Llystrblu Posted January 7, 2015
Hello. I have the following problem. I was given this task: look at Syslog (find a freeware solution and deploy it on your own machine). That is, in this section I have to cover the architecture of the solution and the solution itself (whichever Syslog you find), configuring the source, configuring the server and so on. All of it with screenshots. I have a day for all of this, two at most, and I am completely unfamiliar with this system. Can you tell me where I can read, literally step by step, what to click and how? (I don't need deep knowledge of the system right now, I just need to complete the task and get a superficial acquaintance with the program.) Maybe you can suggest something. Thanks in advance. Preferably the implementation would be on Windows, but Unix would also suit me.
SergeiK Posted January 7, 2015
Have you been trained to use the Internet? :). The first search result gives the wiki, which has everything in brief. As a simple application for Windows, tftpd32 can do syslog too.
vlad11 Posted January 7, 2015
Don't give him hints. This is a student writing his thesis. He hasn't mastered the Internet and has no basic understanding of how the system works.
SergeiK Posted January 7, 2015
What thesis student?! This is second year, a lab assignment for those who are behind. :) Let him hand it in; at a job interview people like that get screened out after the second question.
Saab95 Posted January 7, 2015
In all the solutions for processing data via syslog I have come across, the third-party ones were only suitable for storing the data, analysis and the like. If something more is needed, for example performing certain actions on specific events with a large number of conditions, it's easier to write your own software for that.
s.lobanov Posted January 7, 2015
Receiver: tcpdump, source: netcat
srchost $ echo '<14>SRC_HOST text' | nc -v -u -w 0 DST_HOST 514
dsthost $ sudo tcpdump -i any -n -nn -v -vv -s 0 "port 514"
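The netcat/tcpdump pair above is the whole protocol: one UDP datagram whose first bytes are the `<PRI>` prefix. As an added example (not code from the thread), the same exchange in Python, with the PRI arithmetic spelled out: `<14>` is facility 1 (user) times 8 plus severity 6 (info), and a switch logging at local7.debug would send `<191>`. Port 514 needs root, so the throwaway collector binds an ephemeral loopback port instead; the sample datagram is the one from the post, and the facility/severity tables are the RFC 3164 values.

```python
# Added example, not code from the thread: an RFC 3164 syslog sender and
# collector on loopback, plus a decoder for the <PRI> prefix that
# `echo '<14>SRC_HOST text' | nc -u DST_HOST 514` transmits.
# Assumption: port 514 would need root, so the collector binds an ephemeral port.
import socket

# Facility codes from RFC 3164 section 4.1.1 (PRI = facility * 8 + severity).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}


def encode_pri(facility, severity):
    """Build the numeric PRI for names such as ("local7", "debug") -> 191."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(message):
    """Split '<PRI>rest' into (facility, severity, rest).

    A missing or malformed PRI is treated as user.notice (PRI 13), which is
    what RFC 3164 tells a collector to assume for messages without a valid prefix.
    """
    if message.startswith("<"):
        end = message.find(">", 1, 5)          # PRI is at most 3 digits
        digits = message[1:end] if end != -1 else ""
        if digits.isdigit() and int(digits) <= 191:
            pri = int(digits)
            fac = FACILITIES.get(pri >> 3, "facility%d" % (pri >> 3))
            return fac, SEVERITIES[pri & 7], message[end + 1:]
    return "user", "notice", message


def collect_one(payload, timeout=2.0):
    """Run a throwaway UDP collector on 127.0.0.1, send `payload` to it the way
    netcat would, and return what the collector can actually know about the
    message: the datagram's source IP and the decoded PRI fields.

    Trust boundary: everything after the PRI (including the 'SRC_HOST' hostname)
    is written by the sender and can say anything. The only collector-side
    attribution is the UDP source address, and plain UDP does not authenticate
    that either, so sort/alert rules keyed on hostname or facility are advisory.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))                # ephemeral port, no root needed
    rx.settimeout(timeout)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(payload.encode("utf-8"), ("127.0.0.1", port))
        data, (src_ip, _src_port) = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    facility, severity, text = decode_pri(data.decode("utf-8", "replace"))
    return {"source_ip": src_ip, "facility": facility,
            "severity": severity, "text": text}


if __name__ == "__main__":
    # Constructed sample: the exact datagram from the post, <14> = user.info.
    print(collect_one("<14>SRC_HOST text"))
    # A switch logging at local7.debug would use PRI 191.
    print(encode_pri("local7", "debug"))
```

Run it with no arguments to see the decoded datagram; `collect_one()` is what a tcpdump capture shows you, minus the packet headers. The fallback to user.notice matters in practice: a device that sends plain text without a PRI still lands in a file, just not the one a facility-based rule expected.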
vlad11 Posted January 7, 2015
Here is his reply: maybe you shouldn't throw words like that around without knowing the situation? My degree has nothing to do with this subject; it's just one sub-item of my thesis.
SergeiK Posted January 14, 2015
Quote:
In all the solutions for processing data via syslog I have come across, the third-party ones were only suitable for storing the data, analysis and the like. If something more is needed, for example performing certain actions on specific events with a large number of conditions, it's easier to write your own software for that.
Splunk is a mighty thing for tasks like that. Not only syslog: any structured data can be parsed, filtered, analyzed and turned into various reports. But it is a big product and requires a serious approach. There is a pile of ready-made plugins and wide scope for your own development. Up to 500 MB of data per day, with limited functionality, can be used free of charge.
zi_rus Posted January 14, 2015
Quote:
In all the solutions for processing data via syslog I have come across, the third-party ones were only suitable for storing the data, analysis and the like. If something more is needed, for example performing certain actions on specific events with a large number of conditions, it's easier to write your own software for that.
NOC does this out of the box.
neperpbl3 Posted March 20, 2023 (edited)

The syslog-ng concept

Collection of syslog UDP packets is configured on the client, not on the server. The server 192.168.0.5 accepts and records absolutely all syslog messages.
Sorting is done by the following criteria, in the order listed:
1. Sorting by equipment type according to the "Facility" category
2. Sorting by specified IP addresses
3. Recording of all remaining IP addresses

The "Facility" category is used for sorting by equipment type. Mass-deployed and important equipment (switches, Cisco VoIP, etc.) is sorted by the "Facility localX" categories. This way the logs of switches, Cisco VoIP and other devices are sorted into the right folders regardless of the device's IP address. The logs sorted by category are analyzed daily, and "Syslog analysis" reports are sent by e-mail. If "Facility" is configured incorrectly, the logs will be collected into a different folder and will no longer be analyzed or sent as an e-mail report.

Quote:
@syslog:/home/syslog-server$ ls -la
total 645464
drwxr-xr-x 15 root adm      4096 Dec  2 00:00 .
drwxr-xr-x  6 root root     4096 Nov  2 17:01 ..
drwx------  3 root root     4096 Nov  2 16:38 192.168.X.X
drwx------  3 root root     4096 Dec  1 00:00 192.169.0.X
drwx------  3 root root     4096 Dec  2 00:00 192.167.X.X
drwx------  3 root root     4096 Nov 17 14:31 192.165.X.X
drwx------  3 root root     4096 Dec  1 00:01 cisco-voip-fl5
-rwxr-xr-x  1 root root      210 Oct 27 15:39 find-IP-addess
drwx------  3 root root     4096 Dec  2 00:00 gpons
drwx------  3 root root     4096 Dec  2 00:00 mikrotiks-fl4
drwx------  2 root root     4096 Nov 17 14:35 other
drwxr-xr-x  2 root root     4096 Nov 24 17:26 real_time_analysis
-rwxr-xr-x  1 root root       43 Oct 25 16:42 restart-syslog-ng
drwx------  3 root root     4096 Nov 16 22:14 routers-fl6
drwxr-xr-x  2 root root     4096 Dec  2 01:00 scripts
-rw-r--r--  1 root adm  82739495 Dec  2 18:17 summary.log
-rw-r--r--  1 root adm 102031166 Dec  2 00:01 summary.log.1
-rw-r--r--  1 root adm 104623796 Dec  1 00:01 summary.log.2
-rw-r--r--  1 root adm 105040571 Nov 30 00:02 summary.log.3
-rw-r--r--  1 root adm  81861391 Nov 29 00:00 summary.log.4
-rw-r--r--  1 root adm  83915504 Nov 28 00:00 summary.log.5
-rw-r--r--  1 root adm 100623935 Nov 27 00:01 summary.log.6
drwx------  3 root root    12288 Dec  2 16:29 switches-fl7
lrwxrwxrwx  1 root root       41 Oct 25 16:41 syslog.conf -> /etc/syslog-ng/conf.d/syslog-.conf

If your device does not fall under the equipment listed above, just specify the server IP address "192.168.0.5". Nothing else needs to be done; however, if a Facility Local "X" value has to be set explicitly on the equipment, set the default "Facility Local0".

Configuration on Eltex MES switches
Quote:
enable
conf t
no logging host 172.0.0.99
no logging host 172.0.0.97
logging host 172.0.0.111
exit
write
y
exit
* facility local7 is used by default and does not need to be specified explicitly

Configuration on Cisco 2960 switches
Quote:
enable
conf t
login on-failure log
no logging facility local3
no logging 172.0.0.99
no logging 172.0.0.97
logging trap debugging
logging 172.0.0.111
exit
* facility local7 is used by default and does not need to be specified explicitly

Configuration on D-Link switches
Quote:
create syslog host 1 ipaddress 192.168.0.5 facility local7 severity debug state enable
create syslog host 1 ipaddress 192.168.0.5 facility local7 severity all state enable
enable syslog
* Different D-Link series use different command formats. One of the two commands will succeed.

Configuration on Mikrotik equipment
Quote:
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
/system logging action
set 3 bsd-syslog=yes remote=192.168.0.5 syslog-facility=local4
https://wiki.mikrotik.com/wiki/Manual:System/Log

Configuration on Eltex GPON
Quote:
configure terminal
logging remote 192.168.0.5
exit
commit
save
exit
Also add the IP address to the config /home/syslog-server/syslog-.conf
* Facility is not supported

Configuration on Cisco routers
Quote:
en
password
conf t
login on-failure log
no logging 172.0.0.99
no logging 172.0.0.97
logging 172.0.0.111
logging facility local5
login on-failure log
exit
wr
exit
sh run | i loggi
Useful info in the article https://serverfault.com

Configuration on routers
Quote:
* Configured the same way. facility local6 is chosen.
Facility (category)
Description: System logging in Linux

Device type                  | Facility    | Destination folder
Switches (any model)         | local7 (23) | switches-fl7
Routers (except Mikrotik)    | local6 (22) | routers-fl6
Cisco VoIP                   | local5 (21) | cisco-voip-fl5
Mikrotik equipment           | local4 (20) | mikrotiks-fl4
reserve                      | local3 (19) | reserve
reserve                      | local2 (18) | reserve
Reserve (used by Natex)      | local1 (18) | reserve
Default (used by Natex)      | local0 (16) | not processed

If some Facility has to be set, set the default Facility Local0.

Default values on some equipment:

Equipment             | Default                                        | Changed to
Eltex                 | local7 (23)                                    |
D-Link                | local3 (19)                                    | local6 (22)
Cisco routers         | local3 (19)                                    |
Cisco switches        | local7 (23)                                    |
Natex VoIP gateways   | use Facility local0 and local1 at the same time |

syslog-ng settings

/etc/syslog-ng/syslog-ng.conf
Quote:
@version: 3.19
@include "scl.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
          dns_cache(no); owner("root"); group("adm"); perm(0640); stats_freq(0);
          bad_hostname("^gconfd$"); keep_timestamp(no);
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source s_src { system(); internal(); };

# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
#source s_net { tcp(ip(127.0.0.1) port(1000)); };

########################
# Destinations
########################
# First some standard logfile
#
destination d_auth { file("/var/log/auth.log"); };
destination d_cron { file("/var/log/cron.log"); };
destination d_daemon { file("/var/log/daemon.log"); };
destination d_kern { file("/var/log/kern.log"); };
destination d_lpr { file("/var/log/lpr.log"); };
destination d_mail { file("/var/log/mail.log"); };
destination d_syslog { file("/var/log/syslog"); };
destination d_user { file("/var/log/user.log"); };
destination d_uucp { file("/var/log/uucp.log"); };

# This files are the log come from the mail subsystem.
#
destination d_mailinfo { file("/var/log/mail.info"); };
destination d_mailwarn { file("/var/log/mail.warn"); };
destination d_mailerr { file("/var/log/mail.err"); };

# Logging for INN news system
#
destination d_newscrit { file("/var/log/news/news.crit"); };
destination d_newserr { file("/var/log/news/news.err"); };
destination d_newsnotice { file("/var/log/news/news.notice"); };

# Some 'catch-all' logfiles.
#
destination d_debug { file("/var/log/debug"); };
destination d_error { file("/var/log/error"); };
destination d_messages { file("/var/log/messages"); };

# The root's console.
#
destination d_console { usertty("root"); };

# Virtual console.
#
destination d_console_all { file(`tty10`); };

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
destination d_xconsole { pipe("/dev/xconsole"); };

# Send the messages to an other host
#
#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

# Debian only
destination d_ppp { file("/var/log/ppp.log"); };

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which
# message go where.

filter f_dbg { level(debug); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_err { level(err); };
filter f_crit { level(crit .. emerg); };

filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
filter f_error { level(err .. emerg) ; };
filter f_messages { level(info,notice,warn) and
                    not facility(auth,authpriv,cron,daemon,mail,news); };

filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
filter f_cron { facility(cron) and not filter(f_debug); };
filter f_daemon { facility(daemon) and not filter(f_debug); };
filter f_kern { facility(kern) and not filter(f_debug); };
filter f_lpr { facility(lpr) and not filter(f_debug); };
filter f_local { facility(local0, local1, local3, local4, local5,
                          local6, local7) and not filter(f_debug); };
filter f_mail { facility(mail) and not filter(f_debug); };
filter f_news { facility(news) and not filter(f_debug); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
filter f_user { facility(user) and not filter(f_debug); };
filter f_uucp { facility(uucp) and not filter(f_debug); };

filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

filter f_ppp { facility(local2) and not filter(f_debug); };
filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
log { source(s_src); filter(f_auth); destination(d_auth); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_daemon); destination(d_daemon); };
log { source(s_src); filter(f_kern); destination(d_kern); };
log { source(s_src); filter(f_lpr); destination(d_lpr); };
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_src); filter(f_user); destination(d_user); };
log { source(s_src); filter(f_uucp); destination(d_uucp); };

log { source(s_src); filter(f_mail); destination(d_mail); };
#log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
#log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
#log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
#log { source(s_src); filter(f_cnews); destination(d_console_all); };
#log { source(s_src); filter(f_cother); destination(d_console_all); };

#log { source(s_src); filter(f_ppp); destination(d_ppp); };

log { source(s_src); filter(f_debug); destination(d_debug); };
log { source(s_src); filter(f_error); destination(d_error); };
log { source(s_src); filter(f_messages); destination(d_messages); };

log { source(s_src); filter(f_console); destination(d_console_all);
                                    destination(d_xconsole); };
log { source(s_src); filter(f_crit); destination(d_console); };

# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"

#destination d_pvec { file("/var/log/!remote/pvec.log"); };
#filter f_pvec { netmask("10.248.0.219/255.255.255.255"); };
#log {
#source(s_udp); filter(f_pvec); destination(d_pvec); };

/etc/syslog-ng/conf.d/syslog-unic.conf
Quote:
# keep_timestamp(no) in /etc/syslog-ng/syslog-ng.conf makes the server use the system
# date rather than the device's. This helps avoid problems with an incorrect device date.
source s_network_udp { syslog(ip(0.0.0.0) transport("udp") keep-hostname(yes)); };
source s_network_tcp { tcp(ip(0.0.0.0) port(514) keep-hostname(yes)); };
# keep-hostname: when the message contains a hostname field, its value is used instead
# of the IP. This simplifies the setup of Mikrotik devices, which have many IP addresses.
# It is not convenient in every case, though. To keep the IP, use $SOURCEIP.

filter f_gpon { host("192.168.0.212") or host("192.168.0.214") or host("192.168.0.215")
    or host("192.168.0.216") or host("192.168.0.217") or host("192.168.0.218")
    or host("192.168.0.219") or host("192.168.0.220") or host("192.168.0.221")
    or host("192.168.0.222") or host("10.240.0.99"); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
filter f_net172_16 { netmask("172.16.0.0/255.255.0.0"); };
# identifier names normalized to the f_netA_B form used above; the forum rendering had mangled them
filter f_net192_168 { netmask("192.168.0.0/255.255.252.0"); };
filter f_net10_10 { netmask("10.10.0.0/255.255.255.0"); };
filter f_net10_0 { netmask("10.00.0/255.255.255.0"); };

destination d_gpon { file("/home/syslog-server/gpons/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_mikrotik { file("/home/syslog-server/mikrotiks-fl4/${HOST}-${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_cisco_voip { file("/home/syslog-server/cisco-voip-fl5/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_routers { file("/home/syslog-server/routers-fl6/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_switches { file("/home/syslog-server/switches-fl7/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_net172_16 { file("/home/syslog-server/172.16.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_net192_168 { file("/home/syslog-server/192.168.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_net10_10 { file("/home/syslog-server/10.10.X.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_net10_0 { file("/home/syslog-server/10.00.X/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_net_other { file("/home/syslog-server/other/${SOURCEIP}.log" perm(0644) create_dirs(yes)); };
destination d_summary { file("/home/syslog-server/summary.log" perm(0644)); };

###=== LOGGING ===###
## The order of the entries matters! ##
## flags(final) means stop and do not go further down the list.

# Duplicate all logs into one file. Initial rule!
log { source(s_network_udp); destination(d_summary); };

# Mikrotiks by facility (local4) to folder "mikrotiks-fl4"
log { source(s_network_udp); filter(f_local4); destination(d_mikrotik); flags(final); };

# Cisco VoIP by facility (local5) to folder "cisco-voip-fl5"
log { source(s_network_udp); filter(f_local5); destination(d_cisco_voip); flags(final); };

# Routers by facility (local6) to folder "routers-fl6"
log { source(s_network_udp); filter(f_local6); destination(d_routers); flags(final); };

# Switches by facility (local7) to folder "switches-fl7"
log { source(s_network_udp); filter(f_local7); destination(d_switches); flags(final); };

# All GPON devices to folder "gpon"
log { source(s_network_udp); filter(f_gpon); destination(d_gpon); flags(final); };

# Other devices from 172.16.0.0/16 to folder "172.16.X.X"
log { source(s_network_udp); filter(f_net172_16); destination(d_net172_16); flags(final); };

# Other devices from 192.168.0.0/23 to folder "192.168.X.X"
log { source(s_network_udp); filter(f_net192_168); destination(d_net192_168); flags(final); };

# Other devices from 10.10.0.0/24 to folder "10.10.0.X"
log { source(s_network_udp); filter(f_net10_10); destination(d_net10_10); flags(final); };

# Other devices from 10.00.0/24 to folder "10.00.X"
log { source(s_network_udp); filter(f_net10_0); destination(d_net10_0); flags(final); };

# All other unknown IP addresses
# This rule must be last!
log { source(s_network_udp); destination(d_net_other); };

How the scripts work
- Daily reports by e-mail
- Flapping analysis
- Real-time notification

Analysis and sending of reports on critical events in real time. They are sent to a Telegram channel and by e-mail. At OS boot, real_time_analysis.pl starts and analyzes the logs continuously.

Quote:
/etc/network/interfaces
post-up /home/syslog-server/real_time_analysis/real_time_analysis.pl &

Quote:
/home/syslog-server/real_time_analysis/real_time_analysis.pl
commit
save

Two types of sending are configured:

Critical messages (Critical)
Examples
Quote:
Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
Feb 1 08:31:11 192.168.0.4 2022 Feb 1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
Feb 1 09:05:44 192.168.0.4 2022 Feb 1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002
Dec 3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.

STP LOOPGUARD protection
04-Apr-2019 17:01:47 :%STP-W-LOOPGUARD_BLOCK: Loop guard blocking port gi1/0/24 in instance 0.
04-Apr-2019 19:18:22 :%STP-W-LOOPGUARD_UNBLOCK: Loop guard unblocking port gi1/0/24 in instance 0.
TESSSTTT--Nexus-Kal81# 2021 Aug 12 09:21:30 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_BLOCK: Loop guard blocking port Ethernet1/48 on MST0000.
TESSSTTT--Nexus-Kal81# sh int Eth1/48
2021 Aug 12 09:25:32 TESSSTTT--Nexus-Kal81 %$ VDC-1 %$ %STP-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port Ethernet1/48 on MST0000.
1644 2000-01-01 08:12:02 INFO(6) Loop protection blocking port 24 on instance 0

Important messages (Warning)
Examples
Quote:
Login/password
Login failed through Telnet from 192.168.99.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, TACACS REJECTED.
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.99.150 destination 192.168.0.101, local user table REJECTED.
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]

MAC address flapping
Feb 1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2

Storms
Feb 8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Broadcast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits
Feb 8 10:34:25 192.168.0.137 %STORM-W-StormOccurs: Multicast traffic on gi1/0/24 has exceeded the set boundary 512 Kbits
Feb 8 10:34:25 192.168.0.39 WARN: Port 26 Broadcast storm is occurring
Feb 8 10:34:25 192.168.0.39 WARN: Port 26 Multicast storm is occurring

IP ARP inspection logging & IMPB
Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00
DES-3526
Feb 16 11:11:11 192.167.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)
DES-3200, rev C1
Feb 16 11:11:11 192.167.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)

Port security
Feb 8 10:34:25 192.168.0.20 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN

Device reboots
DES-3200
Jan 6 09:44:33 192.167.0.241 CRIT: System cold start
Dec 7 20:18:29 192.167.0.148 CRIT: System warm start
DGS-1100-06/ME
Feb 2 12:27:11 192.167.0.243 SYSTEM-2: System cold start
Nov 25 13:19:27 192.168.0.61 SYSTEM-2: System warm start
MES
Dec 6 08:56:07 192.168.0.143 %INIT-I-Startup: Warm Startup
Feb 7 13:37:27 192.168.0.9 %INIT-I-Startup: Cold Startup

SFP module handling
Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present
Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR

Port shutdown due to flapping
Jan 13 12:36:05 192.168.0.121 %LINK-W-PORT_SUSPENDED: Port te1/0/4 suspended by link-flapping

Real-time operation
Quote:
Login failed through Telnet from 192.168.3.150 authenticated by AAA server 192.168.0.99 (Username: karabas)
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, TACACS REJECTED.
01-Feb-2022 13:48:56 %AAA-W-REJECT: New telnet connection for user karabas, source 192.168.3.150 destination 192.168.0.101, local user table REJECTED.
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.20.100 - dcos_sshd[24573]
Jan 31 19:56:26 192.168.0.5 2022 Jan 31 12:56:26 UTC: DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user Karabas from 192.168.20.100 - dcos_sshd[24571]
Feb 1 12:40:29 192.168.0.102 %BRG_MACNTFY-I-MAC_FLAPPING: Host 00:78:88:40:ca:bc in vlan 2088 is flapping between port te1/0/1 and port te1/0/2
Jan 31 19:56:57 192.168.0.101 NT_LBD-I-VLANACTIONONPORT: VLAN 2088 on port gi1/0/21 recovered by Loopback Detection.
Feb 1 08:31:11 192.168.0.4 2022 Feb 1 01:31:11 UTC: L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K: Loops detected in the network for mac 000b.ab3f.5043 among ports Eth1/47 and Eth1/48 vlan 3002 - Disabling dynamic learning notifications for a period between 120 and 240 seconds on vlan 3002
Feb 1 09:05:44 192.168.0.4 2022 Feb 1 02:05:44 UTC: %L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K: Re-enabling dynamic learning on vlan 3002
Dec 3 19:16:58 172.16.0.243 LBD-2: Port 5 LBD port VID 1 loop occurred. Port blocked.
Jan 18 10:19:08 192.168.0.69 CRIT: Port 10 VID 2075 LBD loop occurred. Packet discard begun.
Feb 16 11:11:11 192.168.0.39 WARN: Port 22 Multicast storm is occurring.
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup.
Feb 16 11:11:11 172.16.0.243 SYSTEM-2: System cold start
Feb 16 11:11:11 172.16.0.241 CRIT: System cold start
Feb 16 11:11:11 192.168.0.143 %INIT-I-Startup: Warm Startup..
Feb 16 11:11:11 172.16.0.38 WARN: Port 7 Broadcast storm is occurring
Feb 16 11:11:11 192.168.0.13 %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses for Data VLAN on an interface gi1/0/1 is exceeded (3), 2096
Feb 16 11:11:11 172.16.0.21 WARN: Unauthenticated IP-MAC address and discarded by ip mac port binding (IP: 109.195.70.111, MAC: 64-D1-54-F1-16-D9, port: 21)
Feb 16 11:11:11 172.16.0.148 WARN: Unauthenticated IP-MAC address and discarded by IMPB(IP:<192.168.2.113>, MAC:<74-D4-35-F8-8F-DC>, Port<2>)
Feb 16 11:26:03 192.168.0.171 %ARPINSP-I-PCKTLOG: ARP packet dropped from port gi1/0/1 with VLAN tag 2089 and reason: packet verification failed SRC MAC e4:8d:8c:e5:63:1c SRC IP 195.208.164.86 DST MAC 00:00
Feb 16 12:47:29 192.168.0.47 %NSFP-I-SFPGibicRemoved: te1/0/3 SFP port is not present
Feb 16 12:47:36 192.168.0.47 %NSFP-I-SFPGibicDetected: te1/0/3 SFP port is present, module type - 10G BASE-LR

SCRIPTS

find-IP-addess
Quote:
#!/bin/bash
ip=$1
if [ "x$1" = "x" ]; then
    read -p "Enter the device IP address: " ip
fi
if [ "x$ip" = "x" ]; then
    echo "Sorry, unknown IP address..."; exit
fi
# pattern quoted so the shell does not expand the glob against the current directory
find /home/syslog-server -name "*$ip.log"

restart-syslog-ng
Quote:
#!/bin/bash
/etc/init.d/syslog-ng restart

show-log
Quote:
#!/bin/bash
ip=$1
if [ "x$1" = "x" ]; then
    read -p "Enter the device IP address: " ip
fi
if [ "x$ip" = "x" ]; then
    echo "Sorry, unknown IP address..."; exit
fi
path=`find /home/syslog-server -name "*$ip.log"`

Contents of scripts/:
start-analysis.sh
analysis-cisco-router
analysis-gpons
analysis-mikrotiks
analysis-switches
============================
flapping_int
analysis-switches_flapping
start-analysis_flapping_int.sh

scripts/start-analysis.sh
Quote:
#!/bin/bash
IFS=""
starttime=$(date +%s)
result="/dir/scripts/result.txt"
#tmp="/usr/lib/nagios_actuality/tmp_scan.txt"
date=`date -d yesterday '+%b %_d' | tr -d '\n'`
mail=pochta@domain.ru
if [ "x$1" != "x" ]; then
    mail=$1
fi

echo -e "Subject: Syslog analysis for $date \nFrom: root \nTo: $mail\n" > $result

echo ======================== >> $result
echo Analysis Cisco Router >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/cisco-voip-fl5/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-cisco-router >> $result
done

echo ======================== >> $result
echo Analysis GPON >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/gpons/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-gpons >> $result
    # Don't show devices without logs: drop the header if nothing was written after it
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i '$d' $result;fi
done

echo ======================== >> $result
echo Analysis Switches >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/switches-fl7/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-switches >> $result
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i '$d' $result;fi  # Don't show devices without logs
done

echo ======================== >> $result
echo Analysis Routers >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/routers-fl6/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-switches >> $result
done

echo ======================== >> $result
echo Analysis Mikrotiks >> $result
echo ======================== >> $result
echo >> $result
dir="/dir/mikrotiks-fl4/"
list=`ls -1 $dir`
echo $list|while read host
do
    echo == Analysis device $host == >> $result
    cat $dir$host | perl /dir/scripts/analysis-mikrotiks >> $result
    tail -n 1 $result | grep -E '^== Analysis device .*.log ==$' > /dev/null;if [ "$?" -eq 0 ];then sed -i '$d' $result;fi  # Don't show devices without logs
done

end=$(($(date +%s)-$starttime)); let summary_min=$end/60
echo; echo Time execution of the script \"$0\" is $summary_min min. >> $result
cat $result | /usr/sbin/sendmail -v $mail

analysis-cisco-router
Quote:
#!/usr/bin/perl
use strict;

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my %Isdn6_c_d;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
# Only yesterday's lines are analyzed; the "Mon dd hh:mm:ss " prefix is stripped.
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);
    if ($Debug) { print "$ThisLine\n"; }
    # $ThisLine_date is the message without its timestamp, or undef if the line is not from yesterday
    my $ThisLine_date = ($ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/) ? $1 : undef;
    #print "111 $ThisLine_date\n";
    if ( $ThisLine_date ) {
        # print "Init failed\n";
        # capturing group added: the original used $1 without one, so every hit was keyed on an empty string
        if ($ThisLine_date =~ /(%ISDN-6-CONNECT: Interface Serial.* is now connected to|%ISDN-6-DISCONNECT: Interface Serial.* disconnected from)/) {
            $Isdn6_c_d{$1}++;
        } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
            $Warning{$1}++;
        } elsif ($ThisLine_date =~ / (\S+): started/) {
            $Started{$1}++;
        } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
            $Successful{$1}++;
        } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
            $Commands{$ThisLine_date}++;
        } else {
            $OtherList{$ThisLine_date}++;
        }
    }
}

if (keys %Isdn6_c_d) {
    print "ISDN-6-CONNECT-DISCONNECT:\n";
    foreach my $line (sort {$a cmp $b} keys %Isdn6_c_d) {
        print "   $line: $Isdn6_c_d{$line} Time(s)\n";
    }
    print "\n";
}

if (keys %Warning) {
    print "Warnings:\n";
    foreach my $line (sort {$a cmp $b} keys %Warning) {
        print "   $line: $Warning{$line} Time(s)\n";
    }
    print "\n";
}

if (($Detail > 5) and keys %Started) {
    print "Started:\n";
    foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
        print "   $retain: $Started{$retain} Time(s)\n";
    }
    print "\n";
}

if ($Detail and keys %Successful) {
    print "Completed Successfully:\n";
    foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
        print "   $retain: $Successful{$retain} Time(s)\n";
    }
    print "\n";
}

if ($Detail > 5 and keys %Commands) {
    print "Commands:\n";
    foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
        printf "   %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
    }
    print "\n";
}

if (keys %OtherList) {
    print "\n**Unmatched Entries** for $yesterday\n";
    foreach my $line (sort {$a cmp $b} keys %OtherList) {
        print "   $line: $OtherList{$line} Time(s)\n";
    }
    print "\n";
}

exit(0);

analysis-gpons
Quote:
#!/usr/bin/perl
use strict;

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my %Error;
my %Warning;
my %Started;
my %Successful;
my %OtherList;
my %Commands;
##################
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);
    if ($Debug) { print "$ThisLine\n"; }
    my $ThisLine_date = ($ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/) ? $1 : undef;
    # Exceptions. These messages are ignored.
    if ( $ThisLine_date ) {
        if (
            ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or   # DGS-1100-06/ME
            ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or   # Eltex MES
            ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ )   # D-Link
        ) {
            # We don't care about these
        } elsif ($ThisLine_date =~ /WARNING: (\N+)/) {
            $Warning{$1}++;
        } elsif ($ThisLine_date =~ / (\S+): started/) {
            $Started{$1}++;
        } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
            $Successful{$1}++;
        } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
            $Commands{$ThisLine_date}++;
        } else {
            $OtherList{$ThisLine_date}++;
        }
    }
}

if (keys %Error) {
    print "ERRORS:\n";
    foreach my $line (sort {$a cmp $b} keys %Error) {
        print "   $line: $Error{$line} Time(s)\n";
    }
    print "\n";
}

if (keys %Warning) {
    print "Warnings:\n";
    foreach my $line (sort {$a cmp $b} keys %Warning) {
        print "   $line: $Warning{$line} Time(s)\n";
    }
    print "\n";
}

if (($Detail > 5) and keys %Started) {
    print "Started:\n";
    foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) {
        print "   $retain: $Started{$retain} Time(s)\n";
    }
    print "\n";
}

if ($Detail and keys %Successful) {
    print "Completed Successfully:\n";
    foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) {
        print "   $retain: $Successful{$retain} Time(s)\n";
    }
    print "\n";
}

if ($Detail > 5 and keys %Commands) {
    print "Commands:\n";
    foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) {
        printf "   %3d Time(s): %s\n", $Commands{$cmd}, $cmd;
    }
    print "\n";
}

if (keys %OtherList) {
    print "\n**Unmatched Entries** for $yesterday\n";
    foreach my $line (sort {$a cmp $b} keys %OtherList) {
        print "   $line: $OtherList{$line} Time(s)\n";
    }
    print "\n";
}

exit(0);

analysis-mikrotiks
Quote:
#!/usr/bin/perl
use strict;

my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

my %Error;
my %l2tp_out;
my %ipip_tun;
my %Successful;
my %OtherList;
my %Commands;
##################
my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`;
#my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`;

while (defined(my $ThisLine = <STDIN>)) {
    chomp($ThisLine);
    if ($Debug) { print "$ThisLine\n"; }
    my $ThisLine_date = ($ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/) ? $1 : undef;
    # Exceptions. These messages are ignored.
    if ( $ThisLine_date ) {
        if (
            ( $ThisLine_date =~ /Config export finished|Configuration backup finished|System backup finished|Uploading config export|Uploading system backup|fetch: file / ) or   # for Mikrotik backup
            ( $ThisLine_date =~ /OTHERRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR/ ) or   # for Mikrotik other
            ( $ThisLine_date =~ /dhcp1 |default assigned |default deassigned |..-..-..-..-..-.. \(.+\)/ ) or   # for Mikrotik E4:8D:8C:D9:9A:17-172.16.34.67.log at Smolenskaya
            ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ )   # D-Link
        ) {
            # We don't care about these
        } elsif ($ThisLine_date =~ /l2tp-out/) {
            # keyed on the whole message: the original used $1 with no capturing group
            $l2tp_out{$ThisLine_date}++;
        } elsif ($ThisLine_date =~ /ipip-tun/) {
            $ipip_tun{$ThisLine_date}++;
        } elsif ($ThisLine_date =~ / (\S+): completed successfully/) {
            $Successful{$1}++;
        } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) {
            $Commands{$ThisLine_date}++;
        } else {
            $OtherList{$ThisLine_date}++;
        }
    }
}

if (keys %Error) {
    print "ERRORS:\n";
    foreach my $line (sort {$a cmp $b} keys %Error) {
        print "   $line: $Error{$line} Time(s)\n";
    }
    print "\n";
}

if (keys %l2tp_out) {
    print "VPN L2TP Messages:\n";
    foreach my $line (sort {$a cmp $b} keys %l2tp_out) {
        print "   $line: $l2tp_out{$line} Time(s)\n";
    }
    print "\n";
}

if (keys %ipip_tun) {
    print "VPN IPIP Messages:\n";
    foreach my $line (sort {$a cmp $b} keys %ipip_tun) {
        print "   $line: $ipip_tun{$line} Time(s)\n";
    }
    print "\n";
}

if ($Detail and keys %Successful) {
    print "Completed Successfully:\n";
    foreach
my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { print "\n**Unmatched Entries** for $yesterday\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } print "\n"; } exit(0); analysis-switches Цитата analysis-switches #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Error; my %Warning; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. 
if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /CLI-6: |MSR-6: Configuration successfully backup|LinkStatus-6: [Pp]ort / ) or #DGS-1100-06/ME ( $ThisLine_date =~ /%COPY-I-FILECPY|%COPY-N-TRAP|%LINK-I-Up|%LINK-W-Down|%AAA-I-CONNECT:|%AAA-I-DISCONNECT:/ ) or #Eltex MES ( $ThisLine_date =~ /INFO: Port |INFO: Configuration/ ) #D-link ) { # We don't care about these } elsif ($ThisLine_date =~ /WARNING: (\N+)/) { $Warning{$1}++; } elsif ($ThisLine_date =~ / (\S+): started/) { $Started{$1}++; } elsif ($ThisLine_date =~ / (\S+): completed successfully/) { $Successful{$1}++; } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) { $Commands{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %Error) { print "ERRORS:\n"; foreach my $line (sort {$a cmp $b} keys %Error) { print " $line: $Error{$line} Time(s)\n"; } print "\n"; } if (keys %Warning) { print "Warnings:\n"; foreach my $line (sort {$a cmp $b} keys %Warning) { print " $line: $Warning{$line} Time(s)\n"; } print "\n"; } if (($Detail > 5) and keys %Started) { print "Started:\n"; foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) { print " $retain: $Started{$retain} Time(s)\n"; } print "\n"; } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { print "\n**Unmatched Entries** for $yesterday\n"; foreach my $line (sort {$a cmp $b} keys %OtherList) { print " $line: $OtherList{$line} Time(s)\n"; } print "\n"; } exit(0); /scripts/flapping_int analysis-switches_flapping Цитата analysis-switches_flapping #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} 
|| 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %Error; my %Flapping; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my $yesterday = `date -d yesterday '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr -d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$yesterday ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /xxxxxxxxxxxxxxxxx_xxxxxxxxxxxxx / ) or #OFF ( $ThisLine_date =~ /yyyyyyyy_yyyyyyyyyyyyyyyyyyyyyy/ ) #OFF ) { # We don't care about these } elsif ($ThisLine_date =~ /%LINK-I-Up|%LINK-W-Down|INFO: Port .*link|LinkStatus-6: [Pp]ort/) { $Flapping{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %Flapping) { #_# print "\n**Flappings for $yesterday\n\n"; foreach my $line (sort {$a cmp $b} keys %Flapping) { print "$Flapping{$line} Time(s): $line\n"; } #_# print "\n"; } #if (keys %OtherList) { # print "\n**Unmat_ched Ent_ries** for $yesterday\n"; # foreach my $line (sort {$a cmp $b} keys %OtherList) { # print " _-_ $line: $OtherList{$line} Time(s)\n"; # } # print "\n"; #} if (keys %Error) { print "ERRORS:\n"; foreach my $line (sort {$a cmp $b} keys %Error) { print " $line: $Error{$line} Time(s)\n"; } print "\n"; } if (($Detail > 5) and keys %Started) { print "Started:\n"; foreach my $retain (sort { $Started{$b} <=> $Started{$a} } keys %Started) { print " $retain: $Started{$retain} Time(s)\n"; } print "\n"; } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d 
Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } exit(0); start-analysis_flapping_int.sh Цитата start-analysis_flapping_int.sh #!/bin/bash #Example ./start-analysis_flapping_int.sh name@domain.ru debug IFS="" starttime=$(date +%s) # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs # rsync -avz /home/uploader/daily/ name@192.168.0.111:/dir/configs #porogovoe znachenie kol-va dnej. Esli prevyshaet, to uvedomlyaetsya po pochte kolichestvo_dney_threshold=7 #kolichestvo dnej dlya analiza kolichestvo_dney_all=21 mail=sd@domain.ru mail=name@domain.ru mail_copy=name@domain.ru if [ "x$1" != "x" ]; then mail=$1 fi #peremennye dir_data="/dir/scripts/flapping_int/data" dir_sw="/dir/switches-fl7/" result="/dir/scripts/flapping_int/result_flapping.txt" analys_tmp1="/tmp/analys_flapping_1.txt" analys_tmp2="/tmp/analys_flapping_2.txt" tmp_ports="/tmp/analys_flapping_tmp_ports.txt" tmp_logs="/tmp/analys_flapping_tmp_logs.txt" date=`date -d yesterday '+%b %_d' | tr -d '\n'` cur_day=`date +"%d"` if [ "x$2" = "xdebug" ]; then debug=1 else debug=0 fi #udalenie staryh dannih i ochistka faylov find "$dir_data"/history_* -type f -mtime +"$kolichestvo_dney_all" -delete echo -n > $tmp_ports echo -n > $tmp_logs echo -n > $dir_data/LAST echo -n > $analys_tmp1 echo -n > $analys_tmp2 #sozdanie fajla-otcheta (mail zagolovok) echo -e "Subject: Analysis ports flapping for $date \nFrom: root@syslog.domain.ru \nTo: $mail\ncc: $mail_copy\n" > $result #analiz statistiki list=`ls -1 $dir_sw` #echo $list ##################list="192.168.7.166.log" echo $list|while read host do cat $dir_sw$host | perl /dir/scripts/flapping_int/analysis-switches_flapping >> $analys_tmp1 done sort -hr $analys_tmp1 > $analys_tmp2 grep -ve '^[[:digit:]] Time(s)' $analys_tmp2 >> $dir_data/LAST cp $dir_data/LAST $dir_data/history_`date -d yesterday '+%b_%d'` #poluchaem 
spisok IP adresov list_ip=`awk '{print $3}' $dir_data/LAST | sort -u | sed '/^$/d'` while read ip || [ -n "$ip" ] do kol_vo_dney_real=`grep -l -w $ip $dir_data/history_* | wc -l` #echo debug $ip kol_vo_dney_real $kol_vo_dney_real #esli avariya sistematichnaya, to dobavlyaem v fajl-otchet if [[ "$kol_vo_dney_real" > "$kolichestvo_dney_threshold" ]]; then if [ $debug == "1" ]; then echo "DEBUG Naydena sistematichnaya avariya $ip"; fi stroka=`grep $ip $dir_data/LAST`; echo $stroka >> $tmp_logs #doljno poluchitsya chetnoe kol-vo strok t.k. budet vkluchenie i vyklushenie list_port=`echo $stroka | grep -oP -i -e 'gi1/0/[0-9]+|te1/0/[0-9]+|port [0-9]+'` while read port do config_file=`find /dir/configs/ -name $ip*` vendor=`echo $config_file | cut -d '/' -f 5` case $vendor in Eltex) if [ $debug == "1" ]; then echo "You choose Eltex device"; fi sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`; full_port=`echo $port | sed -e 's/^gi/gigabitethernet/g' -e 's/^te/tengigabitethernet/g'` description=`grep -a -A4 -w "$full_port" $config_file | grep description` if [ $debug == "1" ]; then echo "DEBUG Switch $ip Eltex $sw_name port $port full_port $full_port description $description"; fi echo "Switch $ip Eltex $sw_name port $port $description" >> $tmp_ports ;; DES) if [ $debug == "1" ]; then echo "You choose D-link device"; fi sw_name=`grep -a command_prompt $config_file | sed -e 's/config command_prompt //' -e 's/"//g' -e 's/\r//g'`; short_port=`echo $port | awk '{print $2}'` description=`grep -a -w "config ports $short_port" $config_file | awk -F 'description ' '{print $2}'` if [ $debug == "1" ]; then echo "DEBUG Switch $ip D-link $sw_name port $port short_port $short_port description $description"; fi echo "Switch $ip D-link $sw_name $port description $description" >> $tmp_ports ;; cisco) if [ $debug == "1" ]; then echo "You choose Cisco device"; fi sw_name=`grep hostname $config_file | sed -e 's/hostname //' -e 's/"//g'`; ;; GPON) echo You choose GPON 
device; ;; *) echo "Error...Device $ip not found..." >> $result; ;; esac unset vendor; unset sw_name; unset config_file; unset short_port; unset full_port; unset description done <<< $list_port fi done <<< $list_ip #echo >> $result echo Обнаружен систематический флаппинг портов за $kolichestvo_dney_threshold дней из $kolichestvo_dney_all: >> $result sort -u $tmp_ports >> $result echo >> $result echo Просим вас устранить, либо минимизировать дергание линка. >> $result echo >> $result echo Выводы сделаны на основании нижеперечисленных логов: >> $result cat $tmp_logs >> $result echo >> $result echo Отчет высылается раз в неделю. Подробности в документе >> $result echo >> $result end=$(($(date +%s)-$starttime)); let summary_min=$end/60 echo Time execution of the script \"$0\" is $end sec. >> $result #otchet po pochte otpravlyaetsya raz v nedelyu #if [[ "$cur_day" = 14 || "$cur_day" = 15 || "$cur_day" = 16 || "$cur_day" = 17 ]]; then if [[ "$cur_day" = 01 || "$cur_day" = 08 || "$cur_day" = 15 || "$cur_day" = 22 ]]; then cat $result | /usr/sbin/sendmail -v $mail fi Оповещение в реальном времени cron.conf Цитата real_time_analysis */6 * * * * root /dir/real_time_analysis/send-alarm-Warning.sh 1>/dev/null 2>&1 */3 * * * * root /dir/real_time_analysis/send-alarm-Critical.sh 1>/dev/null 2>&1 /etc/network/interfaces Цитата auto ens18 iface ens18 inet static address 192.168.0.111 netmask 255.255.255.0 gateway 192.168.0.1 post-up /dir/real_time_analysis/real_time_analysis.pl & decrease.pl Цитата decrease.pl #!/usr/bin/perl use strict; my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0; my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %ARPINSP; my %NT_LBD; my %L2FM_MAC_FLAP; my %BRG_MACNTFY; my %PORT_SECURITY1; my %Error; my %Warning; my %Started; my %Successful; my %OtherList; my %Commands; ################## my %ThisLine; my %ThisLine_date; my %ThisLine_test; my ($testline,$testfields,$ip_add); my $date = `date '+%b %_d' | tr -d '\n'`; #my $twodaysago = `date -d -2days '+%b %_d' | tr 
-d '\n'`; while (defined(my $ThisLine = <STDIN>)) { chomp($ThisLine); if ($Debug) { print "$ThisLine\n"; } $ThisLine =~ s/^$date ..:..:.. (.*)$/$1/; my $ThisLine_date = $1; # Isklucheniya. Soobsheniya ignoriruutsya. if( $ThisLine_date ) { if ( ( $ThisLine_date =~ /XXXXXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYYYYYYYYYYYZZZZZZZZZZZZZZZZZZZZZ/ ) ) { # We don't care about these } elsif ($ThisLine_date =~ /%ARPINSP-I-PCKTLOG/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $ARPINSP{$ip_add}++; } elsif ($ThisLine_date =~ /%L2FM-2-L2FM_MAC_FLAP/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $L2FM_MAC_FLAP{$ip_add}++; } elsif ($ThisLine_date =~ /%NT_LBD/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $NT_LBD{$ip_add}++; } elsif ($ThisLine_date =~ /%BRG_MACNTFY/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $BRG_MACNTFY{$ip_add}++; } elsif ($ThisLine_date =~ /%LINK-I-ExcessIfMaxMac/) { $testline = $ThisLine_date; my @testfields = split(/ /,$testline); $ip_add = @testfields[0]; $PORT_SECURITY1{$ip_add}++; } elsif ($ThisLine_date =~ / (\S+): started/) { $Started{$1}++; } elsif ($ThisLine_date =~ / (\S+): completed successfully/) { $Successful{$1}++; } elsif ($ThisLine_date =~ /^(?:\/usr|\/bin|mv|rm|rsync|echo|mkdir|touch)(?:\/| )/) { $Commands{$ThisLine_date}++; } else { $OtherList{$ThisLine_date}++; } } } if (keys %NT_LBD) { foreach my $line (sort {$a cmp $b} keys %NT_LBD) { print "$line %NT_LBD-I-VLANACTIONONPORT: by Loopback Detection $NT_LBD{$line} Time(s)\n"; } } if (keys %L2FM_MAC_FLAP) { foreach my $line (sort {$a cmp $b} keys %L2FM_MAC_FLAP) { print "$line %L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected $L2FM_MAC_FLAP{$line} Time(s)\n"; } } if (keys %BRG_MACNTFY) { foreach my $line (sort {$a cmp $b} keys %BRG_MACNTFY) { print "$line %BRG_MACNTFY-I-MAC_FLAPPING: host flapping 
$BRG_MACNTFY{$line} Time(s)\n"; } } if (keys %PORT_SECURITY1) { foreach my $line (sort {$a cmp $b} keys %PORT_SECURITY1) { print "$line %LINK-I-ExcessIfMaxMac: The maximum allowed number of MAC addresses $PORT_SECURITY1{$line} Time(s)\n"; } } if ($Detail and keys %Successful) { print "Completed Successfully:\n"; foreach my $retain (sort { $Successful{$b} <=> $Successful{$a} } keys %Successful) { print " $retain: $Successful{$retain} Time(s)\n"; } print "\n"; } if ($Detail > 5 and keys %Commands) { print "Commands:\n"; foreach my $cmd (sort { $Commands{$b} <=> $Commands{$a} } keys %Commands) { printf " %3d Time(s): %s\n", $Commands{$cmd}, $cmd; } print "\n"; } if (keys %OtherList) { foreach my $line (sort {$a cmp $b} keys %OtherList) { print "$line: $OtherList{$line} Time(s)\n"; } # print "\n"; } if (keys %ARPINSP) { foreach my $line (sort {$a cmp $b} keys %ARPINSP) { print "$line ARPINSP-I-PCKTLOG: $ARPINSP{$line} Time(s)\n"; } # print "\n"; } exit(0); real_time_analysis.pl Цитата #!/usr/bin/perl # use warnings; #use strict; use File::Tail; $file=File::Tail->new("/dir/summary.log"); while (defined($line=$file->read)) { # print "$line"; if(($line =~ /%NT_LBD|loop occurred/) or ($line =~ /L2FM-2-L2FM|MTM-SLOT1-2/) or ($line =~ /%STP-W-LOOPGUARD|%STP-2-LOOPGUARD|Loop protection blocking/i)) { # print $line; my $file_path = "/dir/real_time_analysis/Critical_all.txt"; open(my $file_handle, '>>', $file_path) or die "Could not open file! $!"; print $file_handle "$line"; close $file_handle; } if(($line =~ /%STORM|storm is occurring|%LINK-I-ExcessIfMaxMac|%BRG_FWD-W-PORT_LOCK|%BRG_MACNTFY/) or ($line =~ /%AAA-W-REJECT|Authentication fai|Login failed|login failure/) or ($line =~ /%ARPINSP-I-PCKTLOG|WARN: Unauthenticated IP-MAC address|Startup|System.*start|%NSFP-I-SFPGibic/) or ($line =~ /%XXXXXXXXXXXXXXXXXXX/i)) { # print $line; my $file_path = "/dir/real_time_analysis/Warning_all.txt"; open(my $file_handle, '>>', $file_path) or die "Could not open file! 
$!"; print $file_handle "$line"; close $file_handle; } } send-alarm-Critical.sh Цитата #!/bin/bash debug=1 tel_channel="ID_TELEGRAM" #Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov #Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html #=#=# CHto mozhno dodelat'? #=#=# #Proverku na otpravku #Nujna rasshifrovka hostov po hostname #https://apps.timwhitlock.info/emoji/tables/unicode IFS='' cd /dir/real_time_analysis real_time_analysis_lines=$(cat Critical_all.txt | wc -l) real_time_analysis_chars=$(cat Critical_all.txt | wc -m) date=`date -d yesterday '+%b %_d' | tr -d '\n'` mail=name@domain.ru email_file="mail-Critical.txt" send_telegram (){ if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\ -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB6 $real_time_analysis_lines"`" ) then echo;echo "Sorry... Not connect to telegram server... Exit..." echo "Sorry... Not connect to telegram server... Exit..." 
>> Critical.txt exit fi } #Nakoplenie fayla dlya otpravki if [ "$real_time_analysis_lines" -gt 20 ]; then #If more 3 line #solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"} #| iconv -f cp1251 -t utf-8 # decrease message cat Critical_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g'| perl decrease.pl > Critical.txt #Sending to Mail mail_message=$(cat Critical.txt) echo -e "Subject: Syslog Critical messages \nFrom: root \nTo: $mail\nX-Priority: 1\n" > $email_file cat Critical.txt >> $email_file cat $email_file | /usr/sbin/sendmail -v $mail #Sending to Telegram tlg_message=$(cat Critical.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA5/' -e 's/LOOPGUARD/\xF0\x9F\x92\xA2 LOOPGUARD/g' \ -e 's/L2FM-2-L2FM_MAC_FLAP_ACTION_LEARN_N3K: Loops detected.* \([0-9]\+ Time(s)\)/Nexus MAC flapping \xE2\xAD\x95LBD \1/g' \ -e 's/Loopback Detection/\xE2\xAD\x95 LBD/g' -e 's/Loops detected/\xE2\xAD\x95 LBD/g' -e 's/loop occurred/\xE2\xAD\x95 loop occurred/g' \ -e 's/vlan\|VLAN/\xE2\x86\x94/g') real_time_analysis_chars=$(echo $tlg_message | wc -m) tlg_output=`send_telegram` if ( ! echo $tlg_output | grep "\"ok\":true" ) then echo;echo "Sorry... Curl bad result... Exit..." echo "Sorry... Curl bad result... Exit..." >> Critical.txt exit fi #echo;echo ttt $t #Clear Critical.txt echo -n > Critical_all.txt fi send-alarm-Warning.sh Цитата send-alarm-Warning.sh #!/bin/bash debug=1 tel_channel="ID_TELEGRAM" predel_1="150" predel_2="400" #Telegram pozvolyaet otpravit' v odnom soobshchenii ne bolee 4096 simvolov #Konstrukciya ${tlg_message:0:3000} otpravlyaet pervie 3000 simvolov #https://question-it.com/questions/115695/sokratite-imja-fajla-do-n-simvolov-sohraniv-rasshirenie-fajla #https://www.linuxtopia.org/online_books/advanced_bash_scripting_guide/string-manipulation.html #=#=# CHto mozhno dodelat'? 
#=#=# #Proverku na otpravku #Nujna rasshifrovka hostov po hostname #https://apps.timwhitlock.info/emoji/tables/unicode IFS='' cd /dir/real_time_analysis #Ne uchitivat ARP insp, IMPB i drugie ne ktitichnie stroki. Sdelano dlya snijeniya intensivnosti soobsheniy real_time_analysis_lines=$(cat Warning_all.txt | grep -Ev 'ARPINSP-I-PCKTLOG|Unauthenticated IP-MAC address|LI_=OFFFFFFFF=_NK-I-ExcessIfMaxMac'| wc -l) real_time_analysis_lines_all=$(cat Warning_all.txt | wc -l) date=`date -d yesterday '+%b %_d' | tr -d '\n'` mail=name@domain.ru email_file="mail-Warning.txt" send_telegram (){ if ( ! curl -s -X POST https://api.telegram.org/botID:ZXXXXXXXXXXXXXXXXXXXXXXX/sendMessage -d chat_id=$tel_channel\ -d text="`printf "${tlg_message:0:3000} \xF0\x9F\x93\x8A ${#tlg_message} < 4096 \xF0\x9F\x8E\xB5 $real_time_analysis_lines ($predel_1) \xF0\x9F\x8E\xB6 $real_time_analysis_lines_all ($predel_2)"`" ) then echo;echo "Sorry... Not connect to telegram server... Exit..." echo "Sorry... Not connect to telegram server... Exit..." 
>> Warning.txt exit fi } #Nakoplenie fayla dlya otpravki if [[ "$real_time_analysis_lines" -gt $predel_1 || "$real_time_analysis_lines_all" -gt $predel_2 ]]; then #If more 150 line importaint or more 400 all line #solving the problem {"ok":false,"error_code":400,"description":"Bad Request: strings must be encoded in UTF-8"} #| iconv -f cp1251 -t utf-8 # decrease message cat Warning_all.txt | iconv -f cp1251 -t utf-8 | sed 's/\\/_/g' | perl decrease.pl > Warning.txt # | grep -ve '%STORM-W-StormOccurs.* [12] Time(s)\|storm is occurring.* [12] Time(s)\|ABCDEF.* [12] Time(s)' cat Warning.txt | grep -ve '%STORM-W-StormOccurs.* [123] Time(s)\|storm is occurring.* [123] Time(s)\|StormOccurs: Unicast traffic\|AAA-W-REJECT.* [1] Time(s)\|Login failed.* [1] Time(s)|ARPINSP-I-PCKTLOG: [12345] Time(s)' > Warning_tlg.txt #Sending to Mail mail_message=$(cat Warning.txt) echo -e "Subject: Syslog Warning messages \nFrom: root \nTo: $mail\nX-Priority: 5\n" > $email_file cat Warning.txt >> $email_file echo -e "\n\n==Sending to telegram==" >> $email_file cat Warning_tlg.txt >> $email_file cat $email_file | /usr/sbin/sendmail -v $mail #Sending to Telegram tlg_message=$(cat Warning_tlg.txt | sed -e 's/%//g' -e 's/^/\xF0\x9F\x92\xA1/' \ -e 's/Authentication/\xF0\x9F\x9A\xB7 Authentication/g' -e 's/AAA-W-REJECT/\xF0\x9F\x9A\xB7 AAA-W-REJECT/g' -e 's/Login failed/\xF0\x9F\x9A\xB7 Login failed/g' -e 's/login failure/\xF0\x9F\x9A\xB7 login failure/g' \ -e 's/[Ss]torm/\xF0\x9F\x8C\x80storm/g' -e 's/[Ss]tart/\xF0\x9F\x94\x8Cstart/g' -e 's/NSFP-I-SFPGibic/\xF0\x9F\x94\xA9SFPGibic/g' \ -e 's/L2FM-2-L2FM_MAC_FLAP_RE_ENABLE_LEARN_N3K/L2FM/g' -e 's/L2FM-2-L2FM_MAC_FLAP_DISABLE_LEARN_N3K/L2FM/g' -e 's/BRG_MACNTFY-I-MAC_FLAPPING/MAC/g' -e 's/flapping/\xF0\x9F\x94\x83 flapping/g' \ -e 's/LINK-I-ExcessIfMaxMac:.* \([0-9]\+ Time(s)\)/\xE2\x9C\x82 MES Port security logging \1/g' \ -e 's/ARPINSP-I-PCKTLOG:.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC MES IP ARP inspection logging \1/g' \ -e 's/WARN: 
Unauthenticated IP-MAC address.* \([0-9]\+ Time(s)\)/\xF0\x9F\x94\xAC DES IP Mac Port Binding logging \1/g') tlg_output=`send_telegram` if ( ! echo $tlg_output | grep "\"ok\":true" ) then echo;echo "Sorry... Curl bad result... Exit..." echo "Sorry... Curl bad result... Exit..." >> Warning.txt exit fi #echo;echo ttt $t #Clear Warning.txt echo -n > Warning_all.txt fi Edited March 24, 2023 by neperpbl3 Вставить ник Quote
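The real-time path in the post above hands untrusted switch-log text to printf as the format string (relying on the preceding sed to strip every % and backslash), passes it to curl with -d, which does not URL-encode, and cuts it with ${var:0:3000}, which under a C locale counts bytes and can split a multi-byte character, the very "strings must be encoded in UTF-8" rejection the scripts mention. The following is an added example, not code from the post or its author: the same classification in bash (the regexes are the ones from real_time_analysis.pl), a per-host condensation like decrease.pl, a byte-safe truncation, and a sender that keeps the log text out of the format string and URL-encodes it. The function names, the sample log lines, the bot token and the chat id are all made up for the example; DRY_RUN=1 prints the request instead of calling the API.

```bash
#!/usr/bin/env bash
# Added example (not from the post above): safer building blocks for the
# real-time alerting path. Log lines below are constructed for the example.

SAMPLE_LOG=$(cat <<'EOF'
Mar 24 10:15:01 192.168.7.166 %NT_LBD-I-VLANACTIONONPORT: Loopback detected on gi1/0/5, vlan 10
Mar 24 10:15:02 192.168.7.166 %NT_LBD-I-VLANACTIONONPORT: Loopback detected on gi1/0/5, vlan 10
Mar 24 10:15:05 192.168.7.201 %AAA-W-REJECT: New console connection for user admin, source 10.0.0.5 REJECTED
Mar 24 10:16:00 192.168.7.166 %LINK-I-Up: gi1/0/7
Mar 24 10:16:30 192.168.7.9 %STORM-W-StormOccurs: gi1/0/2 & te1/0/1 storm is occurring
EOF
)

# Classify one syslog line with the patterns real_time_analysis.pl uses.
# Prints one of: critical | warning | none
classify_line() {
    local line=$1
    if printf '%s\n' "$line" | grep -Eq '%NT_LBD|loop occurred|L2FM-2-L2FM|MTM-SLOT1-2' \
       || printf '%s\n' "$line" | grep -Eqi '%STP-W-LOOPGUARD|%STP-2-LOOPGUARD|Loop protection blocking'; then
        echo critical
    elif printf '%s\n' "$line" | grep -Eq '%STORM|storm is occurring|%LINK-I-ExcessIfMaxMac|%BRG_FWD-W-PORT_LOCK|%BRG_MACNTFY|%AAA-W-REJECT|Authentication fai|Login failed|login failure|%ARPINSP-I-PCKTLOG|Unauthenticated IP-MAC address'; then
        echo warning
    else
        echo none
    fi
}

# Condense stdin to "<host> <class> <count>" lines (host = 4th field after
# "Mon DD HH:MM:SS"), the step decrease.pl performs; output is sorted.
summarize() {
    local line cls host key _m _d _t _rest
    declare -A count=()
    while IFS= read -r line; do
        cls=$(classify_line "$line")
        [ "$cls" = none ] && continue
        read -r _m _d _t host _rest <<<"$line"
        count["$host $cls"]=$(( ${count["$host $cls"]:-0} + 1 ))
    done
    for key in "${!count[@]}"; do
        printf '%s %d\n' "$key" "${count[$key]}"
    done | sort
}

# Truncate $1 to at most $2 bytes without cutting a multi-byte UTF-8 sequence
# (Telegram rejects a message that ends in a partial character).
utf8_truncate() {
    local max=$2
    (
        LC_ALL=C                 # byte-wise ${var:off:len} and ${#var} inside this subshell
        s=${1:0:max}
        n=${#s}
        # Walk back at most 4 bytes to find the lead byte of the last sequence
        for ((i = n - 1; i >= 0 && i >= n - 4; i--)); do
            printf -v b '%d' "'${s:i:1}"
            ((b < 128)) && break            # ASCII: nothing to trim
            ((b >= 192)) || continue        # continuation byte: keep walking back
            if   ((b >= 240)); then need=4  # lead byte: expected sequence length
            elif ((b >= 224)); then need=3
            else                    need=2; fi
            (( n - i < need )) && s=${s:0:i}   # incomplete sequence: drop it
            break
        done
        printf '%s' "$s"
    )
}

# Build the alert text. Log data is a printf ARGUMENT; the format string is fixed,
# so a '%' in a facility code like %AAA-W-REJECT is never interpreted.
telegram_text() {
    local summary=$1 total_lines=$2 body
    body=$(utf8_truncate "$summary" 3000)   # Telegram's limit is 4096 chars; keep headroom
    printf '%s\n[%s raw lines, %s of %s chars shown]' "$body" "$total_lines" "${#body}" "${#summary}"
}

# Send via the Bot API. --data-urlencode is required: with -d, an '&' or '+' in a
# log line would split or alter the form field. Token and chat id are placeholders;
# DRY_RUN=1 prints the request instead of sending it. Returns 0 only on "ok":true.
telegram_send() {
    local token=$1 chat_id=$2 text=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'POST https://api.telegram.org/bot<token>/sendMessage chat_id=%s text=%s\n' "$chat_id" "$text"
        return 0
    fi
    curl -sS -X POST "https://api.telegram.org/bot${token}/sendMessage" \
         --data-urlencode "chat_id=${chat_id}" --data-urlencode "text=${text}" \
         | grep -q '"ok":true'
}

# Usage: DRY_RUN=1 bash alert_example.sh
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    summary=$(summarize <<<"$SAMPLE_LOG")
    total=$(printf '%s\n' "$SAMPLE_LOG" | wc -l)
    DRY_RUN=1 telegram_send "123456:PLACEHOLDER_TOKEN" "-1001234567890" "$(telegram_text "$summary" "$total")"
fi
```

The accumulate-and-threshold logic of the cron scripts (send after N lines) is unchanged in spirit; what this changes is the trust boundary: device logs reach printf and curl only as data. The byte-walking in utf8_truncate is what ${tlg_message:0:3000} silently skips when the cron job runs without a UTF-8 locale.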