Section 2: CentOS system logs

Reference: 《深度解析CentOS通过日志反查入侵》 (In-depth: tracing an intrusion on CentOS back through its logs) http://www.centoscn.com/CentosSecurity/CentosSafe/2014/0304/2490.html

Grok patterns for login logs (/var/log/secure)

1. secure log: parsing successful SSH logins ("Accepted ... for")

Aug 31 01:45:17 localhost sshd[9995]: Accepted password for root from 10.136.122.52 port 63715 ssh2
Sep  6 15:40:43 t0-security-tdas02 sshd[11937]: Accepted password for root from 10.135.52.138 port 37421 ssh2

%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\[%{INT:pid}\]: Accepted %{WORD:auth_method} for %{USERNAME:user} from %{IP:src_ip} port %{INT:src_port} %{WORD:ssh_version}

{"timestamp"=>["Aug 31 01:45:17"], "MONTH"=>["Aug"], "MONTHDAY"=>["31"], "TIME"=>["01:45:17"], "HOUR"=>["01"], "MINUTE"=>["45"], "SECOND"=>["17"], "host"=>["localhost"], "program"=>["sshd"], "pid"=>["9995"], "auth_method"=>["password"], "user"=>["root"], "src_ip"=>["10.136.122.52"], "IPV6"=>[nil], "IPV4"=>["10.136.122.52"], "src_port"=>["63715"], "ssh_version"=>["ssh2"]}

Notes: %{WORD} (\w+) does not match a hostname containing a hyphen such as t0-security-tdas02 in the second sample line, so the host field must be %{HOSTNAME}; the same applies to user names with dots or hyphens, which is why the user is %{USERNAME}. Capturing the authentication method instead of hard-coding "password" also matches key-based logins ("Accepted publickey for ..."), which an attacker who has planted an authorized_keys entry will produce. Anchoring the port on the literal word "port" is clearer and cheaper than ".*", which has to backtrack from the end of the line.

2. secure log: parsing failed SSH logins ("Failed ... for")

Aug 31 01:43:58 localhost sshd[9995]: Failed password for root from 10.136.122.52 port 63715 ssh2
Aug 31 02:57:49 localhost sshd[10371]: Failed password for anbc from 10.136.122.52 port 65514 ssh2


%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\[%{INT:pid}\]: Failed %{WORD:auth_method} for (?:invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{INT:src_port} %{WORD:ssh_version}

{"timestamp"=>["Aug 31 01:43:58"], "MONTH"=>["Aug"], "MONTHDAY"=>["31"], "TIME"=>["01:43:58"], "HOUR"=>["01"], "MINUTE"=>["43"], "SECOND"=>["58"], "host"=>["localhost"], "program"=>["sshd"], "pid"=>["9995"], "auth_method"=>["password"], "user"=>["root"], "src_ip"=>["10.136.122.52"], "IPV6"=>[nil], "IPV4"=>["10.136.122.52"], "src_port"=>["63715"], "ssh_version"=>["ssh2"]}

Notes: when the account does not exist, sshd writes "Failed password for invalid user <name> from ...", and a pattern without the optional "(?:invalid user )?" silently drops exactly the lines a brute-force tool produces while it is still guessing user names. Use the same field names (host, src_ip, src_port, user) in every sshd pattern so that failures and successes can be counted and correlated on those keys.

3. secure log: parsing SSH disconnects ("Received disconnect from")

Aug 31 03:02:35 localhost sshd[10417]: Received disconnect from 10.136.122.52: 11: disconnected by user
Sep  6 15:41:09 t0-security-tdas02 sshd[11937]: Received disconnect from 10.135.52.138: 11: disconnected by user

%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}\[%{INT:pid}\]: Received disconnect from %{IP:src_ip}: %{INT:reason_code}: %{GREEDYDATA:reason}

{"timestamp"=>["Aug 31 03:02:35"], "MONTH"=>["Aug"], "MONTHDAY"=>["31"], "TIME"=>["03:02:35"], "HOUR"=>["03"], "MINUTE"=>["02"], "SECOND"=>["35"], "host"=>["localhost"], "program"=>["sshd"], "pid"=>["10417"], "src_ip"=>["10.136.122.52"], "IPV6"=>[nil], "IPV4"=>["10.136.122.52"], "reason_code"=>["11"], "reason"=>["disconnected by user"]}

Notes: the disconnect code and text are worth keeping (11 is a normal client-initiated close; other codes point at protocol errors or a server-side drop). Newer OpenSSH releases (7.x and later) put the source port before the code, "Received disconnect from 10.135.52.138 port 37421:11: disconnected by user", so a pattern that has to serve mixed hosts needs an optional "(?: port %{INT:src_port})?" after the IP. Do not pair logins with disconnects on pid alone: in the first sample pair the Accepted line carries pid 9995 and the disconnect 10417 (the disconnect was logged by a different sshd process), while on the second host both carry 11937. Host plus source IP, and source port when the line has one, is the reliable join key.
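The three patterns above, turned into a small offline parser together with the two checks the referenced article is about (many failures from one source, and a login that succeeds after a run of failures) and the pairing of logins with disconnects into sessions. This is an added example, not code from the original page or from the referenced article: it uses Python's re module instead of grok, the sample log is the page's own lines plus a few constructed ones (two extra failures at 01:44, an "invalid user" variant of the anbc line, and a newer-format disconnect for the second host), and the year 2014 is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Python re equivalents of the grok patterns in this section. SYSLOGTIMESTAMP
# allows more than one space before the day ("Sep  6"); %{HOSTNAME} allows '-'.
SYSLOGTS = r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
PREFIX = SYSLOGTS + r" (?P<host>[0-9A-Za-z][0-9A-Za-z.-]*) (?P<program>\w+)\[(?P<pid>\d+)\]: "
IPV4 = r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"

PATTERNS = {
    # "Accepted password|publickey for <user> from <ip> port <port> ssh2"
    "ssh_accepted": re.compile(
        PREFIX + r"Accepted (?P<auth_method>\w+) for (?P<user>\S+) from "
        + IPV4 + r" port (?P<src_port>\d+) (?P<ssh_version>\w+)$"),
    # "Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
    "ssh_failed": re.compile(
        PREFIX + r"Failed (?P<auth_method>\w+) for (?P<invalid_user>invalid user )?"
        r"(?P<user>\S+) from " + IPV4 + r" port (?P<src_port>\d+) (?P<ssh_version>\w+)$"),
    # old: "Received disconnect from <ip>: 11: disconnected by user"
    # new: "Received disconnect from <ip> port <port>:11: disconnected by user"
    "ssh_disconnect": re.compile(
        PREFIX + r"Received disconnect from " + IPV4
        + r"(?: port (?P<src_port>\d+))?: ?(?P<reason_code>\d+): ?(?P<reason>.*)$"),
}

def parse_line(line, year=2014):
    """Fields of one recognised sshd line, or None. Syslog timestamps carry no
    year, so the caller supplies it (assumed to be 2014 for the sample below)."""
    for event, rx in PATTERNS.items():
        m = rx.match(line.rstrip("\n"))
        if m:
            f = m.groupdict()
            f["event"] = event
            f["time"] = datetime.strptime(f["timestamp"], "%b %d %H:%M:%S").replace(year=year)
            return f
    return None

def parse_log(text, year=2014):
    return [f for f in (parse_line(l, year) for l in text.splitlines()) if f]

def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logins -> {ip: count}."""
    fails = Counter(e["src_ip"] for e in events if e["event"] == "ssh_failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def successes_after_failures(events, min_failures=3):
    """Accepted logins from a (host, source) pair that had already failed at
    least min_failures times: the 'password was guessed' signal worth paging on."""
    fails, hits = Counter(), []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["host"], e["src_ip"])
        if e["event"] == "ssh_failed":
            fails[key] += 1
        elif e["event"] == "ssh_accepted" and fails[key] >= min_failures:
            hits.append((e["host"], e["src_ip"], e["user"], fails[key]))
    return hits

def sessions(events):
    """Pair each disconnect with the earliest still-open Accepted login from the
    same host and source IP (and source port when the disconnect line has one).
    The pid is deliberately not used: the disconnect may be logged under a
    different sshd pid than the Accepted line, as the page's 9995/10417 pair shows."""
    open_logins, out = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["host"], e["src_ip"])
        if e["event"] == "ssh_accepted":
            open_logins[key].append(e)
        elif e["event"] == "ssh_disconnect":
            for i, a in enumerate(open_logins[key]):
                if e["src_port"] in (None, a["src_port"]):
                    open_logins[key].pop(i)
                    out.append({"host": a["host"], "user": a["user"], "src_ip": a["src_ip"],
                                "login": a["time"], "logout": e["time"], "reason": e["reason"],
                                "seconds": int((e["time"] - a["time"]).total_seconds())})
                    break
    return out

# Constructed sample: the page's own lines plus three invented ones (two extra
# failures at 01:44, an "invalid user" variant of the anbc line, and a
# newer-format disconnect for the second host). Not a real incident.
SAMPLE_LOG = """\
Aug 31 01:43:58 localhost sshd[9995]: Failed password for root from 10.136.122.52 port 63715 ssh2
Aug 31 01:44:20 localhost sshd[9995]: Failed password for root from 10.136.122.52 port 63715 ssh2
Aug 31 01:44:51 localhost sshd[9995]: Failed password for root from 10.136.122.52 port 63715 ssh2
Aug 31 01:45:17 localhost sshd[9995]: Accepted password for root from 10.136.122.52 port 63715 ssh2
Aug 31 02:57:49 localhost sshd[10371]: Failed password for invalid user anbc from 10.136.122.52 port 65514 ssh2
Aug 31 03:02:35 localhost sshd[10417]: Received disconnect from 10.136.122.52: 11: disconnected by user
Sep  6 15:40:43 t0-security-tdas02 sshd[11937]: Accepted password for root from 10.135.52.138 port 37421 ssh2
Sep  6 15:41:09 t0-security-tdas02 sshd[11937]: Received disconnect from 10.135.52.138 port 37421:11: disconnected by user
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("success after failures:", successes_after_failures(evs))
    for s in sessions(evs):
        print(f"{s['host']}: {s['user']} from {s['src_ip']} for {s['seconds']}s ({s['reason']})")
```

On the sample the source 10.136.122.52 is reported with four failures, the root login at 01:45:17 is flagged because three failures from the same source preceded it, and the two sessions come out at 4638 s and 26 s. The thresholds are illustrative; tune them to the host's normal traffic, and remember that a distributed attack spreads failures over many source addresses, so the per-user and per-host failure counts deserve the same treatment.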
