1.logwatch
Introduction
The analysis tool provided by the logwatch package that comes with CentOS 7.x analyzes the log files once a day and mails the results to root in email form!
You can also go straight to the official logwatch website and take a look:
http://www.logwatch.org/
This package is not installed by default, so we need to install it first:
yum -y install logwatch
2.logwatch
To run the analysis, just invoke the logwatch command directly:
[root@ds ~]# logwatch
You have old files in your logwatch tmpdir (/var/cache/logwatch):
logwatch.izuxrYxn
The directories listed above were most likely created by a
logwatch run that failed to complete successfully. If so, you
may delete these directories.
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Sun Jul 25 14:29:05 2021
Date Range Processed: yesterday
( 2021-Jul-24 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: ds
##################################################################
--------------------- Cron Begin ------------------------
**Unmatched Entries**
INFO (RANDOM_DELAY will be scaled with factor 5% if used.)
---------------------- Cron End -------------------------
--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:
45.137.20.150 -> icanhazip.com:443: 4 Time(s)
A total of 4 sites probed the server
125.64.94.138
39.107.86.51
78.128.112.14
87.251.67.40
Requests with error response codes
400 Bad Request
/: 15 Time(s)
null: 6 Time(s)
\\xbf\\x02\\x00\\x88\\x13\\x00\\x00\\x87\\ ... 0/\\x9e\\x16E\n: 1 Time(s)
403 Forbidden
/: 21 Time(s)
http://110.242.68.4/: 1 Time(s)
http://ip.8mu8.com:80/: 1 Time(s)
404 Not Found
/.well-known/security.txt: 2 Time(s)
/favicon.ico: 2 Time(s)
/robots.txt: 2 Time(s)
/GponForm/diag_Form?images/: 1 Time(s)
/boaform/admin/formLogin: 1 Time(s)
/setup.cgi?next_file=netgear.cfg&todo=sysc ... ntsetting.htm=1: 1 Time(s)
405 Method Not Allowed
icanhazip.com:443: 4 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (60.180.135.108): 5 Time(s)
su-l:
Sessions Opened:
admin -> root: 5 Time(s)
admin -> user1: 2 Time(s)
admin -> sd: 1 Time(s)
sudo:
Sessions Opened:
admin -> root: 5 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Postfix Begin ------------------------
4 *Fatal: General fatal
---------------------- Postfix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
New Users:
sd (1003)
New Groups:
sd (1003)
**Unmatched Entries**
passwd: pam_pwquality(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service: 1 Time(s)
polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 1 Time(s)
polkitd: Finished loading, compiling and executing 2 rules: 1 Time(s)
polkitd: Loading rules from directory /etc/polkit-1/rules.d: 1 Time(s)
polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:1392:194784 (system bus name :1.28 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:1414:224758 (system bus name :1.29 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:1453:260139 (system bus name :1.34 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:1459:260363 (system bus name :1.35 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:20078:68802772 (system bus name :1.2804 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Registered Authentication Agent for unix-process:20087:68803118 (system bus name :1.2805 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:1392:194784 (system bus name :1.28, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:1414:224758 (system bus name :1.29, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:1453:260139 (system bus name :1.34, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:1459:260363 (system bus name :1.35, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:20078:68802772 (system bus name :1.2804, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
polkitd: Unregistered Authentication Agent for unix-process:20087:68803118 (system bus name :1.2805, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus): 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
SSHD Killed: 4 Time(s)
SSHD Started: 5 Time(s)
Disconnecting after too many authentication failures for user:
<unknown> : 1 Time(s)
Failed logins from:
60.180.135.108: 9 times
Illegal users from:
undef: 8 times
47.100.179.154: 9 times
Users logging in through sshd:
admin:
118.31.157.60: 4 times
root:
60.180.135.108: 2 times
Received disconnect:
11: : 3 Time(s)
11: Normal Shutdown, Thank you for playing [preauth] : 10 Time(s)
14: No supported authentication methods available [preauth] : 3 Time(s)
Refused incoming connections:
106.15.52.246 (106.15.52.246): 1 Time(s)
118.31.157.2 (118.31.157.2): 2 Time(s)
118.31.157.60 (118.31.157.60): 1 Time(s)
47.100.179.154 (47.100.179.154): 12 Time(s)
5.194.2.127 (5.194.2.127): 1 Time(s)
Maximum authentication attemps exceeded:
root:
60.180.135.108: 1 Times(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
admin => root
-------------
/bin/su - 5 Time(s).
---------------------- Sudo (secure-log) End -------------------------
--------------------- yum Begin ------------------------
Packages Installed:
perl-Date-Manip-6.41-2.el7.noarch
perl-Sys-MemInfo-0.91-7.el7.x86_64
logwatch-7.4.0-35.20130522svn140.el7_5.noarch
perl-Sys-CPU-0.54-4.el7.x86_64
---------------------- yum End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 40G 2.4G 36G 7% /
devtmpfs 909M 0 909M 0% /dev
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
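The report above already points at what is worth acting on: repeated failed logins and illegal-user attempts from a handful of sources. The following POSIX shell snippet is an added example, not part of the original page and not part of logwatch itself. It post-processes a logwatch text report (a constructed excerpt laid out like the SSHD section above, with logwatch's usual indentation) and lists the sources whose failed plus illegal-user attempts reach a threshold, which is the kind of check that can run from cron on the daily mail instead of someone reading it by hand. The function names, the sample file and the threshold value are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page or of logwatch):
# post-process a logwatch text report and list the SSH sources whose
# failed-login count reaches a threshold.

# Write a constructed excerpt of a logwatch SSHD section to the file named in $1.
# The layout mirrors the report above (logwatch indents entries with spaces).
write_sample_report() {
    cat > "$1" <<'EOF'
 --------------------- SSHD Begin ------------------------

 Failed logins from:
    60.180.135.108: 9 times
    10.0.0.7: 2 times

 Illegal users from:
    undef: 8 times
    47.100.179.154: 9 times

 Users logging in through sshd:
    admin:
       118.31.157.60: 4 times

 ---------------------- SSHD End -------------------------
EOF
}

# Print "<source> <count>" for every entry under the "Failed logins from:" and
# "Illegal users from:" headings of the SSHD section. Entries under other
# headings (for example successful logins) are ignored.
failed_sources() {
    awk '
        /SSHD Begin/ { in_sshd = 1; next }
        /SSHD End/   { in_sshd = 0 }
        !in_sshd     { next }
        /^ *(Failed logins|Illegal users) from:/ { collecting = 1; next }
        collecting && /^ *[^ :]+: [0-9]+ times/ {
            sub(/:$/, "", $1); print $1, $2; next
        }
        { collecting = 0 }   # any other line (blank or a new heading) ends the list
    ' "$1"
}

# Print only the sources whose total (failed + illegal) is at least $2, sorted.
sources_over_threshold() {
    failed_sources "$1" | awk -v limit="$2" '
        { total[$1] += $2 }
        END { for (s in total) if (total[s] >= limit) print s, total[s] }
    ' | LC_ALL=C sort
}
```

Run against the real file with something like `sources_over_threshold /var/cache/logwatch/last-report.txt 5`, where the report has been saved with `logwatch --output stdout > file` first; the same two functions work on the mail body if it is piped into a file from a mail filter.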
3. The script Vbird (鸟哥) wrote himself
Download address:
http://linux.vbird.org//linux_basic/0570syslog//logfile_centos7.tar.gz
What the script analyzes is as follows:
[root@study ~]# tar -zxvf /logfile_centos7.tar.gz -C /
[root@study ~]# cat /etc/cron.d/vbirdlogfile
10 0 * * * root /bin/bash /root/bin/logfile/logfile.sh &> /dev/null
[root@study ~]# sh /root/bin/logfile/logfile.sh
# Starts analyzing the system's log files; depending on the size of your logs, the time the analysis takes is not fixed!
[root@study ~]# mail
# Find the result you just produced; its output looks roughly like this:
Heirloom Mail version 12.5 7/5/10. Type ? for help.
"/var/spool/mail/root": 9 messages 4 new 7 unread
N 8 root Thu Aug 20 19:26 60/2653 "study.centos.vbird logfile analysis results"
>N 9 root Thu Aug 20 19:37 59/2612 "study.centos.vbird logfile analysis results"
& 9
# First look at the hardware and operating system situation; the partition usage in particular needs constant attention!
=============== system summary =================================
Linux kernel : Linux version 3.10.0-229.el7.x86_64 (builder@kbuilder.dev.centos.org)
CPU informatin: 2 Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
CPU speed : 2299.996 MHz
hostname is : study.centos.vbird
Network IP : 192.168.1.100
Check time : 2015/August/20 19:37:25 ( Thursday )
Summary date : Aug 20
Up times : 3 days, 59 min,
Filesystem summary:
Filesystem Type Size Used Avail Use% Mounted on
/dev/mapper/centos-root xfs 10G 3.7G 6.3G 37% /
devtmpfs devtmpfs 1.4G 0 1.4G 0% /dev
tmpfs tmpfs 1.4G 48K 1.4G 1% /dev/shm
tmpfs tmpfs 1.4G 8.7M 1.4G 1% /run
tmpfs tmpfs 1.4G 0 1.4G 0% /sys/fs/cgroup
/dev/vda2 xfs 1014M 141M 874M 14% /boot
/dev/vda4 xfs 1014M 33M 982M 4% /srv/myproject
/dev/mapper/centos-home xfs 5.0G 642M 4.4G 13% /home
/dev/mapper/raidvg-raidlv xfs 1.5G 33M 1.5G 3% /srv/raidlvm
/dev/sr0 iso9660 7.1G 7.1G 0 100% /mnt
# This program shows the ports listening towards the internet separately from the internal ones!
================= Ports 的相关分析信息 =======================
主机启用的 port 与相关的 process owner:
对外部接口开放的 ports (PID|owner|command)
tcp 21|(root)|/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
tcp 22|(root)|/usr/sbin/sshd -D
tcp 25|(root)|/usr/libexec/postfix/master -w
tcp 222|(root)|/usr/sbin/sshd -f /etc/ssh/sshd2_config -D
tcp 514|(root)|/usr/sbin/rsyslogd -n
tcp 555|(root)|/usr/sbin/vsftpd /etc/vsftpd/vsftpd2.conf
# Below, each running service is analyzed individually!
================= SSH 的登录文件信息汇整 =======================
今日没有使用 SSH 的纪录
================= Postfix 的登录文件信息汇整 ===================
使用者信箱受信次数
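Vbird's script is essentially shell and awk parsing over /var/log/secure and the other system logs, cron-driven, with the result mailed to root. The block below is an added example in the same spirit; it is not Vbird's code and not the script from the tarball above. It writes a constructed /var/log/secure excerpt (standard CentOS 7 sshd, pam_unix and sudo line formats; the source addresses are the ones that appear in the logwatch report earlier on this page), then summarizes for one day the failed sshd passwords per source and user, the accepted logins, and the su sessions recorded by pam_unix, mirroring the sshd, su-l and Sudo sections of both reports. Function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example in the spirit of Vbird's logfile.sh; not Vbird's code.
# Parses /var/log/secure-style lines for one day and prints a short report.
# Function names and the sample log are assumptions (constructed data).

# Write a constructed /var/log/secure excerpt to the file named in $1.
write_sample_secure() {
    cat > "$1" <<'EOF'
Aug 20 19:20:01 study sshd[1201]: Failed password for root from 60.180.135.108 port 40210 ssh2
Aug 20 19:20:03 study sshd[1201]: Failed password for root from 60.180.135.108 port 40210 ssh2
Aug 20 19:20:09 study sshd[1203]: Invalid user oracle from 47.100.179.154 port 51022
Aug 20 19:20:10 study sshd[1203]: Failed password for invalid user oracle from 47.100.179.154 port 51022 ssh2
Aug 20 19:25:44 study sshd[1210]: Accepted publickey for admin from 118.31.157.60 port 52100 ssh2: RSA SHA256:CONSTRUCTED
Aug 20 19:26:02 study su: pam_unix(su-l:session): session opened for user root by admin(uid=1000)
Aug 20 19:30:15 study polkitd[620]: Loading rules from directory /etc/polkit-1/rules.d
Aug 21 00:10:00 study sshd[1300]: Failed password for root from 60.180.135.108 port 40300 ssh2
EOF
}

# Lines whose "Mon DD" prefix is not the requested day ($2, e.g. "Aug 20") are
# skipped. awk's default field splitting absorbs syslog's double space before
# single-digit days, so "Aug 5" also matches "Aug  5" in the log.
# Output: "<source-ip> <user> <count>", sorted.
failed_by_source() {
    awk -v day="$2" '
        ($1 " " $2) != day { next }
        /sshd\[[0-9]+\]: Failed password for / {
            # "... for [invalid user ]<name> from <ip> port ..."
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            count[ip " " user]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | LC_ALL=C sort
}

# Output: "<user> <source-ip> <method> <count>" for successful sshd logins.
accepted_logins() {
    awk -v day="$2" '
        ($1 " " $2) != day { next }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            }
            count[user " " ip " " method]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | LC_ALL=C sort
}

# Output: "<caller> -> <target> <count>" for su sessions opened through pam_unix.
# CentOS 7 logs the service as "su-l" for "su -" and "su" for plain su.
su_sessions() {
    awk -v day="$2" '
        ($1 " " $2) != day { next }
        /su: pam_unix\(su(-l)?:session\): session opened for user / {
            for (i = 1; i <= NF; i++) {
                if ($i == "user") target = $(i + 1)
                if ($i == "by") { caller = $(i + 1); sub(/\(.*$/, "", caller) }
            }
            count[caller " -> " target]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | LC_ALL=C sort
}

# Print the report for log file $1 and day $2, roughly in the layout of Vbird's mail.
daily_report() {
    echo "=============== sshd / su summary for $2 on $(hostname 2>/dev/null || echo unknown) ==============="
    echo "Failed password attempts (source user count):"
    failed_by_source "$1" "$2" | sed 's/^/    /'
    echo "Accepted logins (user source method count):"
    accepted_logins "$1" "$2" | sed 's/^/    /'
    echo "su sessions opened (caller -> target count):"
    su_sessions "$1" "$2" | sed 's/^/    /'
}
```

To run it the way the page's cron entry runs logfile.sh, call `daily_report /var/log/secure "$(date -d yesterday '+%b %e' | sed 's/  / /')" | mail -s "logfile analysis results" root` from a cron.d line like the `10 0 * * *` one shown above; the `sed` collapses the padded day so it matches what the functions expect.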