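#!/bin/sh
#
# Plugin to monitor auth.log or journald for sshd server events.
#
# Require read permissions for $LOG or journald
#  (set in /etc/munin/plugin-conf.d/munin-node on debian)
#
# $Log$
# Revision 2.0  2016/11/11 15:42:00  Thomas Riccardi
# Revision 1.2  2010/03/19 15:03:00  pmoranga
# Revision 1.1  2009/04/26 23:28:00  ckujau
# Revision 1.0  2009/04/22 22:00:00  zlati
# Initial revision
#
# Parameters:
#
#       config   (required)
#       autoconf (optional - used by munin-config)
#
# Environment (from the plugin configuration / munin-node):
#
#       logfile          log file to read, or the word "journald"
#                        (default: /var/log/secure)
#       journalctlarg    one extra argument handed to journalctl, used only
#                        with logfile=journald (default: _COMM=sshd)
#       MUNIN_STATEFILE  state file provided by munin-node; with journald it
#                        stores the journal cursor of the previous run so
#                        that each run only counts entries not seen before
#
# Magick markers (optional):
#%# family=auto
#%# capabilities=autoconf

# config example for /etc/munin/plugin-conf.d/munin-node
#[sshd_log]
#user root
#group root
#env.logfile /var/log/messages
#env.category users
#
# config example with journald
#[sshd_log]
#group systemd-journal
#env.logfile journald
#
# config example with journald on the sshd.service unit only
#[sshd_log]
#group systemd-journal
#env.logfile journald
#env.journalctlarg --unit=sshd.service
#

LOG=${logfile:-/var/log/secure}
JOURNALCTL_ARG=${journalctlarg:-_COMM=sshd}

# Print the munin "autoconf" answer: "yes", or "no (<reason>)".
print_autoconf() {
	if [ "$LOG" = "journald" ]; then
		if ! command -v journalctl >/dev/null 2>&1; then
			echo "no (journalctl not found)"
		elif journalctl --no-pager --quiet --lines=1 "$JOURNALCTL_ARG" | read -r DUMMY; then
			# at least one matching journal entry could be read
			echo "yes"
		else
			echo "no (journald empty log for '$JOURNALCTL_ARG' not found)"
		fi
	elif [ -r "$LOG" ]; then
		echo "yes"
	else
		echo "no (logfile '$LOG' not readable)"
	fi
}

# Print the three munin config lines of one data source.
# $1 field name, $2 label, $3 data type (ABSOLUTE or DERIVE)
print_field_config() {
	echo "$1.label $2"
	echo "$1.min 0"
	echo "$1.type $3"
}

# Print the munin "config" output (graph and field definitions).
print_config() {
	# journald is read from a saved cursor, so each run yields the count of
	# the interval only (ABSOLUTE); a plain log file is re-read in full on
	# every run, so its ever-growing totals are rate-converted by munin
	# (DERIVE, clamped at 0 by the .min lines).
	if [ "$LOG" = "journald" ]; then
		TYPE=ABSOLUTE
	else
		TYPE=DERIVE
	fi

	echo "graph_title SSHD login stats from $LOG"
	echo 'graph_args --base 1000 -l 0'
	echo 'graph_vlabel logins'
	echo 'graph_category security'

	print_field_config LogPass 'Successful password logins' "$TYPE"
	print_field_config LogPassPAM 'Successful login via PAM' "$TYPE"
	print_field_config LogKey 'Successful PublicKey logins' "$TYPE"
	print_field_config NoID 'No identification from user' "$TYPE"
	print_field_config rootAttempt 'Root login attempts' "$TYPE"
	print_field_config InvUsr 'Invalid user login attempts' "$TYPE"
	print_field_config NoRDNS 'No reverse DNS for peer' "$TYPE"
	print_field_config Breakin 'Potential Breakin Attempts' "$TYPE"
}

# Count sshd events read from stdin and print one "<field>.value <n>" line
# per field (every field is printed, 0 when nothing matched).
# $1 is the cursor file to update, or empty for none: when the input ends
# with a "-- cursor: <cursor>" line (journalctl --show-cursor) the cursor is
# saved there as "journald-cursor <cursor>".  When no cursor line was seen
# (e.g. no new journal entries) the file is left untouched, so the next run
# resumes from the old cursor instead of re-reading the whole journal.
count_events() {
	awk -v cursor_file="$1" '
	BEGIN {
		c["LogPass"] = 0; c["LogKey"] = 0; c["NoID"] = 0; c["rootAttempt"] = 0
		c["InvUsr"] = 0; c["LogPassPAM"] = 0; c["Breakin"] = 0; c["NoRDNS"] = 0
		cursor = ""
	}
	/sshd\[.*Accepted password for/ { c["LogPass"]++ }
	/sshd\[.*Accepted publickey for/ { c["LogKey"]++ }
	/sshd\[.*Did not receive identification string/ { c["NoID"]++ }
	/sshd\[.*Failed password for root/ { c["rootAttempt"]++ }
	/sshd\[.*Invalid user/ { c["InvUsr"]++ }
	/sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/ { c["Breakin"]++ }
	# NOTE(review): matches every line mentioning keyboard-interactive/pam,
	# not only successful logins -- confirm against the sshd log format in use
	/sshd\[.*keyboard-interactive\/pam/ { c["LogPassPAM"]++ }
	/sshd\[.*reverse mapping checking getaddrinfo/ { c["NoRDNS"]++ }
	# trailer appended by journalctl --show-cursor; the cursor is field 3
	/^-- cursor: / { cursor = $3 }
	END {
		if (cursor_file != "" && cursor != "") {
			print "journald-cursor " cursor > cursor_file
		}
		for (i in c) {
			print i ".value " c[i]
		}
	}'
}

# Entry point: $1 is "autoconf", "config" or empty (fetch values).
main() {
	case "$1" in
	autoconf)
		print_autoconf
		return 0
		;;
	config)
		print_config
		return 0
		;;
	esac

	if [ "$LOG" = "journald" ]; then
		CURSOR_FILE="$MUNIN_STATEFILE"
		CURSOR=
		# the state file holds one line: "journald-cursor <cursor>"
		if [ -f "$CURSOR_FILE" ]; then
			CURSOR=$(awk '/^journald-cursor / {print $2}' "$CURSOR_FILE")
		fi
		# --after-cursor is only passed when a cursor was saved; without one
		# the whole journal is read (first run).  --show-cursor makes
		# journalctl append the cursor trailer that count_events saves.
		journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} "$JOURNALCTL_ARG" \
			| count_events "$CURSOR_FILE"
	else
		# cat on purpose: a missing or unreadable file still yields zero
		# counters on stdout (the error goes to stderr) instead of no output
		# shellcheck disable=SC2002
		cat "$LOG" | count_events ""
	fi
}

main "$@"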