zabbix服务器配置syslog服务
修改配置 vi /etc/rsyslog.conf
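# Provides UDP syslog reception
# NOTE(review): both listeners accept messages from ANY source address, and the
# waf.py script below turns log content directly into firewall block requests.
# A spoofed UDP datagram that imitates a WAF/IPS line could therefore get an
# arbitrary IP blocked.  Restrict 514/udp and 514/tcp to the firewall's own IP
# at the host firewall, or drop the UDP listener and keep TCP only.
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
## server-side additions begin ###
# Each client's messages go to /var/log/remote/<client ip>/<client ip>_<YYYY-MM-DD>.log
# via the RemoteLogs template (one file per client and day).
$template RemoteLogs,"/var/log/remote/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Files 0644 and directories 0755 so the zabbix agent can read the logs.
# rsyslog creates directories 0700 by default, which is why the original
# needed a global "$umask 0000" plus a manual chmod 755; an explicit
# DirCreateMode covers that without loosening the umask for everything else.
$FileCreateMode 0644
$DirCreateMode 0755
# Only messages from remote hosts are written to RemoteLogs; the server's own
# messages (fromhost-ip 127.0.0.1) fall through to the normal local rules.
# The original had an unconditional "*.* ?RemoteLogs" before this filter (which
# also wrote the server's own logs) and referenced an undefined template
# "?Remote" here, so the filter never took effect.
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# Stop processing the matched (remote) message here; without this line it would
# also be written to the local log files, i.e. recorded twice.
# "& stop" is the current spelling of the legacy "& ~".
& stop
### server-side additions end ###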
在服务器防火墙上放行 514/udp 和 514/tcp 后重启服务。建议只对深信服防火墙的 IP 放行：下面的脚本会把日志内容直接转成封锁请求，而 UDP 源地址可以伪造，任何能向 514 端口发包的主机都可以伪造一条 WAF/IPS 日志来封掉任意 IP。
systemctl restart rsyslog
修改目录权限 chmod 755（rsyslog 新建目录默认是 0700，zabbix 用户读不到日志；也可以在 rsyslog.conf 中加上 $DirCreateMode 0755，这样以后新增客户端目录就不用再手工改权限了）
chmod 755 /var/log/remote/ && chmod 755 /var/log/remote/{ip}
防火墙配置syslog的日志
我这边深信服防火墙AF8.0.**版本
1.在防火墙上配置把防护日志（WEB应用防护、IPS防护）通过 syslog 发送到 zabbix 服务器的 514 端口
2.在防火墙上新建一个只允许 API 访问、且权限仅限于封锁 IP 的专用账号（不要复用管理员账号；脚本里的账号和口令不要明文写死，建议改为从环境变量或只有 zabbix 用户可读的文件中读取）
执行脚本
读取 syslog 日志，提取最近 30 分钟内被 WAF/IPS 判定为“高”或“致命”且出现 2 次及以上的攻击源 IP，通过防火墙 API 接口提交临时封锁（封锁时长 1 天）
#!/usr/bin/python3
# chenzhenhua
# -*- coding: utf8 -*-
import ipaddress
import json
import os
from collections import Counter
from datetime import datetime, timedelta

import requests
# Source IPs that must never be submitted to the firewall; consulted by blockip().
whiteiplist: list[str] = []
# Declared but not referenced anywhere in this script.
whiteurllist: list[str] = []
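def getblockiplist(logname):
    """Return source IPs the firewall flagged at least twice in the last 30 minutes.

    Reads the per-day rsyslog file (one syslog line per message) and keeps
    WEB-application-protection ("日志类型:WEB应用防护") and IPS
    ("日志类型:IPS防护日志") events whose severity is high ("高") or critical
    ("致命") and whose time of day is within 30 minutes of now.  The attacker
    address is taken from a fixed whitespace-separated field (token 8 for WAF
    lines, token 9 for IPS lines, each shaped like ``源IP:1.2.3.4,``).

    Changes from the original: lines with a malformed timestamp, too few
    fields, or a field that is not a syntactically valid IP address are
    skipped instead of crashing the check or sending junk to the firewall
    API; a missing log file yields an empty list; counting is O(n) instead of
    O(n^2); the file is streamed rather than read into memory.

    Args:
        logname: path of the log file written by the rsyslog RemoteLogs template.

    Returns:
        Sorted, de-duplicated list of IP address strings seen two or more
        times.  Empty when the file does not exist yet or nothing qualifies.
    """
    # (log type marker, accepted severity markers, index of the source-IP token).
    # The two log types spell "severity" differently ("级别" vs "等级").
    # NOTE(review): field positions are taken from the original script and depend
    # on the firewall's log format — re-check them after a firmware upgrade.
    event_kinds = (
        ("日志类型:WEB应用防护", ("严重级别:高", "严重级别:致命"), 8),
        ("日志类型:IPS防护日志", ("严重等级:高", "严重等级:致命"), 9),
    )
    counts = Counter()
    try:
        with open(logname, "r", encoding="utf-8") as f:
            for line in f:
                for log_type, severities, ip_index in event_kinds:
                    if log_type in line and any(s in line for s in severities):
                        ip = _extract_recent_ip(line, ip_index)
                        if ip is not None:
                            counts[ip] += 1
                        break  # a line belongs to exactly one log type
    except FileNotFoundError:
        # rsyslog creates the day's file on the first message; "no file yet"
        # simply means no attacks have been logged today.
        return []
    return sorted(ip for ip, n in counts.items() if n >= 2)


def _extract_recent_ip(line, ip_index, *, max_age=timedelta(minutes=30)):
    """Return the validated source IP from *line* if its timestamp is recent, else None.

    Traditional syslog lines start with ``Mon DD HH:MM:SS``; token 2 is the
    time of day and is combined with today's date (correct for a per-day file).
    A time of day later than "now" (clock skew) is still treated as recent,
    matching the original comparison.
    """
    tokens = line.split()
    try:
        time_of_day = tokens[2]
        raw_ip = tokens[ip_index].split(":")[-1].strip(",")
    except IndexError:
        return None  # truncated or unexpected line
    today = datetime.now().strftime("%Y-%m-%d")
    try:
        logged_at = datetime.strptime(f"{today} {time_of_day}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # token 2 is not HH:MM:SS
    if datetime.now() - logged_at >= max_age:
        return None
    try:
        # Reject anything that is not an address so log content can never be
        # forwarded verbatim to the firewall API.
        return str(ipaddress.ip_address(raw_ip))
    except ValueError:
        return None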
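def gettoken(username=None, password=None):
    """Log in to the Sangfor AF management API and return the session token.

    Args:
        username: API account name; defaults to the SXF_API_USER environment
            variable, then to the literal "username" placeholder the original
            script hard-coded.
        password: API account password; defaults to SXF_API_PASSWORD, then to
            the literal "password" placeholder.  Keep the real secret out of
            this file.

    Returns:
        The token string found at ``data.loginResult.token`` in the response.

    Raises:
        requests.HTTPError: the login endpoint answered with a non-2xx status.
        RuntimeError: the response body does not contain the token field.
    """
    if username is None:
        username = os.environ.get("SXF_API_USER", "username")
    if password is None:
        password = os.environ.get("SXF_API_PASSWORD", "password")
    host = os.environ.get("SXF_HOST", "{ip}")
    # SXF_CA_BUNDLE: path to the firewall's CA certificate.  Unset keeps the
    # original verify=False, which lets anyone on the network path present a
    # forged certificate and capture the API password and token.
    verify = os.environ.get("SXF_CA_BUNDLE") or False
    url = f"https://{host}/api/v1/namespaces/@namespace/login"
    headers = {"content-type": "application/json"}
    payload = {"name": username, "password": password}
    # Bounded timeout so a hung firewall fails the check with an error instead
    # of hanging until the Zabbix agent kills it silently.
    resp = requests.post(url, data=json.dumps(payload), headers=headers, verify=verify, timeout=30)
    resp.raise_for_status()
    try:
        return resp.json()["data"]["loginResult"]["token"]
    except (ValueError, KeyError, TypeError) as err:
        raise RuntimeError(f"login to {host} did not return a token (HTTP {resp.status_code})") from err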
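def blockip(sxftoken, blocklist):
    """Submit *blocklist* to the firewall's temporary block list (1 day, source IPs).

    Entries in the module-level ``whiteiplist``, duplicates, and anything that
    is not a syntactically valid IP address are dropped before the request, so
    text parsed out of a log line can never reach the API unvalidated.

    Args:
        sxftoken: session token from gettoken().
        blocklist: iterable of source IP strings.

    Returns:
        "ok" when nothing had to be submitted; otherwise a line that contains
        the word "deny" followed by the submitted addresses.  The Zabbix
        trigger matches on "deny", so that word must stay in the message.

    Raises:
        requests.HTTPError: the block endpoint answered with a non-2xx status
            (the original ignored the response entirely).
    """
    blocklist = list(blocklist)
    if not blocklist:
        return "ok"
    whitelist = set(whiteiplist)
    submit = []
    for ip in blocklist:
        if ip in whitelist or ip in submit:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: never forward junk to the firewall
        submit.append(ip)
    if not submit:
        return "ok"
    host = os.environ.get("SXF_HOST", "{ip}")
    # Same TLS caveat as gettoken(): without SXF_CA_BUNDLE the server
    # certificate is not verified (original behaviour).
    verify = os.environ.get("SXF_CA_BUNDLE") or False
    url = f"https://{host}/api/batch/v1/namespaces/public/blockip"
    headers = {"content-type": "application/json", "token": sxftoken}
    payload = {
        "dstIP": ["0.0.0.0"],
        "ipType": "SRC",
        "blockTime": "1d",
        "srcIP": submit,
    }
    resp = requests.post(url, data=json.dumps(payload), headers=headers, verify=verify, timeout=30)
    resp.raise_for_status()
    # Message format kept byte-for-byte: the Zabbix trigger keys on "deny".
    return str(submit) + "is deny in shenxinfu fanghuoqiang by waflog"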
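def main():
    """Zabbix UserParameter entry point: log in, read today's log, block, print.

    Prints "ok" or a line containing "deny" (the Zabbix trigger matches on
    that word).  Exceptions propagate so the agent reports the failure
    instead of a silent empty value.
    """
    # Log in first even when there may be nothing to block, so a broken API
    # account shows up on every poll and not only during an attack.
    sxftoken = gettoken()
    # rsyslog writes /var/log/remote/<firewall ip>/<firewall ip>_<YYYY-MM-DD>.log.
    # The original used a bare relative file name, which only works if the
    # agent's working directory is that directory; WAF_LOG_DIR allows the
    # absolute directory to be given instead (empty keeps the old behaviour).
    log_dir = os.environ.get("WAF_LOG_DIR", "")
    lgname = os.path.join(log_dir, "{ip}_" + datetime.now().strftime("%Y-%m-%d") + ".log")
    blocklist = getblockiplist(lgname)
    denylog = blockip(sxftoken, blocklist)
    print(denylog)


if __name__ == "__main__":
    main()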
配置
1.修改服务器agent配置:
vi /etc/zabbix/zabbix_agentd.conf 添加（注意：UnsafeUserParameters=1 只在监控项键值带参数且参数包含特殊字符时才需要，这里的 waf 键不带参数，可以不开启，以免放宽本机其他 UserParameter 的参数过滤；脚本以 zabbix 用户运行，要保证它能读取 /var/log/remote/{ip}/ 下的日志文件；agent 的 Timeout（默认 3 秒）需要大于脚本两次 HTTPS 调用的总耗时，否则监控项会超时）
UnsafeUserParameters=1
UserParameter=waf,/usr/bin/python3 -W ignore /scripts/waf.py
2.Zabbix 主机添加监控项
添加监控项（键值为 waf；注意“信息类型”要选日志格式）
3.添加触发器
如果是 Zabbix 3.0 版本，触发器需要特殊配置（按日志中是否匹配到 deny 这个字符串来判断，否则会报错）