Jump to content
Калькуляторы

Syslog Начальная работа с Syslog

Здравствуйте. У меня такая проблема.мне была поставлена следующая задача: Рассмотреть Syslog (найдите фриварное решение и разверните его на своей машине). То есть в данном разделе надо рассмотреть архитектуру решения и само решение (тот Sislog который найдете), настройка источника, настройка сервера и т.д. Все это со скриншотами. На все про все у меня день, максимум 2, а я абсолютно не знаком с этой системой, можете подсказать где можно прочитать буквально по шагам как и что нажимать (глубоки знания данной системы мне сейчас не нужны, просто нужно выполнить задачу, поверхостно ознакомиться с данной программой. Может что посоветуете. Заранее спасибо. желательно, чтобы реализация было на Windows, но Unix тоже меня устроит.

Share this post


Link to post
Share on other sites

Интернетом пользоваться обучены? :).

Первая ссылка в поиске дает вики, где кратко все есть.

Из простого приложения для windows - tftpd32 умеет и сислог.

Share this post


Link to post
Share on other sites

Не подсказывайте.

Это студент-дипломник.

Не освоил интернет и не имеет базовых понятий о работе системы.

Share this post


Link to post
Share on other sites

Какой дипломник?!

Это второй курс, лабораторная работа для отстающих. :)

Пусть сдает, на собеседовании такие отсеиваются после второго вопроса.

Share this post


Link to post
Share on other sites

Сколько не сталкивался с решениями для обработки данных через syslog, все сторонние подходили только для складирования данных, анализа и т.п. Если требуется что-то большее, например выполнение каких-то действий по определенным событиям с большим количеством условий, проще написать свой софт для этого.

Share this post


Link to post
Share on other sites

Вот его ответ:

как бы не зная ситуацию не стоит бросаться такими словами? у меня специальность не связана с этой тематикой, а это просто один подпункт моей дипломной работы

Share this post


Link to post
Share on other sites

Сколько не сталкивался с решениями для обработки данных через syslog, все сторонние подходили только для складирования данных, анализа и т.п. Если требуется что-то большее, например выполнение каких-то действий по определенным событиям с большим количеством условий, проще написать свой софт для этого.

Splunk - могучая штука для подобных задач.

Не только сислог, но любые структурированные данные можно разбирать, фильтровать, анализировать и строить разные отчетности.

Но это большой продукт, и требует серьезного подхода.

Есть пачка готовых плагинов, и большие возможности собственных разработок.

 

Использовать до 500М данных в день, с ограниченным функционалом, можно без денег.

Share this post


Link to post
Share on other sites

Сколько не сталкивался с решениями для обработки данных через syslog, все сторонние подходили только для складирования данных, анализа и т.п. Если требуется что-то большее, например выполнение каких-то действий по определенным событиям с большим количеством условий, проще написать свой софт для этого.

NOC делает это из коробки

Share this post


Link to post
Share on other sites

 

Концепция syslog-ng

 

Сбор UDP пакетов syslog настраивается на клиенте, а не на сервере. Сервер 192.168.0.5 принимает и записывает абсолютно все syslog сообщения. Сортировка производится  по следующим критериям и в нижеперечисленном порядке:
1.    Сортировка по типу оборудования согласно категории «Facility»
2.    Сортировка  по заданным IP адресам
3.    Запись всех остальных IP адресов

Для сортировки по типу оборудования используется категория «Facility». Массовое и важное оборудование (коммутаторы, Cisco VoIP и т.п.) сортируется по категориям  «Facility localХ» . Таким образом  логи коммутаторов, Cisco VoIP и других устройств сортируются по нужным папкам вне зависимости от IP адреса устройства. Отсортированные по категориям логи ежедневно анализируются, а отчеты «Syslog analysis» отправляются на почту . Если неверно настроить “Facility”, то логи будут собираться в другую папку и перестанут анализироваться и отправляется в виде отчета на почту. 

 

 

 

 

Цитата

@syslog:/home/syslog-server$ ls -la
total 645464
drwxr-xr-x 15 root adm       4096 Dec  2 00:00 .
drwxr-xr-x  6 root root      4096 Nov  2 17:01 ..
drwx------  3 root root      4096 Nov  2 16:38 192.168.X.X
drwx------  3 root root      4096 Dec  1 00:00 192.169.0.X
drwx------  3 root root      4096 Dec  2 00:00 192.167.X.X
drwx------  3 root root      4096 Nov 17 14:31 192.165.X.X
drwx------  3 root root      4096 Dec  1 00:01 cisco-voip-fl5
-rwxr-xr-x  1 root root       210 Oct 27 15:39 find-IP-addess
drwx------  3 root root      4096 Dec  2 00:00 gpons
drwx------  3 root root      4096 Dec  2 00:00 mikrotiks-fl4
drwx------  2 root root      4096 Nov 17 14:35 other
drwxr-xr-x  2 root root      4096 Nov 24 17:26 real_time_analysis
-rwxr-xr-x  1 root root        43 Oct 25 16:42 restart-syslog-ng
drwx------  3 root root      4096 Nov 16 22:14 routers-fl6
drwxr-xr-x  2 root root      4096 Dec  2 01:00 scripts
-rw-r--r--  1 root adm   82739495 Dec  2 18:17 summary.log
-rw-r--r--  1 root adm  102031166 Dec  2 00:01 summary.log.1
-rw-r--r--  1 root adm  104623796 Dec  1 00:01 summary.log.2
-rw-r--r--  1 root adm  105040571 Nov 30 00:02 summary.log.3
-rw-r--r--  1 root adm   81861391 Nov 29 00:00 summary.log.4
-rw-r--r--  1 root adm   83915504 Nov 28 00:00 summary.log.5
-rw-r--r--  1 root adm  100623935 Nov 27 00:01 summary.log.6
drwx------  3 root root     12288 Dec  2 16:29 switches-fl7
lrwxrwxrwx  1 root root        41 Oct 25 16:41 syslog.conf -> /etc/syslog-ng/conf.d/syslog-.conf
 

 

 

Если ваше устройство не подходит под вышеперечисленное оборудование, то просто укажите IP адрес сервера « 192.168.0.5». Больше ничего делать не нужно, однако если на оборудовании необходимо принудительно установить значение Facility Local «Х», то установите по-умолчанию «Facility Local0».

