elk监控ssh登陆日志,通过脚本实现阈值告警

该博客介绍了如何利用Filebeat、Logstash和Python脚本来监控SSH登陆日志,并设定阈值触发告警。通过Filebeat收集日志,Logstash进行处理,然后使用Python脚本分析`elk_ssh_failed.log`文件,当失败登录次数超过3次时,发送邮件警告。邮件内容包含失败的用户、来源、状态和次数信息。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

filebeat配置:

filebeat.prospectors:

- input_type: log

  paths:
    - /var/log/secure

  exclude_lines: ["nagios"]

output.logstash:
  # The Logstash hosts
  hosts: ["10.0.1.1:5050"]

logstash配置:

input {
       beats {
              port => 5050
       }
}    
filter {
    grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:a_time} %{USERNAME:a_hostname} sshd\[%{WORD:a_jinchen}\]: %{WORD:a_leixing}\s%{WORD:a_fangshi}\sfor\s%{WORD:a_user}\sfrom\s%{IPV4:a_ip}\sport\s%{INT:a_port}\s%{WORD:a_xieyi}"}
    }
}
output {
    elasticsearch{
          hosts => [ "10.0.1.2:9200","10.0.1.3:9200","10.0.1.4:9200" ]
          index=> "logstash-fangwen-%{+YYYY.MM}"
    }
    if [a_leixing] == "Failed" {      
       file {
          path  => "/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log"
          codec => line { format => "custom format: %{message}"}
 }
}
}


python脚本:

import os
if os.path.exists('/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log'):
    file_dict = {}
    input_file = open('/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log')
    line_file = input_file.readlines()
    file_number = len(line_file)
    for i in line_file:
        file_list = i.split()
        file_key = file_list[5]+','+file_list[7]+','+file_list[8]+','+file_list[10]+','+file_list[12]
        if file_key in file_dict.keys():
            number = file_dict[file_key]
            number += 1
            file_dict[file_key] = number
        else:
            file_dict[file_key]=1
    echo_content = ''
    for k,v in file_dict.items():
        if int(v) > 2:
            k_info = k.split(',')
            echo_content += "User: %s \n From: %s\n Land: %s \n State: failed \n Failure Times: %s \n %s \n" % (k_info[3],k_info[4],k_info[0],v,'-'*50)
    if echo_content:
        os.system('echo "'+echo_content+'"| mail -s "ssh_failed:warning!" wzz@csdn.com')
    input_file.close()
    os.system('rm -rf /mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log')

cronteb:

*/5 * * * * /mapbar/app/tools/anaconda2/bin/python  /mapbar/app/elk/logstash-5.0.0/sh/elk_ssh_failed.py  2>&1


原理:

当出现Failed失败时logstash会输出这个消息给elk_ssh_failed.log文件,每五分钟通过python脚本检测文件,如果超过3次发送邮件告警


邮件格式:

User: wangzz
From: ip地址
Land: 登陆的主机名
State: failed
Failure Times: 次数
--------------------------------------------------




评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值