我想將sshd日誌條目中的來源 IP 位址儲存到 mysql 資料庫中syslog-ng。目前,我定義了一個過濾器,它與所需日誌條目的子字串相符。
我可以將日誌條目完整地保存到資料庫中,但是係統$MSG日誌條目的一部分包含許多我不想要的額外資料。有沒有辦法「拆分」系統日誌條目的欄位以僅將 IP 位址寫入資料庫?
這是我的配置:
filter f_sshd
{
# (log entry) Sep 5 14:59:20 myhost4 sshd Starting session: shell on pts/0 for rbackup from 10.120.192.25 port 36894 id 0
match("Starting session:" value ("MESSAGE") );
};
destination d_sshd
{
sql( type(mysql)
username("xxxxx")
password("xxxxxxx")
database("syslog")
host("localhost")
table("ssh")
columns("host", "facility", "priority", "level", "pid", "tag", "timestamp", "program", "msg")
values("$HOST", "$FACILITY", "$PRIORITY", "$LEVEL", "$PID", "$TAG","$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC","$PROGRAM", "$MSG")
indexes("timestamp", "host", "program", "pid", "message"));
};
log
{
# s_stunnel is defined in syslog-ng/conf.d/stunnel.conf
source(s_stunnel);
filter(f_sshd);
destination(d_sshd);
};
答案1
您可以使用建立一個解析器syslog-ng-patterndb提取部分訊息。
建立 XML 檔案來定義您的解析器 ( /etc/syslog-ng/template_sshd.xml):
<patterndb version='4' pub_date='2010-10-17'>
<ruleset name='ssh' id='123456678'>
<pattern>ssh</pattern>
<rules>
<rule provider='me' id='182437592347598' class='system'>
<patterns>
<pattern>Starting session: shell on @ESTRING:SSH_TERMINAL: @for @ESTRING:SSH_USERNAME: @from @ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ id @NUMBER:SSH_ID@</pattern>
</patterns>
<examples>
<example>
<test_message program="ssh">Starting session: shell on pts/0 for rbackup from 10.120.192.25 port 36894 id 0</test_message>
<test_values>
<test_value name="SSH_TERMINAL">pts/0</test_value>
<test_value name="SSH_USERNAME">sampleuser</test_value>
<test_value name="SSH_CLIENT_ADDRESS">192.168.10.12</test_value>
<test_value name="SSH_PORT_NUMBER">42156</test_value>
<test_value name="SSH_ID">1</test_value>
</test_values>
</example>
</examples>
</rule>
</rules>
</ruleset>
</patterndb>
然後在你的syslog-ng.conf:
定義解析器:
parser sshd_pattern { db_parser(file("/etc/syslog-ng/template_sshd.xml")); };
在日誌指令中呼叫解析器:
log
{
# s_stunnel is defined in syslog-ng/conf.d/stunnel.conf
source(s_stunnel);
parser(sshd_pattern); <---- call parser
filter(f_sshd);
destination(d_sshd);
};
SSH_CLIENT_ADDRESS在目標中使用解析器中的變數:
destination d_sshd
{
file("/var/log/sshd.log"
template("${SSH_USERNAME}; ${SSH_CLIENT_ADDRESS}; ${HOST}; ${FACILITY}; ${PRIORITY}; ${LEVEL}; ${PID}; ${TAG}; ${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC}; ${PROGRAM}; \n")
template_escape(no)
);
};
單元測試運行:
pdbtool match -P "ssh" -M "Starting session: shell on pts/0 for rbackup from 10.120.192.25 port 36894 id 0" -p template_sshd.xml -c -D -v
應該返回:
SSH_TERMINAL=pts/0
SSH_USERNAME=rbackup
SSH_CLIENT_ADDRESS=10.120.192.25
SSH_PORT_NUMBER=36894
SSH_ID=0
改編自此連結:https://gist.github.com/linickx/8002981
編輯以下評論:
理想情況下,SSH_TERMINAL 金鑰可以吞掉從會話後的空格到裸字的所有內容
像這樣更改 XML 中的模式:
<pattern>Starting session: @ESTRING:SSH_TERMINAL:from @@ESTRING:SSH_CLIENT_ADDRESS: @port @NUMBER:SSH_PORT_NUMBER:@ id @NUMBER:SSH_ID@</pattern>
返回:
# pdbtool match -P "ssh" -M "Starting session: shell on pts/0 for rbackup from 10.120.192.25 port 36894 id 0" -p template_sshd.xml -c -D -v
SSH_TERMINAL=shell on pts/0 for rbackup <-- you got all between "session:" to "from"
SSH_CLIENT_ADDRESS=10.120.192.25
SSH_PORT_NUMBER=36894
SSH_ID=0
關於模式解析器的進一步閱讀:https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/72