 

 

Настройка на комм. Элтекс MES

Цитата

enable
conf t
no logging host 172.0.0.99
no logging host 172.0.0.97
logging host 172.0.0.111
exit
write
y

exit

* facility local7 используется по-умолчанию и явно указывать не нужно

 

 

Настройка на комм. Cisco 2960

Цитата

enable
conf t
login on-failure log
no logging facility local3
no logging 172.0.0.99
no logging 172.0.0.97
logging trap debugging
logging 172.0.0.111

exit

* facility local7 используется по-умолчанию и явно указывать не нужно

 

 

 

Настройка на комм. D-link

Цитата

create syslog host 1 ipaddress 192.168.0.5facility local7 severity debug state enable 
create syslog host 1 ipaddress 192.168.0.5facility local7 severity all state enable

enable syslog   

*Для разных серий D-link используются разный формат команд. Одна из команд будет успешно выполнена.

 

 

Настройка на оборуд. Mikrotik

Цитата

/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning


/system logging action
set 3 bsd-syslog=yes remote=192.168.0.5syslog-facility=local4

https://wiki.mikrotik.com/wiki/Manual:System/Log

 

 

 

Настройка на GPON Элтекс

Цитата

configure terminal
logging remote 192.168.0.5
exit
commit
save
exit

Также указать IP адрес в конфиге /home/syslog-server/syslog-.conf
*Facility не поддерживается

 

 

Настройка на Cisco router 

Цитата

en
password

conf t

login on-failure log
no logging 172.0.0.99
no logging 172.0.0.97
logging 172.0.0.111
logging facility local5
login on-failure log
exit
wr
exit

sh run | i loggi

Полезная инфа в статье https://serverfault.com

 

 

Настройка на маршрутизаторах 

Цитата

*Настройка производится аналогичным образом. Выбирается facility local6.

 

 

Facility (категория)

Описание Cистемное протоколирование в Linux

 

Тип устройства

Facility

Папка назначения

Коммутаторы (любой модели)

local7 (23)

switches-fl7

Маршрутизаторы (кроме Микротик)

Local6 (22)

routers-fl6

Cisco VoIP

Local5 (21)

cisco-voip-fl5

Оборудование Mikrotik

Local4 (20)

mikrotiks-fl4

резерв

Local3 (19)

резерв

резерв

Local2 (18)

резерв

Резерв (используется Натексом)

Local1 (18)

резерв

По-умолчанию (используется Натексом)

Local0 (16)

Не обрабатывается

 

Если нужно установить какое-то Facility, то установите по-умолчанию Facility Local0

 

 

Значения по-умолчанию на некотором оборудовании:

Оборудование

По-умолчанию

Изменено на

Eltex

local7 (23)

 

D-link

local3 (19)

Local6 (22)

Маршрутизаторы Cisco

local3 (19)

 

Коммутаторы Cisco

local7 (23)

 

 

 

 

VoIP шлюзы Натекс одновременно используют Facility local0 и local1

Описание Cистемное протоколирование в Linux

 

 

 

 

 

Настройки syslog-ng

 

/etc/syslog-ng/syslog-ng.conf

Цитата

@version: 3.19
@include "scl.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
          dns_cache(no); owner("root"); group("adm"); perm(0640);
          stats_freq(0); bad_hostname("^gconfd$");
          keep_timestamp(no);
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src {
       system();
       internal();
};

# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
#source s_net { tcp(ip(127.0.0.1) port(1000)); };

########################
# Destinations
########################
# First some standard logfile
#
destination d_auth { file("/var/log/auth.log"); };
destination d_cron { file("/var/log/cron.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_syslog { file("/var/log/syslog"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };

# This files are the log come from the mail subsystem.
#
destination d_mailinfo { file("/var/log/mail.info"); };
destination d_mailwarn { file("/var/log/mail.warn"); };
destination d_mailerr { file("/var/log/mail.err"); };

# Logging for INN news system
#
destination d_newscrit { file("/var/log/news/news.crit"); };
destination d_newserr { file("/var/log/news/news.err"); };
destination d_newsnotice { file("/var/log/news/news.notice"); };

# Some 'catch-all' logfiles.
#
destination d_debug { file("/var/log/debug"); };
destination d_error { file("/var/log/error"); };
destination d_messages { file("/var/log/messages"); };

# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
destination d_console_all { file(`tty10`); };

# The named pipe /dev/xconsole is for the nsole' utility.  To use it,
# you must invoke nsole' with the -file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
destination d_xconsole { pipe("/dev/xconsole"); };

# Send the messages to an other host
#
#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

# Debian only
destination d_ppp { file("/var/log/ppp.log"); };

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which
# message go where.

filter f_dbg { level(debug); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_err { level(err); };
filter f_crit { level(crit .. emerg); };

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_error { level(err .. emerg) ; };
filter f_messages { level(info,notice,warn) and
                    not facility(auth,authpriv,cron,daemon,mail,news); };

filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
filter f_cron { facility(cron) and not filter(f_debug); };
filter f_daemon { facility(daemon) and not filter(f_debug); };
filter f_kern { facility(kern) and not filter(f_debug); };
filter f_lpr { facility(lpr) and not filter(f_debug); };
filter f_local { facility(local0, local1, local3, local4, local5,
                        local6, local7) and not filter(f_debug); };
filter f_mail { facility(mail) and not filter(f_debug); };
filter f_news { facility(news) and not filter(f_debug); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
filter f_user { facility(user) and not filter(f_debug); };
filter f_uucp { facility(uucp) and not filter(f_debug); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

filter f_ppp { facility(local2) and not filter(f_debug); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_auth); destination(d_auth); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_daemon); destination(d_daemon); };
log { source(s_src); filter(f_kern); destination(d_kern); };
log { source(s_src); filter(f_lpr); destination(d_lpr); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_src); filter(f_user); destination(d_user); };
log { source(s_src); filter(f_uucp); destination(d_uucp); };

log { source(s_src); filter(f_mail); destination(d_mail); };
#log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
#log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
#log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
#log { source(s_src); filter(f_cnews); destination(d_console_all); };
#log { source(s_src); filter(f_cother); destination(d_console_all); };

#log { source(s_src); filter(f_ppp); destination(d_ppp); };

log { source(s_src); filter(f_debug); destination(d_debug); };
log { source(s_src); filter(f_error); destination(d_error); };
log { source(s_src); filter(f_messages); destination(d_messages); };

log { source(s_src); filter(f_console); destination(d_console_all);
                                    destination(d_xconsole); };
log { source(s_src); filter(f_crit); destination(d_console); };

# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"


#destination d_pvec { file("/var/log/!remote/pvec.log"); };
#filter f_pvec { netmask("10.248.0.219/255.255.255.255"); };
#log { source(s_udp); filter(f_pvec); destination(d_pvec); };

