linux swatch 日志监控使用笔记
一. 准备
1. 下载和解压缩最新的Swatch软件包.建议从Swatch的官方网站获得可靠的Swatch软件包.
下载网址:http://sourceforge.net/projects/swatch/
1) 创建Swatch软件包存放的目录.
mkdir -p /usr/local/src/log
2) 解压缩源代码包
tar zpxf swatch-***.tar.gz
二. 安装
cd swatch-***
perl Makefile.PL
可能出现:
Checking if your kit is complete...
Looks good
Warning: prerequisite Date::Calc 0 not found.
Warning: prerequisite Date::Format 0 not found.
Warning: prerequisite File::Tail 0 not found.
Warning: prerequisite Time::HiRes 1.12 not found.
解决方法1:
perl -MCPAN -e shell
>install Date::Calc
然后就一直点Yes,依次安装剩下的三个。
解决方法2:
直接用wget下载下列文件
make
make test
make install
make realclean
Swatch程序安装成功后, Perl模块将会用于Swatch程序的运行.
三 使用
1、使用之前,需要创建一个.conf文件
例如:创建一个/root/abc.conf文件,内容为:
watchfor /[Ff]ail/
echo red
bell 1
exec "echo 000000"
2、简单使用
swatch --config-file=/root/abc.conf
--examine=/var/log/secure.1
得到结果:
*** swatch version 3.2.3 (pid:11950) started at 三 9月 17 09:06:06 CST 2008
Sep 4 22:33:18 localhost sshd[16376]: Failed password for root from 172.17.199.15 port 2883 ssh2
000000
3、其他
3.1一个conf脚本示例
I. More detailed swatch.conf example script
/usr/bin/swatch -c /etc/swatch.conf - t /var/log/messages &
3.3如果希望Swatch监控多个日志文件,需要多次执行Swatch,如果每类文件的设置不同,相应的conf文件也不同。
3.3.1使用Swatch来自东禁止非法连接。(下面是参考,还没研究过)
http://cubic9.com/Linux/Swatch/
http://raijin.ddo.jp/pukiwiki/pukiwiki.php?%C9%D4%C0%B5%A5%A2%A5%AF%A5%BB%A5%B9%B4%C6%BB%EB
http://tobysoft.net/wiki/index.php?Ubuntu%2Fswatch
3.4 Swatch时时监视新增加的内容,使用 -t
The -t flag tells Swatch which file it should tail (monitor).
3.5 另一个conf例子:
Some important Swatch switches, listed alphabetically. See the sample config files for specific usage examples:
bell
Make the console beep. You can change the number of beeps; default is 1.
continue
If multiple watchfor sections contain a pattern which could occur in the same single log entry, then "continue" will tell Swatch to continue comparing its key patterns to the log entry even after it finds the first match. Take for example a watchfor section that contains both /root/ and /login/, and the log line "root: login successful" is generated. Swatch would normally just execute actions when it saw the first match -- "root" -- and then stop parsing that line of the log, thus effectively ignoring the occurrence of "login" in this case. "Continue" prevents this.
echo
Dump flagged log entries to the console.
exec
Execute whatever shell command follows. See section on chat for examples.
ignore
We can tell Swatch to ignore the things we don't care about. The syntax for this is ignore /whatever/ where "whatever" is the pattern in question. The command and the pattern should be separated by spaces or tabs. Separate each item with the pipe character |.
mail
Send email message to any number of addresses, separated by colons. For our convenience, we can make the subject line reflect the items flagged (see sample config file for syntax). The email message body will, by default, contain the full line of the log entry that triggered Swatch.
throttle
The throttle command keeps the action (whatever follows on the next line) from being executed too many times at once, which might happen if the event in question generates multiple lines in the log, which each contain the string we're watching for. So, we use throttle to suppress subsequent reportings of the same event for a specified period of time after the first instance of the event. The format is throttle HH:MM:SS (hours, minutes, and seconds) and the use=regex option tells Swatch to use the pattern specified in the watchfor line, as opposed to using the message body itself, which is the default. For example, the log messages: "sshd2[PID]: Local disconnected: Connection closed." and "sshd2[PID]: connection lost: 'Connection closed.'" use slightly different wording, so the default throttle settings would not work here. But if we include use=regex, then sshd2 is the determining string, and thus throttle will work correctly.
watchfor
This is what we use to specify which log entries to watch for, and subsequently what to do in the instance of such an entry. Separate each item with the pipe character |.
