Juejin Backend • 2024-07-01 17:45

In day-to-day operations you usually need to monitor SSH logins on every system. To make the sshd log easier to parse, the raw syslog lines are converted into JSON.

Below, rsyslog (an open-source system logging daemon) is used to write the sshd log lines as JSON records to the file /var/log/sshd_json.log.

Environment:

1》Rocky Linux release 8.9 (kernel 4.18.0)

2》rsyslogd 8.2102.0, openssh-server-8.0p1 (the sshd service)

The steps are as follows:

Deploy and configure the rsyslog service

1. Install the system log daemon

sudo dnf install rsyslog

2. Define a JSON template and write the matching log lines in that format

# cat /etc/rsyslog.d/sshd.conf
# List template that emits one JSON object per message. format="json" escapes
# quotes, backslashes and control characters in the message text; the other
# fields (timestamp, hostname, app-name, procid) are written unescaped.
template(name="JsonFormat" type="list") {
    constant(value="{")
    constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"hostname\":\"")    property(name="hostname")
    constant(value="\",\"app-name\":\"")    property(name="app-name")
    constant(value="\",\"procid\":\"")      property(name="procid")
    constant(value="\",\"message\":\"")     property(name="msg" format="json")
    constant(value="\"}\n")
}

# Select sshd and systemd-logind messages and write them with the JSON template
if $programname == 'sshd' or $programname == 'systemd-logind' then {
    action(type="omfile" file="/var/log/sshd_json.log" template="JsonFormat")
}

systemd-logind is included because its "New session N of user X" / "Removed session N" lines tie a login to a logind session ID. The output file holds usernames and client addresses, so protect it like /var/log/secure: restrict its mode (omfile accepts fileCreateMode="0600") and add it to logrotate, since nothing rotates it by default.

3. Make sure the following line in /etc/rsyslog.conf is present and not commented out (it is in the stock Rocky Linux 8 configuration), otherwise the drop-in file above is never loaded

# /etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")

4. Check the configuration (rsyslogd -N1 validates the syntax without starting the daemon), then restart rsyslog so the change takes effect

systemctl restart rsyslog.service

Parsing SSH login log lines

Raw log

# /var/log/secure
Jun 30 16:29:28 a3 sshd[2680]: Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM
Jun 30 16:29:28 a3 systemd-logind[756]: New session 13 of user root.
Jun 30 16:29:28 a3 sshd[2680]: pam_unix(sshd:session): session opened for user root by (uid=0)

The same lines as JSON (shown pretty-printed here; the file itself holds one object per line, so consumers should read it as newline-delimited JSON)

// /var/log/sshd_json.log
{
    "timestamp": "2024-06-30T16:39:31.222920+08:00",
    "hostname": "a3",
    "app-name": "sshd",
    "procid": "2680",
    "message": "Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"
}
{
    "timestamp": "2024-06-30T16:39:31.236649+08:00",
    "hostname": "a3",
    "app-name": "systemd-logind",
    "procid": "756",
    "message": "New session 13 of user root."
}
{
    "timestamp": "2024-06-30T16:39:31.239941+08:00",
    "hostname": "a3",
    "app-name": "sshd",
    "procid": "2680",
    "message": "pam_unix(sshd:session): session opened for user root by (uid=0)"
}

Parsing SSH logout log lines

Raw log

# /var/log/secure
Jun 30 16:29:49 a3 sshd[2683]: Received disconnect from 192.168.31.201 port 37680:11: disconnected by user
Jun 30 16:29:49 a3 sshd[2683]: Disconnected from user root 192.168.31.201 port 37680
Jun 30 16:29:49 a3 sshd[2680]: pam_unix(sshd:session): session closed for user root
Jun 30 16:29:49 a3 systemd-logind[756]: Session 13 logged out. Waiting for processes to exit.
Jun 30 16:29:49 a3 systemd-logind[756]: Removed session 13.

The same lines as JSON (pretty-printed here, one object per line in the file)

// /var/log/sshd_json.log
{
    "timestamp": "2024-06-30T16:41:47.414181+08:00",
    "hostname": "a3",
    "app-name": "sshd",
    "procid": "2683",
    "message": "Received disconnect from 192.168.31.201 port 37680:11: disconnected by user"
}
{
    "timestamp": "2024-06-30T16:41:47.415198+08:00",
    "hostname": "a3",
    "app-name": "sshd",
    "procid": "2683",
    "message": "Disconnected from user root 192.168.31.201 port 37680"
}
....
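The records above are the input a monitoring script would consume. The following Python script is an added example, not part of the original post: it reads the newline-delimited JSON the rsyslog template produces, recognises the login, pam session and disconnect messages shown in the login and logout sections above, and pairs each "Accepted" line with the later "session closed" line written by the same sshd pid to produce login sessions with their duration. It also counts "Failed password" lines, which the post does not show but which sshd writes in the same shape. The sample records are constructed to mirror the page's output; the failed-login line, its source address 203.0.113.7 and pid 2690 are invented for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample of /var/log/sshd_json.log: one JSON object per line,
# mirroring the records shown above plus a failed login (203.0.113.7 is a
# documentation address, pid 2690 is made up) that the post does not show.
SAMPLE_LOG = "\n".join([
    '{"timestamp":"2024-06-30T16:39:31.222920+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"Accepted publickey for root from 192.168.31.201 port 37680 ssh2: RSA SHA256:MO4xpAhc5wXQc022zmMhPlZKFUrFBGGoaPAP54WtaGM"}',
    '{"timestamp":"2024-06-30T16:39:31.236649+08:00","hostname":"a3","app-name":"systemd-logind","procid":"756","message":"New session 13 of user root."}',
    '{"timestamp":"2024-06-30T16:39:31.239941+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session opened for user root by (uid=0)"}',
    '{"timestamp":"2024-06-30T16:40:02.100000+08:00","hostname":"a3","app-name":"sshd","procid":"2690","message":"Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2"}',
    '{"timestamp":"2024-06-30T16:41:47.414181+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Received disconnect from 192.168.31.201 port 37680:11: disconnected by user"}',
    '{"timestamp":"2024-06-30T16:41:47.415198+08:00","hostname":"a3","app-name":"sshd","procid":"2683","message":"Disconnected from user root 192.168.31.201 port 37680"}',
    '{"timestamp":"2024-06-30T16:41:47.420000+08:00","hostname":"a3","app-name":"sshd","procid":"2680","message":"pam_unix(sshd:session): session closed for user root"}',
])

# Message shapes sshd writes; each is matched as a prefix, so trailing key
# details such as "ssh2: RSA SHA256:..." are ignored.
PATTERNS = [
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed", re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("session_opened", re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")),
    ("session_closed", re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")),
    ("disconnected", re.compile(r"^Disconnected from (?:user (?P<user>\S+) )?(?P<ip>\S+) port (?P<port>\d+)")),
]


def parse_records(text):
    """Yield one dict per JSON line; skip lines that do not parse (for
    example a line cut in half by log rotation) instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(rec):
    """Turn a record into a typed event, or None for messages not tracked."""
    if rec.get("app-name") != "sshd":
        return None
    msg = rec.get("message", "").lstrip()  # tolerate a leading space in msg
    for kind, pattern in PATTERNS:
        m = pattern.match(msg)
        if m:
            return {
                "kind": kind,
                "ts": datetime.fromisoformat(rec["timestamp"]),
                "host": rec["hostname"],
                "procid": rec["procid"],
                **m.groupdict(),
            }
    return None


def build_sessions(events):
    """Pair each 'accepted' with the later pam 'session closed' written by the
    same sshd pid on the same host. The 'Disconnected from' lines come from a
    different pid (2683 vs 2680 in the sample), so the pid is only a reliable
    key between the Accepted line and the pam session lines."""
    open_sessions, sessions = {}, []
    for ev in events:
        key = (ev["host"], ev["procid"])
        if ev["kind"] == "accepted":
            open_sessions[key] = ev
        elif ev["kind"] == "session_closed" and key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({
                "host": ev["host"], "user": start["user"], "ip": start["ip"],
                "port": start["port"], "method": start["method"],
                "start": start["ts"], "end": ev["ts"],
                "duration_s": (ev["ts"] - start["ts"]).total_seconds(),
            })
    return sessions, list(open_sessions.values())


def summarize(text):
    """Parse JSON log text into events, completed sessions, sessions still
    open at the end of the file, and failed-login counts per source address."""
    events = [e for e in map(classify, parse_records(text)) if e]
    sessions, still_open = build_sessions(events)
    failed_by_ip = {}
    for ev in events:
        if ev["kind"] == "failed":
            failed_by_ip[ev["ip"]] = failed_by_ip.get(ev["ip"], 0) + 1
    return {"events": events, "sessions": sessions,
            "open": still_open, "failed_by_ip": failed_by_ip}


if __name__ == "__main__":
    # For a real run: summarize(open("/var/log/sshd_json.log").read())
    result = summarize(SAMPLE_LOG)
    for s in result["sessions"]:
        print(f'{s["host"]}: {s["user"]} from {s["ip"]}:{s["port"]} via {s["method"]}, '
              f'{s["start"].isoformat()} -> {s["end"].isoformat()} ({s["duration_s"]:.3f}s)')
    print("still open:", len(result["open"]))
    print("failed logins by source:", result["failed_by_ip"])
```

Sessions that are still open when the file ends are returned separately rather than dropped, which is what you want when the script runs on a live file; a disconnect without a matching "Accepted" (for example a connection that never authenticated) simply produces no session.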