 

 

 

/etc/syslog-ng/conf.d/syslog-unic.conf

Цитата

#keep_timestamp(no) v konfige /etc/syslog-ng/syslog-ng.conf ispolzuet datu sistemy, a ne ustoystva. Eto pomogaet izbejat problem c nekorektoy datoy


source s_network_udp { syslog(ip(0.0.0.0) transport("udp") keep-hostname(yes)); };
source s_network_tcp { tcp(ip(0.0.0.0) port(514) keep-hostname(yes)); };
#keep-hostname pri nalichii v soobsheni▒ polya hostname ispolzuet vmesto IP znachenit hostname. Eto uproshaet nastroyku ustoystv mikrotik, u kotorih mnogo IP adresov. Odnako ne vo vseh sluchayah eto udobno. Dlya sohraneniya IP ispolzuyte $SOURCEIP

filter f_gpon {
host("192.168.0.212") or host("192.168.0.214") or host("192.168.0.215") or host("192.168.0.216") or host("192.168.0.217") or host("192.168.0.218") or host("192.168.0.219")  or host("192.168.0.220") or host("192.168.0.221") or host("192.168.0.222") or host("10.240.0.99");};

filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

filter f_net172_16 {
        netmask( "172.16.0.0/255.255.0.0" );
};

filter f_net192.168.{
        netmask( "192.168.0.0/255.255.252.0" );
};

filter f_net10_10 {
        netmask( "10.10.0.0/255.255.255.0" );
};

filter f_net10.0{
        netmask( "10.00.0/255.255.255.0" );
};


destination d_gpon { file("/home/syslog-server/gpons/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_mikrotik { file("/home/syslog-server/mikrotiks-fl4/${HOST}-${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_cisco_voip { file("/home/syslog-server/cisco-voip-fl5/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_routers { file("/home/syslog-server/routers-fl6/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_switches { file("/home/syslog-server/switches-fl7/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_net172_16 { file("/home/syslog-server/172.16.X.X/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_net192.168.{ file("/home/syslog-server/192.168.X.X/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_net10_10 { file("/home/syslog-server/10.10.X.X/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_net10.0{ file("/home/syslog-server/10.00.X/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_net_other { file("/home/syslog-server/other/${SOURCEIP}.log" perm(0644) create_dirs (yes)); };
destination d_summary { file("/home/syslog-server/summary.log" perm(0644)); };

###===LOGIROVANIE===###
##Poryadok zapicey imeet znachenie!!!##
##flags(final) oznachaet ostanovitsya i ne idti dalshe po spisku.

#Vse logi v dublirovat odnom file. Nachalnoe pravilo!
log { source(s_network_udp); destination(d_summary);};


#Mikrotiks by facility (local4) to folder "mikrotiks-fl4"
log {
        source(s_network_udp);
        filter(f_local4);
        destination(d_mikrotik);
        flags(final);
};

#Cisco VoIP by facility (local5) to folder "cisco-voip-fl5"
log {
        source(s_network_udp);
        filter(f_local5);
        destination(d_cisco_voip);
        flags(final);
};

#Routers by facility (local6) to folder "routers-fl6"
log {
        source(s_network_udp);
        filter(f_local6);
        destination(d_routers);
        flags(final);
};

#Switches by facility (local7) to folder "switches-fl7"
log {
        source(s_network_udp);
        filter(f_local7);
        destination(d_switches);
        flags(final);
};

#All GPON devices to folder "gpon"
log {
        source(s_network_udp);
        filter(f_gpon);
        destination(d_gpon);
        flags(final);
};

#Other devices from 172.16.0.0/16 to folder "172.16.X.X"
log {
        source(s_network_udp);
        filter(f_net172_16);
        destination(d_net172_16);
        flags(final);
};

#Other devices from 192.168.0.0/23 to folder "192.168.X.X"
log {
        source(s_network_udp);
        filter(f_net192.168.;
        destination(d_net192.168.;
        flags(final);
};

#Other devices from 10.10.0.0/24 to folder "10.10.0.X"
log {
        source(s_network_udp);
        filter(f_net10_10);
        destination(d_net10_10);
        flags(final);
};

#Other devices from 10.00.0/24 to folder "10.00.X"
log {
        source(s_network_udp);
        filter(f_net10.0;
        destination(d_net10.0;
        flags(final);
};


#All another unknowed IP address
#Pravilo doljno bit poslednim!
log { source(s_network_udp); destination(d_net_other);};

 

 

 

Работа скриптов
Ежедневные отчеты на почту

 

Анализ флаппинга

 

 

Уведомление в реальном времени
Анализ  и отправка отчетов о критичных событиях в реальном времени. Отправка проводится в канал telegram и на почту 

При загрузке ОС стартует real_time_analysis.pl, который постоянно анализирует логи.

Цитата

/etc/network/interfaces
post-up /home/syslog-server/real_time_analysis/real_time_analysis.pl &

Цитата

/home/syslog-server/real_time_analysis/real_time_analysis.pl
commit
save

 

 

Настроено два типа отправки
Критичные сообщения (Critical)
 

Примеры

Цитата

Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
Feb  1 08:31:11 192.168.0.4 2022 Feb  1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
Feb  1 09:05:44 192.168.0.4 2022 Feb  1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002 
Dec  3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.

Защита STP LOOPGUARD
04-Apr-2019 17:01:47 :%STP-W-LOOPGUARD_BLOCK: Loop guard blocking port gi1/0/24 in instance 0.
04-Apr-2019 19:18:22 :%STP-W-LOOPGUARD_UNBLOCK: Loop guard unblocking port gi1/0/24 in instance 0.
TESSSTTT--Nexus-Kal81# 2021 Aug 12 09:21:30 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet1/48 on MST0000.
TESSSTTT--Nexus-Kal81# sh int Eth1/482021 Aug 12 09:25:32 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Ethernet1/48 on MST0000.
1644  2000-01-01 08:12:02 INFO(6) Loop protection blocking port 24 on instance 0
 

 

Важные сообщения (Warning)

 

Примеры

Цитата

Логин пароль
Login failed through Telnet from 192.168.99.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, TACACS REJECTED.
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, local user table REJECTED.
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]

Блуждание MAC адресов
Feb  1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2  

Штормы
Feb  8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Broadcast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits  
Feb  8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Multicast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits  
Feb  8 10:34:25 192.168.0.39 WARN: Port 26 Broadcast storm is occurring
Feb  8 10:34:25 192.168.0.39 WARN: Port 26 Multicast storm is occurring

