Unix Shell腳本 - 特定模式的監視器登錄失敗

Question

我正在尋找一種方法來完成我的要求之一，我想使用Unix Shell腳本以特定模式自動執行「失敗登錄嘗試」的日誌文件監視。

下面是一個日誌片斷

sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 

注意：在日誌文件中的 「RESULT_CODE = 2」 表示失敗的登錄。

下面的要求和模式

• 監視器日誌文件一致（access.log的）
• 如果無效的密碼在日誌文件在一分鐘內發現相同用戶 超過50倍，觸發帶有用戶ID，客戶端IP，瀏覽器IP，該次運行失敗嘗試次數的電子郵件
• 觀看日誌並連續執行此操作。

作爲業餘shell腳本開發人員，我無法想到使用shell腳本實現這一目標。請求想法/解決方案。

Answer 1

在shell中的傻瓜方法將只是你的日誌tail -f，管它到awk切出結果代碼和用戶數據，並且如果一行代表失敗的登錄嘗試增加存儲在由用戶登錄（例如，名爲jdoe@example.com的文件包含5）。但是這會給您留下一個問題，即如何僅在所需的時間段內（例如在最後一分鐘內）維持該計數。

除非你真的喜歡那樣的痛苦，否則看看一些常見的工具，如logwatch這些工具是專門設計用來做你想做的。

下面是關於如何設置您的自定義日誌看和其他定製服務實例與logwatch報告一些偉大的文章：

• http://alphahydrae.com/2012/08/logwatch-how-to-add-a-service/
• http://blog.bidiuk.com/2010/05/centos-custom-logwatch-script/
• http://perceptionistruth.com/2010/08/custom-logwatch-script-for-ngircd/
• https://serverfault.com/questions/571243/monitor-rsnapshots-log-file-with-logwatch

Answer 2

什麼是y OU正在尋找可能可以通過插件叫做logdog來完成：

$ cpanm Sparrow # install sparrow manager 
$ yum install curl # you need a curl to upload sparrow index file 
$ sparrow index update # get latest sparrow index 
$ sparrow plg install logdog # install logdog plugin 
$ sparrow project create myhost # project is just container for runnable plugins 
$ sparrow check add myhost login-check # or whatever you name it; check just a entry point to run a plugin 
$ sparrow check set myhost login-check logdog # you bind a logdog plugin to your check 
$ export EDITOR=nano && sparrow check ini myhost login-check 

# here comes configuration part, the hardest one 
# as you have to set it precisely 

[logdog] 


# set path to log file 

file = login.log 

# this is examples of log entries 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 


# define how to extract time chunks 
# from your log entries: 

# this should perl regexp: 
time_pattern = ,(\d\d\d\d-\d\d-\d\d)\s(\d\d:\d\d:\d\d) 

# this should be posix strftime format 
# see `man strftime` 
time_format = %Y-%m-%d %T 

# check logs for last 5 minutes, 10 hours, 2 days , etc ... 
history = 1 months 

# to proper time calculation 
# need to know a timezone 
timezone = UTC 

# I need these lines 
filter = result_code=2 

# group found entries by user logins: 
key_field = user=(\S+?), 

# density - is optional parameter 
# show only groups with entries number 
# more or equal $density 
density = 1 

給出一個日誌文件：

$ cat login.log 

sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 

我們將有：

$ sparrow check run myhost login-check 

/tmp/.outthentic/22011/home/vagrant/my/logdog/story.t .. 
ok 1 - stdout is already set 
ok 2 - stdout saved to /tmp/.outthentic/22011/MSUYnYelwg 
# history: 1 months 
# filter: result_code=2 
# density: 1 
# group jdoe@example.com count: 2 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
# group jdoe2@example.com count: 3 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
# sequence_number=12345,remote_client=sapserver,2016-03-18 03:29:44:782 EDT,messageID=1002,user=jdoe2@example.com,client_ip_address=10.129.220.45,client_port=10250,browser_ip_address=x.x.x.x,result_code=2,result_action=Login Failure,result_reason=Invalid Password 
ok 3 - output match /lines count: (\d+)/ 
ok 4 - output match /result_code=2/ 
1..4 
ok 
All tests successful. 
Files=1, Tests=4, 0 wallclock secs (0.02 usr 0.00 sys + 0.10 cusr 0.00 csys = 0.12 CPU) 
Result: PASS 

對於你的目的ini文件應適應：

• 歷史= 5分鐘
• 時區=美國/紐約 （參考本list正確的價值觀，或許這是可以等於EST時區）
• 密度= 50

現在運行這個插件通過cron每5分鐘，你可能會得到你想要的...

PS> DISCLOSURE - 我是麻雀和logdog插件的作者。