Linux??????
???????????? ???????[ 2017/3/24 10:52:49 ] ?????????????? Linux
????Linux ???????
????????????????????????????????????????????写??????????????????????????些?????????????????????????????????????????????????????????????????些????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????貌??????????????薪?????????????????????????????????????????????味????????????????效??
Grep
?????????????????????????????????????????????????????? grep ??????????泄????????? Linux ???邪?????校?????????????????????????????????????????????????写???????????????????????????????????????????????????????????
???????????
?????????懈?????????? Ubuntu ?????????????? “user hoover”??
$ grep "user hoover" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
pam_unix(sshd:session): session opened for user hoover by (uid=0)
pam_unix(sshd:session): session closed for user hoover
??????????????????????????纾�???????????????????????????“4792” ??????????????????URLs??????????????????????????? Ubuntu ??????????????? Apache ???????????????????????
$ grep "4792" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4972 HTTP/1.0" 404 545 "-" "-"
????????????
??????????????????????????grep ?????????????????????????????泻???????????????????????????????????????B ????????????????????????A ?????????????????????????????????????????????????? admin ????????? ???????????????????????????????效???????????????
$ grep -B 3 -A 2 'Invalid user' /var/log/auth.log
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: reverse mapping checking getaddrinfo for 216-19-2-8.commspeed.net [216.19.2.8] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Tail
???????????? tail ?? grep ??????????????????????校????????????????????????????薪????????????????????????????????????????谩?
$ tail -f /var/log/auth.log | grep 'Invalid user'
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
?????????? grep ????????????????????围??Ryan ???????懈??????????
????????????????懈???效???????????????????????????????????????胁????????????????????????????? G ???? T ??????????????锟�??? grep ??????????????????????????????小??????????????? Lucene ????????????????????????婀�??????????貌?????? ????????????蔚?????????????????
Cut, AWK and Grok
?????????泄???
????Linux ??????????????????????????泄???????????????????????????????????????????????????????????
Cut
????cut ???????????????????薪?????巍????????????????????????????????位??????
????????????????????????????????????
pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost= user=root
?????????????????????? cut ?????????????????????????? Ubuntu ????????
$ grep "authentication failure" /var/log/auth.log | cut -d '=' -f 8
root
hoover
root
nagios
nagios
AWK
???????????????? awk??????懈?????????蔚?????????????????????????????????????魏魏????????????
?????????????????????? Ubuntu ???????渭?????????????????????????????
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
????????????? awk ???????????????????????? /sshd.*invalid user/ ??? sshd ??效?????????小??????? { print $9 } ?????????危??????????????????????????????
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
?????????? Awk ???????谢????????????????????????????蔚??????
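The awk command above prints the ninth whitespace-separated field, which is the username only on the lowercase `input_userauth_request: invalid user NAME [preauth]` line; on the `Invalid user NAME from IP` line shown earlier the name is the eighth field and the source address the tenth. The following added example (not from the original guide) matches the phrase instead of a column, so it also recovers the source IP and can count attempts per source; the log lines are constructed, and the sshd line formats are assumed to match the ones printed on this page:

```shell
#!/bin/sh
# Added example, not from the original guide: pull (username, source IP) pairs
# out of sshd "Invalid user" lines by matching the phrase instead of a fixed
# awk column, then count rejected attempts per source. Sample lines are constructed.

SAMPLE_LOG='Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
Apr 30 19:49:50 ip-172-31-11-241 sshd[6516]: Accepted password for hoover from 10.0.2.2 port 4792 ssh2'

# One "user ip" pair per rejected login. Only the "Invalid user X from IP" form
# carries the source address; the input_userauth_request line for the same
# attempt is skipped so nothing is counted twice.
invalid_user_attempts() {
    printf '%s\n' "$SAMPLE_LOG" |
      sed -n 's/.*sshd\[[0-9]*]: Invalid user \([^ ]*\) from \([^ ]*\).*/\1 \2/p'
}

# Attempt count per source IP, busiest first, as "COUNT IP".
attempts_per_source() {
    invalid_user_attempts |
      awk '{ n[$2]++ } END { for (ip in n) print n[ip], ip }' |
      sort -rn
}

# Sources with at least THRESHOLD rejected attempts (default 2), one IP per line.
flag_sources() {
    threshold=${1:-2}
    attempts_per_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

invalid_user_attempts
attempts_per_source
flag_sources 2
```

Replace the `printf` of `SAMPLE_LOG` with `cat /var/log/auth.log` to run it against a real file.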
?????????????
??????????????y???????????????????????????????????????????????????????????????????绻�?? Linux ????? web ????????????????????????????位??????????????????写???????????
????????????????????? sshd ????????????????????????????????巍??????????? Loggly?????????????????????????
???????????????????????????????????????????????? Grok????????????????????????????? JSON ????????? Grok ??????????????????? Logstash ???????? ??
filter {
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}%{NOTSPACE} %{NOTSPACE}%{NUMBER:duration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}" }
  }
}
?????????? Grok ???????????????
Rsyslog and AWK
?????????????????????危??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
??????????????????????
????????????????????????????????????????????????????????????校??????????????????????????????????????????????????????????????????????????屑??????????
????1???? Rsyslog ??????????????????????????? sshd ??贸???????写????? sshd-messages ??????校?????????????????????????????????????????????????????? Rsyslog.conf ???????????
:programname, isequal, "sshd" /var/log/sshd-messages
&~
????2??????????泄?????? awk ??????????蔚????????? sshd ??????????? Ubuntu ????????
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
????3???????????????????????????????????????????????泄??????????????? syslog ???????危?????????? Loggly ?????????????小?????????????????????????? sshd ?????谩?
??????????????????
?????????????????????????????械???????????????? syslog ???貌?????????????????????????????????????
?????????????????????????????????????????? rsyslog ???????????????????????校??????????????????????????????? Rsyslog ???????????????pri-text ??妫�?????????
"<%pri-text%> : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n"
??????????????????锟�?????????????? err??
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
??????????? awk ??grep ????????????????? Ubuntu ?渭?????????????????????? . ?? > ?????????????????巍?
$ grep '.err>' /var/log/auth.log
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
????????????????????????????????????????????????? syslog ????????????????巍???????锟�??????????????????
???????? Loggly ??????????? syslog ??????危? Error ????????????????????????? Error ????
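`grep '.err>'` matches exactly the err level and silently skips the more severe crit, alert and emerg lines. The following added example (not from the original guide) reads the `<facility.severity>` prefix produced by the pri-text template above and keeps every line at or above a chosen minimum severity, using the numeric syslog severity order; the log lines are constructed:

```shell
#!/bin/sh
# Added example, not from the original guide: filter rsyslog lines written with
# the "<%pri-text%> : ..." template by minimum severity. grep '.err>' keeps only
# "err"; this keeps err and everything more severe (crit, alert, emerg) too.
# Sample lines are constructed.

SAMPLE_LOG='<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
<authpriv.info> : Mar 11 18:18:05,hoover-VirtualBox,sshd[5030]:, Accepted password for hoover from 10.0.2.2 port 4792 ssh2
<kern.crit> : Mar 11 18:19:10,hoover-VirtualBox,kernel:, Out of memory: Kill process 5100 (java)
<auth.warning> : Mar 11 18:19:30,hoover-VirtualBox,sshd[5031]:, Invalid user admin from 216.19.2.8
<daemon.emerg> : Mar 11 18:20:00,hoover-VirtualBox,systemd[1]:, Failed to start a service'

# Numeric syslog severity (0 = emerg .. 7 = debug, as in the syslog standard).
# Unknown names get 99 so they never pass a threshold test.
severity_level() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;
        err|error)   echo 3 ;;  warning|warn) echo 4 ;;  notice) echo 5 ;;
        info)        echo 6 ;;  debug) echo 7 ;;  *) echo 99 ;;
    esac
}

# Print lines whose <facility.severity> prefix is at least as severe as the
# named minimum (numerically less than or equal), e.g. min_severity err.
min_severity() {
    max=$(severity_level "$1")
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        sev=${line#<*.}     # strip the leading "<facility."
        sev=${sev%%>*}      # keep the text before ">"
        if [ "$(severity_level "$sev")" -le "$max" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Number of lines that survive the given minimum severity.
count_at_least() { min_severity "$1" | awk 'END { print NR }'; }

min_severity err
```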