内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档详细介绍Linux日志的安全管理和分析方法。
Part01-日志系统配置
1. Rsyslog配置
$ cat /etc/rsyslog.conf
# stock selector rules, shown for reference: "facility.priority  target"
# everything at info or above, except mail/authpriv/cron, goes to /var/log/messages
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# authentication events (sshd/PAM lines, see the samples further down) get their own, more sensitive file
authpriv.* /var/log/secure
# leading "-" = do not sync the file after every message (buffered write)
mail.* -/var/log/maillog
cron.* /var/log/cron
# emergencies are pushed to the terminal of every logged-in user
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
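# Log server: accept events from clients on TCP/514 and keep one file per host and program.
# Back the stock file up first: `tee` without -a replaces it, and the RHEL version carries
# settings the minimal file below does not (imjournal, workDirectory, ...); compare both
# before going live.
$ sudo cp -n /etc/rsyslog.conf /etc/rsyslog.conf.orig
$ sudo tee /etc/rsyslog.conf << 'EOF'
module(load="imuxsock")
module(load="imklog")
# Plain TCP with no sender authentication: anything that can reach 514/tcp can inject
# forged events. Firewall the port to the client subnet, and use rsyslog's TLS stream
# driver (gtls/ossl) on networks you do not control.
module(load="imtcp")
input(type="imtcp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# new log files are root:root 0640, i.e. readable by root only
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
local7.* /var/log/boot.log
# HOSTNAME and PROGRAMNAME are taken from the client's message, so on an unauthenticated
# link they are attacker controlled. secpath-replace rewrites any "/" in them to "_" so a
# forged value cannot add path components to the file name. If the directory must not be
# spoofable at all, use %FROMHOST-IP% (the peer address of the connection) instead of
# %HOSTNAME%.
$template RemoteLogs,"/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"
*.* ?RemoteLogs
# keep drop-in files working (RHEL and many packages install their config here)
$IncludeConfig /etc/rsyslog.d/*.conf
EOF
# Validate the configuration before restarting, then restart rsyslog
$ sudo rsyslogd -N1
$ sudo systemctl restart rsyslog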
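# Log client: forward everything to the central server.
# "@@host:514" (TCP; a single "@" would be UDP) buffers only in memory and drops events
# once the server stays unreachable. The action() form below adds a disk-assisted queue
# so events are held locally until the server is back (see rsyslog's "reliable
# forwarding" guide). The link is still plaintext: same TLS/firewall caveat as the server.
# queue.filename is relative to the global workDirectory, which RHEL's stock
# rsyslog.conf sets to /var/lib/rsyslog; add global(workDirectory="...") if yours lacks it.
$ sudo tee -a /etc/rsyslog.conf << 'EOF'
action(type="omfwd" target="logserver.fgedu.net.cn" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_logserver"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
$ sudo rsyslogd -N1
$ sudo systemctl restart rsyslog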
# Log rotation: global defaults (stanzas under /etc/logrotate.d override them per file)
$ cat /etc/logrotate.conf
# rotate weekly and keep four generations
weekly
rotate 4
# recreate the log after rotating it; with no mode/owner given, the new file inherits them from the old one
create
# rotated files get a date suffix instead of .1, .2, ...
dateext
compress
# run the postrotate script once per stanza instead of once per file
sharedscripts
# rsyslog keeps the old file open; HUP makes it close and reopen its output files
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
include /etc/logrotate.d
# Per-service rotation for the rsyslog output files
$ cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
# do not fail when one of the listed files is absent
missingok
# one HUP after all five files are rotated, so rsyslog reopens them together
sharedscripts
# no "create mode owner group" here: the global "create" recreates each file with
# its previous owner and mode, so /var/log/secure stays root-only after rotation
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
}
Part02-日志分析
2.1 日志查询和分析
$ sudo tail -f /var/log/messages
Apr 4 03:05:00 server systemd[1]: Started Session 123 of user user1.
Apr 4 03:05:05 server kernel: [12345.678901] TCP: request_sock_TCP: Possible SYN flooding on port 80.
# 查看安全日志
$ sudo tail -f /var/log/secure
Apr 4 03:05:00 server sshd[12345]: Accepted publickey for user1 from 192.168.1.10 port 54321 ssh2
Apr 4 03:05:00 server sshd[12345]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
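# Search for specific events (use ASCII double quotes; curly quotes would be handed to grep literally)
$ sudo grep "Failed password" /var/log/secure
$ sudo grep "Accepted" /var/log/secure
$ sudo grep "error" /var/log/messages
# Query the journal by time range (the options are --since/--until with two ASCII hyphens).
# NOTE(review): on RHEL the journal lives in /run and is lost at reboot unless
# /var/log/journal exists (Storage=persistent in journald.conf) — verify with
# `journalctl --disk-usage` before relying on it for investigations.
$ sudo journalctl --since "2026-04-04 03:00:00" --until "2026-04-04 04:00:00"
$ sudo journalctl --since today
$ sudo journalctl --since yesterday
# By unit
$ sudo journalctl -u sshd
$ sudo journalctl -u nginx
$ sudo journalctl -u mysqld
# By priority: -p err shows err and everything more severe (add -b to limit to the current boot)
$ sudo journalctl -p err
$ sudo journalctl -p warning
# Follow in real time
$ sudo journalctl -f
# Kernel ring buffer (the last 20 lines)
$ sudo dmesg | tail -20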
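# Log analysis script: daily summary of SSH authentication events, sent by mail.
# Written with sudo tee: /usr/local/bin is not writable by a normal user, so a plain
# "cat > file" would fail.
$ sudo tee /usr/local/bin/log-analyzer.sh << 'EOF'
#!/bin/bash
# log-analyzer.sh: summarize SSH authentication events from /var/log/secure and
# mail the report. Must run as root (the log is root-only). Only the current file
# is read; rotated generations are not included.
set -u
LOG_FILE="/var/log/secure"
MAIL_TO="admin@fgedu.net.cn"

# Private temporary file instead of a fixed /tmp/log-report.txt: a predictable name
# lets any local user plant a symlink that root then overwrites, and the report
# (user names, source addresses) should not be world-readable.
umask 077
REPORT_FILE=$(mktemp) || exit 1
trap 'rm -f -- "$REPORT_FILE"' EXIT

# count_after PATTERN KEYWORD: for every line of $LOG_FILE containing PATTERN,
# print the word that follows KEYWORD, then count and sort by frequency.
# Taking the word after a keyword instead of a fixed column matters:
# "Failed password for invalid user X from IP" has two more fields than
# "Failed password for X from IP", so $11 is not the address on those lines.
# grep exits 1 when nothing matched; that just yields an empty section.
count_after() {
  grep -F -- "$1" "$LOG_FILE" \
    | awk -v key="$2" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); break } }' \
    | sort | uniq -c | sort -nr
}

{
  echo "Log Analysis Report - $(date)"
  echo "================================"
  printf '\nFailed Login Attempts (by source IP):\n'
  count_after "Failed password" from
  printf '\nSuccessful Logins (by user):\n'
  count_after "Accepted" for
  # The source address is on the "Accepted" line; "session opened" lines
  # (pam_unix) carry no address, only "by (uid=0)".
  printf '\nSuccessful Logins (by source IP):\n'
  count_after "Accepted" from
} > "$REPORT_FILE"

mail -s "Daily Log Report" "$MAIL_TO" < "$REPORT_FILE"
EOF
$ sudo chmod 0755 /usr/local/bin/log-analyzer.sh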
Part03-日志监控告警
3.1 配置日志告警
$ sudo dnf install -y logwatch
# Configure logwatch: this file overrides the shipped defaults in
# /usr/share/logwatch/default.conf/logwatch.conf (only the keys set here change)
$ sudo tee /etc/logwatch/conf/logwatch.conf << 'EOF'
LogDir = /var/log
TmpDir = /var/cache/logwatch
# deliver by mail (needs a working local MTA) instead of printing to stdout
Output = mail
Format = html
MailTo = admin@fgedu.net.cn
MailFrom = logwatch@fgedu.net.cn
# High = most verbose of the named detail levels (Low/Med/High)
Detail = High
# All = every service logwatch has a parser for
Service = All
EOF
# Send one report now to test the configuration; the package normally also
# installs a daily cron job (check /etc/cron.daily)
$ sudo logwatch --output mail
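# Real-time monitor: alert on repeated SSH password failures.
# Written with sudo tee: /usr/local/bin is not writable by a normal user.
$ sudo tee /usr/local/bin/log-monitor.sh << 'EOF'
#!/bin/bash
# log-monitor.sh: follow /var/log/secure and mail an alert once a source IP
# exceeds THRESHOLD "Failed password" lines. Runs as root (the log is root-only).
set -u
LOG_FILE="/var/log/secure"
ALERT_EMAIL="admin@fgedu.net.cn"
THRESHOLD=5
# Addresses already reported. Without this, every further failed attempt from an
# address past the threshold sends another mail, so a brute-force run becomes a
# mail flood.
declare -A alerted=()

# -F (not -f): follow by name and reopen the file after logrotate renames it.
# With -f the monitor keeps the rotated file open and silently stops alerting.
tail -Fn0 -- "$LOG_FILE" | while IFS= read -r line; do
  case "$line" in
    *"Failed password"*) ;;
    *) continue ;;
  esac
  # Word after "from": a fixed column ($11) is wrong for "invalid user" lines,
  # which carry two extra fields.
  ip=$(awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); exit } }' <<< "$line")
  [[ -n "$ip" ]] || continue
  # Fixed-string match with surrounding spaces: the address came from the log,
  # so it must not be used as a regex (unescaped dots, and 10.0.0.1 would also
  # count lines from 10.0.0.10). The count covers the whole current file, not a
  # time window, and starts over when the log is rotated.
  count=$(grep -F -- "Failed password" "$LOG_FILE" | grep -Fc -- " from $ip ")
  if (( count > THRESHOLD )) && [[ -z "${alerted[$ip]:-}" ]]; then
    alerted["$ip"]=1
    printf 'Multiple failed login attempts from %s (%s so far)\n' "$ip" "$count" \
      | mail -s "Security Alert" "$ALERT_EMAIL"
  fi
done
EOF
$ sudo chmod 0755 /usr/local/bin/log-monitor.sh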
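# systemd unit for the monitor. Written with sudo tee: "cat > /etc/systemd/system/..."
# from a normal user's shell fails with permission denied.
$ sudo tee /etc/systemd/system/log-monitor.service << 'EOF'
[Unit]
Description=Log Monitor Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/log-monitor.sh
Restart=always
# pause between restarts so a crashing script does not trip systemd's start-rate limit
RestartSec=10
# Runs as root because /var/log/secure is root-only; limit what that root can touch.
# ProtectSystem=full (not strict) keeps /var writable, which the MTA's mail queue needs.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now log-monitor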
# ELK log analysis
# Install Elasticsearch (the Elastic package repository must be configured first; not shown here)
$ sudo dnf install -y elasticsearch
# Configure Elasticsearch.
# NOTE(review): this replaces the whole file. On 8.x the package writes an
# auto-generated security section (xpack.security.*, TLS) into elasticsearch.yml
# that `tee` discards; on 7.x nothing below turns authentication on. Either way
# every local user could then read or delete indices via http://localhost:9200,
# so re-enable xpack.security before using this as a security log store.
$ sudo tee /etc/elasticsearch/elasticsearch.yml << 'EOF'
cluster.name: logs-cluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# loopback only: the HTTP API is not exposed on the network
network.host: localhost
http.port: 9200
EOF
$ sudo systemctl start elasticsearch
$ sudo systemctl enable elasticsearch
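# Install Kibana
$ sudo dnf install -y kibana
# The here-doc delimiter must be exactly EOF on both ends; anything else in the
# opening quotes means the closing EOF never matches and the command never finishes.
$ sudo tee /etc/kibana/kibana.yml << 'EOF'
server.port: 5601
# Loopback only: reach the UI through an SSH tunnel. Do not bind to 0.0.0.0 without
# TLS and Elasticsearch authentication in front of it; Kibana has no login of its
# own when Elasticsearch security is off.
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
EOF
$ sudo systemctl start kibana
$ sudo systemctl enable kibana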
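# Install Logstash
$ sudo dnf install -y logstash
# Pipeline: read the local syslog files, parse the syslog line format, index one
# index per day. Quotes inside the file must be ASCII "double quotes".
# NOTE(review): logstash runs as the `logstash` user and /var/log/secure is
# root-only, so the file input fails with "permission denied" unless you grant
# read access (e.g. `setfacl -m u:logstash:r /var/log/secure`, re-applied after
# each rotation) — or feed Logstash from rsyslog instead of reading the files.
$ sudo tee /etc/logstash/conf.d/syslog.conf << 'EOF'
input {
  file {
    path => ["/var/log/secure", "/var/log/messages"]
    type => "syslog"
    # "beginning" only applies the first time a file is seen; afterwards the
    # sincedb remembers the offset, so restarts do not re-index the whole file.
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }
  date {
    # Syslog pads single-digit days with a space ("Apr  4"), so both day forms are
    # listed. The timestamp carries no year; the current year is assumed.
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    remove_field => [ "timestamp" ]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
EOF
$ sudo systemctl start logstash
$ sudo systemctl enable logstash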
1. 集中管理日志
2. 配置日志轮转
3. 定期分析日志
4. 设置日志告警
5. 保护日志完整性
