一. 准备
1. 下载和解压缩最新的Swatch软件包.建议从Swatch的官方网站获得可靠的Swatch软件包.
下载网址:
1) 创建Swatch软件包存放的目录.
mkdir -p /usr/local/src/log
2) 解压缩源代码包
tar zpxf swatch-***.tar.gz
二. 安装
cd swatch-***
perl Makefile.PL
可能出现:
Checking if your kit is complete...
Looks good
Warning: prerequisite Date::Calc 0 not found.
Warning: prerequisite Date::Format 0 not found.
Warning: prerequisite File::Tail 0 not found.
Warning: prerequisite Time::HiRes 1.12 not found.
解决方法1:
perl -MCPAN -e shell
>install Date::Calc
然后就一直点Yes,依次安装剩下的三个。
解决方法2:
直接用wget下载下列文件
然后,
$ tar zxvf $SOURCE/Date-calc-5.3.tar.gz
$ cd $SOURCE/Date-Calc-5.2
$ perl Makefile.PL
$ make
$ make test
$ su
# make install
make
make test
make install
make realclean
Swatch程序安装成功后, Perl模块将会用于Swatch程序的运行.
三 使用
1、使用之前,需要创建一个.conf文件
例如:创建一个/root/abc.conf文件,内容为:
watchfor /[Ff]ail/
echo red
bell 1
exec "echo 000000"
2、简单使用
swatch --config-file=/root/abc.conf
--examine=/var/log/secure.1
得到结果:
*** swatch version 3.2.3 (pid:11950) started at 三 9月 17 09:06:06 CST 2008
Sep 4 22:33:18 localhost sshd[16376]: Failed password for root from 172.17.199.15 port 2883 ssh2
000000
3、其他
3.1一个conf脚本示例
I. More detailed swatch.conf example script
# Swatch configuration file for constant monitoring
ignore /news/
# Server problems -- we consider this to be relatively low-priority, so we just get email.
watchfor /restart|panic|halt/
bell
mail=admin@foo.bar,subject=Log_Data_Server_Info
# SSH stuff -- also low-priority, but we still want to know when users are ssh'd in.
watchfor /SSH|sshd2/
mail=admin@foo.bar,subject=Log_Data_SSH
# We want to know if someone tries to SU root -- does everything (emails multiple people,
# emails cell phone, pages Admin with pager code 911)
watchfor /root/
bell
mail=admin@foo.bar:other_admin@bar.foo:5551212@cell_messaging.com,subject=Log_Data_ROOT
throttle 0:2:0,use=regex # so it doesn't confuse the modem and interrupt paging
exec chat -f /etc/chatscript.txt -v -s -T 911 < /dev/modem > /dev/modem
# router problems - does everything (emails multiple people, emails cell phone, pages Admin
# with pager code 444)
watchfor /router/
bell
mail=admin@foo.bar:other_admin@bar.foo:5551212@cell_messaging.com,subject=Log_Data_Router
throttle 0:2:0,use=regex
exec chat -f /etc/chatscript.txt -v -s -T 444 < /dev/modem > /dev/modem
# If adduser is run, could be critical -- does everything (emails multiple people, emails cell
# phone, pages Admin with pager code 666)
watchfor /addgrp|adduser/
bell
mail=admin@foo.bar:other_admin@bar.foo:5551212@cell_messaging.com,subject=Log_Data_Adduser
throttle 0:2:0,use=regex
exec chat -f /etc/chatscript.txt -v -s -T 666 < /dev/modem > /dev/modem
# Bad login attempts -- mails us and pages Admin with pager code 888
watchfor /authentication failure/
bell
mail=admin@foo.bar:other_admin@bar.foo:5551212@cell_messaging.com,subject=Log_Data_Bad_Login
throttle 0:2:0,use=regex
exec chat -f /etc/chatscript.txt -v -s -T 888 < /dev/modem > /dev/modem
# end of swatch.conf
3.2 Swatch可以设置成开机后自动后台运行,只需要在rc.local加入一行:
/usr/bin/swatch -c /etc/swatch.conf - t /var/log/messages &
3.3如果希望Swatch监控多个日志文件,需要多次执行Swatch,如果每类文件的设置不同,相应的conf文件也不同。
3.3.1使用Swatch来自东禁止非法连接。(下面是参考,还没研究过)
http://cubic9.com/Linux/Swatch/
%C9%D4%C0%B5%A5%A2%A5%AF%A5%BB%A5%B9%B4%C6%BB%EB
%2Fswatch
3.4 Swatch时时监视新增加的内容,使用 -t
The -t flag tells Swatch which file it should tail (monitor).
