2
0
Fork 0
mirror of https://github.com/munin-monitoring/contrib.git synced 2018-11-08 00:59:34 +01:00
contrib-munin/plugins/ssh/sshd_log
Thomas Riccardi 8f68d6e697 sshd_log: allow both types GAUGE and DERIVE, default to GAUGE
In fact for journald mode internally it really is type ABSOLUTE, because
we use journald cursor to get only new logs on each collect. It results
in the same value as with a plain log file and type DERIVE: it's the
rate of events.

type=DERIVE is best for servers with lots of ssh traffic.
2018-04-29 01:49:43 +02:00

180 lines
5.1 KiB
Bash
Executable file

#!/bin/sh
: <<=cut
=head1 NAME
sshd_log - Munin plugin to monitor auth.log or journald for sshd
server events.
=head1 CONFIGURATION
This plugin requires read permission for the logfile or journald.
On busy servers you can change value type to COUNTER and set min to 0
to avoid minus peaks at logrotate.
The following environment variables are used by this plugin:
logfile - path to the auth log file, or "journald" to use journald.
default: /var/log/secure
journalctlargs - space separated list of arguments to pass to
journalctl to get the sshd logs.
default: _COMM=sshd
type - "GAUGE" or "DERIVE"
default: GAUGE
If the "logfile" environment variable is set to "journald" the sshd
logs are read from journald, filtering on program "sshd". The filtering
may be changed using "journalctlargs".
Config examples for /etc/munin/plugin-conf.d/munin-node:
[sshd_log]
user root
group root
env.logfile /var/log/messages
Config example with journald:
[sshd_log]
group systemd-journal
env.logfile journald
Config example with journald on the sshd.service unit only:
[sshd_log]
group systemd-journal
env.logfile journald
env.journalctlargs --unit=sshd.service
Config example with journald and type DERIVE:
[sshd_log]
group systemd-journal
env.logfile journald
env.type DERIVE
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=head1 AUTHOR
Revision 2.0 2016/11/11 15:42:00 Thomas Riccardi
Revision 1.2 2010/03/19 15:03:00 pmoranga
Revision 1.1 2009/04/26 23:28:00 ckujau
Revision 1.0 2009/04/22 22:00:00 zlati
=cut
# Script parameters:
#
# config (required)
# autoconf (optional - used by munin-config)
LOG=${logfile:-/var/log/secure}
JOURNALCTL_ARGS=${journalctlargs:-_COMM=sshd}
TYPE=${type:-GAUGE}
if [ "$LOG" = "journald" -a "$TYPE" = "DERIVE" ]; then
TYPE=ABSOLUTE
fi
if [ "$1" = "autoconf" ]; then
if [ "$LOG" = "journald" ]; then
# shellcheck disable=SC2086,SC2034
if journalctl --no-pager --quiet --lines=1 $JOURNALCTL_ARGS | read -r DUMMY; then
echo "yes"
else
echo "no (journald empty log for '$JOURNALCTL_ARGS' not found)"
fi
else
if [ -r "$LOG" ]; then
echo "yes"
else
echo "no (logfile '$LOG' not readable)"
fi
fi
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title SSHD login stats from' "$LOG"
echo 'graph_args --base 1000 -l 0'
echo 'graph_vlabel logins'
echo 'graph_category' security
echo 'LogPass.label Successful password logins'
echo 'LogPass.min 0'
echo 'LogPass.type' "$TYPE"
echo 'LogPassPAM.label Successful login via PAM'
echo 'LogPassPAM.min 0'
echo 'LogPassPAM.type' "$TYPE"
echo 'LogKey.label Successful PublicKey logins'
echo 'LogKey.min 0'
echo 'LogKey.type' "$TYPE"
echo 'NoID.label No identification from user'
echo 'NoID.min 0'
echo 'NoID.type' "$TYPE"
echo 'rootAttempt.label Root login attempts'
echo 'rootAttempt.min 0'
echo 'rootAttempt.type' "$TYPE"
echo 'InvUsr.label Invalid user login attempts'
echo 'InvUsr.min 0'
echo 'InvUsr.type' "$TYPE"
echo 'NoRDNS.label No reverse DNS for peer'
echo 'NoRDNS.min 0'
echo 'NoRDNS.type' "$TYPE"
echo 'Breakin.label Potential Breakin Attempts'
echo 'Breakin.min 0'
echo 'Breakin.type' "$TYPE"
exit 0
fi
if [ "$LOG" = "journald" -a "$TYPE" = "ABSOLUTE" ]; then
CURSOR_FILE="$MUNIN_STATEFILE"
# read cursor
# format: "journald-cursor <cursor>"
CURSOR=
if [ -f "$CURSOR_FILE" ]; then
CURSOR=$(awk '/^journald-cursor / {print $2}' "$CURSOR_FILE")
fi
else
CURSOR_FILE=
fi
if [ "$LOG" = "journald" ]; then
# shellcheck disable=SC2086
if [ "$TYPE" = "ABSOLUTE" ]; then
journalctl --no-pager --quiet --show-cursor ${CURSOR:+"--after-cursor=$CURSOR"} $JOURNALCTL_ARGS
else
journalctl --no-pager --quiet --since=$(date -dlast-sunday +%Y-%m-%d) $JOURNALCTL_ARGS
fi
else
cat "$LOG"
fi | \
awk -v cursor_file="$CURSOR_FILE" 'BEGIN{c["LogPass"]=0;c["LogKey"]=0;c["NoID"]=0;c["rootAttempt"]=0;c["InvUsr"]=0;c["LogPassPAM"]=0;c["Breakin"]=0;c["NoRDNS"]=0; }
/sshd\[.*Accepted password for/{c["LogPass"]++}
/sshd\[.*Accepted publickey for/{c["LogKey"]++}
/sshd\[.*Did not receive identification string/{c["NoID"]++}
/sshd\[.*Failed password for root/{c["rootAttempt"]++}
/sshd\[.*Invalid user/{c["InvUsr"]++}
/sshd\[.*POSSIBLE BREAK-IN ATTEMPT!/{c["Breakin"]++}
/sshd\[.*keyboard-interactive\/pam/{c["LogPassPAM"]++}
/sshd\[.*reverse mapping checking getaddrinfo/{c["NoRDNS"]++}a
END{if (cursor_file != "") { print "journald-cursor " $3 > cursor_file };for(i in c){print i".value " c[i]} }'