Question edit history
1
Reformatted the display
@@ -1,4 +1,4 @@
|
|
1
|
-
|
1
|
+
### 前提・実現したいこと
|
2
2
|
|
3
3
|
|
4
4
|
|
@@ -14,6 +14,10 @@
|
|
14
14
|
|
15
15
|
|
16
16
|
|
17
|
+
### 発生している問題
|
18
|
+
|
19
|
+
|
20
|
+
|
17
21
|
色々確認した所、rsyslogでログがフィルタに引っかからない為、結果的に通知がされないのが原因と考えているのですが、なぜ引っかからないのかがわからず行き詰まってしまいました。
|
18
22
|
|
19
23
|
|
@@ -24,153 +28,173 @@
|
|
24
28
|
|
25
29
|
今回検知したいログは下記のような形になっています。
|
26
30
|
|
27
|
-
-----------
|
28
|
-
|
29
|
-
Sep 23 16:44:56 gateway PP[ANONYMOUS01] Call detected from user 'test'
|
31
|
+
> Sep 23 16:44:56 gateway PP[ANONYMOUS01] Call detected from user 'test'
|
30
|
-
|
32
|
+
|
33
|
+
|
34
|
+
|
35
|
+
|
36
|
+
|
31
|
-
|
37
|
+
### 設定および作成したシェルスクリプト
|
32
38
|
|
33
39
|
|
34
40
|
|
35
41
|
Slackに飛ばすためのConfは下記の通り
|
36
42
|
|
37
|
-
|
43
|
+
|
38
44
|
|
39
45
|
/etc/rsyslog.d/00_slack.conf
|
40
46
|
|
41
|
-
|
42
|
-
|
47
|
+
|
48
|
+
|
43
|
-
$template login_msg, "%timegenerated% %fromhost% %msg%\n"
|
49
|
+
> $template login_msg, "%timegenerated% %fromhost% %msg%\n"
|
50
|
+
|
44
|
-
|
51
|
+
>
|
45
|
-
|
46
|
-
|
52
|
+
|
47
|
-
module(load="omprog")
|
53
|
+
> module(load="omprog")
|
54
|
+
|
48
|
-
|
55
|
+
>
|
49
|
-
|
50
|
-
|
56
|
+
|
51
|
-
if $msg contains 'Call detected from user' \
|
57
|
+
> if $msg contains 'Call detected from user' \
|
52
|
-
|
58
|
+
|
53
|
-
then {
|
59
|
+
> then {
|
54
|
-
|
60
|
+
|
55
|
-
action(
|
61
|
+
> action(
|
56
|
-
|
62
|
+
|
57
|
-
type="omprog"
|
63
|
+
> type="omprog"
|
58
|
-
|
64
|
+
|
59
|
-
binary="/etc/rsyslog.d/WebHook_Slack_stdin.sh"
|
65
|
+
> binary="/etc/rsyslog.d/WebHook_Slack_stdin.sh"
|
60
|
-
|
66
|
+
|
61
|
-
template="login_msg"
|
67
|
+
> template="login_msg"
|
62
|
-
|
63
|
-
|
68
|
+
|
64
|
-
|
65
|
-
}
|
66
|
-
|
67
|
-
|
69
|
+
> )
|
70
|
+
|
71
|
+
> }
|
72
|
+
|
73
|
+
|
68
74
|
|
69
75
|
|
70
76
|
|
71
77
|
Slackへ飛ばすためのWebhookシェルスクリプトは単体にて動作確認済み。
|
72
78
|
|
73
|
-
|
79
|
+
|
74
80
|
|
75
81
|
/etc/rsyslog.d/WebHook_Slack_stdin.sh
|
76
82
|
|
77
83
|
|
78
84
|
|
79
|
-
#!/bin/bash
|
85
|
+
> #!/bin/bash
|
86
|
+
|
80
|
-
|
87
|
+
>
|
81
|
-
|
82
|
-
|
88
|
+
|
83
|
-
WEBHOOK_URL='https://hooks.slack.com/xxxxxxxx'
|
89
|
+
> WEBHOOK_URL='https://hooks.slack.com/xxxxxxxx'
|
90
|
+
|
84
|
-
|
91
|
+
>
|
85
|
-
|
86
|
-
|
92
|
+
|
87
|
-
while read LINE; do
|
93
|
+
> while read LINE; do
|
88
|
-
|
94
|
+
|
89
|
-
MESSAGE=`echo $LINE | sed -z 's/\n//g'`
|
95
|
+
> MESSAGE=`echo $LINE | sed -z 's/\n//g'`
|
90
|
-
|
96
|
+
|
91
|
-
curl -X POST --data-urlencode "payload={\"channel\": \"#nagios\", \"username\": \"Aleat_bot\", \"icon_emoji\": \":computer:\", \"text\": \"${MESSAGE}\"}" $WEBHOOK_URL
|
97
|
+
> curl -X POST --data-urlencode "payload={\"channel\": \"#nagios\", \"username\": \"Aleat_bot\", \"icon_emoji\": \":computer:\", \"text\": \"${MESSAGE}\"}" $WEBHOOK_URL
|
92
|
-
|
98
|
+
|
93
|
-
done
|
99
|
+
> done
|
94
|
-
|
95
|
-
|
100
|
+
|
101
|
+
|
96
102
|
|
97
103
|
|
98
104
|
|
99
105
|
rsyslog.confはほぼデフォルトになります(コメントアウト行割愛)
|
100
106
|
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
$ModLoad im
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
$
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
$
|
124
|
-
|
125
|
-
$
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
$
|
130
|
-
|
131
|
-
$All
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
$
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
lo
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
-
|
107
|
+
|
108
|
+
|
109
|
+
>
|
110
|
+
|
111
|
+
> $ModLoad imuxsock
|
112
|
+
|
113
|
+
> $ModLoad imjournal
|
114
|
+
|
115
|
+
>
|
116
|
+
|
117
|
+
> $ModLoad imudp
|
118
|
+
|
119
|
+
> $UDPServerRun 514
|
120
|
+
|
121
|
+
>
|
122
|
+
|
123
|
+
> $ModLoad imtcp
|
124
|
+
|
125
|
+
> $InputTCPServerRun 514
|
126
|
+
|
127
|
+
>
|
128
|
+
|
129
|
+
> $AllowedSender UDP, 127.0.0.1, 192.168.107.0/24
|
130
|
+
|
131
|
+
> $AllowedSender TCP, 127.0.0.1, 192.168.107.0/24
|
132
|
+
|
133
|
+
>
|
134
|
+
|
135
|
+
> $WorkDirectory /var/lib/rsyslog
|
136
|
+
|
137
|
+
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
|
138
|
+
|
139
|
+
> $IncludeConfig /etc/rsyslog.d/*.conf
|
140
|
+
|
141
|
+
> $OmitLocalLogging on
|
142
|
+
|
143
|
+
>
|
144
|
+
|
145
|
+
> $IMJournalStateFile imjournal.state
|
146
|
+
|
147
|
+
>
|
148
|
+
|
149
|
+
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
|
150
|
+
|
151
|
+
> authpriv.* /var/log/secure
|
152
|
+
|
153
|
+
> mail.* -/var/log/maillog
|
154
|
+
|
155
|
+
> cron.* /var/log/cron
|
156
|
+
|
157
|
+
> *.emerg :omusrmsg:*
|
158
|
+
|
159
|
+
> uucp,news.crit /var/log/spooler
|
160
|
+
|
161
|
+
> local7.* /var/log/boot.log
|
162
|
+
|
163
|
+
|
164
|
+
|
165
|
+
### 問題の発生した環境
|
166
|
+
|
167
|
+
|
168
|
+
|
169
|
+
CentOS7
|
170
|
+
|
171
|
+
|
172
|
+
|
173
|
+
rsyslogd -v
|
174
|
+
|
175
|
+
rsyslogd 8.24.0-57.el7_9.1, compiled with:
|
176
|
+
|
177
|
+
PLATFORM: x86_64-redhat-linux-gnu
|
178
|
+
|
179
|
+
PLATFORM (lsb_release -d):
|
180
|
+
|
181
|
+
FEATURE_REGEXP: Yes
|
182
|
+
|
183
|
+
GSSAPI Kerberos 5 support: Yes
|
184
|
+
|
185
|
+
FEATURE_DEBUG (debug build, slow code): No
|
186
|
+
|
187
|
+
32bit Atomic operations supported: Yes
|
188
|
+
|
189
|
+
64bit Atomic operations supported: Yes
|
190
|
+
|
191
|
+
memory allocator: system default
|
192
|
+
|
193
|
+
Runtime Instrumentation (slow code): No
|
194
|
+
|
195
|
+
uuid support: Yes
|
196
|
+
|
197
|
+
Number of Bits in RainerScript integers: 64
|
174
198
|
|
175
199
|
|
176
200
|
|
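Review bot: the webhook script in this hunk (`MESSAGE=\`echo $LINE | sed -z 's/\n//g'\`` and `curl ... \"text\": \"${MESSAGE}\"`) splices the raw log text into the JSON payload without any escaping, so a message containing `"` or `\` yields invalid JSON that the webhook endpoint rejects, and because neither curl's exit status nor its response is checked the failure is silent and indistinguishable from "the rsyslog filter did not match". Build the payload with a JSON encoder instead, for example `PAYLOAD=$(jq -Rn --arg t "$LINE" '{channel:"#nagios",username:"Aleat_bot",icon_emoji:":computer:",text:$t}')`, read with `while IFS= read -r LINE` and keep `"$LINE"` quoted, and while debugging append curl's exit code and response body to a log file so a rejected payload becomes visible; the `sed -z 's/\n//g'` step is redundant, since `read` already strips the trailing newline. On the rsyslog side, before suspecting the `contains` filter, confirm the line actually reaches this host: with the `*.info;... /var/log/messages` rule in rsyslog.conf it should appear in /var/log/messages, `rsyslogd -N1` validates the syntax of 00_slack.conf, and the `$AllowedSender` lines restrict accepted remote senders to 127.0.0.1 and 192.168.107.0/24, so the gateway must be in that range for its messages to be accepted over imudp/imtcp on port 514 at all.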