A sample Swatch configuration file:
Expect to go back and tweak the config file a few times when you first begin using Swatch. You'll find that some patterns you specify in the watchfor sections will appear elsewhere in subtle ways, resulting in unintended flagging by Swatch. For example, if you specify "watchfor /su/" intending to flag the su command (someone trying to switch to another user) then Swatch will flag that, but will also trigger on any log line that contains the word "succeeded" (which appears in the event of a successful, legitimate login!) Try using "watchfor /root/" instead. Remember that you can test to see if Swatch is listening and behaving properly by using the "logger x" command.
You can separate different events and have Swatch perform different alerting routines, based on severity, type, etc.. For example, server problems like reboots, kernel panics, etc. could be set up to result in an email with subject line "LogData-Server" while suspicious login attempts could have subject line "LogData-AuthFail," etc. See the complete configuration example at the end of this document for more examples. Breaking things down like this makes it easier for you to sort the emails generated by Swatch, and you can tell from one glance at your inbox what kinds of things have been happening on your network.
A good idea is to have redundant alert methods available to Swatch, especially for the more critical events. For example, specify multiple email addresses (preferably belonging to multiple people who can find you) in the more important watchfor sections.
1. 下载和解压缩最新的Swatch软件包.建议从Swatch的官方网站获得可靠的Swatch软件包.
下载网址:http://sourceforge.net/projects/swatch/
1) 创建Swatch软件包存放的目录.
mkdir -p /usr/local/src/log
2) 解压缩源代码包
tar zpxf swatch-***.tar.gz
二. 安装
cd swatch-***
perl Makefile.PL
可能出现:
Checking if your kit is complete...
Looks good
Warning: prerequisite Date::Calc 0 not found.
Warning: prerequisite Date::Format 0 not found.
Warning: prerequisite File::Tail 0 not found.
Warning: prerequisite Time::HiRes 1.12 not found.
解决方法1:
perl -MCPAN -e shell
>install Date::Calc
然后就一直点Yes,依次安装剩下的三个。
解决方法2:
直接用wget下载下列文件
http://search.cpan.org/CPAN/authors/id/S/ST/STBEY/Date-Calc-5.3.tar.gz然后,
http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/TimeDate-1.1301.tar.gz
http://search.cpan.org/CPAN/authors/id/M/MG/MGRABNAR/File-Tail-0.98.tar.gz
http://search.cpan.org/CPAN/authors/id/J/JH/JHI/Time-HiRes-1.37.tar.gz
$ tar zxvf $SOURCE/Date-calc-5.3.tar.gz
$ cd $SOURCE/Date-Calc-5.2
$ perl Makefile.PL
$ make
$ make test
$ su
# make installmake
make test
make install
make realclean
Swatch程序安装成功后, Perl模块将会用于Swatch程序的运行.
三 使用
1、使用之前,需要创建一个.conf文件
例如:创建一个/root/abc.conf文件,内容为:
watchfor /[Ff]ail/
echo red
bell 1
exec "echo 000000"
2、简单使用
swatch --config-file=/root/abc.conf
--examine=/var/log/secure.1
得到结果:
*** swatch version 3.2.3 (pid:11950) started at 三 9月 17 09:06:06 CST 2008
Sep 4 22:33:18 localhost sshd[16376]: Failed password for root from 172.17.199.15 port 2883 ssh2
000000
3、其他
3.1一个conf脚本示例
I. More detailed swatch.conf example script
# Swatch configuration file for constant monitoring ignore /news/ # Server problems -- we consider this to be relatively low-priority, so we just get email. watchfor /restart|panic|halt/ bell [email protected],subject=Log_Data_Server_Info # SSH stuff -- also low-priority, but we still want to know when users are ssh'd in. watchfor /SSH|sshd2/ [email protected],subject=Log_Data_SSH # We want to know if someone tries to SU root -- does everything (emails multiple people, # emails cell phone, pages Admin with pager code 911) watchfor /root/ bell [email protected]:[email protected]:5551212@cell_messaging.com,subject=Log_Data_ROOT throttle 0:2:0,use=regex # so it doesn't confuse the modem and interrupt paging exec chat -f /etc/chatscript.txt -v -s -T 911 < /dev/modem > /dev/modem # router problems - does everything (emails multiple people, emails cell phone, pages Admin # with pager code 444) watchfor /router/ bell [email protected]:[email protected]:5551212@cell_messaging.com,subject=Log_Data_Router throttle 0:2:0,use=regex exec chat -f /etc/chatscript.txt -v -s -T 444 < /dev/modem > /dev/modem # If adduser is run, could be critical -- does everything (emails multiple people, emails cell # phone, pages Admin with pager code 666) watchfor /addgrp|adduser/ bell [email protected]:[email protected]:5551212@cell_messaging.com,subject=Log_Data_Adduser throttle 0:2:0,use=regex exec chat -f /etc/chatscript.txt -v -s -T 666 < /dev/modem > /dev/modem # Bad login attempts -- mails us and pages Admin with pager code 888 watchfor /authentication failure/ bell [email protected]:[email protected]:5551212@cell_messaging.com,subject=Log_Data_Bad_Login throttle 0:2:0,use=regex exec chat -f /etc/chatscript.txt -v -s -T 888 < /dev/modem > /dev/modem # end of swatch.conf3.2 Swatch可以设置成开机后自动后台运行,只需要在rc.local加入一行:
/usr/bin/swatch -c /etc/swatch.conf - t /var/log/messages &
3.3如果希望Swatch监控多个日志文件,需要多次执行Swatch,如果每类文件的设置不同,相应的conf文件也不同。
3.3.1使用Swatch来自东禁止非法连接。(下面是参考,还没研究过)
http://cubic9.com/Linux/Swatch/
http://raijin.ddo.jp/pukiwiki/pukiwiki.php?%C9%D4%C0%B5%A5%A2%A5%AF%A5%BB%A5%B9%B4%C6%BB%EB
http://tobysoft.net/wiki/index.php?Ubuntu%2Fswatch
3.4 Swatch时时监视新增加的内容,使用 -t
The -t flag tells Swatch which file it should tail (monitor).
3.5 另一个conf例子:
Some important Swatch switches, listed alphabetically. See the sample config files for specific usage examples:
bell
Make the console beep. You can change the number of beeps; default is 1.
continue
If multiple watchfor sections contain a pattern which could occur in the same single log entry, then "continue" will tell Swatch to continue comparing its key patterns to the log entry even after it finds the first match. Take for example a watchfor section that contains both /root/ and /login/, and the log line "root: login successful" is generated. Swatch would normally just execute actions when it saw the first match -- "root" -- and then stop parsing that line of the log, thus effectively ignoring the occurrence of "login" in this case. "Continue" prevents this.
echo
Dump flagged log entries to the console.
exec
Execute whatever shell command follows. See section on chat for examples.
ignore
We can tell Swatch to ignore the things we don't care about. The syntax for this is ignore /whatever/ where "whatever" is the pattern in question. The command and the pattern should be separated by spaces or tabs. Separate each item with the pipe character |.
Send email message to any number of addresses, separated by colons. For our convenience, we can make the subject line reflect the items flagged (see sample config file for syntax). The email message body will, by default, contain the full line of the log entry that triggered Swatch.
throttle
The throttle command keeps the action (whatever follows on the next line) from being executed too many times at once, which might happen if the event in question generates multiple lines in the log, which each contain the string we're watching for. So, we use throttle to suppress subsequent reportings of the same event for a specified period of time after the first instance of the event. The format is throttle HH:MM:SS (hours, minutes, and seconds) and the use=regex option tells Swatch to use the pattern specified in the watchfor line, as opposed to using the message body itself, which is the default. For example, the log messages: "sshd2[PID]: Local disconnected: Connection closed." and "sshd2[PID]: connection lost: 'Connection closed.'" use slightly different wording, so the default throttle settings would not work here. But if we include use=regex, then sshd2 is the determining string, and thus throttle will work correctly.
watchfor
This is what we use to specify which log entries to watch for, and subsequently what to do in the instance of such an entry. Separate each item with the pipe character |.