IP ARP inspection logging & IMPB
Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed  SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00

DES-3526 Feb 16 11:11:11 192.167.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)

DES-3200, rev C1 Feb 16 11:11:11 192.167.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)

Port security
Feb  8 10:34:25 192.168.0.20 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN

Перезагрузка устройств
DES-3200
Jan  6 09:44:33 192.167.0.241 CRIT: System cold start
Dec  7 20:18:29 192.167.0.148 CRIT: System warm start


DGS-1100-06/ME
Feb  2 12:27:11 192.167.0.243 SYSTEM-2: System cold start
Nov 25 13:19:27 192.168.0.61 SYSTEM-2: System warm start

MES
Dec  6 08:56:07 192.168.0.143 %INIT-I-Startup: Warm Startup  
Feb  7 13:37:27 192.168.0.9 %INIT-I-Startup: Cold Startup  


Работа с SFP модулями

Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present  
Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR  

Отключение порта по флаппингу

Jan 13 12:36:05 192.168.0.121 %LINK-W-PORT_SUSPENDED: Port te1/0/4 suspended by link-flapping

 

 

 

Оперативная работа

Цитата

Login failed through Telnet from 192.168.3.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, TACACS REJECTED.
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, local user table REJECTED.
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]
Feb  1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2  
Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
Feb  1 08:31:11 192.168.0.4 2022 Feb  1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
Feb  1 09:05:44 192.168.0.4 2022 Feb  1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002 
Dec  3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.
Feb 16 11:11:11 192.168.0.39 WARN: Port 22 Multicast storm is occurring.
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
Feb 16 11:11:11 192.168.0.13 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN on an interface gi1/0/1 is exceeded (3), 2096  
Feb 16 11:11:11 172.16.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)
Feb 16 11:11:11 172.16.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)
Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed  SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00
Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present  
Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR  
 

 

 

СКРИПТЫ

 

find-IP-addess

Цитата

#!/bin/bash

ip=$1
if [ "x$1" = "x" ];
    then
    read -p "Enter the device IP address: " ip
fi
if [ "x$ip" = "x" ]; then echo "Sorry, unknown IP address..."; exit; fi
find /home/syslog-server -name *$ip.log

 

 

 

restart-syslog-ng

Цитата

#!/bin/bash

/etc/init.d/syslog-ng restart
 

 

 

 

show-log

Цитата

#!/bin/bash

ip=$1
if [ "x$1" = "x" ];
    then
    read -p "Enter the device IP address: " ip
fi
if [ "x$ip" = "x" ]; then echo "Sorry, unknown IP address..."; exit; fi
path=`find /home/syslog-server -name *$ip.log`

 

 

 

 

 


start-analysis.sh
  analysis-cisco-router
  analysis-gpons
  analysis-mikrotiks
  analysis-switches

 

 

============================

flapping_int
  analysis-switches_flapping
  start-analysis_flapping_int.sh

 

 

 

 

scripts start-analysis.sh

Цитата

scripts start-analysis.sh
#!/bin/bash
IFS=""
starttime=$(date +%s)

result="/dir/scripts/result.txt"
#tmp="/usr/lib/nagios_actuality/tmp_scan.txt"
date=`date -d yesterday '+%b %_d' | tr -d '\n'`

mail=pochta@domain.ru
if [ "x$1" != "x" ];
    then
mail=$1
fi
echo -e "Subject: Syslog analysis for $date \nFrom: root \nTo: $mail\n" > $result


echo ======================== >> $result
echo Analysis Cisco Router >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/cisco-voip-fl5/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-cisco-router >> $result
done


echo ======================== >> $result
echo Analysis GPON >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/gpons/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-gpons >> $result
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i  '$d' $result;fi #Ne pokazyvat ustoystva bez logov
done


echo ======================== >> $result
echo Analysis Switches >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/switches-fl7/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-switches >> $result
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i  '$d' $result;fi #Ne pokazyvat ustoystva bez logov
done

echo ======================== >> $result
echo Analysis Routers >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/routers-fl6/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-switches >> $result
done


echo ======================== >> $result
echo Analysis Mikrotiks >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/mikrotiks-fl4/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-mikrotiks >> $result
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i  '$d' $result;fi #Ne pokazyvat ustoystva bez logov
done

end=$(($(date +%s)-$starttime)); let summary_min=$end/60
echo; echo Time execution of the script \"$0\" is $summary_min min. >> $result

cat $result | /usr/sbin/sendmail -v $mail

 

 

 

 

 

analysis-cisco-router

Цитата


analysis-cisco-router
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %Isdn6_c_d;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/;
#$ThisLine =~ s/^$yesterday(.*)$/$1/;
my $ThisLine_date = $1;
#print "111 $ThisLine_date\n";
if( $ThisLine_date ) {
# print "Init failed\n";

   if ($ThisLine_date =~ /%ISDN-6-CONNECT: Interface Serial.* is now connected to|%ISDN-6-DISCONNECT: Interface Serial.* disconnected from/) {
      $Isdn6_c_d{$1}++;
   } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
      $Warning{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): started/) {
      $Started{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
      $Successful{$1}++;
   } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
      $Commands{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}


if (keys %Isdn6_c_d) {
   print "ISDN-6-CONNECT-DISCONNECT:\n";
   foreach my $line (sort {$a cmp $b} keys %Isdn6_c_d) {
      print "    $line: $Isdn6_c_d{$line} Time(s)\n";
   }
   print "\n";
}

if (keys %Warning) {
   print "Warnings:\n";
   foreach my $line (sort {$a cmp $b} keys %Warning) {
      print "    $line: $Warning{$line} Time(s)\n";
   }
   print "\n";
}

if (($Detail > 5) and keys %Started) {
   print "Started:\n";
   foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
      print "    $retain: $Started{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}

if (keys %OtherList) {
   print "\n**Unmatched Entries** for $yesterday\n";
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "    $line: $OtherList{$line} Time(s)\n";
   }
   print "\n";
}

exit(0);


 

 

 

 

