Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
Posted: Tue Nov 08, 2005 1:31 pm Post subject: Script for sshd logs
I'm needing some good scripts for grepping sshd messages out of /var/log/messages (I use syslog-ng). Something that I can cron and keep organized weekly, daily or whatever.
I could make my own script, but I don't know real detailed bash scripting.
_________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim
Dizzutch Guru
Joined: 09 Nov 2004 Posts: 463 Location: Worcester, MA
Posted: Tue Nov 08, 2005 1:43 pm Post subject:
don't all sshd messages in syslog start with [sshd]? in that case you could just stick
grep sshd /var/adm/messages > /home/user/sshd.log
in your crontab.
-Dizz
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
Posted: Tue Nov 08, 2005 1:44 pm Post subject:
Exactly.... but I would like to separate them by date and so forth, and I don't have the bash scripting skills to do so.
_________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim
Dizzutch Guru
Joined: 09 Nov 2004 Posts: 463 Location: Worcester, MA
Posted: Tue Nov 08, 2005 1:47 pm Post subject:
ah, i don't use syslog-ng so i don't know what the output looks like, but you could just put a bunch of grep statements in a file
ex.
Code:
#!/bin/bash
# all sshd messages
grep sshd /var/adm/messages > /home/user/sshd.log
# all messages concerning my user
grep username /home/user/sshd.log > /home/user/sshd_me.log
# all messages concerning root trying to log in
grep root /home/user/sshd.log > /home/user/sshd_root.log

etc. that's the simplest i can come up with right now.
if you replace > with >> it'll append to the file, not overwrite it.
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
Posted: Tue Nov 08, 2005 2:38 pm Post subject:
Hmmm... perhaps this then:
Code:
#!/bin/bash
# Grep the SSHD messages out
grep sshd /var/log/messages >> /var/log/sshd.log
# Save the old logfile so it doesn't get overwritten
cat /var/log/messages >> /var/log/messages.processed.log
# Remove the messages file so there are no duplicate logs when it gets cronned next time
rm /var/log/messages
# renew the messages file from scratch
/etc/init.d/syslog-ng restart

_________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim
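The date-based separation asked for earlier in the thread can be done without removing /var/log/messages at all: read the file, pick out the sshd lines, and append each one to a per-day file keyed on the syslog timestamp. The script below is an added example, not code posted in this thread. It assumes the classic "Mon DD HH:MM:SS host sshd[pid]: ..." syslog line format; the sample messages file it creates is constructed for the demonstration and stands in for /var/log/messages.

```shell
#!/bin/bash
# Added example: split sshd lines out of a syslog-style messages file into
# one file per day, leaving the source file untouched.
set -u

# Pull every sshd line from $1 and append it to "$2/sshd-<Mon>-<DD>.log".
# Appending (>>) means re-running on a rotated file adds rather than overwrites.
split_sshd_by_date() {
    infile=$1; outdir=$2
    mkdir -p "$outdir"
    # $1 and $2 of each line are month and day; pad the day to two digits
    awk -v dir="$outdir" '/ sshd\[[0-9]+\]: / {
        day = sprintf("%02d", $2)
        print >> (dir "/sshd-" $1 "-" day ".log")
    }' "$infile"
}

# Count the lines in one day's file (0 if it does not exist yet).
count_day() {
    f=$1
    [ -f "$f" ] && wc -l < "$f" | tr -d ' ' || echo 0
}

# Constructed sample input standing in for /var/log/messages (hypothetical host "gw").
write_sample_messages() {
    cat > "$1" <<'EOF'
Nov  8 13:31:02 gw sshd[4012]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Nov  8 13:35:40 gw cron[4100]: (root) CMD (run-parts /etc/cron.hourly)
Nov  8 14:02:11 gw sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  9 07:11:55 gw sshd[5301]: Accepted password for bob from 192.0.2.11 port 51300 ssh2
Nov  9 07:12:03 gw kernel: eth0: link up
EOF
}

# Stand-alone demo on the constructed sample; for cron, call
# split_sshd_by_date /var/log/messages /var/log/sshd-by-day instead.
tmp=$(mktemp -d)
write_sample_messages "$tmp/messages"
split_sshd_by_date "$tmp/messages" "$tmp/out"
ls "$tmp/out"
rm -rf "$tmp"
```

Because the year is not in the syslog timestamp, the per-day files roll over silently from one year to the next; if that matters, point cron at a rotated copy and include the year in the output directory name.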
Dizzutch Guru
Joined: 09 Nov 2004 Posts: 463 Location: Worcester, MA
Posted: Tue Nov 08, 2005 2:42 pm Post subject:
that could definitely work.
commandline n00b
Joined: 20 Oct 2004 Posts: 70
Posted: Tue Nov 08, 2005 2:45 pm Post subject:
perhaps you could also edit /etc/syslog-ng/syslog-ng.conf
_________________ gentoo stage3-2008.0 kernel 2.6.28-hardened-r9
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
Posted: Tue Nov 08, 2005 3:13 pm Post subject:
What would you add to do such a thing?
_________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim
Dizzutch Guru
Joined: 09 Nov 2004 Posts: 463 Location: Worcester, MA
Posted: Tue Nov 08, 2005 3:15 pm Post subject:
what does it look like now? could you post the config file?
commandline n00b
Joined: 20 Oct 2004 Posts: 70
Posted: Tue Nov 08, 2005 3:21 pm Post subject:
bigun89 wrote:
    What would you add to do such a thing?
something like this:
filter f_ssh { match("sshd2"); };
destination ssh { file("/var/log/ssh.log"); };
log { source(src); filter(f_ssh); destination(ssh); };
_________________ gentoo stage3-2008.0 kernel 2.6.28-hardened-r9
Bigun Advocate
Joined: 21 Sep 2003 Posts: 2198
Posted: Tue Nov 08, 2005 4:01 pm Post subject:
Code:
filter f_ssh { match("sshd"); };
destination ssh { file("/var/log/ssh.log"); };
log { source(src); filter(f_ssh); destination(ssh); };

Works Perfect... you can even customize down to the type of error... nice
_________________ "It's ok, they might have guns but we have flowers." - Perpetual Victim
dpc n00b
Joined: 09 Nov 2005 Posts: 16 Location: Chicago
Posted: Wed Nov 09, 2005 7:11 pm Post subject:
I know you may be writing ssh logs out to ssh.log now, but I wanted to advise against rm'ing /var/log/messages. There's a lot more in there besides just SSH logs...
I use the following script to get a quick idea of successful/failed logins on my systems (I have ssh logs in auth.log)
Code:
#!/bin/sh
echo "Successful Logins:"
# Squeeze repeated spaces first so the field numbers stay stable on
# single-digit days ("Nov  8"), then cut with a literal space delimiter.
grep "sshd.*Accepted" /var/log/auth.log | tr -s ' ' | cut -d' ' -f7,9-12 | sort | uniq -c
echo "Failed:"
grep "sshd.*Failed" /var/log/auth.log | tr -s ' ' | cut -d' ' -f9-12 | sort | uniq -c
You could probably modify this to separate it out by the current date and run it from a daily cronjob like so:
Code:
#!/bin/sh
# Retrieve today's date in the format that's used in the log file
# (%e pads single-digit days with a space, matching syslog's "Nov  8")
TODAYS_DATE=$(date +"%b %e")
echo "Successful Logins:"
grep "$TODAYS_DATE.*sshd.*Accepted" /var/log/auth.log | tr -s ' ' | cut -d' ' -f7,9-12 | sort | uniq -c
echo "Failed:"
grep "$TODAYS_DATE.*sshd.*Failed" /var/log/auth.log | tr -s ' ' | cut -d' ' -f9-12 | sort | uniq -c
This only catches people that are using valid usernames, not those that are trying to bruteforce users. I would also recommend Fail2Ban - this does a great job of keeping those ssh attacks out.
_________________ Former die-hard Debian user, now co-mingling my Debian boxes with Gentoo and posting on the Gentoo forums...what has the world come to?
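The daily summary above stops at "Accepted" and "Failed" lines, so guesses against usernames that do not exist on the box (which sshd logs as "Invalid user ...") never show up in its counts. The script below is an added example, not dpc's or anyone else's in this thread: it does the same per-day summary with awk, counts invalid-user probes as their own column, and lists the source addresses with the most rejected attempts. It assumes the usual OpenSSH syslog wording ("Accepted ... for", "Failed password for", "Invalid user ... from"); the auth.log lines it writes are constructed for the demonstration, and the host name "gw" and addresses are hypothetical.

```shell
#!/bin/sh
# Added example: per-day sshd login summary that also counts "Invalid user"
# probes, plus a per-source-IP table of rejected attempts.

# Today's date in syslog's "Mon DD" form (%e space-pads single-digit days).
today() { date +"%b %e"; }

# Print "accepted failed invalid" for the date prefix in $2 (e.g. "Nov  8").
# "Failed password for invalid user ..." lines are excluded from the failed
# column; each invalid-user attempt is already counted once by its
# "Invalid user ... from" line.
count_sshd_events() {
    logfile=$1; day=$2
    awk -v day="$day" '
        substr($0, 1, length(day)) == day && / sshd\[/ {
            if (/Accepted /)                                      acc++
            else if (/Invalid user /)                             inv++
            else if (/Failed password for / && !/invalid user/)   fail++
        }
        END { printf "%d %d %d\n", acc, fail, inv }
    ' "$logfile"
}

# Rejected password attempts per source address for one day, most active first.
# Every "Failed password for" line counts, whether the user exists or not.
top_offenders() {
    logfile=$1; day=$2
    awk -v day="$day" '
        substr($0, 1, length(day)) == day && / sshd\[/ && /Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# Constructed sample standing in for /var/log/auth.log.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Nov  8 13:31:02 gw sshd[4012]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Nov  8 14:02:11 gw sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  8 14:02:15 gw sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Nov  8 14:05:30 gw sshd[4190]: Invalid user oracle from 198.51.100.7
Nov  8 14:05:33 gw sshd[4190]: Failed password for invalid user oracle from 198.51.100.7 port 40100 ssh2
Nov  9 07:11:55 gw sshd[5301]: Accepted password for bob from 192.0.2.11 port 51300 ssh2
Nov  9 07:20:00 gw sshd[5310]: Invalid user admin from 203.0.113.5
Nov  9 07:20:02 gw sshd[5310]: Failed password for invalid user admin from 203.0.113.5 port 3333 ssh2
EOF
}

# Stand-alone demo on the constructed sample. From a daily cron job you would
# run: count_sshd_events /var/log/auth.log "$(today)"
tmp=$(mktemp -d)
write_sample_auth_log "$tmp/auth.log"
echo "accepted failed invalid (Nov 8): $(count_sshd_events "$tmp/auth.log" "Nov  8")"
echo "rejected attempts by source (Nov 8):"
top_offenders "$tmp/auth.log" "Nov  8"
rm -rf "$tmp"
```

Matching the date on the first characters of the line rather than with a regex in the middle avoids the false hits that `grep "$TODAYS_DATE.*sshd"` can produce when the same month/day string appears elsewhere in a message; the awk program also tolerates the double space in single-digit days because it never relies on field positions for the date.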