2
0
mirror of https://github.com/munin-monitoring/contrib.git synced 2018-11-08 00:59:34 +01:00
contrib-munin/plugins/ssh/sshd_log

181 lines
5.1 KiB
Plaintext
Raw Normal View History

#!/bin/sh
2016-11-12 15:38:29 +01:00
: <<=cut
=head1 NAME
sshd_log - Munin plugin to monitor auth.log or journald for sshd
server events.
=head1 CONFIGURATION
This plugin requires read permission for the logfile or journald.
On busy servers you can change value type to COUNTER and set min to 0
to avoid minus peaks at logrotate.
The following environment variables are used by this plugin:
logfile - path to the auth log file, or "journald" to use journald.
default: /var/log/secure
journalctlargs - space separated list of arguments to pass to
journalctl to get the sshd logs.
default: _COMM=sshd
type - "GAUGE" or "DERIVE"
default: GAUGE
2016-11-12 15:38:29 +01:00
If the "logfile" environment variable is set to "journald" the sshd
logs are read from journald, filtering on program "sshd". The filtering
may be changed using "journalctlargs".
2016-11-12 15:38:29 +01:00
Config examples for /etc/munin/plugin-conf.d/munin-node:
[sshd_log]
user root
group root
env.logfile /var/log/messages
Config example with journald:
[sshd_log]
group systemd-journal
env.logfile journald
Config example with journald on the sshd.service unit only:
[sshd_log]
group systemd-journal
env.logfile journald
env.journalctlargs --unit=sshd.service
2016-11-12 15:38:29 +01:00
Config example with journald and type DERIVE:
[sshd_log]
group systemd-journal
env.logfile journald
env.type DERIVE
2016-11-12 15:38:29 +01:00
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=head1 AUTHOR
Revision 2.0 2016/11/11 15:42:00 Thomas Riccardi
Revision 1.2 2010/03/19 15:03:00 pmoranga
Revision 1.1 2009/04/26 23:28:00 ckujau
Revision 1.0 2009/04/22 22:00:00 zlati
=cut
# Script parameters:
#
# config (required)
# autoconf (optional - used by munin-config)
2016-11-12 15:38:29 +01:00
LOG=${logfile:-/var/log/secure}
JOURNALCTL_ARGS=${journalctlargs:-_COMM=sshd}
TYPE=${type:-GAUGE}
if [ "$LOG" = "journald" -a "$TYPE" = "DERIVE" ]; then
TYPE=ABSOLUTE
fi
if [ "$1" = "autoconf" ]; then
if [ "$LOG" = "journald" ]; then
# shellcheck disable=SC2086,SC2034
if journalctl --no-pager --quiet --lines=1 $JOURNALCTL_ARGS | read -r DUMMY; then
echo "yes"
else
echo "no (journald empty log for '$JOURNALCTL_ARGS' not found)"
fi
else
if [ -r "$LOG" ]; then
echo "yes"
else
echo "no (logfile '$LOG' not readable)"
fi
fi
exit 0
fi
if [ "$1" = "config" ]; then
2016-11-12 15:00:18 +01:00
echo 'graph_title SSHD login stats from' "$LOG"
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel logins'
echo 'graph_category' security
echo 'LogPass.label Successful password logins'
echo 'LogPass.min 0'
echo 'LogPass.type' "$TYPE"
echo 'LogPassPAM.label Successful login via PAM'
echo 'LogPassPAM.min 0'
echo 'LogPassPAM.type' "$TYPE"
echo 'LogKey.label Successful PublicKey logins'
echo 'LogKey.min 0'
echo 'LogKey.type' "$TYPE"
echo 'NoID.label No identification from user'
echo 'NoID.min 0'
echo 'NoID.type' "$TYPE"
echo 'rootAttempt.label Root login attempts'
echo 'rootAttempt.min 0'
echo 'rootAttempt.type' "$TYPE"
2016-11-13 20:43:46 +01:00
echo 'InvUsr.label Invalid user login attempts'
echo 'InvUsr.min 0'
echo 'InvUsr.type' "$TYPE"
echo 'NoRDNS.label No reverse DNS for peer'
echo 'NoRDNS.min 0'
echo 'NoRDNS.type' "$TYPE"
echo 'Breakin.label Potential Breakin Attempts'
echo 'Breakin.min 0'
echo 'Breakin.type' "$TYPE"
exit 0
fi
if [ "$LOG" = "journald" -a "$TYPE" = "ABSOLUTE" ]; then
CURSOR_FILE="$MUNIN_STATEFILE"
# read cursor
# format: "journald-cursor <cursor>"
CURSOR=
if [ -f "$CURSOR_FILE" ]; then
CURSOR=$(awk '/^journald-cursor / {print $2}' "$CURSOR_FILE")
fi
else
CURSOR_FILE=
fi
if [ "$LOG" = "journald" ]; then
# shellcheck disable=SC2086
if [ "$TYPE" = "ABSOLUTE" ]; then
journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} $JOURNALCTL_ARGS
else
journalctl --no-pager --quiet --since=$(date -dlast-sunday +%Y-%m-%d) $JOURNALCTL_ARGS
fi
else
2016-11-12 15:00:18 +01:00
cat "$LOG"
fi | \
awk -v cursor_file="$CURSOR_FILE" 'BEGIN{c["LogPass"]=0;c["LogKey"]=0;c["NoID"]=0;c["rootAttempt"]=0;c["InvUsr"]=0;c["LogPassPAM"]=0;c["Breakin"]=0;c["NoRDNS"]=0; }
/sshd\[.*Accepted password for/{c["LogPass"]++}
/sshd\[.*Accepted publickey for/{c["LogKey"]++}
/sshd\[.*Did not receive identification string/{c["NoID"]++}
/sshd\[.*Failed password for root/{c["rootAttempt"]++}
/sshd\[.*Invalid user/{c["InvUsr"]++}
/sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/{c["Breakin"]++}
/sshd\[.*keyboard-interactive\/pam/{c["LogPassPAM"]++}
/sshd\[.*reverse mapping checking getaddrinfo/{c["NoRDNS"]++}a
END{if (cursor_file != "") { print "journald-cursor " $3 > cursor_file };for(i in c){print i".value " c[i]} }'