 

analysis-gpons

Цитата


analysis-gpons
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %Error;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/;
my $ThisLine_date = $1;
      # Isklucheniya. Soobsheniya ignoriruutsya.
if( $ThisLine_date ) {
   if ( ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or #DGS-1100-06/ME
        ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or #Eltex MES
        ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link
     ) {
      # We don't care about these
   } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
      $Warning{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): started/) {
      $Started{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
      $Successful{$1}++;
   } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
      $Commands{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}


if (keys %Error) {
   print "ERRORS:\n";
   foreach my $line (sort {$a cmp $b} keys %Error) {
      print "    $line: $Error{$line} Time(s)\n";
   }
   print "\n";
}

if (keys %Warning) {
   print "Warnings:\n";
   foreach my $line (sort {$a cmp $b} keys %Warning) {
      print "    $line: $Warning{$line} Time(s)\n";
   }
   print "\n";
}

if (($Detail > 5) and keys %Started) {
   print "Started:\n";
   foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
      print "    $retain: $Started{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}

if (keys %OtherList) {
   print "\n**Unmatched Entries** for $yesterday\n";
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "    $line: $OtherList{$line} Time(s)\n";
   }
   print "\n";
}

exit(0);


 

 

 

 

 

analysis-mikrotiks

Цитата


analysis-mikrotiks
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %Error;
my %l2tp_out;
my %ipip_tun;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/;
my $ThisLine_date = $1;
      # Isklucheniya. Soobsheniya ignoriruutsya.
if( $ThisLine_date ) {
   if ( ( $ThisLine_date =~ /Config export finished|Configuration backup finished|System backup finished|Uploading config export|Uploading system backup|fetch: file / ) or #for Mikrotik backup
        ( $ThisLine_date =~ /OTHERRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR/ ) or #for Mikrotik other
        ( $ThisLine_date =~ /dhcp1 |default assigned |default deassigned |..-..-..-..-..-.. \(.+\)/ ) or #for Mikrotik E4:8D:8C:D9:9A:17-172.16.34.67.log na Smolenskoy
        ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link
     ) {
      # We don't care about these
   } elsif ($ThisLine_date =~ /l2tp-out/) {
      $l2tp_out{$1}++;
   } elsif ($ThisLine_date =~ /ipip-tun/) {
      $ipip_tun{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
      $Successful{$1}++;
   } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
      $Commands{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}


if (keys %Error) {
   print "ERRORS:\n";
   foreach my $line (sort {$a cmp $b} keys %Error) {
      print "    $line: $Error{$line} Time(s)\n";
   }
   print "\n";
}

if (keys %l2tp_out) {
   print "VPN L2TP Messages:\n";
   foreach my $line (sort {$a cmp $b} keys %l2tp_out) {
      print "    $line: $l2tp_out{$line} Time(s)\n";
   }
   print "\n";
}

if (keys %ipip_tun) {
   print "VPN IPIP Messages:\n";
   foreach my $line (sort {$a cmp $b} keys %ipip_tun) {
      print "    $line: $ipip_tun{$line} Time(s)\n";
   }
   print "\n";
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}

if (keys %OtherList) {
   print "\n**Unmatched Entries** for $yesterday\n";
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "    $line: $OtherList{$line} Time(s)\n";
   }
   print "\n";
}

exit(0);

 

 

 

 

 

 

analysis-switches

Цитата


analysis-switches
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %Error;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/;
my $ThisLine_date = $1;
      # Isklucheniya. Soobsheniya ignoriruutsya.
if( $ThisLine_date ) {
   if ( ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or #DGS-1100-06/ME
        ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or #Eltex MES
        ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link
     ) {
      # We don't care about these
   } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
      $Warning{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): started/) {
      $Started{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
      $Successful{$1}++;
   } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
      $Commands{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}


if (keys %Error) {
   print "ERRORS:\n";
   foreach my $line (sort {$a cmp $b} keys %Error) {
      print "    $line: $Error{$line} Time(s)\n";
   }
   print "\n";
}

if (keys %Warning) {
   print "Warnings:\n";
   foreach my $line (sort {$a cmp $b} keys %Warning) {
      print "    $line: $Warning{$line} Time(s)\n";
   }
   print "\n";
}

if (($Detail > 5) and keys %Started) {
   print "Started:\n";
   foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
      print "    $retain: $Started{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}

if (keys %OtherList) {
   print "\n**Unmatched Entries** for $yesterday\n";
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "    $line: $OtherList{$line} Time(s)\n";
   }
   print "\n";
}

exit(0);

 

 

 

 

 

 

 

/scripts/flapping_int

 

analysis-switches_flapping

Цитата


analysis-switches_flapping
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %Error;
my %Flapping;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/;
my $ThisLine_date = $1;
      # Isklucheniya. Soobsheniya ignoriruutsya.
if( $ThisLine_date ) {
   if ( ( $ThisLine_date =~ /xxxxxxxxxxxxxxxxx_xxxxxxxxxxxxx / ) or #OFF
        ( $ThisLine_date =~ /yyyyyyyy_yyyyyyyyyyyyyyyyyyyyyy/ ) #OFF
     ) {
      # We don't care about these
   } elsif ($ThisLine_date =~ /%LINK-I-Up|%LINK-W-Down|INFO: Port .*link|LinkStatus-6: [Pp]ort/) {
      $Flapping{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}

if (keys %Flapping) {
 #_#  print "\n**Flappings for $yesterday\n\n";
   foreach my $line (sort {$a cmp $b} keys %Flapping) {
      print "$Flapping{$line} Time(s): $line\n";
   }
 #_#  print "\n";
}

#if (keys %OtherList) {
#   print "\n**Unmat_ched Ent_ries** for $yesterday\n";
#   foreach my $line (sort {$a cmp $b} keys %OtherList) {
#      print "  _-_  $line: $OtherList{$line} Time(s)\n";
#   }
#   print "\n";
#}


if (keys %Error) {
   print "ERRORS:\n";
   foreach my $line (sort {$a cmp $b} keys %Error) {
      print "    $line: $Error{$line} Time(s)\n";
   }
   print "\n";
}

if (($Detail > 5) and keys %Started) {
   print "Started:\n";
   foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
      print "    $retain: $Started{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}


exit(0);


 

 

 

 

 

 

 

 

 

start-analysis_flapping_int.sh

Цитата

start-analysis_flapping_int.sh
#!/bin/bash

#Example ./start-analysis_flapping_int.sh name@domain.ru debug

IFS=""
starttime=$(date +%s)


#  rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs
#  rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs
#  rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs
#  rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs

#porogovoe znachenie kol-va dnej. Esli prevyshaet, to uvedomlyaetsya po pochte
kolichestvo_dney_threshold=7
#kolichestvo dnej dlya analiza
kolichestvo_dney_all=21

mail=sd@domain.ru
mail=name@domain.ru
mail_copy=name@domain.ru
  if [ "x$1" != "x" ];
     then
   mail=$1
  fi

