Question edit history

1

Tidied up the formatting

2021/09/24 10:32

Posted

kurenai_taka

Score 0

@@ -1,4 +1,4 @@
1
- 皆さま。
1
+ ### 前提・実現したいこと
2
2
 
3
3
 
4
4
 
@@ -14,6 +14,10 @@
14
14
 
15
15
 
16
16
 
17
+ ### 発生している問題
18
+
19
+
20
+
17
21
  色々確認した所、rsyslogでログがフィルタに引っかからない為、結果的に通知がされないのが原因と考えているのですが、なぜ引っかからないのかがわからず行き詰まってしまいました。
18
22
 
19
23
 
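Review bot: the new 発生している問題 section says the line does not match the rsyslog filter but not how that was established; since the message comes from a remote host over UDP/TCP 514, stating whether it appears in /var/log/messages at all (the `*.info;mail.none;authpriv.none;cron.none /var/log/messages` rule further down would write it there) and whether omprog ever starts WebHook_Slack_stdin.sh would let readers separate a reception or priority problem from a filter problem.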
@@ -24,153 +28,173 @@
24
28
 
25
29
  今回検知したいログは下記のような形になっています。
26
30
 
27
- -----------
28
-
29
- Sep 23 16:44:56 gateway PP[ANONYMOUS01] Call detected from user 'test'
31
+ > Sep 23 16:44:56 gateway PP[ANONYMOUS01] Call detected from user 'test'
30
-
32
+
33
+
34
+
35
+
36
+
31
- -----------
37
+ ### 設定および作成したシェルスクリプト
32
38
 
33
39
 
34
40
 
35
41
  Slackに飛ばすためのConfは下記の通り
36
42
 
37
- --------------------
43
+
38
44
 
39
45
  /etc/rsyslog.d/00_slack.conf
40
46
 
41
-
42
-
47
+
48
+
43
- $template login_msg, "%timegenerated% %fromhost% %msg%\n"
49
+ > $template login_msg, "%timegenerated% %fromhost% %msg%\n"
50
+
44
-
51
+ >
45
-
46
-
52
+
47
- module(load="omprog")
53
+ > module(load="omprog")
54
+
48
-
55
+ >
49
-
50
-
56
+
51
- if $msg contains 'Call detected from user' \
57
+ > if $msg contains 'Call detected from user' \
52
-
58
+
53
- then {
59
+ > then {
54
-
60
+
55
- action(
61
+ > action(
56
-
62
+
57
- type="omprog"
63
+ > type="omprog"
58
-
64
+
59
- binary="/etc/rsyslog.d/WebHook_Slack_stdin.sh"
65
+ > binary="/etc/rsyslog.d/WebHook_Slack_stdin.sh"
60
-
66
+
61
- template="login_msg"
67
+ > template="login_msg"
62
-
63
- )
68
+
64
-
65
- }
66
-
67
- --------------------
69
+ > )
70
+
71
+ > }
72
+
73
+
68
74
 
69
75
 
70
76
 
71
77
  Slackへ飛ばすためのWebhookシェルスクリプトは単体にて動作確認済み。
72
78
 
73
- ---------------------------
79
+
74
80
 
75
81
  /etc/rsyslog.d/WebHook_Slack_stdin.sh
76
82
 
77
83
 
78
84
 
79
- #!/bin/bash
85
+ > #!/bin/bash
86
+
80
-
87
+ >
81
-
82
-
88
+
83
- WEBHOOK_URL='https://hooks.slack.com/xxxxxxxx'
89
+ > WEBHOOK_URL='https://hooks.slack.com/xxxxxxxx'
90
+
84
-
91
+ >
85
-
86
-
92
+
87
- while read LINE; do
93
+ > while read LINE; do
88
-
94
+
89
- MESSAGE=`echo $LINE | sed -z 's/\n//g'`
95
+ > MESSAGE=`echo $LINE | sed -z 's/\n//g'`
90
-
96
+
91
- curl -X POST --data-urlencode "payload={\"channel\": \"#nagios\", \"username\": \"Aleat_bot\", \"icon_emoji\": \":computer:\", \"text\": \"${MESSAGE}\"}" $WEBHOOK_URL
97
+ > curl -X POST --data-urlencode "payload={\"channel\": \"#nagios\", \"username\": \"Aleat_bot\", \"icon_emoji\": \":computer:\", \"text\": \"${MESSAGE}\"}" $WEBHOOK_URL
92
-
98
+
93
- done
99
+ > done
94
-
95
- --------------------
100
+
101
+
96
102
 
97
103
 
98
104
 
99
105
  rsyslog.confはほぼデフォルトになります(コメントアウト行割愛)
100
106
 
101
- --------------------
102
-
103
- #### MODULES ####
104
-
105
-
106
-
107
- $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
108
-
109
- $ModLoad imjournal # provides access to the systemd journal
110
-
111
-
112
-
113
- # Provides UDP syslog reception
114
-
115
- $ModLoad imudp
116
-
117
- $UDPServerRun 514
118
-
119
-
120
-
121
- # Provides TCP syslog reception
122
-
123
- $ModLoad imtcp
124
-
125
- $InputTCPServerRun 514
126
-
127
-
128
-
129
- $AllowedSender UDP, 127.0.0.1, 192.168.107.0/24 # UDPの場合
130
-
131
- $AllowedSender TCP, 127.0.0.1, 192.168.107.0/24 # TCPの場合
132
-
133
-
134
-
135
- #### GLOBAL DIRECTIVES ####
136
-
137
- $WorkDirectory /var/lib/rsyslog
138
-
139
- $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
140
-
141
- $IncludeConfig /etc/rsyslog.d/*.conf
142
-
143
- $OmitLocalLogging on
144
-
145
-
146
-
147
- # File to store the position in the journal
148
-
149
- $IMJournalStateFile imjournal.state
150
-
151
-
152
-
153
- #### RULES ####
154
-
155
- *.info;mail.none;authpriv.none;cron.none /var/log/messages
156
-
157
- authpriv.* /var/log/secure
158
-
159
- mail.* -/var/log/maillog
160
-
161
- cron.* /var/log/cron
162
-
163
- *.emerg :omusrmsg:*
164
-
165
- uucp,news.crit /var/log/spooler
166
-
167
- local7.* /var/log/boot.log
168
-
169
-
170
-
171
- # ### begin forwarding rule ###
172
-
173
- --------------------
107
+
108
+
109
+ >
110
+
111
+ > $ModLoad imuxsock
112
+
113
+ > $ModLoad imjournal
114
+
115
+ >
116
+
117
+ > $ModLoad imudp
118
+
119
+ > $UDPServerRun 514
120
+
121
+ >
122
+
123
+ > $ModLoad imtcp
124
+
125
+ > $InputTCPServerRun 514
126
+
127
+ >
128
+
129
+ > $AllowedSender UDP, 127.0.0.1, 192.168.107.0/24
130
+
131
+ > $AllowedSender TCP, 127.0.0.1, 192.168.107.0/24
132
+
133
+ >
134
+
135
+ > $WorkDirectory /var/lib/rsyslog
136
+
137
+ > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
138
+
139
+ > $IncludeConfig /etc/rsyslog.d/*.conf
140
+
141
+ > $OmitLocalLogging on
142
+
143
+ >
144
+
145
+ > $IMJournalStateFile imjournal.state
146
+
147
+ >
148
+
149
+ > *.info;mail.none;authpriv.none;cron.none /var/log/messages
150
+
151
+ > authpriv.* /var/log/secure
152
+
153
+ > mail.* -/var/log/maillog
154
+
155
+ > cron.* /var/log/cron
156
+
157
+ > *.emerg :omusrmsg:*
158
+
159
+ > uucp,news.crit /var/log/spooler
160
+
161
+ > local7.* /var/log/boot.log
162
+
163
+
164
+
165
+ ### 問題の発生した環境
166
+
167
+
168
+
169
+ CentOS7
170
+
171
+
172
+
173
+ rsyslogd -v
174
+
175
+ rsyslogd 8.24.0-57.el7_9.1, compiled with:
176
+
177
+ PLATFORM: x86_64-redhat-linux-gnu
178
+
179
+ PLATFORM (lsb_release -d):
180
+
181
+ FEATURE_REGEXP: Yes
182
+
183
+ GSSAPI Kerberos 5 support: Yes
184
+
185
+ FEATURE_DEBUG (debug build, slow code): No
186
+
187
+ 32bit Atomic operations supported: Yes
188
+
189
+ 64bit Atomic operations supported: Yes
190
+
191
+ memory allocator: system default
192
+
193
+ Runtime Instrumentation (slow code): No
194
+
195
+ uuid support: Yes
196
+
197
+ Number of Bits in RainerScript integers: 64
174
198
 
175
199
 
176
200
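Review bot: in WebHook_Slack_stdin.sh the log text is spliced into the JSON payload as `\"text\": \"${MESSAGE}\"` with no escaping, so a message containing a double quote or backslash (the user name in `Call detected from user 'test'` arrives verbatim from the remote gateway) yields invalid JSON or lets log content rewrite other payload fields; build the payload with a JSON-aware tool instead, e.g. `jq -n --arg t "$MESSAGE" '{channel:"#nagios",username:"Aleat_bot",icon_emoji:":computer:",text:$t}'`. The loop should also be `while IFS= read -r LINE` and the unquoted `echo $LINE` should become `printf '%s' "$LINE"`, otherwise backslashes, leading whitespace and glob characters in the log line are altered before they reach Slack; the `sed -z 's/\n//g'` step does nothing useful here because command substitution already strips the trailing newline.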