3.5 另一个conf例子:
Some important Swatch switches, listed alphabetically. See the sample config files for specific usage examples:
bell
Make the console beep. You can change the number of beeps; default is 1.
continue
If multiple watchfor sections contain a pattern which could occur in
the same single log entry, then "continue" will tell Swatch to continue
comparing its key patterns to the log entry even after it finds the
first match. Take for example a watchfor section that contains both
/root/ and /login/, and the log line "root: login successful" is
generated. Swatch would normally just execute actions when it saw the
first match -- "root" -- and then stop parsing that line of the log,
thus effectively ignoring the occurrence of "login" in this case.
"Continue" prevents this.
echo
Dump flagged log entries to the console.
exec
Execute whatever shell command follows. See section on chat for examples.
ignore
We can tell Swatch to ignore the things we don't care about. The syntax
for this is ignore /whatever/ where "whatever" is the pattern in
question. The command and the pattern should be separated by spaces or
tabs. Separate each item with the pipe character |.
mail
Send email message to any number of addresses, separated by colons. For
our convenience, we can make the subject line reflect the items flagged
(see sample config file for syntax). The email message body will, by
default, contain the full line of the log entry that triggered Swatch.
throttle
The throttle command keeps the action (whatever follows on the next
line) from being executed too many times at once, which might happen if
the event in question generates multiple lines in the log, which each
contain the string we're watching for. So, we use throttle to suppress
subsequent reportings of the same event for a specified period of time
after the first instance of the event. The format is throttle HH:MM:SS
(hours, minutes, and seconds) and the use=regex option tells Swatch to
use the pattern specified in the watchfor line, as opposed to using the
message body itself, which is the default. For example, the log
messages: "sshd2[PID]: Local disconnected: Connection closed." and
"sshd2[PID]: connection lost: 'Connection closed.'" use slightly
different wording, so the default throttle settings would not work
here. But if we include use=regex, then sshd2 is the determining
string, and thus throttle will work correctly.
watchfor
This is what we use to specify which log entries to watch for, and
subsequently what to do in the instance of such an entry. Separate each
item with the pipe character |.
A sample Swatch configuration file:
Expect to go back and tweak the config file a few times when you first
begin using Swatch. You'll find that some patterns you specify in the
watchfor sections will appear elsewhere in subtle ways, resulting in
unintended flagging by Swatch. For example, if you specify "watchfor
/su/" intending to flag the su command (someone trying to switch to
another user) then Swatch will flag that, but will also trigger on any
log line that contains the word "succeeded" (which appears in the event
of a successful, legitimate login!) Try using "watchfor /root/"
instead. Remember that you can test to see if Swatch is listening and
behaving properly by using the "logger x" command.
# Sample Swatch configuration file for constant monitoring.
ignore /news/
watchfor /restart|panic|halt/
bell
mail=admin@foo.bar:other_admin@bar.foo,subject=Log_Data_Crash
watchfor /SSH|sshd2/ # watch for both the session and the daemon
echo
bell
throttle 0:2:0,use=regex # in case of multiple attempts in rapid succession;
# ssh also generates multiple log lines even for a
# single successful login
mail=admin@foo.bar,subject=Log_Data_SSH
watchfor /blah|blah/ etc...