#peremennye
dir_data="/dir/scripts/flapping_int/data"
dir_sw="/dir/switches-fl7/"
result="/dir/scripts/flapping_int/result_flapping.txt"
analys_tmp1="/tmp/analys_flapping_1.txt"
analys_tmp2="/tmp/analys_flapping_2.txt"
tmp_ports="/tmp/analys_flapping_tmp_ports.txt"
tmp_logs="/tmp/analys_flapping_tmp_logs.txt"
date=`date -d yesterday '+%b %_d' | tr -d '\n'`
cur_day=`date +"%d"`

if [ "x$2" = "xdebug" ];
  then debug=1
  else debug=0
fi


#udalenie staryh dannih i ochistka faylov
find "$dir_data"/history_* -type f -mtime +"$kolichestvo_dney_all" -delete
echo -n > $tmp_ports
echo -n > $tmp_logs
echo -n > $dir_data/LAST
echo -n > $analys_tmp1
echo -n > $analys_tmp2


#sozdanie fajla-otcheta (mail zagolovok)
echo -e "Subject: Analysis ports flapping for $date \nFrom: root@syslog.domain.ru \nTo: $mail\ncc: $mail_copy\n" > $result

#analiz statistiki
list=`ls -1 $dir_sw`
#echo $list
##################list="192.168.7.166.log"
echo $list|while read host
do
    cat $dir_sw$host | perl /dir/scripts/flapping_int/analysis-switches_flapping >> $analys_tmp1
done

sort -hr $analys_tmp1 > $analys_tmp2
grep -ve '^[[:digit:]] Time(s)' $analys_tmp2 >> $dir_data/LAST
cp $dir_data/LAST $dir_data/history_`date -d yesterday '+%b_%d'`

#poluchaem spisok IP adresov
list_ip=`awk '{print $3}' $dir_data/LAST | sort -u | sed '/^$/d'`

while read ip || [ -n "$ip" ]
 do
   kol_vo_dney_real=`grep -l -w $ip $dir_data/history_* | wc -l`
   #echo debug $ip kol_vo_dney_real $kol_vo_dney_real
    #esli avariya sistematichnaya, to dobavlyaem v fajl-otchet
    if [[ "$kol_vo_dney_real" > "$kolichestvo_dney_threshold" ]]; then
     if [ $debug == "1" ]; then echo "DEBUG Naydena sistematichnaya avariya $ip"; fi
     stroka=`grep $ip $dir_data/LAST`; echo $stroka >> $tmp_logs
     #doljno poluchitsya chetnoe kol-vo strok t.k. budet vkluchenie i vyklushenie
     list_port=`echo $stroka | grep -oP -i -e 'gi1/0/[0-9]+|te1/0/[0-9]+|port [0-9]+'`
        while read port
         do
          config_file=`find /dir/configs/ -name $ip*`
          vendor=`echo $config_file | cut -d '/' -f 5`
            case $vendor in
               Eltex)
                 if [ $debug == "1" ]; then echo "You choose Eltex device"; fi
                 sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`;
                 full_port=`echo $port | sed -e 's/^gi/gigabitethernet/g' -e 's/^te/tengigabitethernet/g'`
                 description=`grep -a -A4 -w "$full_port" $config_file | grep description`
                 if [ $debug == "1" ]; then echo "DEBUG Switch $ip Eltex $sw_name port $port full_port $full_port description $description"; fi
                 echo "Switch $ip Eltex $sw_name port $port $description" >> $tmp_ports

                   ;;
               DES)
                 if [ $debug == "1" ]; then echo "You choose D-link device"; fi
                 sw_name=`grep -a command_prompt $config_file | sed -e 's/config command_prompt //' -e 's/"//g' -e 's/\r//g'`;
                 short_port=`echo $port | awk '{print $2}'`
                 description=`grep -a -w "config ports $short_port" $config_file | awk -F 'description ' '{print $2}'`
                 if [ $debug == "1" ]; then echo "DEBUG Switch $ip D-link $sw_name port $port short_port $short_port description $description"; fi
                 echo "Switch $ip D-link $sw_name $port description $description" >> $tmp_ports

                   ;;
               cisco)
                 if [ $debug == "1" ]; then echo "You choose Cisco device"; fi
                 sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`;
                   ;;
               GPON) echo You choose GPON device;

                   ;;
                 *) echo "Error...Device $ip not found..." >> $result;
                   ;;
           esac
          unset vendor; unset sw_name; unset config_file; unset short_port; unset full_port; unset description
        done <<< $list_port
    fi
 done <<< $list_ip


#echo  >> $result
echo Обнаружен систематический флаппинг портов за  $kolichestvo_dney_threshold дней из $kolichestvo_dney_all: >> $result
sort -u $tmp_ports >> $result
echo  >> $result
echo Просим вас устранить, либо минимизировать дергание линка. >> $result
echo  >> $result
echo Выводы сделаны на основании нижеперечисленных логов: >> $result
cat $tmp_logs >> $result
echo  >> $result
echo Отчет высылается раз в неделю. Подробности в документе >> $result
echo  >> $result

end=$(($(date +%s)-$starttime)); let summary_min=$end/60
echo Time execution of the script \"$0\" is $end sec. >> $result


#otchet po pochte otpravlyaetsya raz v nedelyu
#if [[ "$cur_day" = 14 || "$cur_day" = 15 || "$cur_day" = 16 || "$cur_day" = 17 ]]; then
if [[ "$cur_day" = 01 || "$cur_day" = 08 || "$cur_day" = 15 || "$cur_day" = 22 ]]; then
   cat $result | /usr/sbin/sendmail -v $mail
fi
 

 

 

 

 

 

Оповещение в реальном времени

 

 

cron.conf

Цитата

real_time_analysis
*/6 * * * * root /dir/real_time_analysis/send-alarm-Warning.sh 1>/dev/null 2>&1
*/3 * * * * root /dir/real_time_analysis/send-alarm-Critical.sh 1>/dev/null 2>&1

 

 

 

 

 

 

/etc/network/interfaces

Цитата

auto ens18
iface ens18 inet static
 address 192.168.0.111
 netmask 255.255.255.0
 gateway 192.168.0.1
 post-up /dir/real_time_analysis/real_time_analysis.pl &
 

 

 

 

 

 

