Книга: Fedora™ Unleashed, 2008 edition

Using a Simple Script to Automate Tasks

Using a Simple Script to Automate Tasks

You could use a simple script to examine your system log for certain keywords. If the script is run via your system's scheduling table, /etc/crontab, it can help automate security monitoring. By combining the output capabilities of existing Linux commands with the language facilities of the shell, you can quickly build a useful script to perform a task normally requiring a number of command lines. For example, you can create a short script, named greplog, like this:

#!/bin/sh
#  name: greplog
#  use: mail grep of designated log using keyword
# version: v.01 08aug02
#
#  author: bb
#
# usage: greplog [keyword] [logpathname]
#
#  bugs: does not check for correct number of arguments
# build report name using keyword search and date log_report=/tmp/$1.logreport.`date '+%m%d%y'`
# build report header with system type, hostname, date and time
echo "=============================================================="
>$log_report
echo "               S Y S T E M   M O N I T O R   L O G" >>$log_report
echo uname -a >>$log_report
echo "Log report for" `hostname -f` "on" `date '+%c'` >>$log_report
echo "=============================================================="
>>$log_report ; echo "" >>$log_report
# record log search start
echo "Search for->" $1 "starting" `date '+%r'` >>$log_report
echo "" >>$log_report
# get and save grep results of keyword ($1) from logfile ($2)
grep -i $1 $2 >>$log_report
# build report footer with time echo "" >>$log_report
echo "End of" $log_report at `date '+%r'` >>$log_report
# mail report to root
mail -s "Log Analysis for $1" root <$log_report
# clean up and remove report
rm $log_report
exit 0

In this example, the script creates the variable $log_report, which will be the filename of the temporary report. The keyword ($1) and first argument on the command line is used as part of the filename, along with the current date (with perhaps a better approach in using $$ instead of the date, which appends the script's PID as a file extension). Next, the report header containing some formatted text, the output of the uname command, and the hostname and date is added to the report. The start of the search is then recorded, and any matches of the keyword in the log are added to the report. A footer containing the name of the report and the time is then added. The report is mailed to root with the search term as the subject of the message, and the temporary file is deleted.

NOTE

By default, Fedora uses the logwatch log monitoring command (actually a Perl script) in your system's /etc/cron.daily directory to generate various reports each day at 0402 (4:02 a.m.). Configure logwatch by editing the file /etc/log.d/logwatch.conf. Other system monitoring tools are included, such as tripwire. You can control system logging by editing /etc/syslog.conf.

You can test the script by running it manually and feeding it a keyword and a pathname to the system log, /var/log/messages, like this:

# greplog FAILED /var/log/messages

Note that your system should be running the syslogd daemon. If any login failures have occurred on your system, the root operator might get an email message that looks like this:

Date: Mon, 12 Nov 2007 16:23:24 -0000
From: root <[email protected]>
To: [email protected]
Subject: FAILED
==============================================================
               S Y S T E M   M O N I T O R   L O G
Linux werewolf 2.6.23-1.41 #1 Thu Nov 8 21:41:26 EST 2007 i686 i686 i386
+GNU/Linux
Log report for werewolf.hudson.com on Tue 12 Nov 2007 04:23:24 PM GMT
==============================================================
Search for-> FAILED starting 04:23:24 PM
12 16:23:04 werewolf login[1769]: FAILED LOGIN 3 FROM (null) FOR ahudson,
+Authentication failure
End of /tmp/FAILED.logreport.102303 at 04:23:24 PM

To further automate the process, you can include command lines using the script in another script to generate a series of searches and reports.

Оглавление книги


Генерация: 1.350. Запросов К БД/Cache: 3 / 0
поделиться
Вверх Вниз