In day-to-day operations work it is usually necessary to monitor SSH logins across all systems. To make the relevant SSH logs easier to parse, the raw SSH log lines need to be converted into JSON format.
Below I use rsyslog (an open-source system logging service) to parse the SSH logs into JSON format and save them to the file /var/log/sshd_json.log.
Environment:
1》Rocky Linux release 8.9 (kernel 4.18.0)
2》rsyslogd 8.2102.0, openssh-server-8.0p1 (the sshd service)
The specific steps are as follows:
Deploy and configure the rsyslog service
1、Install the system log management program
sudo dnf install rsyslog
2、Define a custom JSON template that parses the relevant logs into JSON format
# cat /etc/rsyslog.d/sshd.conf
template(name="JsonFormat" type="list") {
constant(value="{")
constant(value="\"timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"hostname\":\"") property(name="hostname")
constant(value="\",\"app-name\":\"") property(name="app-name")
constant(value="\",\"procid\":\"") property(name="procid")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\"}\n")
}
# Filter the logs and apply the custom JSON format
if $programname == 'sshd' or $programname == 'systemd-logind' then {
action(type="omfile" file="/var/log/sshd_json.log" template="JsonFormat")
}
3、Make sure the following configuration item is enabled
# /etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
4、Restart the rsyslog service so the configuration takes effect
systemctl restart rsyslog.service
Parsing SSH login logs
Raw log
# /var/log/secure
Jun 30 16:29:28 a3 sshd[2680]: Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM
Jun 30 16:29:28 a3 systemd-logind[756]: New session 13 of user root.
Jun 30 16:29:28 a3 sshd[2680]: pam_unix(sshd:session): session opened for user root by (uid=0)
Log parsed into JSON format
// /var/log/sshd_json.log
{
"timestamp": "2024-06-30T16:39:31.222920+08:00",
"hostname": "a3",
"app-name": "sshd",
"procid": "2680",
"message": "Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"
}
{
"timestamp": "2024-06-30T16:39:31.236649+08:00",
"hostname": "a3",
"app-name": "systemd-logind",
"procid": "756",
"message": "New session 13 of user root."
}
{
"timestamp": "2024-06-30T16:39:31.239941+08:00",
"hostname": "a3",
"app-name": "sshd",
"procid": "2680",
"message": "pam_unix(sshd:session): session opened for user root by (uid=0)"
}
Parsing SSH logout logs
Raw log
# /var/log/secure
Jun 30 16:29:49 a3 sshd[2683]: Received disconnect from 192.168.31.201 port 37680:11: disconnected by user
Jun 30 16:29:49 a3 sshd[2683]: Disconnected from user root 192.168.31.201 port 37680
Jun 30 16:29:49 a3 sshd[2680]: pam_unix(sshd:session): session closed for user root
Jun 30 16:29:49 a3 systemd-logind[756]: Session 13 logged out. Waiting for processes to exit.
Jun 30 16:29:49 a3 systemd-logind[756]: Removed session 13.
Log parsed into JSON format
// /var/log/sshd_json.log
{
"timestamp": "2024-06-30T16:41:47.414181+08:00",
"hostname": "a3",
"app-name": "sshd",
"procid": "2683",
"message": "Received disconnect from 192.168.31.201 port 37680:11: disconnected by user"
}
{
"timestamp": "2024-06-30T16:41:47.415198+08:00",
"hostname": "a3",
"app-name": "sshd",
"procid": "2683",
"message": "Disconnected from user root 192.168.31.201 port 37680"
}
....
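As an added example that is not part of the original post, the script below reads records in the form the JsonFormat template actually writes (one JSON object per line) and turns the sshd and systemd-logind messages shown in the login and logout sections above into structured events, pairing each session's login and logout by the sshd procid. The sample records are constructed from the page's own output, plus a constructed "session closed" record (the page's logout output is truncated) and a constructed non-JSON line to exercise the error path; the Failed-login pattern is an assumption that goes beyond the page's sample, based on sshd's standard message format. Because the template applies format="json" only to msg (hostname, app-name and procid are written raw), the parser reports lines that fail to decode instead of dropping them silently.

```python
"""Turn rsyslog JsonFormat records for sshd/systemd-logind into login/logout events.

Added example, not code from the original post. Input is one JSON object per line,
as the JsonFormat template emits. Sample data below is constructed from the page.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Message texts that appear in the page's sample logs, plus the "Failed <method>"
# form sshd uses for rejected logins (assumption: not in the page's sample).
PATTERNS = [
    ("login_accepted",
     re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("login_failed",
     re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("session_opened",
     re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")),
    ("session_closed",
     re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")),
    ("disconnected",
     re.compile(r"^Disconnected from user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")),
    ("logind_new_session",
     re.compile(r"^New session (?P<session>\d+) of user (?P<user>\S+)\.")),
    ("logind_removed_session",
     re.compile(r"^Removed session (?P<session>\d+)\.")),
]


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map one decoded record to an event dict, or None for messages we do not track."""
    # rsyslog's msg property can keep the leading space after "sshd[pid]:", so strip it.
    msg = record.get("message", "").lstrip()
    for event, pattern in PATTERNS:
        m = pattern.match(msg)
        if m:
            ev = {"event": event, "timestamp": record["timestamp"],
                  "host": record["hostname"], "procid": record["procid"]}
            ev.update(m.groupdict())
            return ev
    return None


def parse_lines(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Tuple[int, str]]]:
    """Decode JSON lines and classify them. Returns (events, bad_lines).

    Lines that are not valid JSON are reported with their line number rather than
    skipped: the template JSON-escapes only the msg field, so a stray quote in
    another field would surface here.
    """
    events, bad = [], []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad.append((n, line))
            continue
        ev = classify(rec)
        if ev:
            events.append(ev)
    return events, bad


def sessions_by_procid(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, Optional[str]]]:
    """Pair 'Accepted' with 'session closed' using (host, sshd procid) as the key.

    Both lines come from the same privileged sshd process (procid 2680 in the page),
    while the 'Disconnected' lines come from the unprivileged child (2683).
    """
    sessions: Dict[Tuple[str, str], Dict[str, Optional[str]]] = {}
    for ev in events:
        key = (ev["host"], ev["procid"])
        if ev["event"] == "login_accepted":
            sessions[key] = {"user": ev["user"], "ip": ev["ip"], "port": ev["port"],
                             "method": ev["method"], "login": ev["timestamp"], "logout": None}
        elif ev["event"] == "session_closed" and key in sessions:
            sessions[key]["logout"] = ev["timestamp"]
    return sessions


# Constructed sample: the page's records on one line each, plus a constructed
# 'session closed' record and a constructed non-JSON line.
SAMPLE_LINES = [
    '{"timestamp":"2024-06-30T16:39:31.222920+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"}',
    '{"timestamp":"2024-06-30T16:39:31.236649+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"New session 13 of user root."}',
    '{"timestamp":"2024-06-30T16:39:31.239941+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session opened for user root by (uid=0)"}',
    '{"timestamp":"2024-06-30T16:41:47.414181+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Received disconnect from 192.168.31.201 port 37680:11: disconnected by user"}',
    '{"timestamp":"2024-06-30T16:41:47.415198+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Disconnected from user root 192.168.31.201 port 37680"}',
    '{"timestamp":"2024-06-30T16:41:47.416000+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session closed for user root"}',
    'this line is not json',
]

if __name__ == "__main__":
    evs, bad_lines = parse_lines(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    for n, text in bad_lines:
        print(f"line {n}: not valid JSON: {text!r}")
    for key, sess in sessions_by_procid(evs).items():
        print(key, sess)
```

To run it against the real file, replace SAMPLE_LINES with `open("/var/log/sshd_json.log")`; the file is written by rsyslog as root, so the reader needs read access to it.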