A sample Swatch configuration file:
Expect to go back and tweak the config file a few times when you first begin using Swatch. You'll find that some patterns you specify in the watchfor sections will appear elsewhere in subtle ways, resulting in unintended flagging by Swatch. For example, if you specify "watchfor /su/" intending to flag the su command (someone trying to switch to another user) then Swatch will flag that, but will also trigger on any log line that contains the word "succeeded" (which appears in the event of a successful, legitimate login!) Try using "watchfor /root/" instead. Remember that you can test to see if Swatch is listening and behaving properly by using the "logger x" command.
# Sample Swatch configuration file for constant monitoring. ignore /news/ watchfor /restart|panic|halt/ bell [email protected]:[email protected],subject=Log_Data_Crash watchfor /SSH|sshd2/ # watch for both the session and the daemon echo bell throttle 0:2:0,use=regex # in case of multiple attempts in rapid succession; # ssh also generates multiple log lines even for a # single successful login [email protected],subject=Log_Data_SSH watchfor /blah|blah/ etc... # End of script (a more detailed sample config file is included at the end of this document)
You can separate different events and have Swatch perform different alerting routines, based on severity, type, etc.. For example, server problems like reboots, kernel panics, etc. could be set up to result in an email with subject line "LogData-Server" while suspicious login attempts could have subject line "LogData-AuthFail," etc. See the complete configuration example at the end of this document for more examples. Breaking things down like this makes it easier for you to sort the emails generated by Swatch, and you can tell from one glance at your inbox what kinds of things have been happening on your network.
A good idea is to have redundant alert methods available to Swatch, especially for the more critical events. For example, specify multiple email addresses (preferably belonging to multiple people who can find you) in the more important watchfor sections.
3.6另一个conf例子
Swatch Rules
The main configuration file is/etc/swatch/swatch.conf. Here is a good example:
| File:/etc/swatch/swatch.conf |
# Global swatch filter file
# To ignore a IP-range
ignore /216\.239\.37\./
# Invalid SSH Login Attempts
watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
throttle threshold=3,delay=0:1:0,key=$4
mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Failed SSH Login Attempts
watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
throttle threshold=3,delay=0:1:0,key=$4
mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Invalid SSH Login Attempts. Another one - just formed differently
watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/
throttle threshold=3,delay=0:1:0,key=$4
mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP" |
A little explanation of whats being done:
ignore /216\.239\.37\./This is to ignore, in this case, a IP-range. Very usefull to minimize the possibility that you lock yourself out.
watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/ watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/ watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/This is to search our logs for the string between //. The parens in the first watchfor are important - they break up the log file line into chucks that are used for $1,$2,$3, ... $n. In this case, for example, $1 is ": Invalid User "; $2 is all the junk in the first (.*); $3 is " from "; and $4 is all the junk in the second (.*) -- which happens to be the IP address you want. Note: the $ at the end signifies end of line. Also, note that the $4 works in both the first and third watchfor code block -- this is pure coincidence and you may need to change the $4 to a different paren set if you are working with your own custom watchfor block.
throttle threshold=3,delay=0:1:0,key=$4- The "key" tell swatch how to identify the log line. We can't use the whole string here, because the same attacker (ie the same IP) will probably try multiple user names. The key can refer to one of the parens set in the search string (here, $4 = the IP).
- The "threshold" is the number of times swatch need to see the "key" to execute the actions below.
- The "delay" is the validity of each "key". When older that 'delay', the "key" is discarded. Use a syntax like HH:MM:SS.
Note: If this does work in 3.1.1, it may not work with loggers such as metalog, because it says instead "Last output repeated N times" So naturally swatch won't find multiple occurances often in those cases.
mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"Mail a user stating that a new rule has been added to iptables.
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"Add the offending ip to "swatch_rejects" and drop all future incoming packets from that address. If you are using shorewall, you can define in this way:
exec "/sbin/shorewall drop $4"3.7
Another way to control swatch to a greater degree is to specify what time of day a given action may be performed. You can do this by sticking a “when=” option after any action. For example, below I've got a .swatchrc entry for a medium-importance event I want to know about via console messages during weekdays, but I'll need e-mail messages to know about it during the weekend. To do this I set the when option:
/file system full/ echo=red mail addresses=mick\@visi.com, subject=Volume_Full,when=7-1:1-24The syntax of the when= option iswhen=range_of_days:range_of_hours. Thus, we see that any time the message “file system full” is logged, swatch will echo the log entry to the console in red ink. It will also send e-mail, but only if it's Saturday (“7”) or Sunday (“1”).