 

decrease.pl

Цитата

decrease.pl
#!/usr/bin/perl

use strict;
my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my %ARPINSP;
my %NT_LBD;
my %L2FM_MAC_FLAP;
my %BRG_MACNTFY;
my %PORT_SECURITY1;
my %Error;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my %ThisLine;
my %ThisLine_date;
my %ThisLine_test;
my ($testline,$testfields,$ip_add);

my $date = `date '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
   chomp($ThisLine);
   if ($Debug) {
      print "$ThisLine\n";
   }
$ThisLine =~ s/^$date ..:..:.. (.*)$/$1/;
my $ThisLine_date = $1;
      # Isklucheniya. Soobsheniya ignoriruutsya.
if( $ThisLine_date ) {
   if ( ( $ThisLine_date =~ /XXXXXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYYYYYYYYYYYZZZZZZZZZZZZZZZZZZZZZ/ )
     ) {
      # We don't care about these
   } elsif ($ThisLine_date =~ /%ARPINSP-I-PCKTLOG/) {
      $testline = $ThisLine_date;
      my @testfields = split(/ /,$testline);
      $ip_add = @testfields[0];
      $ARPINSP{$ip_add}++;

   } elsif ($ThisLine_date =~ /%L2FM-2-L2FM_MAC_FLAP/) {
      $testline = $ThisLine_date;
      my @testfields = split(/ /,$testline);
      $ip_add = @testfields[0];
      $L2FM_MAC_FLAP{$ip_add}++;

   } elsif ($ThisLine_date =~ /%NT_LBD/) {
      $testline = $ThisLine_date;
      my @testfields = split(/ /,$testline);
      $ip_add = @testfields[0];
      $NT_LBD{$ip_add}++;

   } elsif ($ThisLine_date =~ /%BRG_MACNTFY/) {
      $testline = $ThisLine_date;
      my @testfields = split(/ /,$testline);
      $ip_add = @testfields[0];
      $BRG_MACNTFY{$ip_add}++;

   } elsif ($ThisLine_date =~ /%LINK-I-ExcessIfMaxMac/) {
      $testline = $ThisLine_date;
      my @testfields = split(/ /,$testline);
      $ip_add = @testfields[0];
      $PORT_SECURITY1{$ip_add}++;

   } elsif ($ThisLine_date =~ / (\S+): started/) {
      $Started{$1}++;
   } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
      $Successful{$1}++;
   } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
      $Commands{$ThisLine_date}++;
   } else {
      $OtherList{$ThisLine_date}++;
   }
 }
}

if (keys %NT_LBD) {
   foreach my $line (sort {$a cmp $b} keys %NT_LBD) {
      print "$line %NT_LBD-I-VLANACTIONONPORT: by Loopback Detection $NT_LBD{$line} Time(s)\n";
   }
}

if (keys %L2FM_MAC_FLAP) {
   foreach my $line (sort {$a cmp $b} keys %L2FM_MAC_FLAP) {
      print "$line %L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected $L2FM_MAC_FLAP{$line} Time(s)\n";
   }
}

if (keys %BRG_MACNTFY) {
   foreach my $line (sort {$a cmp $b} keys %BRG_MACNTFY) {
      print "$line %BRG_MACNTFY-I-MAC_FLAPPING: host flapping $BRG_MACNTFY{$line} Time(s)\n";
   }
}

if (keys %PORT_SECURITY1) {
   foreach my $line (sort {$a cmp $b} keys %PORT_SECURITY1) {
      print "$line %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses $PORT_SECURITY1{$line} Time(s)\n";
   }
}

if ($Detail and keys %Successful) {
   print "Completed Successfully:\n";
   foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
      print "    $retain: $Successful{$retain} Time(s)\n";
   }
   print "\n";
}

if ($Detail > 5 and keys %Commands) {
   print "Commands:\n";
   foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
      printf "    %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
   }
   print "\n";
}

if (keys %OtherList) {
   foreach my $line (sort {$a cmp $b} keys %OtherList) {
      print "$line: $OtherList{$line} Time(s)\n";
   }
  # print "\n";
}

if (keys %ARPINSP) {
   foreach my $line (sort {$a cmp $b} keys %ARPINSP) {
      print "$line ARPINSP-I-PCKTLOG: $ARPINSP{$line} Time(s)\n";
   }
#   print "\n";
}


exit(0);

 

 

 

 

 

 

 

real_time_analysis.pl

Цитата

#!/usr/bin/perl
#
use warnings;
#use strict;

use File::Tail;
$file=File::Tail->new("/dir/summary.log");
while (defined($line=$file->read)) {
#    print "$line";

        if(($line =~ /%NT_LBD|loop occurred/) or
           ($line =~ /L2FM-2-L2FM|MTM-SLOT1-2/) or
           ($line =~ /%STP-W-LOOPGUARD|%STP-2-LOOPGUARD|Loop protection blocking/i))
{
#       print $line;
            my $file_path = "/dir/real_time_analysis/Critical_all.txt";
            open(my $file_handle, '>>', $file_path) or die "Could not open file! $!";
            print $file_handle "$line";
            close $file_handle;
}


        if(($line =~ /%STORM|storm is occurring|%LINK-I-ExcessIfMaxMac|%BRG_FWD-W-PORT_LOCK|%BRG_MACNTFY/) or
           ($line =~ /%AAA-W-REJECT|Authentication fai|Login failed|login failure/) or
           ($line =~ /%ARPINSP-I-PCKTLOG|WARN: Unauthenticated IP-MAC address|Startup|System.*start|%NSFP-I-SFPGibic/) or
           ($line =~ /%XXXXXXXXXXXXXXXXXXX/i))
{
#       print $line;
            my $file_path = "/dir/real_time_analysis/Warning_all.txt";
            open(my $file_handle, '>>', $file_path) or die "Could not open file! $!";
            print $file_handle "$line";
            close $file_handle;
}

}

 

 

 

 

 

 

send-alarm-Critical.sh

 

Цитата

#!/bin/bash

debug=1
tel_channel="ID_TELEGRAM"

#Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov
#Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov
          #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla
          #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html


#=#=# CHto mozhno dodelat'? #=#=#
#Proverku na otpravku
#Nujna rasshifrovka hostov po hostname
#https://apps.timwhitlock.info/emoji/tables/unicode

IFS=''

cd /dir/real_time_analysis

real_time_analysis_lines=$(cat Critical_all.txt | wc -l)
real_time_analysis_chars=$(cat Critical_all.txt | wc -m)
date=`date -d yesterday '+%b %_d' | tr -d '\n'`
mail=name@domain.ru
email_file="mail-Critical.txt"


send_telegram (){
     if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\
      -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB6 $real_time_analysis_lines"`" )
      then echo;echo "Sorry... Not connect to telegram server... Exit..."
                echo "Sorry... Not connect to telegram server... Exit..." >> Critical.txt
           exit
     fi
}

