LLystrblu Posted January 7, 2015

Hello. I have the following problem. I was given this task: study Syslog (find a freeware solution and deploy it on your own machine). That is, in this section I need to describe the architecture of the solution and the solution itself (whichever syslog you find), the source configuration, the server configuration and so on, all with screenshots. I have one day for all of it, two at most, and I am completely unfamiliar with this system. Can you suggest where I can read, literally step by step, what to click and how? (I don't need deep knowledge of this system right now; I just need to complete the task and get a surface-level acquaintance with the program.) Maybe you can recommend something. Thanks in advance. Preferably the implementation would be on Windows, but Unix would suit me too.
SergeiK Posted January 7, 2015

Have you been trained to use the Internet? :) The first search result gives the wiki, which has everything in brief. As a simple application for Windows, tftpd32 can do syslog too.
vlad11 Posted January 7, 2015

Don't give him hints. This is a student writing his thesis. He hasn't mastered the Internet and has no basic understanding of how the system works.
SergeiK Posted January 7, 2015

What thesis?! This is second year, a lab assignment for those falling behind. :) Let him hand it in; in an interview such people get weeded out after the second question.
Saab95 Posted January 7, 2015

Every time I've dealt with solutions for processing data via syslog, all the third-party ones were suitable only for storing data, analysis and the like. If something more is required, for example performing certain actions on specific events with a large number of conditions, it is easier to write your own software for it.
s.lobanov Posted January 7, 2015

Receiver: tcpdump; source: netcat

srchost $ echo '<14>SRC_HOST text' | nc -v -u -w 0 DST_HOST 514
dsthost $ sudo tcpdump -i any -n -nn -v -vv -s 0 "port 514"
vlad11 Posted January 7, 2015

Here is his reply: "Maybe you shouldn't throw words like that around without knowing the situation? My specialty has nothing to do with this subject; it's just one sub-item of my thesis."
SergeiK Posted January 14, 2015

Quote (Saab95): Every time I've dealt with solutions for processing data via syslog, all the third-party ones were suitable only for storing data, analysis and the like. If something more is required, for example performing certain actions on specific events with a large number of conditions, it is easier to write your own software for it.

Splunk is a powerful thing for tasks like this. Not only syslog: any structured data can be parsed, filtered, analyzed and turned into all kinds of reports. But it is a big product and requires a serious approach. There is a pile of ready-made plugins and wide scope for your own development. Up to 500M of data per day, with limited functionality, can be used free of charge.
zi_rus Posted January 14, 2015

Quote (Saab95): Every time I've dealt with solutions for processing data via syslog, all the third-party ones were suitable only for storing data, analysis and the like. If something more is required, for example performing certain actions on specific events with a large number of conditions, it is easier to write your own software for it.

NOC does this out of the box.
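The netcat/tcpdump exchange in s.lobanov's post above, done with plain Python sockets as an added example (not code from the thread): the sender builds the same `<14>SRC_HOST text` datagram that `echo ... | nc -u` sends, the receiver is a UDP socket standing in for tcpdump, and a small parser splits the `<PRI>` prefix into facility and severity (PRI = facility * 8 + severity), which is exactly what a collector such as syslog-ng keys its routing on. Only the loopback address and an OS-chosen port are used; port 514 would need root. The facility and severity name tables are the standard RFC 3164 values.

```python
"""Added example (not from the thread): the netcat/tcpdump syslog exchange
done with Python sockets, plus a parser for the BSD-syslog <PRI> prefix.
Assumptions: loopback only, ephemeral port instead of 514 (no root needed)."""
import socket
import threading

# Standard RFC 3164 facility codes 0..23 and severity codes 0..7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility: int, severity: int, text: str) -> bytes:
    """Encode a BSD-syslog datagram: '<PRI>text' with PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return f"<{facility * 8 + severity}>{text}".encode()


def parse_pri(datagram: bytes) -> dict:
    """Split '<PRI>rest' into facility/severity. A datagram without a valid PRI
    (missing, non-numeric, leading zero, or > 191) is treated as '<13>'
    (user.notice), which is what RFC 3164 prescribes for a missing PRI."""
    text = datagram.decode("utf-8", errors="replace")
    pri, rest = 13, text
    if text.startswith("<"):
        end = text.find(">", 1, 5)          # PRI is at most three digits
        digits = text[1:end] if end > 1 else ""
        if digits.isdigit() and (digits == "0" or not digits.startswith("0")):
            value = int(digits)
            if value <= 191:                # 23 * 8 + 7 is the largest legal PRI
                pri, rest = value, text[end + 1:]
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "message": rest,
    }


def exchange_over_loopback(datagram: bytes) -> dict:
    """Receiver (the tcpdump side) is a UDP socket on a loopback port; the
    sender (the netcat side) fires one datagram at it, like 'nc -u -w 0'."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))         # port 0: let the OS pick one
    receiver.settimeout(2)
    port = receiver.getsockname()[1]
    received = {}

    def listen():
        data, peer = receiver.recvfrom(2048)
        received.update(parse_pri(data), source_ip=peer[0])

    listener = threading.Thread(target=listen)
    listener.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(datagram, ("127.0.0.1", port))
    sender.close()
    listener.join()
    receiver.close()
    return received


if __name__ == "__main__":
    # Same bytes as: echo '<14>SRC_HOST text' | nc -u DST_HOST 514  (14 = user.info)
    print(exchange_over_loopback(build_message(1, 6, "SRC_HOST text")))
    # A switch sending with facility local7 (23): PRI 190 = 23 * 8 + 6 (info)
    print(parse_pri(b"<190>sw01 %LINK-I-Up: gi1/0/1"))
```

Running the block prints the decoded datagram with the peer address the receiver saw; the facility value is the field that the syslog-ng rules later in this thread (local4 for Mikrotik, local7 for switches, and so on) match against.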
neperpbl3 Posted March 20, 2023 (edited)

The syslog-ng concept

Collection of syslog UDP packets is configured on the client, not on the server. The server 192.168.0.5 accepts and records absolutely all syslog messages. Sorting is performed by the following criteria, in the order listed below:

1. Sorting by equipment type according to the "Facility" category
2. Sorting by specified IP addresses
3. Recording of all remaining IP addresses

The "Facility" category is used for sorting by equipment type. Numerous and important equipment (switches, Cisco VoIP, etc.) is sorted by the "Facility localX" categories. In this way the logs of switches, Cisco VoIP and other devices are sorted into the right folders regardless of the device's IP address. The logs sorted by category are analyzed daily, and "Syslog analysis" reports are sent by e-mail. If "Facility" is configured incorrectly, the logs will be collected into a different folder and will stop being analyzed and sent by e-mail as a report.

Quote:
    @syslog:/home/syslog-server$ ls -la
    total 645464
    drwxr-xr-x 15 root adm        4096 Dec  2 00:00 .
    drwxr-xr-x  6 root root       4096 Nov  2 17:01 ..
    drwx------  3 root root       4096 Nov  2 16:38 192.168.X.X
    drwx------  3 root root       4096 Dec  1 00:00 192.169.0.X
    drwx------  3 root root       4096 Dec  2 00:00 192.167.X.X
    drwx------  3 root root       4096 Nov 17 14:31 192.165.X.X
    drwx------  3 root root       4096 Dec  1 00:01 cisco-voip-fl5
    -rwxr-xr-x  1 root root        210 Oct 27 15:39 find-IP-addess
    drwx------  3 root root       4096 Dec  2 00:00 gpons
    drwx------  3 root root       4096 Dec  2 00:00 mikrotiks-fl4
    drwx------  2 root root       4096 Nov 17 14:35 other
    drwxr-xr-x  2 root root       4096 Nov 24 17:26 real_time_analysis
    -rwxr-xr-x  1 root root         43 Oct 25 16:42 restart-syslog-ng
    drwx------  3 root root       4096 Nov 16 22:14 routers-fl6
    drwxr-xr-x  2 root root       4096 Dec  2 01:00 scripts
    -rw-r--r--  1 root adm    82739495 Dec  2 18:17 summary.log
    -rw-r--r--  1 root adm   102031166 Dec  2 00:01 summary.log.1
    -rw-r--r--  1 root adm   104623796 Dec  1 00:01 summary.log.2
    -rw-r--r--  1 root adm   105040571 Nov 30 00:02 summary.log.3
    -rw-r--r--  1 root adm    81861391 Nov 29 00:00 summary.log.4
    -rw-r--r--  1 root adm    83915504 Nov 28 00:00 summary.log.5
    -rw-r--r--  1 root adm   100623935 Nov 27 00:01 summary.log.6
    drwx------  3 root root      12288 Dec  2 16:29 switches-fl7
    lrwxrwxrwx  1 root root         41 Oct 25 16:41 syslog.conf -> /etc/syslog-ng/conf.d/syslog-.conf

If your device does not fall under the equipment listed above, simply specify the server IP address "192.168.0.5". Nothing else needs to be done; however, if the equipment requires a "Facility Local X" value to be set explicitly, set the default "Facility Local0".

Configuration on Eltex MES switches
Quote:
    enable
    conf t
    no logging host 172.0.0.99
    no logging host 172.0.0.97
    logging host 172.0.0.111
    exit
    write
    y
    exit
* facility local7 is used by default and does not need to be specified explicitly

Configuration on Cisco 2960 switches
Quote:
    enable
    conf t
    login on-failure log
    no logging facility local3
    no logging 172.0.0.99
    no logging 172.0.0.97
    logging trap debugging
    logging 172.0.0.111
    exit
* facility local7 is used by default and does not need to be specified explicitly

Configuration on D-Link switches
Quote:
    create syslog host 1 ipaddress 192.168.0.5 facility local7 severity debug state enable
    create syslog host 1 ipaddress 192.168.0.5 facility local7 severity all state enable
    enable syslog
* Different D-Link series use different command formats. One of the two commands will execute successfully.

Configuration on Mikrotik equipment
Quote:
    /system logging
    add action=remote topics=info
    add action=remote topics=critical
    add action=remote topics=error
    add action=remote topics=warning
    /system logging action
    set 3 bsd-syslog=yes remote=192.168.0.5 syslog-facility=local4
https://wiki.mikrotik.com/wiki/Manual:System/Log

Configuration on Eltex GPON
Quote:
    configure terminal
    logging remote 192.168.0.5
    exit
    commit
    save
    exit
Also specify the IP address in the config /home/syslog-server/syslog-.conf
* Facility is not supported

Configuration on a Cisco router
Quote:
    en
    password
    conf t
    login on-failure log
    no logging 172.0.0.99
    no logging 172.0.0.97
    logging 172.0.0.111
    logging facility local5
    login on-failure log
    exit
    wr
    exit
    sh run | i loggi
Useful info in the article https://serverfault.com

Configuration on routers
Quote:
    * Configuration is done in the same way. facility local6 is selected.
Facility (category)

Description: System logging in Linux

    Device type                  | Facility     | Destination folder
    -----------------------------+--------------+--------------------
    Switches (any model)         | local7 (23)  | switches-fl7
    Routers (except Mikrotik)    | Local6 (22)  | routers-fl6
    Cisco VoIP                   | Local5 (21)  | cisco-voip-fl5
    Mikrotik equipment           | Local4 (20)  | mikrotiks-fl4
    reserve                      | Local3 (19)  | reserve
    reserve                      | Local2 (18)  | reserve
    Reserve (used by Nateks)     | Local1 (18)  | reserve
    Default (used by Nateks)     | Local0 (16)  | Not processed

If some Facility has to be set, set the default Facility Local0.

Default values on some equipment:

    Equipment        | Default      | Changed to
    -----------------+--------------+------------
    Eltex            | local7 (23)  |
    D-Link           | local3 (19)  | Local6 (22)
    Cisco routers    | local3 (19)  |
    Cisco switches   | local7 (23)  |

Nateks VoIP gateways use Facility local0 and local1 at the same time.

syslog-ng settings

/etc/syslog-ng/syslog-ng.conf
Quote:
    @version: 3.19
    @include "scl.conf"

    # Syslog-ng configuration file, compatible with default Debian syslogd
    # installation.

    # First, set some global options.
    options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
              dns_cache(no); owner("root"); group("adm"); perm(0640);
              stats_freq(0); bad_hostname("^gconfd$"); keep_timestamp(no);
    };

    ########################
    # Sources
    ########################
    # This is the default behavior of sysklogd package
    # Logs may come from unix stream, but not from another machine.
    #
    source s_src { system(); internal(); };

    # If you wish to get logs from remote machine you should uncomment
    # this and comment the above source line.
    #
    #source s_net { tcp(ip(127.0.0.1) port(1000)); };

    ########################
    # Destinations
    ########################
    # First some standard logfile
    #
    destination d_auth { file("/var/log/auth.log"); };
    destination d_cron { file("/var/log/cron.log"); };
    destination d_daemon { file("/var/log/daemon.log"); };
    destination d_kern { file("/var/log/kern.log"); };
    destination d_lpr { file("/var/log/lpr.log"); };
    destination d_mail { file("/var/log/mail.log"); };
    destination d_syslog { file("/var/log/syslog"); };
    destination d_user { file("/var/log/user.log"); };
    destination d_uucp { file("/var/log/uucp.log"); };

    # This files are the log come from the mail subsystem.
    #
    destination d_mailinfo { file("/var/log/mail.info"); };
    destination d_mailwarn { file("/var/log/mail.warn"); };
    destination d_mailerr { file("/var/log/mail.err"); };

    # Logging for INN news system
    #
    destination d_newscrit { file("/var/log/news/news.crit"); };
    destination d_newserr { file("/var/log/news/news.err"); };
    destination d_newsnotice { file("/var/log/news/news.notice"); };

    # Some 'catch-all' logfiles.
    #
    destination d_debug { file("/var/log/debug"); };
    destination d_error { file("/var/log/error"); };
    destination d_messages { file("/var/log/messages"); };

    # The root's console.
    #
    destination d_console { usertty("root"); };

    # Virtual console.
    #
    destination d_console_all { file(`tty10`); };

    # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
    # you must invoke `xconsole' with the `-file' option:
    #
    #    $ xconsole -file /dev/xconsole [...]
    #
    destination d_xconsole { pipe("/dev/xconsole"); };

    # Send the messages to an other host
    #
    #destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

    # Debian only
    destination d_ppp { file("/var/log/ppp.log"); };

    ########################
    # Filters
    ########################
    # Here's come the filter options. With this rules, we can set which
    # message go where.
    filter f_dbg { level(debug); };
    filter f_info { level(info); };
    filter f_notice { level(notice); };
    filter f_warn { level(warn); };
    filter f_err { level(err); };
    filter f_crit { level(crit .. emerg); };

    filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
    filter f_error { level(err .. emerg) ; };
    filter f_messages { level(info,notice,warn) and
                        not facility(auth,authpriv,cron,daemon,mail,news); };

    filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
    filter f_cron { facility(cron) and not filter(f_debug); };
    filter f_daemon { facility(daemon) and not filter(f_debug); };
    filter f_kern { facility(kern) and not filter(f_debug); };
    filter f_lpr { facility(lpr) and not filter(f_debug); };
    filter f_local { facility(local0, local1, local3, local4, local5,
                              local6, local7) and not filter(f_debug); };
    filter f_mail { facility(mail) and not filter(f_debug); };
    filter f_news { facility(news) and not filter(f_debug); };
    filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
    filter f_user { facility(user) and not filter(f_debug); };
    filter f_uucp { facility(uucp) and not filter(f_debug); };

    filter f_cnews { level(notice, err, crit) and facility(news); };
    filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

    filter f_ppp { facility(local2) and not filter(f_debug); };
    filter f_console { level(warn .. emerg); };

    ########################
    # Log paths
    ########################
    log { source(s_src); filter(f_auth); destination(d_auth); };
    log { source(s_src); filter(f_cron); destination(d_cron); };
    log { source(s_src); filter(f_daemon); destination(d_daemon); };
    log { source(s_src); filter(f_kern); destination(d_kern); };
    log { source(s_src); filter(f_lpr); destination(d_lpr); };
    log { source(s_src); filter(f_syslog3); destination(d_syslog); };
    log { source(s_src); filter(f_user); destination(d_user); };
    log { source(s_src); filter(f_uucp); destination(d_uucp); };

    log { source(s_src); filter(f_mail); destination(d_mail); };
    #log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
    #log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
    #log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

    log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
    log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
    log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
    #log { source(s_src); filter(f_cnews); destination(d_console_all); };
    #log { source(s_src); filter(f_cother); destination(d_console_all); };

    #log { source(s_src); filter(f_ppp); destination(d_ppp); };

    log { source(s_src); filter(f_debug); destination(d_debug); };
    log { source(s_src); filter(f_error); destination(d_error); };
    log { source(s_src); filter(f_messages); destination(d_messages); };
    log { source(s_src); filter(f_console); destination(d_console_all);
                                            destination(d_xconsole); };
    log { source(s_src); filter(f_crit); destination(d_console); };

    # All messages send to a remote site
    #
    #log { source(s_src); destination(d_net); };

    ###
    # Include all config files in /etc/syslog-ng/conf.d/
    ###
    @include "/etc/syslog-ng/conf.d/*.conf"

    #destination d_pvec { file("/var/log/!remote/pvec.log"); };
    #filter f_pvec { netmask("10.248.0.219/255.255.255.255"); };
    #log { source(s_udp); filter(f_pvec); destination(d_pvec); };

/etc/syslog-ng/conf.d/syslog-unic.conf
Quote:
    # keep_timestamp(no) in /etc/syslog-ng/syslog-ng.conf uses the system date, not the
    # device's. This helps avoid problems with an incorrect date on the device.
    source s_network_udp { syslog(ip(0.0.0.0) transport("udp") keep-hostname(yes)); };
    source s_network_tcp { tcp(ip(0.0.0.0) port(514) keep-hostname(yes)); };
    # keep-hostname: when the message contains a hostname field, the hostname value is
    # used instead of the IP. This simplifies configuration of Mikrotik devices, which
    # have many IP addresses. However, it is not convenient in every case. To keep the
    # IP, use $SOURCEIP.

    filter f_gpon { host("192.168.0.212") or host("192.168.0.214") or host("192.168.0.215") or
                    host("192.168.0.216") or host("192.168.0.217") or host("192.168.0.218") or
                    host("192.168.0.219") or host("192.168.0.220") or host("192.168.0.221") or
                    host("192.168.0.222") or host("10.240.0.99"); };
    filter f_local4 { facility(local4); };
    filter f_local5 { facility(local5); };
    filter f_local6 { facility(local6); };
    filter f_local7 { facility(local7); };
    filter f_net172_16  { netmask("172.16.0.0/255.255.0.0"); };
    filter f_net192_168 { netmask("192.168.0.0/255.255.252.0"); };
    filter f_net10_10   { netmask("10.10.0.0/255.255.255.0"); };
    filter f_net10_0    { netmask("10.0.0.0/255.255.255.0"); };

    destination d_gpon       { file("/home/syslog-server/gpons/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_mikrotik   { file("/home/syslog-server/mikrotiks-fl4/${HOST}-${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_cisco_voip { file("/home/syslog-server/cisco-voip-fl5/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_routers    { file("/home/syslog-server/routers-fl6/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_switches   { file("/home/syslog-server/switches-fl7/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_net172_16  { file("/home/syslog-server/172.16.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_net192_168 { file("/home/syslog-server/192.168.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_net10_10   { file("/home/syslog-server/10.10.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_net10_0    { file("/home/syslog-server/10.00.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_net_other  { file("/home/syslog-server/other/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
    destination d_summary    { file("/home/syslog-server/summary.log" perm(0644)); };

    ###=== LOGGING ===###
    ## The order of the entries matters!!! ##
    ## flags(final) means: stop here and do not go further down the list.

    # Duplicate all logs into one file. Initial rule!
    log { source(s_network_udp); destination(d_summary); };

    # Mikrotiks by facility (local4) to folder "mikrotiks-fl4"
    log { source(s_network_udp); filter(f_local4); destination(d_mikrotik); flags(final); };

    # Cisco VoIP by facility (local5) to folder "cisco-voip-fl5"
    log { source(s_network_udp); filter(f_local5); destination(d_cisco_voip); flags(final); };

    # Routers by facility (local6) to folder "routers-fl6"
    log { source(s_network_udp); filter(f_local6); destination(d_routers); flags(final); };

    # Switches by facility (local7) to folder "switches-fl7"
    log { source(s_network_udp); filter(f_local7); destination(d_switches); flags(final); };

    # All GPON devices to folder "gpon"
    log { source(s_network_udp); filter(f_gpon); destination(d_gpon); flags(final); };

    # Other devices from 172.16.0.0/16 to folder "172.16.X.X"
    log { source(s_network_udp); filter(f_net172_16); destination(d_net172_16); flags(final); };

    # Other devices from 192.168.0.0/23 to folder "192.168.X.X"
    log { source(s_network_udp); filter(f_net192_168); destination(d_net192_168); flags(final); };

    # Other devices from 10.10.0.0/24 to folder "10.10.0.X"
    log { source(s_network_udp); filter(f_net10_10); destination(d_net10_10); flags(final); };

    # Other devices from 10.0.0.0/24 to folder "10.00.X"
    log { source(s_network_udp); filter(f_net10_0); destination(d_net10_0); flags(final); };

    # All other, unknown IP addresses
    # This rule must be last!
    log { source(s_network_udp); destination(d_net_other); };

How the scripts work

Daily reports by e-mail
Flapping analysis
Real-time notification

Analysis and sending of reports about critical events in real time. They are sent to a Telegram channel and by e-mail. At OS boot, real_time_analysis.pl starts and continuously analyzes the logs.

Quote:
    /etc/network/interfaces
    post-up /home/syslog-server/real_time_analysis/real_time_analysis.pl &
Quote:
    /home/syslog-server/real_time_analysis/real_time_analysis.pl
    commit
    save

Two types of sending are configured.

Critical messages (Critical)
Examples
Quote:
    Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
    Feb 1 08:31:11 192.168.0.4 2022 Feb 1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
    Feb 1 09:05:44 192.168.0.4 2022 Feb 1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002
    Dec 3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
    Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.

    STP LOOPGUARD protection
    04-Apr-2019 17:01:47 :%STP-W-LOOPGUARD_BLOCK: Loop guard blocking port gi1/0/24 in instance 0.
    04-Apr-2019 19:18:22 :%STP-W-LOOPGUARD_UNBLOCK: Loop guard unblocking port gi1/0/24 in instance 0.
    TESSSTTT--Nexus-Kal81# 2021 Aug 12 09:21:30 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet1/48 on MST0000.
    TESSSTTT--Nexus-Kal81# sh int Eth1/48
    2021 Aug 12 09:25:32 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Ethernet1/48 on MST0000.
    1644 2000-01-01 08:12:02 INFO(6) Loop protection blocking port 24 on instance 0

Important messages (Warning)
Examples
Quote:
    Login/password
    Login failed through Telnet from 192.168.99.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
    01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, TACACS REJECTED.
    01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, local user table REJECTED.
    Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
    Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]

    MAC address flapping
    Feb 1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2

    Storms
    Feb 8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Broadcast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits
    Feb 8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Multicast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits
    Feb 8 10:34:25 192.168.0.39 WARN: Port 26 Broadcast storm is occurring
    Feb 8 10:34:25 192.168.0.39 WARN: Port 26 Multicast storm is occurring

    IP ARP inspection logging & IMPB
    Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00
    DES-3526
    Feb 16 11:11:11 192.167.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)
    DES-3200, rev C1
    Feb 16 11:11:11 192.167.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)

    Port security
    Feb 8 10:34:25 192.168.0.20 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN

    Device reboots
    DES-3200
    Jan 6 09:44:33 192.167.0.241 CRIT: System cold start
    Dec 7 20:18:29 192.167.0.148 CRIT: System warm start
    DGS-1100-06/ME
    Feb 2 12:27:11 192.167.0.243 SYSTEM-2: System cold start
    Nov 25 13:19:27 192.168.0.61 SYSTEM-2: System warm start
    MES
    Dec 6 08:56:07 192.168.0.143 %INIT-I-Startup: Warm Startup
    Feb 7 13:37:27 192.168.0.9 %INIT-I-Startup: Cold Startup

    Working with SFP modules
    Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present
    Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR

    Port shutdown due to flapping
    Jan 13 12:36:05 192.168.0.121 %LINK-W-PORT_SUSPENDED: Port te1/0/4 suspended by link-flapping

Operational work
Quote:
    Login failed through Telnet from 192.168.3.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
    01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, TACACS REJECTED.
    01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, local user table REJECTED.
    Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
    Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]
    Feb 1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2
    Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
    Feb 1 08:31:11 192.168.0.4 2022 Feb 1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
    Feb 1 09:05:44 192.168.0.4 2022 Feb 1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002
    Dec 3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
    Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.
    Feb 16 11:11:11 192.168.0.39 WARN: Port 22 Multicast storm is occurring.
    Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
    Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
    Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
    Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
    Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
    Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
    Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
    Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
    Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
    Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
    Feb 16 11:11:11 192.168.0.13 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN on an interface gi1/0/1 is exceeded (3), 2096
    Feb 16 11:11:11 172.16.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)
    Feb 16 11:11:11 172.16.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)
    Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00
    Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present
    Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR

SCRIPTS

find-IP-addess
Quote:
    #!/bin/bash
    ip=$1
    if [ "x$1" = "x" ]; then
        read -p "Enter the device IP address: " ip
    fi
    if [ "x$ip" = "x" ]; then
        echo "Sorry, unknown IP address..."; exit;
    fi
    # Quoted so the shell does not expand the glob before find sees it
    find /home/syslog-server -name "*$ip.log"

restart-syslog-ng
Quote:
    #!/bin/bash
    /etc/init.d/syslog-ng restart

show-log
Quote:
    #!/bin/bash
    ip=$1
    if [ "x$1" = "x" ]; then
        read -p "Enter the device IP address: " ip
    fi
    if [ "x$ip" = "x" ]; then
        echo "Sorry, unknown IP address..."; exit;
    fi
    path=`find /home/syslog-server -name "*$ip.log"`

scripts directory:
    start-analysis.sh
    analysis-cisco-router
    analysis-gpons
    analysis-mikrotiks
    analysis-switches
    ============================
    flapping_int
    analysis-switches_flapping
    start-analysis_flapping_int.sh

scripts/start-analysis.sh
Quote:
    #!/bin/bash
    IFS=""
    starttime=$(date +%s)
    result="/dir/scripts/result.txt"
    #tmp="/usr/lib/nagios_actuality/tmp_scan.txt"
    date=`date -d yesterday '+%b %_d' | tr -d '\n'`
    mail=pochta@domain.ru
    if [ "x$1" != "x" ]; then
        mail=$1
    fi

    echo -e "Subject: Syslog analysis for $date \nFrom: root \nTo: $mail\n" > $result

    echo ======================== >> $result
    echo Analysis Cisco Router >> $result
    echo ======================== >> $result
    echo >> $result
    dir="/dir/cisco-voip-fl5/"
    list=`ls -1 $dir`
    echo $list | while read host
    do
        echo == Analysis device $host == >> $result
        cat $dir$host | perl /dir/scripts/analysis-cisco-router >> $result
    done

    echo ======================== >> $result
    echo Analysis GPON >> $result
    echo ======================== >> $result
    echo >> $result
    dir="/dir/gpons/"
    list=`ls -1 $dir`
    echo $list | while read host
    do
        echo == Analysis device $host == >> $result
        cat $dir$host | perl /dir/scripts/analysis-gpons >> $result
        # Do not show devices without logs
        tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null; if [ "$?" -eq 0 ]; then sed -i '$d' $result; fi
    done

    echo ======================== >> $result
    echo Analysis Switches >> $result
    echo ======================== >> $result
    echo >> $result
    dir="/dir/switches-fl7/"
    list=`ls -1 $dir`
    echo $list | while read host
    do
        echo == Analysis device $host == >> $result
        cat $dir$host | perl /dir/scripts/analysis-switches >> $result
        # Do not show devices without logs
        tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null; if [ "$?" -eq 0 ]; then sed -i '$d' $result; fi
    done

    echo ======================== >> $result
    echo Analysis Routers >> $result
    echo ======================== >> $result
    echo >> $result
    dir="/dir/routers-fl6/"
    list=`ls -1 $dir`
    echo $list | while read host
    do
        echo == Analysis device $host == >> $result
        cat $dir$host | perl /dir/scripts/analysis-switches >> $result
    done

    echo ======================== >> $result
    echo Analysis Mikrotiks >> $result
    echo ======================== >> $result
    echo >> $result
    dir="/dir/mikrotiks-fl4/"
    list=`ls -1 $dir`
    echo $list | while read host
    do
        echo == Analysis device $host == >> $result
        cat $dir$host | perl /dir/scripts/analysis-mikrotiks >> $result
        # Do not show devices without logs
        tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null; if [ "$?" -eq 0 ]; then sed -i '$d' $result; fi
    done

    end=$(($(date +%s)-$starttime))
    let summary_min=$end/60
    echo; echo Time execution of the script \"$0\" is $summary_min min. >> $result
    cat $result | /usr/sbin/sendmail -v $mail

analysis-cisco-router
Quote:
    #!/usr/bin/perl
    use strict;

    my $Debug  = $ENV{'LOGWATCH_DEBUG'} || 0;
    my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

    my %Isdn6_c_d;
    my %Warning;
    my %Started;
    my %Successful;
    my %OtherList;
    my %Commands;

    ##################
    my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
    #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

    while (defined(my $ThisLine = <STDIN>)) {
        chomp($ThisLine);
        if ($Debug) {
            print "$ThisLine\n";
        }
        # Keep only yesterday's lines and strip the "Mon DD hh:mm:ss " prefix.
        # $1 is read only when the substitution matched, so a line from another
        # day cannot reuse the capture left over from the previous line.
        my $ThisLine_date;
        if ($ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/) {
            $ThisLine_date = $1;
        }
        if ($ThisLine_date) {
            if ($ThisLine_date =~ /(%ISDN-6-CONNECT: Interface Serial.* is now connected to|%ISDN-6-DISCONNECT: Interface Serial.* disconnected from)/) {
                $Isdn6_c_d{$1}++;
            } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
                $Warning{$1}++;
            } elsif ($ThisLine_date =~ / (\S+): started/) {
                $Started{$1}++;
            } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
                $Successful{$1}++;
            } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
                $Commands{$ThisLine_date}++;
            } else {
                $OtherList{$ThisLine_date}++;
            }
        }
    }

    if (keys %Isdn6_c_d) {
        print "ISDN-6-CONNECT-DISCONNECT:\n";
        foreach my $line (sort {$a cmp $b} keys %Isdn6_c_d) {
            print "   $line: $Isdn6_c_d{$line} Time(s)\n";
        }
        print "\n";
    }

    if (keys %Warning) {
        print "Warnings:\n";
        foreach my $line (sort {$a cmp $b} keys %Warning) {
            print "   $line: $Warning{$line} Time(s)\n";
        }
        print "\n";
    }

    if (($Detail > 5) and keys %Started) {
        print "Started:\n";
        foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
            print "   $retain: $Started{$retain} Time(s)\n";
        }
        print "\n";
    }

    if ($Detail and keys %Successful) {
        print "Completed Successfully:\n";
        foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
            print "   $retain: $Successful{$retain} Time(s)\n";
        }
        print "\n";
    }

    if ($Detail > 5 and keys %Commands) {
        print "Commands:\n";
        foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
            printf "   %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
        }
        print "\n";
    }

    if (keys %OtherList) {
        print "\n**Unmatched Entries** for $yesterday\n";
        foreach my $line (sort {$a cmp $b} keys %OtherList) {
            print "   $line: $OtherList{$line} Time(s)\n";
        }
        print "\n";
    }

    exit(0);

analysis-gpons
Quote:
    #!/usr/bin/perl
    use strict;

    my $Debug  = $ENV{'LOGWATCH_DEBUG'} || 0;
    my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

    my %Error;
    my %Warning;
    my %Started;
    my %Successful;
    my %OtherList;
    my %Commands;

    ##################
    my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
    #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

    while (defined(my $ThisLine = <STDIN>)) {
        chomp($ThisLine);
        if ($Debug) {
            print "$ThisLine\n";
        }
        # Keep only yesterday's lines and strip the "Mon DD hh:mm:ss " prefix
        my $ThisLine_date;
        if ($ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/) {
            $ThisLine_date = $1;
        }
        # Exceptions. These messages are ignored.
        if ($ThisLine_date) {
            if ( ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or   # DGS-1100-06/ME
                 ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or   # Eltex MES
                 ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ )   # D-Link
               ) {
                # We don't care about these
            } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
                $Warning{$1}++;
            } elsif ($ThisLine_date =~ / (\S+): started/) {
                $Started{$1}++;
            } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
                $Successful{$1}++;
            } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
                $Commands{$ThisLine_date}++;
            } else {
                $OtherList{$ThisLine_date}++;
            }
        }
    }

    if (keys %Error) {
        print "ERRORS:\n";
        foreach my $line (sort {$a cmp $b} keys %Error) {
            print "   $line: $Error{$line} Time(s)\n";
        }
        print "\n";
    }

    if (keys %Warning) {
        print "Warnings:\n";
        foreach my $line (sort {$a cmp $b} keys %Warning) {
            print "   $line: $Warning{$line} Time(s)\n";
        }
        print "\n";
    }

    if (($Detail > 5) and keys %Started) {
        print "Started:\n";
        foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
            print "   $retain: $Started{$retain} Time(s)\n";
        }
        print "\n";
    }

    if ($Detail and keys %Successful) {
        print "Completed Successfully:\n";
        foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
            print "   $retain: $Successful{$retain} Time(s)\n";
        }
        print "\n";
    }

    if ($Detail > 5 and keys %Commands) {
        print "Commands:\n";
        foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
            printf "   %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
        }
        print "\n";
    }

    if (keys %OtherList) {
        print "\n**Unmatched Entries** for $yesterday\n";
        foreach my $line (sort {$a cmp $b} keys %OtherList) {
            print "   $line: $OtherList{$line} Time(s)\n";
        }
        print "\n";
    }

    exit(0);

analysis-mikrotiks
Quote:
    #!/usr/bin/perl
    use strict;

    my $Debug  = $ENV{'LOGWATCH_DEBUG'} || 0;
    my $Detail =
$ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Error; my %l2tp_out; my %ipip_tun; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /Config export finished|Configuration backup finished|System backup finished|Uploading config export|Uploading system backup|fetch: file / ) or #for Mikrotik backup ( $ThisLine_date =~ /OTHERRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR/ ) or #for Mikrotik other ( $ThisLine_date =~ /dhcp1 |default assigned |default deassigned |..-..-..-..-..-.. \(.+\)/ ) or #for Mikrotik E4:8D:8C:D9:9A:17-172.16.34.67.log na Smolenskoy ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link ) { # We don't care about these } elsif ($ThisLine_date =~ /l2tp-out/) { $l2tp_out{$1}++; } elsif ($ThisLine_date =~ /ipip-tun/) { $ipip_tun{$1}++; } elsif ($ThisLine_date =~ / (\S+): completed successfully/) { $Successful{$1}++; } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) { $Commands{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %Error) { print "ERRORS:\n"; foreach my $line (sort {$a cmp $b} keys %Error) { print " $line: $Error{$line} Time(s)\n"; } print "\n"; } if (keys %l2tp_out) { print "VPN L2TP Messages:\n"; foreach my $line (sort {$a cmp $b} keys %l2tp_out) { print " $line: $l2tp_out{$line} Time(s)\n"; } print "\n"; } if (keys %ipip_tun) { print "VPN IPIP Messages:\n"; foreach my $line (sort {$a cmp $b} keys %ipip_tun) { print " $line: $ipip_tun{$line} Time(s)\n"; } print "\n"; } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach 
my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { print "\n**Unmatched Entries** for $yesterday\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } print "\n"; } exit(0); analysis-switches Цитата analysis-switches #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Error; my %Warning; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. 
if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or #DGS-1100-06/ME ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or #Eltex MES ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link ) { # We don't care about these } elsif ($ThisLine_date =~ /WARNING: (\N+)/) { $Warning{$1}++; } elsif ($ThisLine_date =~ / (\S+): started/) { $Started{$1}++; } elsif ($ThisLine_date =~ / (\S+): completed successfully/) { $Successful{$1}++; } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) { $Commands{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %Error) { print "ERRORS:\n"; foreach my $line (sort {$a cmp $b} keys %Error) { print " $line: $Error{$line} Time(s)\n"; } print "\n"; } if (keys %Warning) { print "Warnings:\n"; foreach my $line (sort {$a cmp $b} keys %Warning) { print " $line: $Warning{$line} Time(s)\n"; } print "\n"; } if (($Detail > 5) and keys %Started) { print "Started:\n"; foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) { print " $retain: $Started{$retain} Time(s)\n"; } print "\n"; } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { print "\n**Unmatched Entries** for $yesterday\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } print "\n"; } exit(0); /scripts/flapping_int analysis-switches_flapping Цитата analysis-switches_flapping #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} 
|| 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Error; my %Flapping; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /xxxxxxxxxxxxxxxxx_xxxxxxxxxxxxx / ) or #OFF ( $ThisLine_date =~ /yyyyyyyy_yyyyyyyyyyyyyyyyyyyyyy/ ) #OFF ) { # We don't care about these } elsif ($ThisLine_date =~ /%LINK-I-Up|%LINK-W-Down|INFO: Port .*link|LinkStatus-6: [Pp]ort/) { $Flapping{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %Flapping) { #_# print "\n**Flappings for $yesterday\n\n"; foreach my $line (sort {$a cmp $b} keys %Flapping) { print "$Flapping{$line} Time(s): $line\n"; } #_# print "\n"; } #if (keys %OtherList) { # print "\n**Unmat_ched Ent_ries** for $yesterday\n"; # foreach my $line (sort {$a cmp $b} keys %OtherList) { # print " _-_ $line: $OtherList{$line} Time(s)\n"; # } # print "\n"; #} if (keys %Error) { print "ERRORS:\n"; foreach my $line (sort {$a cmp $b} keys %Error) { print " $line: $Error{$line} Time(s)\n"; } print "\n"; } if (($Detail > 5) and keys %Started) { print "Started:\n"; foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) { print " $retain: $Started{$retain} Time(s)\n"; } print "\n"; } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d 
Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } exit(0); start-analysis_flapping_int.sh Цитата start-analysis_flapping_int.sh #!/bin/bash #Example ./start-analysis_flapping_int.sh name@domain.ru debug IFS="" starttime=$(date +%s) # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs #porogovoe znachenie kol-va dnej. Esli prevyshaet, to uvedomlyaetsya po pochte kolichestvo_dney_threshold=7 #kolichestvo dnej dlya analiza kolichestvo_dney_all=21 mail=sd@domain.ru mail=name@domain.ru mail_copy=name@domain.ru if [ "x$1" != "x" ]; then mail=$1 fi #peremennye dir_data="/dir/scripts/flapping_int/data" dir_sw="/dir/switches-fl7/" result="/dir/scripts/flapping_int/result_flapping.txt" analys_tmp1="/tmp/analys_flapping_1.txt" analys_tmp2="/tmp/analys_flapping_2.txt" tmp_ports="/tmp/analys_flapping_tmp_ports.txt" tmp_logs="/tmp/analys_flapping_tmp_logs.txt" date=`date -d yesterday '+%b %_d' | tr -d '\n'` cur_day=`date +"%d"` if [ "x$2" = "xdebug" ]; then debug=1 else debug=0 fi #udalenie staryh dannih i ochistka faylov find "$dir_data"/history_* -type f -mtime +"$kolichestvo_dney_all" -delete echo -n > $tmp_ports echo -n > $tmp_logs echo -n > $dir_data/LAST echo -n > $analys_tmp1 echo -n > $analys_tmp2 #sozdanie fajla-otcheta (mail zagolovok) echo -e "Subject: Analysis ports flapping for $date \nFrom: root@syslog.domain.ru \nTo: $mail\ncc: $mail_copy\n" > $result #analiz statistiki list=`ls -1 $dir_sw` #echo $list ##################list="192.168.7.166.log" echo $list|while read host do cat $dir_sw$host | perl /dir/scripts/flapping_int/analysis-switches_flapping >> $analys_tmp1 done sort -hr $analys_tmp1 > $analys_tmp2 grep -ve '^[[:digit:]] Time(s)' $analys_tmp2 >> $dir_data/LAST cp $dir_data/LAST $dir_data/history_`date -d yesterday '+%b_%d'` #poluchaem 
spisok IP adresov list_ip=`awk '{print $3}' $dir_data/LAST | sort -u | sed '/^$/d'` while read ip || [ -n "$ip" ] do kol_vo_dney_real=`grep -l -w $ip $dir_data/history_* | wc -l` #echo debug $ip kol_vo_dney_real $kol_vo_dney_real #esli avariya sistematichnaya, to dobavlyaem v fajl-otchet if [[ "$kol_vo_dney_real" > "$kolichestvo_dney_threshold" ]]; then if [ $debug == "1" ]; then echo "DEBUG Naydena sistematichnaya avariya $ip"; fi stroka=`grep $ip $dir_data/LAST`; echo $stroka >> $tmp_logs #doljno poluchitsya chetnoe kol-vo strok t.k. budet vkluchenie i vyklushenie list_port=`echo $stroka | grep -oP -i -e 'gi1/0/[0-9]+|te1/0/[0-9]+|port [0-9]+'` while read port do config_file=`find /dir/configs/ -name $ip*` vendor=`echo $config_file | cut -d '/' -f 5` case $vendor in Eltex) if [ $debug == "1" ]; then echo "You choose Eltex device"; fi sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`; full_port=`echo $port | sed -e 's/^gi/gigabitethernet/g' -e 's/^te/tengigabitethernet/g'` description=`grep -a -A4 -w "$full_port" $config_file | grep description` if [ $debug == "1" ]; then echo "DEBUG Switch $ip Eltex $sw_name port $port full_port $full_port description $description"; fi echo "Switch $ip Eltex $sw_name port $port $description" >> $tmp_ports ;; DES) if [ $debug == "1" ]; then echo "You choose D-link device"; fi sw_name=`grep -a command_prompt $config_file | sed -e 's/config command_prompt //' -e 's/"//g' -e 's/\r//g'`; short_port=`echo $port | awk '{print $2}'` description=`grep -a -w "config ports $short_port" $config_file | awk -F 'description ' '{print $2}'` if [ $debug == "1" ]; then echo "DEBUG Switch $ip D-link $sw_name port $port short_port $short_port description $description"; fi echo "Switch $ip D-link $sw_name $port description $description" >> $tmp_ports ;; cisco) if [ $debug == "1" ]; then echo "You choose Cisco device"; fi sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`; ;; GPON) echo You choose GPON 
device; ;; *) echo "Error...Device $ip not found..." >> $result; ;; esac unset vendor; unset sw_name; unset config_file; unset short_port; unset full_port; unset description done <<< $list_port fi done <<< $list_ip #echo >> $result echo Обнаружен систематический флаппинг портов за $kolichestvo_dney_threshold дней из $kolichestvo_dney_all: >> $result sort -u $tmp_ports >> $result echo >> $result echo Просим вас устранить, либо минимизировать дергание линка. >> $result echo >> $result echo Выводы сделаны на основании нижеперечисленных логов: >> $result cat $tmp_logs >> $result echo >> $result echo Отчет высылается раз в неделю. Подробности в документе >> $result echo >> $result end=$(($(date +%s)-$starttime)); let summary_min=$end/60 echo Time execution of the script \"$0\" is $end sec. >> $result #otchet po pochte otpravlyaetsya raz v nedelyu #if [[ "$cur_day" = 14 || "$cur_day" = 15 || "$cur_day" = 16 || "$cur_day" = 17 ]]; then if [[ "$cur_day" = 01 || "$cur_day" = 08 || "$cur_day" = 15 || "$cur_day" = 22 ]]; then cat $result | /usr/sbin/sendmail -v $mail fi Оповещение в реальном времени cron.conf Цитата real_time_analysis */6 * * * * root /dir/real_time_analysis/send-alarm-Warning.sh 1>/dev/null 2>&1 */3 * * * * root /dir/real_time_analysis/send-alarm-Critical.sh 1>/dev/null 2>&1 /etc/network/interfaces Цитата auto ens18 iface ens18 inet static address 192.168.0.111 netmask 255.255.255.0 gateway 192.168.0.1 post-up /dir/real_time_analysis/real_time_analysis.pl & decrease.pl Цитата decrease.pl #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %ARPINSP; my %NT_LBD; my %L2FM_MAC_FLAP; my %BRG_MACNTFY; my %PORT_SECURITY1; my %Error; my %Warning; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my ($testline,$testfields,$ip_add); my $date = `date '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr 
-d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$date ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /XXXXXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYYYYYYYYYYYZZZZZZZZZZZZZZZZZZZZZ/ ) ) { # We don't care about these } elsif ($ThisLine_date =~ /%ARPINSP-I-PCKTLOG/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $ARPINSP{$ip_add}++; } elsif ($ThisLine_date =~ /%L2FM-2-L2FM_MAC_FLAP/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $L2FM_MAC_FLAP{$ip_add}++; } elsif ($ThisLine_date =~ /%NT_LBD/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $NT_LBD{$ip_add}++; } elsif ($ThisLine_date =~ /%BRG_MACNTFY/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $BRG_MACNTFY{$ip_add}++; } elsif ($ThisLine_date =~ /%LINK-I-ExcessIfMaxMac/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $PORT_SECURITY1{$ip_add}++; } elsif ($ThisLine_date =~ / (\S+): started/) { $Started{$1}++; } elsif ($ThisLine_date =~ / (\S+): completed successfully/) { $Successful{$1}++; } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) { $Commands{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %NT_LBD) { foreach my $line (sort {$a cmp $b} keys %NT_LBD) { print "$line %NT_LBD-I-VLANACTIONONPORT: by Loopback Detection $NT_LBD{$line} Time(s)\n"; } } if (keys %L2FM_MAC_FLAP) { foreach my $line (sort {$a cmp $b} keys %L2FM_MAC_FLAP) { print "$line %L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected $L2FM_MAC_FLAP{$line} Time(s)\n"; } } if (keys %BRG_MACNTFY) { foreach my $line (sort {$a cmp $b} keys %BRG_MACNTFY) { print "$line %BRG_MACNTFY-I-MAC_FLAPPING: host flapping 
$BRG_MACNTFY{$line} Time(s)\n"; } } if (keys %PORT_SECURITY1) { foreach my $line (sort {$a cmp $b} keys %PORT_SECURITY1) { print "$line %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses $PORT_SECURITY1{$line} Time(s)\n"; } } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { foreach my $line (sort {$a cmp $b} keys %OtherList) { print "$line: $OtherList{$line} Time(s)\n"; } # print "\n"; } if (keys %ARPINSP) { foreach my $line (sort {$a cmp $b} keys %ARPINSP) { print "$line ARPINSP-I-PCKTLOG: $ARPINSP{$line} Time(s)\n"; } # print "\n"; } exit(0); real_time_analysis.pl Цитата #!/usr/bin/perl # use warnings; #use strict; use File::Tail; $file=File::Tail->new("/dir/summary.log"); while (defined($line=$file->read)) { # print "$line"; if(($line =~ /%NT_LBD|loop occurred/) or ($line =~ /L2FM-2-L2FM|MTM-SLOT1-2/) or ($line =~ /%STP-W-LOOPGUARD|%STP-2-LOOPGUARD|Loop protection blocking/i)) { # print $line; my $file_path = "/dir/real_time_analysis/Critical_all.txt"; open(my $file_handle, '>>', $file_path) or die "Could not open file! $!"; print $file_handle "$line"; close $file_handle; } if(($line =~ /%STORM|storm is occurring|%LINK-I-ExcessIfMaxMac|%BRG_FWD-W-PORT_LOCK|%BRG_MACNTFY/) or ($line =~ /%AAA-W-REJECT|Authentication fai|Login failed|login failure/) or ($line =~ /%ARPINSP-I-PCKTLOG|WARN: Unauthenticated IP-MAC address|Startup|System.*start|%NSFP-I-SFPGibic/) or ($line =~ /%XXXXXXXXXXXXXXXXXXX/i)) { # print $line; my $file_path = "/dir/real_time_analysis/Warning_all.txt"; open(my $file_handle, '>>', $file_path) or die "Could not open file! 
$!"; print $file_handle "$line"; close $file_handle; } } send-alarm-Critical.sh Цитата #!/bin/bash debug=1 tel_channel="ID_TELEGRAM" #Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov #Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html #=#=# CHto mozhno dodelat'? #=#=# #Proverku na otpravku #Nujna rasshifrovka hostov po hostname #https://apps.timwhitlock.info/emoji/tables/unicode IFS='' cd /dir/real_time_analysis real_time_analysis_lines=$(cat Critical_all.txt | wc -l) real_time_analysis_chars=$(cat Critical_all.txt | wc -m) date=`date -d yesterday '+%b %_d' | tr -d '\n'` mail=name@domain.ru email_file="mail-Critical.txt" send_telegram (){ if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\ -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB6 $real_time_analysis_lines"`" ) then echo;echo "Sorry... Not connect to telegram server... Exit..." echo "Sorry... Not connect to telegram server... Exit..." 
>> Critical.txt exit fi } #Nakoplenie fayla dlya otpravki if [ "$real_time_analysis_lines" -gt 20 ]; then #If more 3 line #solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"} #| iconv -f cp1251 -t utf-8 # decrease message cat Critical_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g'| perl decrease.pl > Critical.txt #Sending to Mail mail_message=$(cat Critical.txt) echo -e "Subject: Syslog Critical messages \nFrom: root \nTo: $mail\nX-Priority: 1\n" > $email_file cat Critical.txt >> $email_file cat $email_file | /usr/sbin/sendmail -v $mail #Sending to Telegram tlg_message=$(cat Critical.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA5/' -e 's/LOOPGUARD/\xF0\x9F\x92\xA2 LOOPGUARD/g' \ -e 's/L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected.* \([0-9]\+ Time(s)\)/Nexus MAC flapping \xE2\xAD\x95LBD \1/g' \ -e 's/Loopback Detection/\xE2\xAD\x95 LBD/g' -e 's/Loops detected/\xE2\xAD\x95 LBD/g' -e 's/loop occurred/\xE2\xAD\x95 loop occurred/g' \ -e 's/vlan\|VLAN/\xE2\x86\x94/g') real_time_analysis_chars=$(echo $tlg_message | wc -m) tlg_output=`send_telegram` if ( ! echo $tlg_output | grep "\"ok\":true" ) then echo;echo "Sorry... Curl bad result... Exit..." echo "Sorry... Curl bad result... Exit..." >> Critical.txt exit fi #echo;echo ttt $t #Clear Critical.txt echo -n > Critical_all.txt fi send-alarm-Warning.sh Цитата send-alarm-Warning.sh #!/bin/bash debug=1 tel_channel="ID_TELEGRAM" predel_1="150" predel_2="400" #Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov #Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html #=#=# CHto mozhno dodelat'? 
#=#=# #Proverku na otpravku #Nujna rasshifrovka hostov po hostname #https://apps.timwhitlock.info/emoji/tables/unicode IFS='' cd /dir/real_time_analysis #Ne uchitivat ARP insp, IMPB i drugie ne ktitichnie stroki. Sdelano dlya snijeniya intensivnosti soobsheniy real_time_analysis_lines=$(cat Warning_all.txt | grep -Ev 'ARPINSP-I-PCKTLOG|Unauthenticated IP-MAC address|LI_=OFFFFFFFF=_NK-I-ExcessIfMaxMac'| wc -l) real_time_analysis_lines_all=$(cat Warning_all.txt | wc -l) date=`date -d yesterday '+%b %_d' | tr -d '\n'` mail=name@domain.ru email_file="mail-Warning.txt" send_telegram (){ if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\ -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB5 $real_time_analysis_lines ($predel_1) \xF0\x9F\x8E\xB6 $real_time_analysis_lines_all ($predel_2)"`" ) then echo;echo "Sorry... Not connect to telegram server... Exit..." echo "Sorry... Not connect to telegram server... Exit..." 
>> Warning.txt exit fi } #Nakoplenie fayla dlya otpravki if [[ "$real_time_analysis_lines" -gt $predel_1 || "$real_time_analysis_lines_all" -gt $predel_2 ]]; then #If more 150 line importaint or more 400 all line #solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"} #| iconv -f cp1251 -t utf-8 # decrease message cat Warning_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g' | perl decrease.pl > Warning.txt # | grep -ve '%STORM-W-StormOccurs.* [12] Time(s)\|storm is occurring.* [12] Time(s)\|ABCDEF.* [12] Time(s)' cat Warning.txt | grep -ve '%STORM-W-StormOccurs.* [123] Time(s)\|storm is occurring.* [123] Time(s)\|StormOccurs: Unicast traffic\|AAA-W-REJECT.* [1] Time(s)\|Login failed.* [1] Time(s)|ARPINSP-I-PCKTLOG: [12345] Time(s)' > Warning_tlg.txt #Sending to Mail mail_message=$(cat Warning.txt) echo -e "Subject: Syslog Warning messages \nFrom: root \nTo: $mail\nX-Priority: 5\n" > $email_file cat Warning.txt >> $email_file echo -e "\n\n==Sending to telegram==" >> $email_file cat Warning_tlg.txt >> $email_file cat $email_file | /usr/sbin/sendmail -v $mail #Sending to Telegram tlg_message=$(cat Warning_tlg.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA1/' \ -e 's/Authentication/\xF0\x9F\x9A\xB7 Authentication/g' -e 's/AAA-W-REJECT/\xF0\x9F\x9A\xB7 AAA-W-REJECT/g' -e 's/Login failed/\xF0\x9F\x9A\xB7 Login failed/g' -e 's/login failure/\xF0\x9F\x9A\xB7 login failure/g' \ -e 's/[Ss]torm/\xF0\x9F\x8C\x80storm/g' -e 's/[Ss]tart/\xF0\x9F\x94\x8Cstart/g' -e 's/NSFP-I-SFPGibic/\xF0\x9F\x94\xA9SFPGibic/g' \ -e 's/L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K/L2FM/g' -e 's/L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K/L2FM/g' -e 's/BRG_MACNTFY-I-MAC_FLAPPING/MAC/g' -e 's/flapping/\xF0\x9F\x94\x83 flapping/g' \ -e 's/LINK-I-ExcessIfMaxMac:.* \([0-9]\+ Time(s)\)/\xE2\x9C\x82 MES Port security logging \1/g' \ -e 's/ARPINSP-I-PCKTLOG:.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC MES IP ARP inspection logging \1/g' \ -e 's/WARN: 
Unauthenticated IP-MAC address.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC DES IP Mac Port Binding logging \1/g') tlg_output=`send_telegram` if ( ! echo $tlg_output | grep "\"ok\":true" ) then echo;echo "Sorry... Curl bad result... Exit..." echo "Sorry... Curl bad result... Exit..." >> Warning.txt exit fi #echo;echo ttt $t #Clear Warning.txt echo -n > Warning_all.txt fi Edited March 24, 2023 by neperpbl3 Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
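The five analysers in the post above share one skeleton (strip yesterday's timestamp, skip an ignore list, bucket by regex, print counts) and differ only in their patterns. The script below is an added example, not neperpbl3's code, showing that skeleton once, table-driven, so that a new device class is a new entry in the rule table rather than another copy of the script. The `%RULES` table, the `summarize` and `render` functions, the device classes and the sample syslog lines are all constructed for this example; the patterns are borrowed from the post. It also shows the correct way to test for the date prefix: a failed `s///` leaves `$1` holding the previous line's capture, so a plain match with `next unless` is used instead.

```perl
#!/usr/bin/perl
# Added example, not part of the forum post: one table-driven summariser that
# replaces the per-device-class copies. Classes, categories and samples are constructed.
use strict;
use warnings;

# Rules per device class, tried in order; the first matching rule wins.
# 'ignore' drops the line. If a rule's regex has a capture group, the captured
# text becomes the counter key, otherwise the whole message does.
my %RULES = (
    switches => [
        [ ignore  => qr/%COPY-I-FILECPY|%COPY-N-TRAP|CLI-6: |MSR-6: Configuration successfully backup/ ],
        [ warning => qr/WARNING: (\N+)/ ],
        [ link    => qr/%LINK-I-Up|%LINK-W-Down|LinkStatus-6: [Pp]ort/ ],
        [ auth    => qr/%AAA-W-REJECT|Login failed/ ],
    ],
    mikrotik => [
        [ ignore  => qr/Config export finished|System backup finished|Uploading system backup/ ],
        [ l2tp    => qr/l2tp-out/ ],
        [ ipip    => qr/ipip-tun/ ],
    ],
);

# summarize($class, $day, \@lines) -> { category => { key => count } }
# Only lines stamped with $day (syslog format, e.g. "Jan  7") are counted.
sub summarize {
    my ($class, $day, $lines) = @_;
    my $rules = $RULES{$class} or die "unknown device class '$class'\n";
    my %count;
    for my $raw (@$lines) {
        (my $line = $raw) =~ s/\r?\n$//;
        # A plain match rather than s///: a failed match leaves $1 untouched, so with
        # s/// a line from another day would silently reuse the previous capture.
        next unless $line =~ /^\Q$day\E ..:..:.. (.*)$/;
        my $msg = $1;
        my ($bucket, $key) = ('other', $msg);
        for my $rule (@$rules) {
            my ($cat, $re) = @$rule;
            next unless $msg =~ $re;
            ($bucket, $key) = ($cat, defined $1 ? $1 : $msg);
            last;
        }
        $count{$bucket}{$key}++ unless $bucket eq 'ignore';
    }
    return \%count;
}

# Print the counts in the logwatch-like layout used by the scripts above.
sub render {
    my ($summary, $day) = @_;
    my $out = '';
    for my $cat (sort keys %$summary) {
        my $h = $summary->{$cat};
        $out .= ($cat eq 'other' ? "**Unmatched Entries** for $day" : ucfirst $cat) . ":\n";
        for my $k (sort { $h->{$b} <=> $h->{$a} || $a cmp $b } keys %$h) {
            $out .= sprintf "   %3d Time(s): %s\n", $h->{$k}, $k;
        }
        $out .= "\n";
    }
    return $out;
}

# Constructed sample input: four lines from "Jan  7" plus one from the day before,
# which must not be counted. Hosts and ports are invented.
my @SAMPLE = (
    "Jan  7 10:01:02 192.168.7.166 %LINK-W-Down gi1/0/5\n",
    "Jan  7 10:01:09 192.168.7.166 %LINK-I-Up gi1/0/5\n",
    "Jan  7 10:02:00 192.168.7.166 %COPY-I-FILECPY Files Copy - source URL running-config\n",
    "Jan  7 11:15:44 192.168.7.167 WARNING: fan 1 speed low\n",
    "Jan  6 23:59:58 192.168.7.166 %LINK-W-Down gi1/0/5\n",
);

# usage: perl summarize.pl <class> [<Mon dd>] < syslog-file   or   perl summarize.pl --demo
my $class = shift @ARGV // '--demo';
if ($class eq '--demo') {
    print render(summarize('switches', 'Jan  7', \@SAMPLE), 'Jan  7');
} else {
    my $day = shift @ARGV // `date -d yesterday '+%b %_d' | tr -d '\n'`;
    print render(summarize($class, $day, [<STDIN>]), $day);
}
```

Run with `--demo` the sample produces a `Link` section with the down and up messages counted once each and a `Warning` section with the fan message; the `Jan  6` line and the `%COPY-I-FILECPY` line are dropped. Feeding a real per-device log file on STDIN with the class name as the first argument reproduces the role of the analysis-* scripts in the daily loop.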