여기에서는 /var/log/secure 에 대한 로그파일만 대상으로 함.
(첨부파일에 syslog에 대해 자세히 나와 있음)
1. syslog에서 떨어지는 secure 파일 위치 : /var/log/secure
2. logrotate 를 사용하여 떨어지는 secure 파일 제어 (주의: 배포판 기본 /etc/logrotate.d/syslog 항목에 /var/log/secure 가 이미 포함되어 있으면 그 항목에서 먼저 빼야 함 — 같은 파일을 두 번 정의하면 logrotate 가 duplicate log entry 오류를 냄)
$> vi /etc/logrotate.d/syslog
/var/log/secure {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
rotate 31 # 한달분량 저장
daily # 매일 파일 분리
create 600 root root
}
$> cat /etc/cron.daily/logrotate # 매일 실행
/usr/bin/logrotate /etc/logrotate.conf
3. 서버내 이중저장
$> vi /etc/syslog.conf
authpriv.* /var/log/secure
authpriv.* /root/logBackup/secure
# /root/logBackup 디렉터리는 미리 만들어 두어야 함 (syslogd 는 디렉터리를 만들지 않음).
# 같은 서버 안의 복사본은 root 권한을 얻은 공격자가 함께 지울 수 있으므로, 위변조 대비는 4번의 외부 저장으로 해야 함.
$> /etc/init.d/syslog restart
4. 서버 외부 저장
<로그보낼서버>
$> vi /etc/syslog.conf
authpriv.* @XXX.XXX.XXX.XXX
# @ 는 UDP 514 평문 전송 (암호화/인증 없음, 유실 가능). 신뢰된 관리망에서만 사용하고 방화벽으로 송수신 호스트를 제한할 것.
$> /etc/init.d/syslog restart
<로그받을서버>
$> vi /etc/sysconfig/syslog 파일내에 설정된
SYSLOGD_OPTIONS="-r -m 0" 로 변경 (-r: 원격 수신 허용, -m 0: 주기적 MARK 메시지 끔)
* -r 은 모든 호스트에서 오는 UDP 514 메시지를 받으므로, iptables 로 로그보낼서버 IP 만 허용하도록 제한해야 함.
$> /etc/init.d/syslog restart
* 두 서버 모두의 hosts 파일 설정으로 hostname으로 기록 가능
5. /var/log/secure 파일 파싱
$> vi montVarLogSecure.py
#!/usr/bin/env python
import sys, re, os, time
def getWho():
    """Return the raw output of ``who`` (users currently logged in).

    The command has no user-controlled parts. If it cannot be run, the
    shell's error goes to stderr and an empty string is returned.
    """
    pipe = os.popen('who')
    try:
        return pipe.read()
    finally:
        pipe.close()
def getScreen():
    """Return the output of ``screen -wls`` with each line cut at its first "in".

    The awk stage (``-F 'in' '{print $1}'``) keeps only the text before the
    first occurrence of ``in`` on each line. NOTE(review): whether ``-wls``
    is a valid switch combination for the installed screen is not checked
    here; any error goes to stderr and the result is ''.
    """
    command = "screen -wls | awk -F 'in' '{print $1}'"
    pipe = os.popen(command)
    try:
        return pipe.read()
    finally:
        pipe.close()
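# Matches the part of an sshd "Failed password" line up to and including the
# user name prefix; what remains is "<user> from <ip> port <n> ssh2".
_FAILED_PASSWORD_PREFIX = re.compile(r".*sshd.*Failed password for (invalid user )?")


def _log_lines(logfile):
    """Return the lines of ``logfile`` without trailing newlines.

    The original helpers ran ``cat <logfile> | grep ...`` through a shell
    with the path pasted into the command string, so a path containing
    shell metacharacters would have been executed rather than read.
    Reading the file in Python removes the shell entirely.

    A missing or unreadable file is reported on stderr and yields an
    empty list, which preserves the old best-effort behaviour (grep on an
    empty pipe produced no output instead of aborting the report).
    """
    try:
        with open(logfile) as fh:
            return fh.read().splitlines()
    except IOError as exc:
        sys.stderr.write("%s: %s\n" % (logfile, exc))
        return []


def _field(fields, n):
    """awk-style ``$n`` (1-based): '' when the record has fewer than n fields."""
    return fields[n - 1] if len(fields) >= n else ""


def _select(logfile, keep):
    """Return every line of ``logfile`` for which ``keep(line)`` is true, newline-terminated."""
    return "".join(line + "\n" for line in _log_lines(logfile) if keep(line))


def sucLogin(logfile):
    """Successful ssh logins, one ``MON DAY TIME User: NAME `` line each.

    Any line containing ``Accepted`` is taken; field 9 is the user name in
    sshd's ``Accepted <method> for <user> from ...`` message.
    """
    out = []
    for line in _log_lines(logfile):
        if 'Accepted' in line:
            f = line.split()
            out.append("%s %s %s User: %s \n" % (_field(f, 1), _field(f, 2), _field(f, 3), _field(f, 9)))
    return "".join(out)


def sudoSucLogin(logfile):
    """Root sessions opened via PAM, one ``MON DAY TIME Sudo User: WHO `` line each.

    Field 13 is the ``by <user>(uid=N)`` token of sudo's pam_unix line.
    NOTE(review): other PAM services (su, sshd) log the same phrase with a
    different field layout, so field 13 may then be ``(uid=0)`` or empty;
    the original awk had the same limitation.
    """
    out = []
    for line in _log_lines(logfile):
        if 'session opened for user root' in line:
            f = line.split()
            out.append("%s %s %s Sudo User: %s \n" % (_field(f, 1), _field(f, 2), _field(f, 3), _field(f, 13)))
    return "".join(out)


def invalidUser(logfile):
    """Lines for logins to non-existent accounts (sshd's ``Invalid user`` message)."""
    return _select(logfile, lambda line: 'Invalid user' in line)


def failedPassword(logfile):
    """``Failed password`` lines for accounts that exist.

    The original filter was ``grep -v invaild`` (typo), so attempts against
    invalid users were never excluded; they are now dropped by a
    case-insensitive match on ``invalid``.
    """
    return _select(logfile,
                   lambda line: 'Failed password' in line and 'invalid' not in line.lower())


def refusedUser(logfile):
    """Lines containing ``refused`` (e.g. connections refused by sshd)."""
    return _select(logfile, lambda line: 'refused' in line)


def deniedUser(logfile):
    """Lines containing ``access denied`` or ``Permission denied``, excluding cron's.

    The original pattern was ``access denied\\}Permission denied`` — ``\\}``
    instead of the ``\\|`` alternation — so it never matched as intended.
    """
    return _select(logfile,
                   lambda line: 'cron' not in line
                   and ('access denied' in line or 'Permission denied' in line))


def fatalNotices(logfile):
    """ssh-related lines mentioning ``Permission denied``, ``fatal`` or ``error``."""
    return _select(logfile,
                   lambda line: 'ssh' in line
                   and ('Permission denied' in line or 'fatal' in line or 'error' in line))


def expireDate(logfile):
    """Lines recording account expiry changes (``changed password expiry`` / ``expiration from``)."""
    return _select(logfile,
                   lambda line: 'changed password expiry' in line or 'expiration from' in line)


def top5ip(logfile):
    """Five most frequent source addresses of ``Failed password`` attempts.

    Output mimics ``uniq -c | sort -rn | head -5``: ``%7d <ip>`` per line,
    most frequent first; ties are ordered by reverse byte order of the
    address, as ``sort -r`` does for its last-resort comparison. Attempts
    against invalid users are counted too.
    """
    counts = {}
    for line in _log_lines(logfile):
        rest, replaced = _FAILED_PASSWORD_PREFIX.subn("", line)
        if replaced:
            # remainder is "<user> from <ip> port <n> ssh2"; the ip is field 3
            ip = _field(rest.split(), 3)
            counts[ip] = counts.get(ip, 0) + 1
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=True)
    return "".join("%7d %s\n" % (cnt, ip) for ip, cnt in ranked[:5])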
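def _prompt(message):
    """Read one line from the terminal (``raw_input`` on Python 2, ``input`` on 3)."""
    try:
        return raw_input(message)
    except NameError:  # Python 3 renamed raw_input to input
        return input(message)


def _write_section(ofh, title, body):
    """Write one report section as the old ``print >> ofh`` pair did: title then body, each newline-terminated."""
    ofh.write("%s\n%s\n" % (title, body))


def main(argv):
    """Write a login-activity report for ``argv[1]`` (log file) into ``argv[2]`` (directory).

    Missing arguments are prompted for. The report is named after the
    current time (``YYYYmmddHHMMSS``) and is created with mode 0600 because
    it lists user names and source addresses. I/O errors are printed on
    stdout, as before, instead of propagating.
    """
    try:
        logfile = argv[1] if len(argv) > 1 else _prompt("Please enter a log file to parse, e.g. /var/log/secure ")
        outpath = argv[2] if len(argv) > 2 else _prompt("Please enter a out path, e.g. ~/logOut/ ")
        # The old os.system('mkdir -p ' + outpath) handed whatever was typed to
        # a shell, and a '~' typed at the prompt was expanded by that shell but
        # not by the later open(), so the report then failed to open.
        outpath = os.path.expanduser(outpath)
        try:
            os.makedirs(outpath)
        except OSError:
            if not os.path.isdir(outpath):
                raise
        # os.path.join replaces ``outpath + stamp``, which glued the timestamp
        # onto the directory name when the path had no trailing '/'.
        outfile = os.path.join(outpath, time.strftime('%Y%m%d%H%M%S'))
        fd = os.open(outfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        # ``with`` closes the file on error too; the old ofh.close() was skipped on exceptions.
        with os.fdopen(fd, 'w') as ofh:
            _write_section(ofh, "# Who is online: ", getWho())
            _write_section(ofh, "# Active Screen Sessions: ", getScreen())
            _write_section(ofh, "# List out successful ssh login attempts: ", sucLogin(logfile))
            _write_section(ofh, "# List out successful ssh login attempts from sudo users: ", sudoSucLogin(logfile))
            _write_section(ofh, "# List out ssh login attempts from non-existing and unauthorized user accounts: ", invalidUser(logfile))
            _write_section(ofh, "# List out ssh login attempts by authorized ssh accounts with failed password: ", failedPassword(logfile))
            _write_section(ofh, "# List out refused ssh login attempts: ", refusedUser(logfile))
            _write_section(ofh, "# List out denied ssh login attempts: ", deniedUser(logfile))
            _write_section(ofh, "# List out fatal and miscellaneous ssh session/restart notices: ", fatalNotices(logfile))
            _write_section(ofh, "# List out all successful system account expireation date changes: ", expireDate(logfile))
            _write_section(ofh, "# Top 5 attacker IP adresses: ", top5ip(logfile))
    except (IOError, OSError) as exc:
        print("I/O Error (%s) : %s" % (exc.errno, exc.strerror))


if __name__ == '__main__':
    main(sys.argv)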
$> vi /etc/cron.daily/exe.cron
#!/bin/sh
# cron 환경에서는 ~ 확장이 HOME 설정에 의존하므로 절대 경로 사용
python /usr/local/bin/montVarLogSecure.py /var/log/secure /root/logOut/
(run-parts 가 실행하도록 chmod 700 /etc/cron.daily/exe.cron 필요. 결과 파일에는 계정명과 접속 IP 가 들어가므로 출력 디렉터리 권한도 root 전용으로 둘 것)