1.logwatch

简介

CentOS 7.x 上面默认
的 logwatch 这个套件所提供的分析工具, 他会每天分析一次登录文件,并且将数据以
email 的格式寄送给 root 呢!
你也可以直接到 logwatch 的官方网站上面看看:
http://www.logwatch.org/

这个软件默认是没有安装的额我们要先安装
yum -y install logwatch

2.logwatch

分析的时候直接使用命令 就行 logwatch 

  1. [root@ds ~]# logwatch
  2. You have old files in your logwatch tmpdir (/var/cache/logwatch):
  3.         logwatch.izuxrYxn
  4. The directories listed above were most likely created by a
  5. logwatch run that failed to complete successfully.  If so, you
  6. may delete these directories.
  9.  ################### Logwatch 7.4.0 (03/01/11) ####################
  10.         Processing Initiated: Sun Jul 25 14:29:05 2021
  11.         Date Range Processed: yesterday
  12.                               ( 2021-Jul-24 )
  13.                               Period is day.
  14.         Detail Level of Output: 0
  15.         Type of Output/Format: stdout / text
  16.         Logfiles for Host: ds
  17.  ##################################################################
  19.  --------------------- Cron Begin ------------------------
  21.  **Unmatched Entries**
  22.  INFO (RANDOM_DELAY will be scaled with factor 5% if used.)
  24.  ---------------------- Cron End -------------------------
  27.  --------------------- httpd Begin ------------------------
  30.  Connection attempts using mod_proxy:
  31.     45.137.20.150 -> icanhazip.com:443: 4 Time(s)
  33.  A total of 4 sites probed the server
  34.     125.64.94.138
  35.     39.107.86.51
  36.     78.128.112.14
  37.     87.251.67.40
  39.  Requests with error response codes
  40.     400 Bad Request
  41.        /: 15 Time(s)
  42.        null: 6 Time(s)
  43.        \\xbf\\x02\\x00\\x88\\x13\\x00\\x00\\x87\\ ... 0/\\x9e\\x16E\n: 1 Time(s)
  44.     403 Forbidden
  45.        /: 21 Time(s)
  46.        http://110.242.68.4/: 1 Time(s)
  47.        http://ip.8mu8.com:80/: 1 Time(s)
  48.     404 Not Found
  49.        /.well-known/security.txt: 2 Time(s)
  50.        /favicon.ico: 2 Time(s)
  51.        /robots.txt: 2 Time(s)
  52.        /GponForm/diag_Form?images/: 1 Time(s)
  53.        /boaform/admin/formLogin: 1 Time(s)
  54.        /setup.cgi?next_file=netgear.cfg&todo=sysc ... ntsetting.htm=1: 1 Time(s)
  55.     405 Method Not Allowed
  56.        icanhazip.com:443: 4 Time(s)
  58.  ---------------------- httpd End -------------------------
  61.  --------------------- pam_unix Begin ------------------------
  63.  sshd:
  64.     Authentication Failures:
  65.        root (60.180.135.108): 5 Time(s)
  67.  su-l:
  68.     Sessions Opened:
  69.        admin -> root: 5 Time(s)
  70.        admin -> user1: 2 Time(s)
  71.        admin -> sd: 1 Time(s)
  73.  sudo:
  74.     Sessions Opened:
  75.        admin -> root: 5 Time(s)
  78.  ---------------------- pam_unix End -------------------------
  81.  --------------------- Postfix Begin ------------------------
  83.         4   *Fatal:   General fatal
  86.  ---------------------- Postfix End -------------------------
  89.  --------------------- Connections (secure-log) Begin ------------------------
  91.  New Users:
  92.     sd (1003)
  94.  New Groups:
  95.     sd (1003)
  98.  **Unmatched Entries**
  99.     passwd: pam_pwquality(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service: 1 Time(s)
  100.     polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 1 Time(s)
  101.     polkitd: Finished loading, compiling and executing 2 rules: 1 Time(s)
  102.     polkitd: Loading rules from directory /etc/polkit-1/rules.d: 1 Time(s)
  103.     polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 1 Time(s)
  104.     polkitd: Registered Authentication Agent for unix-process:1392:194784 (system bus name :1.28 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  105.     polkitd: Registered Authentication Agent for unix-process:1414:224758 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  106.     polkitd: Registered Authentication Agent for unix-process:1453:260139 (system bus name :1.34 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  107.     polkitd: Registered Authentication Agent for unix-process:1459:260363 (system bus name :1.35 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  108.     polkitd: Registered Authentication Agent for unix-process:20078:68802772 (system bus name :1.2804 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  109.     polkitd: Registered Authentication Agent for unix-process:20087:68803118 (system bus name :1.2805 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
  110.     polkitd: Unregistered Authentication Agent for unix-process:1392:194784 (system bus name :1.28, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  111.     polkitd: Unregistered Authentication Agent for unix-process:1414:224758 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  112.     polkitd: Unregistered Authentication Agent for unix-process:1453:260139 (system bus name :1.34, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  113.     polkitd: Unregistered Authentication Agent for unix-process:1459:260363 (system bus name :1.35, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  114.     polkitd: Unregistered Authentication Agent for unix-process:20078:68802772 (system bus name :1.2804, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  115.     polkitd: Unregistered Authentication Agent for unix-process:20087:68803118 (system bus name :1.2805, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
  117.  ---------------------- Connections (secure-log) End -------------------------
  120.  --------------------- SSHD Begin ------------------------
  123.  SSHD Killed: 4 Time(s)
  125.  SSHD Started: 5 Time(s)
  127.  Disconnecting after too many authentication failures for user:
  128.     <unknown> : 1 Time(s)
  130.  Failed logins from:
  131.     60.180.135.108: 9 times
  133.  Illegal users from:
  134.     undef: 8 times
  135.     47.100.179.154: 9 times
  137.  Users logging in through sshd:
  138.     admin:
  139.        118.31.157.60: 4 times
  140.     root:
  141.        60.180.135.108: 2 times
  144.  Received disconnect:
  145.     11: : 3 Time(s)
  146.     11: Normal Shutdown, Thank you for playing [preauth] : 10 Time(s)
  147.     14: No supported authentication methods available [preauth] : 3 Time(s)
  149.  Refused incoming connections:
  150.        106.15.52.246 (106.15.52.246): 1 Time(s)
  151.        118.31.157.2 (118.31.157.2): 2 Time(s)
  152.        118.31.157.60 (118.31.157.60): 1 Time(s)
  153.        47.100.179.154 (47.100.179.154): 12 Time(s)
  154.        5.194.2.127 (5.194.2.127): 1 Time(s)
  156.  Maximum authentication attemps exceeded:
  157.      root:
  158.       60.180.135.108: 1 Times(s)
  160.  ---------------------- SSHD End -------------------------
  163.  --------------------- Sudo (secure-log) Begin ------------------------
  166.  admin => root
  167.  -------------
  168.  /bin/su                        -   5 Time(s).
  170.  ---------------------- Sudo (secure-log) End -------------------------
  173.  --------------------- yum Begin ------------------------
  176.  Packages Installed:
  177.     perl-Date-Manip-6.41-2.el7.noarch
  178.     perl-Sys-MemInfo-0.91-7.el7.x86_64
  179.     logwatch-7.4.0-35.20130522svn140.el7_5.noarch
  180.     perl-Sys-CPU-0.54-4.el7.x86_64
  182.  ---------------------- yum End -------------------------
  185.  --------------------- Disk Space Begin ------------------------
  187.  Filesystem      Size  Used Avail Use% Mounted on
  188.  /dev/vda1        40G  2.4G   36G   7% /
  189.  devtmpfs        909M     0  909M   0% /dev
  192.  ---------------------- Disk Space End -------------------------
  195.  ###################### Logwatch End #########################