# End of script (a more detailed sample config file is included at the end of this document)
You can separate different events and have Swatch perform different
alerting routines, based on severity, type, etc.. For example, server
problems like reboots, kernel panics, etc. could be set up to result in
an email with subject line "LogData-Server" while suspicious login
attempts could have subject line "LogData-AuthFail," etc. See the
complete configuration example at the end of this document for more
examples. Breaking things down like this makes it easier for you to
sort the emails generated by Swatch, and you can tell from one glance
at your inbox what kinds of things have been happening on your network.
A good idea is to have redundant alert methods available to Swatch,
especially for the more critical events. For example, specify multiple
email addresses (preferably belonging to multiple people who can find
you) in the more important watchfor sections.
3.6另一个conf例子
Swatch Rules
The main configuration file is /etc/swatch/swatch.conf. Here is a good example:
File: /etc/swatch/swatch.conf |
# Global swatch filter file
# To ignore a IP-range ignore /216\.239\.37\./
# Invalid SSH Login Attempts watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/ throttle threshold=3,delay=0:1:0,key=$4 mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added" exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Failed SSH Login Attempts watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/ throttle threshold=3,delay=0:1:0,key=$4 mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added" exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Invalid SSH Login Attempts. Another one - just formed differently watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/ throttle threshold=3,delay=0:1:0,key=$4 mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added" exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
|
A little explanation of whats being done:
ignore /216\.239\.37\./
This is to ignore, in this case, a IP-range. Very usefull to minimize the possibility that you lock yourself out.
watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/ watchfor /(:
[fF]ailed password for )(.*)( from )(.*)( port )(.*)$/ watchfor
/([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from
)(.*)$/
This is to search our logs for the string between //. The parens in
the first watchfor are important - they break up the log file line into
chucks that are used for $1,$2,$3, ... $n. In this case, for example,
$1 is ": Invalid User "; $2 is all the junk in the first (.*); $3 is "
from "; and $4 is all the junk in the second (.*) -- which happens to
be the IP address you want. Note: the $ at the end signifies end of
line. Also, note that the $4 works in both the first and third watchfor
code block -- this is pure coincidence and you may need to change the
$4 to a different paren set if you are working with your own custom
watchfor block.
throttle threshold=3,delay=0:1:0,key=$4
- The "key" tell swatch how to identify the log line. We
can't use the whole string here, because the same attacker (ie the same
IP) will probably try multiple user names. The key can refer to one of
the parens set in the search string (here, $4 = the IP).
- The "threshold" is the number of times swatch need to see the "key" to execute the actions below.
- The "delay" is the validity of each "key". When older that 'delay', the "key" is discarded. Use a syntax like HH:MM:SS.
Note: If this does work in 3.1.1, it may not work with loggers such
as metalog, because it says instead "Last output repeated N times" So
naturally swatch won't find multiple occurances often in those cases.
mail addresses=admin\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
Mail a user stating that a new rule has been added to iptables.
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
Add the offending ip to "swatch_rejects" and drop all future
incoming packets from that address. If you are using shorewall, you can
define in this way:
exec "/sbin/shorewall drop $4"
3.7
Another way to control swatch to a greater degree is to specify what
time of day a given action may be performed. You can do this by
sticking a “when=” option after any action. For example, below I've got
a .swatchrc entry for a medium-importance event I want to know about
via console messages during weekdays, but I'll need e-mail messages to
know about it during the weekend. To do this I set the when option:
/file system full/ echo=red mail addresses=mick\@visi.com, subject=Volume_Full,when=7-1:1-24
The syntax of the when= option is when=range_of_days:range_of_hours.
Thus, we see that any time the message “file system full” is logged,
swatch will echo the log entry to the console in red ink. It will also
send e-mail, but only if it's Saturday (“7”) or Sunday (“1”).