#Nakoplenie fayla dlya otpravki
if [ "$real_time_analysis_lines" -gt 20 ]; then #If more 3 line

#solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"}
#| iconv -f cp1251 -t utf-8

# decrease message
cat Critical_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g'| perl decrease.pl > Critical.txt

  #Sending to Mail
    mail_message=$(cat Critical.txt)
    echo -e "Subject: Syslog Critical messages \nFrom: root \nTo: $mail\nX-Priority: 1\n" > $email_file
    cat Critical.txt >> $email_file
    cat $email_file | /usr/sbin/sendmail -v $mail

  #Sending to Telegram
    tlg_message=$(cat Critical.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA5/' -e 's/LOOPGUARD/\xF0\x9F\x92\xA2 LOOPGUARD/g' \
     -e 's/L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected.* \([0-9]\+ Time(s)\)/Nexus MAC flapping \xE2\xAD\x95LBD \1/g' \
     -e 's/Loopback Detection/\xE2\xAD\x95 LBD/g' -e 's/Loops detected/\xE2\xAD\x95 LBD/g' -e 's/loop occurred/\xE2\xAD\x95 loop occurred/g' \
     -e 's/vlan\|VLAN/\xE2\x86\x94/g')
    real_time_analysis_chars=$(echo $tlg_message | wc -m)
    tlg_output=`send_telegram`
     if ( ! echo $tlg_output | grep "\"ok\":true" )
      then echo;echo "Sorry... Curl bad result... Exit..."
                echo "Sorry... Curl bad result... Exit..." >> Critical.txt
           exit
     fi

    #echo;echo ttt $t
    #Clear Critical.txt
    echo -n > Critical_all.txt
fi

 

 

 

 

 

send-alarm-Warning.sh

Цитата


 send-alarm-Warning.sh
#!/bin/bash

debug=1
tel_channel="ID_TELEGRAM"
predel_1="150"
predel_2="400"

#Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov
#Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov
          #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla
          #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html


#=#=# CHto mozhno dodelat'? #=#=#
#Proverku na otpravku
#Nujna rasshifrovka hostov po hostname
#https://apps.timwhitlock.info/emoji/tables/unicode

IFS=''

cd /dir/real_time_analysis

#Ne uchitivat ARP insp, IMPB i drugie ne ktitichnie stroki. Sdelano dlya snijeniya intensivnosti soobsheniy
real_time_analysis_lines=$(cat Warning_all.txt | grep -Ev 'ARPINSP-I-PCKTLOG|Unauthenticated IP-MAC address|LI_=OFFFFFFFF=_NK-I-ExcessIfMaxMac'| wc -l)
real_time_analysis_lines_all=$(cat Warning_all.txt | wc -l)
date=`date -d yesterday '+%b %_d' | tr -d '\n'`
mail=name@domain.ru
email_file="mail-Warning.txt"

send_telegram (){
     if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\
      -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB5 $real_time_analysis_lines ($predel_1) \xF0\x9F\x8E\xB6 $real_time_analysis_lines_all ($predel_2)"`" )
      then echo;echo "Sorry... Not connect to telegram server... Exit..."
                echo "Sorry... Not connect to telegram server... Exit..." >> Warning.txt
           exit
     fi
}

#Nakoplenie fayla dlya otpravki
if [[ "$real_time_analysis_lines" -gt $predel_1 || "$real_time_analysis_lines_all" -gt $predel_2 ]]; then #If more 150 line importaint or more 400 all line

#solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"}
#| iconv -f cp1251 -t utf-8

# decrease message
cat Warning_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g' | perl decrease.pl > Warning.txt
# | grep -ve '%STORM-W-StormOccurs.* [12] Time(s)\|storm is occurring.* [12] Time(s)\|ABCDEF.* [12] Time(s)'
cat Warning.txt | grep -ve '%STORM-W-StormOccurs.* [123] Time(s)\|storm is occurring.* [123] Time(s)\|StormOccurs: Unicast traffic\|AAA-W-REJECT.* [1] Time(s)\|Login failed.* [1] Time(s)|ARPINSP-I-PCKTLOG: [12345] Time(s)' > Warning_tlg.txt


  #Sending to Mail
    mail_message=$(cat Warning.txt)
    echo -e "Subject: Syslog Warning messages \nFrom: root \nTo: $mail\nX-Priority: 5\n" > $email_file
    cat Warning.txt >> $email_file
    echo -e "\n\n==Sending to telegram==" >> $email_file
    cat Warning_tlg.txt >> $email_file
    cat $email_file | /usr/sbin/sendmail -v $mail

  #Sending to Telegram
    tlg_message=$(cat Warning_tlg.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA1/' \
     -e 's/Authentication/\xF0\x9F\x9A\xB7 Authentication/g' -e 's/AAA-W-REJECT/\xF0\x9F\x9A\xB7 AAA-W-REJECT/g' -e 's/Login failed/\xF0\x9F\x9A\xB7 Login failed/g' -e 's/login failure/\xF0\x9F\x9A\xB7 login failure/g' \
     -e 's/[Ss]torm/\xF0\x9F\x8C\x80storm/g' -e 's/[Ss]tart/\xF0\x9F\x94\x8Cstart/g' -e 's/NSFP-I-SFPGibic/\xF0\x9F\x94\xA9SFPGibic/g' \
     -e 's/L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K/L2FM/g' -e 's/L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K/L2FM/g' -e 's/BRG_MACNTFY-I-MAC_FLAPPING/MAC/g' -e 's/flapping/\xF0\x9F\x94\x83 flapping/g' \
     -e 's/LINK-I-ExcessIfMaxMac:.* \([0-9]\+ Time(s)\)/\xE2\x9C\x82 MES Port security logging \1/g' \
     -e 's/ARPINSP-I-PCKTLOG:.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC MES IP ARP inspection logging \1/g' \
     -e 's/WARN: Unauthenticated IP-MAC address.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC DES IP Mac Port Binding logging \1/g')

    tlg_output=`send_telegram`
     if ( ! echo $tlg_output | grep "\"ok\":true" )
      then echo;echo "Sorry... Curl bad result... Exit..."
                echo "Sorry... Curl bad result... Exit..." >> Warning.txt
           exit
     fi

    #echo;echo ttt $t
    #Clear Warning.txt
    echo -n > Warning_all.txt
fi

 

 

 

 

 

 

Edited by neperpbl3

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.