In day-to-day operations work you usually need to monitor ssh logins across all systems. To make the relevant ssh logs easier to parse, the raw ssh log lines are converted to JSON.
Below I use rsyslog (an open-source system logging service) to render the ssh logs as JSON and write them to the file /var/log/sshd_json.log
Environment:
1) Rocky Linux release 8.9 (kernel 4.18.0)
2) rsyslogd 8.2102.0, openssh-server-8.0p1 (sshd service)
The procedure is as follows:
Deploy and configure the rsyslog service
1. Install the system log management daemon
sudo dnf install rsyslog
2. Define a custom JSON template that renders the relevant logs as JSON. Only the msg property is given format="json", which escapes quotes and backslashes in the message text so that the output line stays valid JSON.
# cat /etc/rsyslog.d/sshd.conf
template(name="JsonFormat" type="list") {
    constant(value="{")
    constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"hostname\":\"") property(name="hostname")
    constant(value="\",\"app-name\":\"") property(name="app-name")
    constant(value="\",\"procid\":\"") property(name="procid")
    constant(value="\",\"message\":\"") property(name="msg" format="json")
    constant(value="\"}\n")
}
# Filter the logs and apply the custom JSON template
if $programname == 'sshd' or $programname == 'systemd-logind' then {
    action(type="omfile" file="/var/log/sshd_json.log" template="JsonFormat")
}
3. Make sure the following configuration item is enabled
# /etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
4. Restart the rsyslog service so the configuration takes effect
systemctl restart rsyslog.service
Parsing ssh login logs
Raw log
# /var/log/secure
Jun 30 16:29:28 a3 sshd[2680]: Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM
Jun 30 16:29:28 a3 systemd-logind[756]: New session 13 of user root.
Jun 30 16:29:28 a3 sshd[2680]: pam_unix(sshd:session): session opened for user root by (uid=0)
Logs parsed as JSON
// /var/log/sshd_json.log
{"timestamp":"2024-06-30T16:39:31.222920+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"}
{"timestamp":"2024-06-30T16:39:31.236649+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"New session 13 of user root."}
{"timestamp":"2024-06-30T16:39:31.239941+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session opened for user root by (uid=0)"}
Parsing ssh logout logs
Raw log
# /var/log/secure
Jun 30 16:29:49 a3 sshd[2683]: Received disconnect from 192.168.31.201 port 37680:11: disconnected by user
Jun 30 16:29:49 a3 sshd[2683]: Disconnected from user root 192.168.31.201 port 37680
Jun 30 16:29:49 a3 sshd[2680]: pam_unix(sshd:session): session closed for user root
Jun 30 16:29:49 a3 systemd-logind[756]: Session 13 logged out. Waiting for processes to exit.
Jun 30 16:29:49 a3 systemd-logind[756]: Removed session 13.
Logs parsed as JSON
// /var/log/sshd_json.log
{"timestamp":"2024-06-30T16:41:47.414181+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Received disconnect from 192.168.31.201 port 37680:11: disconnected by user"}
{"timestamp":"2024-06-30T16:41:47.415198+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Disconnected from user root 192.168.31.201 port 37680"}
{"timestamp":"2024-06-30T16:41:47.418306+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session closed for user root"}
{"timestamp":"2024-06-30T16:41:47.426184+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"Session 13 logged out. Waiting for processes to exit."}
{"timestamp":"2024-06-30T16:41:47.428457+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"Removed session 13."}
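The point of writing the log as JSON is that a consumer no longer has to guess at the syslog layout. As an added example (not part of the original post and not rsyslog's code), the script below reads lines in exactly the shape the JsonFormat template produces, rejects any line that is not a well-formed record, turns the sshd "Accepted"/"Failed" messages into structured authentication events, and ties the pam_unix "session opened" line to its "session closed" line through the shared sshd procid to compute the session length. The sample input is constructed: the first five records mirror the login and logout excerpts above, while the "Failed password" record and the final non-JSON line are invented to exercise the failure paths.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample input in the shape the JsonFormat template writes to
# /var/log/sshd_json.log. Records 1-5 mirror the excerpts in the text; the
# "Failed password" record and the last line are constructed for this example.
SAMPLE_LOG = """\
{"timestamp":"2024-06-30T16:39:31.222920+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"}
{"timestamp":"2024-06-30T16:39:31.236649+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"New session 13 of user root."}
{"timestamp":"2024-06-30T16:39:31.239941+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session opened for user root by (uid=0)"}
{"timestamp":"2024-06-30T16:41:47.418306+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session closed for user root"}
{"timestamp":"2024-06-30T16:41:47.428457+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"Removed session 13."}
{"timestamp":"2024-06-30T16:45:02.000000+08:00","hostname":"a3","app-name":"sshd","procid":"2701","message":"Failed password for invalid user admin from 192.168.31.250 port 40022 ssh2"}
not a json record
"""

REQUIRED_KEYS = ("timestamp", "hostname", "app-name", "procid", "message")

# OpenSSH authentication outcome lines; "invalid user" is only present for
# accounts that do not exist on the host.
AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_records(text):
    """Parse one JSON object per line; return (records, bad_lines).

    A line that is not valid JSON or lacks a required key is reported, not
    silently dropped: a gap in an authentication log is itself a finding.
    """
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)  # JSONDecodeError is a ValueError
            if any(k not in rec for k in REQUIRED_KEYS):
                raise ValueError("missing required field")
            records.append(rec)
        except ValueError as exc:
            bad.append((lineno, str(exc)))
    return records, bad


def extract_auth_events(records):
    """Turn sshd 'Accepted'/'Failed' messages into structured auth events."""
    events = []
    for rec in records:
        if rec["app-name"] != "sshd":
            continue
        m = AUTH_RE.match(rec["message"])
        if m:
            events.append({
                "timestamp": rec["timestamp"], "hostname": rec["hostname"],
                "outcome": m["outcome"].lower(), "method": m["method"],
                "user": m["user"], "ip": m["ip"], "port": int(m["port"]),
            })
    return events


def session_durations(records):
    """Pair pam_unix 'session opened'/'session closed' lines by sshd procid.

    Both lines carry the same procid (2680 in the excerpt), which is what lets
    a consumer tie a login to its logout and compute the session length.
    """
    sessions = {}
    for rec in records:
        if rec["app-name"] != "sshd":
            continue
        m = SESSION_RE.search(rec["message"])
        if not m:
            continue
        ts = datetime.fromisoformat(rec["timestamp"])  # rfc3339 with offset
        s = sessions.setdefault(rec["procid"], {"user": m["user"], "opened": None,
                                                "closed": None, "seconds": None})
        s[m["state"]] = ts
        if s["opened"] and s["closed"]:
            s["seconds"] = (s["closed"] - s["opened"]).total_seconds()
    return sessions


def failures_by_source(events):
    """Count failed authentications per source IP (a basic brute-force signal)."""
    return Counter(e["ip"] for e in events if e["outcome"] == "failed")


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    events = extract_auth_events(recs)
    for e in events:
        print(e)
    for procid, s in session_durations(recs).items():
        print("session", procid, s["user"], s["seconds"], "s")
    print("failed per source:", dict(failures_by_source(events)))
    print("unparseable lines:", bad)
```

Run it against the real file with parse_records(open("/var/log/sshd_json.log").read()). The procid pairing only works while both lines come from the same sshd child; the "Received disconnect"/"Disconnected from" lines are logged by a different process (2683 in the excerpt) and are therefore not used for the duration.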
Extensions
Forwarding logs instead of writing them to disk: replace the omfile action above with an omfwd action that sends the records to a remote collector
action(type="omfwd" protocol="tcp" target="192.168.31.87" port="1514" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted" KeepAlive="on")
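On the wire this action produces a TCP byte stream of octet-counted frames (a decimal length, a space, then the message) carrying RFC 5424 style records from the RSYSLOG_SyslogProtocol23Format template. As an added example, not part of the original post and not rsyslog's own code, the decoder below shows what the receiving side at the configured target has to do: reassemble frames that arrive split across reads or packed several to a read, refuse implausible length prefixes, and split the RFC 5424 header into fields. The two messages are constructed from the login excerpt above; PRI 86 is authpriv (10) * 8 + info (6), which matches the SyslogFacility AUTHPRIV and LogLevel INFO settings discussed below.

```python
class OctetCountedFramer:
    """Incremental decoder for octet-counted syslog frames: "<LEN> <MSG>".

    TCP delivers a byte stream, so one frame may arrive split across reads
    or several frames in a single read; feed() buffers and handles both.
    """

    def __init__(self, max_len=64 * 1024):
        self.buf = b""
        self.max_len = max_len  # refuse absurd lengths from a misbehaving peer

    def feed(self, data):
        self.buf += data
        frames = []
        while self.buf:
            sp = self.buf.find(b" ")
            if sp == -1:
                if len(self.buf) > 10:  # more than 10 digits and still no space
                    raise ValueError("missing length prefix; not octet-counted framing")
                break  # length field not complete yet
            length = self.buf[:sp]
            if not length.isdigit() or int(length) > self.max_len:
                raise ValueError("bad frame length %r" % length)
            n = int(length)
            if len(self.buf) < sp + 1 + n:
                break  # frame body not complete yet
            frames.append(self.buf[sp + 1:sp + 1 + n])
            self.buf = self.buf[sp + 1 + n:]
        return frames


def parse_rfc5424(frame):
    """Split an RFC 5424 header: <PRI>VERSION TS HOST APP PROCID MSGID SD MSG.

    Structured data is kept as raw text; a "]" inside an SD-PARAM value is not
    handled, which is fine for sshd records that carry no structured data.
    """
    text = frame.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    close = text.index(">")
    pri = int(text[1:close])
    fields = text[close + 1:].split(" ", 6)
    if len(fields) < 7:
        raise ValueError("truncated header")
    version, ts, host, app, procid, msgid, rest = fields
    if rest.startswith("["):
        end = rest.find("] ")
        sd, msg = (rest, "") if end == -1 else (rest[:end + 1], rest[end + 2:])
    else:
        sd = "-"
        msg = rest[2:] if rest.startswith("- ") else ""
    return {
        "facility": pri // 8, "severity": pri % 8, "version": version,
        "timestamp": ts, "hostname": host, "appname": app,
        "procid": procid, "msgid": msgid, "sd": sd, "msg": msg,
    }


def frame(msg):
    """Encode one message the way an octet-counting sender does."""
    return b"%d %s" % (len(msg), msg)


# Constructed stream: two records modelled on the login excerpt in the text.
MSG_SSHD = (b"<86>1 2024-06-30T16:39:31.222920+08:00 a3 sshd 2680 - - "
            b"Accepted publickey for root from 192.168.31.201 port 37680 ssh2: "
            b"RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM")
MSG_LOGIND = (b"<30>1 2024-06-30T16:39:31.236649+08:00 a3 systemd-logind 756 - - "
              b"New session 13 of user root.")
STREAM = frame(MSG_SSHD) + frame(MSG_LOGIND)


def decode_stream(chunks):
    """Feed a sequence of TCP read() results and return the parsed records."""
    framer = OctetCountedFramer()
    records = []
    for chunk in chunks:
        for f in framer.feed(chunk):
            records.append(parse_rfc5424(f))
    return records


if __name__ == "__main__":
    # Split the stream mid-frame to show that partial reads are reassembled.
    for rec in decode_stream([STREAM[:50], STREAM[50:]]):
        print(rec["facility"], rec["severity"], rec["appname"], rec["procid"], rec["msg"])
```

Without the length cap a peer could announce a multi-gigabyte frame and make the collector buffer indefinitely, which is why the framer rejects lengths above max_len instead of waiting for them.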
Setting the logging verbosity
Possible values for LogLevel: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO
Use the SyslogFacility directive to choose which syslog facility sshd sends its log messages through. Valid values include DAEMON, USER, AUTH (the default), LOCAL0-LOCAL7, and others
# Logging
# SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
# Show the help for the sshd configuration file
man sshd_config
# Check that the sshd_config syntax is valid. After changing sshd_config or the system logging configuration, restart the sshd service for the change to take effect
sshd -t