GrayLog日志平台的基本使用-ssh之Email报警

1、首先编辑并添加邮件配置到server.conf（注意：是添加）

vim /etc/graylog/server/server.conf

# Email transport
transport_email_enabled = true
transport_email_hostname = smtp.qq.com
transport_email_port = 465
transport_email_use_auth = true
transport_email_auth_username = [email protected]
transport_email_auth_password = xxxxxxxxx
transport_email_subject_prefix = [graylog]
transport_email_from_email = [email protected]
transport_email_use_tls = false
transport_email_use_ssl = true

2、创建一个新用户

3、在Alerts中，单击右侧Notifications -> Create 创建一个告警类型

收到一封测试邮件

4、在Alerts中选择Event Definitions，来进行告警事件规则的创建。Priority是告警等级，可以按照实际形况选择，完成后点击下一步Next

5、验证

     Linux服务器上进行爆破：watch -n 1 "hydra -l root -p admin@123 192.168.*.* ssh"

6、控制频率，因为ssh爆破是很频繁的

把频率改为1分钟爆破6次才报警

7、钉钉报警

准备一个钉钉群机器人

钉钉机器人安全设置中为webhook所在服务器的公网出口IP

下载webhook

https://github.com/adnanh/webhook

cd /opt
tar -zxvf webhook-linux-amd64.tar.gz -C ./
cp webhook-linux-amd64/webhook ./
chmod 755 webhook
./webhook --help

vi /opt/hooks.json
[
 {
  "id": "push2dingtalk",
  "execute-command" : "/opt/push2robot.sh",
 "pass-arguments-to-command":
  [
    {
      "source":"entire-payload",
      #"name":"parameter-name"
    }
  ]
 } 
]

启动webhook

 ./webhook -hooks /opt/hooks.json -port 8080 --verbose

firewall-cmd --add-port=8080/tcp --permanent --zone=public 
firewall-cmd --reload
并测试
curl -H "Content-Type: application/json" -X POST -d 'test' http://192.168.31.127:8080/hooks/push2dingtalk

再新建HTTP Notification

Title：钉钉机器人告警

URL http://192.168.31.127:8080/hooks/push2dingtalk

接下来配置Alert

配置推送到钉钉机器人的脚本

yum安装jq工具 

yum install -y jq

2个脚本 如下：

[root@centos ~]# cat /opt/push2robot.sh 
#!/bin/bash
PAYLOAD= $1
echo $1 >> /var/log/test.log
PAYLOAD1=`echo $1 | jq '.event_definition_title' | sed 's/"//g'`
PAYLOAD2=`echo $1 | jq '.backlog[].fields.full_message' | sed 's/"//g'`
echo $PAYLOAD1 >> /var/log/payload1.log
echo $PAYLOAD2  >> /var/log/payload2.log
sed -i "s/PAYLOAD1/$PAYLOAD1/g" /opt/alert.json
sed -i "s/PAYLOAD2/$PAYLOAD2/g" /opt/alert.json
curl -H "Content-Type: application/json" -X POST -d @/opt/alert.json https://oapi.dingtalk.com/robot/send?access_token=413d9a8435aeaXXXXXXXXX91648b73a069c7aa2e709595

cat  > /opt/alert.json << \EOF
{
 "msgtype": "markdown",
 "markdown": 
         {
         "title":"PAYLOAD1",
         "text": "#### PAYLOAD1 \n #####原始日志:PAYLOAD2 \n"
     }
}
EOF

chmod 755 /opt/push2robot.sh

触发一下SSH登录失败

watch -n 1 "hydra -l root -p admin@123 192.168.31.232 ssh"