
logs are read from journald, filtering on program "sshd". The filtering |
| 28 |
may be changed using "journalctlargs". |
| 29 |
|
| 30 |
|
| 31 |
Config examples for /etc/munin/plugin-conf.d/munin-node: |
| 32 |
|
| 33 |
[sshd_log] |
| 34 |
user root |
| 35 |
group root |
| 36 |
env.logfile /var/log/messages |
| 37 |
|
| 38 |
Config example with journald: |
| 39 |
|
| 40 |
[sshd_log] |
| 41 |
group systemd-journal |
| 42 |
env.logfile journald |
| 43 |
|
| 44 |
Config example with journald on the sshd.service unit only: |
| 45 |
|
| 46 |
[sshd_log] |
| 47 |
group systemd-journal |
| 48 |
env.logfile journald |
| 49 |
env.journalctlargs --unit=sshd.service |
| 50 |
|
| 51 |
=head1 MAGIC MARKERS |
| 52 |
|
| 53 |
#%# family=auto |
| 54 |
#%# capabilities=autoconf |
| 55 |
|
| 56 |
=head1 AUTHOR |
| 57 |
|
| 58 |
Revision 2.0 2016/11/11 15:42:00 Thomas Riccardi |
| 59 |
Revision 1.2 2010/03/19 15:03:00 pmoranga |
| 60 |
Revision 1.1 2009/04/26 23:28:00 ckujau |
| 61 |
Revision 1.0 2009/04/22 22:00:00 zlati |
| 62 |
|
| 63 |
=cut |
| 64 |
|
| 65 |
|
| 66 |
# Script parameters: |
| 67 |
# |
| 68 |
# config (required) |
| 69 |
# autoconf (optional - used by munin-config) |
| 70 |
|
| 71 |
|
| 72 |
LOG=${logfile:-/var/log/secure}
|
| 73 |
JOURNALCTL_ARGS=${journalctlargs:-_COMM=sshd}
|
| 74 |
|
| 75 |
|
| 76 |
if [ "$1" = "autoconf" ]; then |
| 77 |
if [ "$LOG" = "journald" ]; then |
| 78 |
# shellcheck disable=SC2086,SC2034 |
| 79 |
if journalctl --no-pager --quiet --lines=1 $JOURNALCTL_ARGS | read -r DUMMY; then |
| 80 |
echo "yes" |
| 81 |
else |
| 82 |
echo "no (journald empty log for '$JOURNALCTL_ARGS' not found)" |
| 83 |
fi |
| 84 |
else |
| 85 |
if [ -r "$LOG" ]; then |
| 86 |
echo "yes" |
| 87 |
else |
| 88 |
echo "no (logfile '$LOG' not readable)" |
| 89 |
fi |
| 90 |
fi |
| 91 |
exit 0 |
| 92 |
fi |
| 93 |
|
| 94 |
if [ "$1" = "config" ]; then |
| 95 |
|
| 96 |
if [ "$LOG" = "journald" ]; then |
| 97 |
TYPE=ABSOLUTE |
| 98 |
else |
| 99 |
TYPE=DERIVE |
| 100 |
fi |
| 101 |
|
| 102 |
echo 'graph_title SSHD login stats from' "$LOG" |
| 103 |
echo 'graph_args --base 1000 -l 0' |
| 104 |
echo 'graph_vlabel logins' |
| 105 |
echo 'graph_category' security |
| 106 |
|
| 107 |
echo 'LogPass.label Successful password logins' |
| 108 |
echo 'LogPass.min 0' |
| 109 |
echo 'LogPass.type' "$TYPE" |
| 110 |
|
| 111 |
echo 'LogPassPAM.label Successful login via PAM' |
| 112 |
echo 'LogPassPAM.min 0' |
| 113 |
echo 'LogPassPAM.type' "$TYPE" |
| 114 |
|
| 115 |
echo 'LogKey.label Successful PublicKey logins' |
| 116 |
echo 'LogKey.min 0' |
| 117 |
echo 'LogKey.type' "$TYPE" |
| 118 |
|
| 119 |
echo 'NoID.label No identification from user' |
| 120 |
echo 'NoID.min 0' |
| 121 |
echo 'NoID.type' "$TYPE" |
| 122 |
|
| 123 |
echo 'rootAttempt.label Root login attempts' |
| 124 |
echo 'rootAttempt.min 0' |
| 125 |
echo 'rootAttempt.type' "$TYPE" |
| 126 |
|
| 127 |
echo 'InvUsr.label Invalid user login attempts' |
| 128 |
echo 'InvUsr.min 0' |
| 129 |
echo 'InvUsr.type' "$TYPE" |
| 130 |
|
| 131 |
echo 'NoRDNS.label No reverse DNS for peer' |
| 132 |
echo 'NoRDNS.min 0' |
| 133 |
echo 'NoRDNS.type' "$TYPE" |
| 134 |
|
| 135 |
echo 'Breakin.label Potential Breakin Attempts' |
| 136 |
echo 'Breakin.min 0' |
| 137 |
echo 'Breakin.type' "$TYPE" |
| 138 |
|
| 139 |
exit 0 |
| 140 |
fi |
| 141 |
|
| 142 |
if [ "$LOG" = "journald" ]; then |
| 143 |
CURSOR_FILE="$MUNIN_STATEFILE" |
| 144 |
# read cursor |
| 145 |
# format: "journald-cursor <cursor>" |
| 146 |
CURSOR= |
| 147 |
if [ -f "$CURSOR_FILE" ]; then |
| 148 |
CURSOR=$(awk '/^journald-cursor / {print $2}' "$CURSOR_FILE")
|
| 149 |
fi |
| 150 |
else |
| 151 |
CURSOR_FILE= |
| 152 |
fi |
| 153 |
|
| 154 |
if [ "$LOG" = "journald" ]; then |
| 155 |
# shellcheck disable=SC2086 |
| 156 |
journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} $JOURNALCTL_ARGS
|
| 157 |
else |
| 158 |
cat "$LOG" |
| 159 |
fi | \ |
| 160 |
awk -v cursor_file="$CURSOR_FILE" 'BEGIN{c["LogPass"]=0;c["LogKey"]=0;c["NoID"]=0;c["rootAttempt"]=0;c["InvUsr"]=0;c["LogPassPAM"]=0;c["Breakin"]=0;c["NoRDNS"]=0; }
|
| 161 |
/sshd\[.*Accepted password for/{c["LogPass"]++}
|
| 162 |
/sshd\[.*Accepted publickey for/{c["LogKey"]++}
|
| 163 |
/sshd\[.*Did not receive identification string/{c["NoID"]++}
|
| 164 |
/sshd\[.*Failed password for root/{c["rootAttempt"]++}
|
| 165 |
/sshd\[.*Invalid user/{c["InvUsr"]++}
|
| 166 |
/sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/{c["Breakin"]++}
|
| 167 |
/sshd\[.*keyboard-interactive\/pam/{c["LogPassPAM"]++}
|
| 168 |
/sshd\[.*reverse mapping checking getaddrinfo/{c["NoRDNS"]++}a
|
| 169 |
END{if (cursor_file != "") { print "journald-cursor " $3 > cursor_file };for(i in c){print i".value " c[i]} }'
|