2.鸟哥自己写的脚本

下载地址
http://linux.vbird.org//linux_basic/0570syslog//logfile_centos7.tar.gz
脚本分析的内容如下:

[root@study ~]# tar -zxvf /logfile_centos7.tar.gz -C / 
[root@study ~]# cat /etc/cron.d/vbirdlogfile 
10 0 * * * root /bin/bash /root/bin/logfile/logfile.sh &> /dev/null 
[root@study ~]# sh /root/bin/logfile/logfile.sh 
# 开始尝试分析系统的登录文件,依据你的登录文件大小,分析的时间不固定! 
[root@study ~]# mail 
# 自己找到刚刚输出的结果,该结果的输出有点像下面这样: 
Heirloom Mail version 12.5 7/5/10. Type ? for help. 
"/var/spool/mail/root": 9 messages 4 new 7 unread 
N 8 root Thu Aug 20 19:26 60/2653 "study.centos.vbird logfile analysis results" 
>N 9 root Thu Aug 20 19:37 59/2612 "study.centos.vbird logfile analysis results" 
& 9 
# 先看看你的硬件与操作系统的相关情况,尤其是 partition 的使用量更需要随时注意! 
=============== system summary ================================= 
Linux kernel : Linux version 3.10.0-229.el7.x86_64 (builder@kbuilder.dev.centos.org) 
CPU informatin: 2 Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz 
CPU speed : 2299.996 MHz 
hostname is : study.centos.vbird 
Network IP : 192.168.1.100 
Check time : 2015/August/20 19:37:25 ( 
Thursday ) 
Summary date : Aug 20 
Up times : 3 days, 59 min, 
Filesystem summary: 
Filesystem Type Size Used Avail Use% Mounted on 
/dev/mapper/centos-root xfs 10G 3.7G 6.3G 37% /devtmpfs devtmpfs 1.4G 0 1.4G 0% /dev 
tmpfs tmpfs 1.4G 48K 1.4G 1% /dev/shm 
tmpfs tmpfs 1.4G 8.7M 1.4G 1% /run 
tmpfs tmpfs 1.4G 0 1.4G 0% /sys/fs/cgroup 
/dev/vda2 xfs 1014M 141M 874M 14% /boot 
/dev/vda4 xfs 1014M 33M 982M 4% /srv/myproject 
/dev/mapper/centos-home xfs 5.0G 642M 4.4G 13% /home 
/dev/mapper/raidvg-raidlv xfs 1.5G 33M 1.5G 3% /srv/raidlvm 
/dev/sr0 iso9660 7.1G 7.1G 0 100% /mnt 
# 这个程序会将针对 internet 与内部监听的端口分开来显示! 
================= Ports 的相关分析信息 ======================= 
主机启用的 port 与相关的 process owner: 
对外部接口开放的 ports (PID|owner|command) 
tcp 21|(root)|/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf 
tcp 22|(root)|/usr/sbin/sshd -D 
tcp 25|(root)|/usr/libexec/postfix/master -w 
tcp 222|(root)|/usr/sbin/sshd -f /etc/ssh/sshd2_config -D 
tcp 514|(root)|/usr/sbin/rsyslogd -n 
tcp 555|(root)|/usr/sbin/vsftpd /etc/vsftpd/vsftpd2.conf 
# 以下针对有启动的服务个别进行分析! 
================= SSH 的登录文件信息汇整 ======================= 
今日没有使用 SSH 的纪录 
================= Postfix 的登录文件信息汇整 =================== 
使用者信箱受信次数