上一篇介绍了用ELK分析4亿多条审计日志过程,现在介绍如何用Python3分析ES的程序
需要分析的核心库审计数据:
1,950多张表,几十个账号,
2,5种操作类型(select,update,insert,delete,replace),14个实例(1主13从库)
分析说明:
select汇总: 必须包含from关键字:排除INSERT INTO 表 SELECT '609818','1' 这样情况
insert汇总: 必须有into关键字: 排除select中有insert关键字
update汇总: 不包含for 关键字: 排查 for update 的select查询
delete汇总: 不包含into 关键字: 排除insert等内容里包含delete的数据情况
replace汇总: 必须有into 关键字: 排除select查询中有replace函数
分析方法:
为保证把以上数据都能分析出来, 将950多张表,存放到数据表中,循环950多次表,每个表循环5次类型:
sql="select id,name,ea_time from tab order by id desc --查询全部表
dml={'select','update','insert','delete','replace'} --每个表循环5次类型
后来研发发现,分析程序表ol_list统计,但"库名.表",如line.ol_list,不会统计出来。后来修改EQL解决,具体代码如下:
下列是“”select“查询EQL的代码:
if op.find('select')>=0: # select,包含from
body ={"query":{
"bool":{ "must":[{
"match":{"Sql":'{op}'.format(op=op) }},{
"match":{"Sql": 'from'}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match": 1,
"filter":{
"range":{
"Timestamp.keyword":{
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
} }}},
"size":0, "aggs":{ "aggr_mame":{
"terms":{
"field":"User.keyword",
"size":2000
},
"aggs":{
"aggr_der":{
"terms":{
"field":"PolicyName.keyword"
},
"aggs":{
"top_tag_hits":{
"top_hits":{
"size":1
}
} }}}}}
}
说明:
1,使用:"minimum_should_match": 1, ,这个是兼容: "表名","库名.表名“
5种类型的全部EQL:
if op.find('select')>=0: # select,包含from
body ={"query":{
"bool":{ "must":[{
"match":{"Sql":'{op}'.format(op=op) }},{
"match":{"Sql": 'from'}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match": 1,
"filter":{
"range":{
"Timestamp.keyword":{
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
} }}},
"size":0, "aggs":{ "aggr_mame":{
"terms":{
"field":"User.keyword",
"size":2000
},
"aggs":{
"aggr_der":{
"terms":{
"field":"PolicyName.keyword"
},
"aggs":{
"top_tag_hits":{
"top_hits":{
"size":1
}
} }}}}}
}
elif op.find('update')>=0: # update 不能有for关键字
body = {"query": {
"bool": {"must": [{
"match": {"Sql": '{op}'.format(op=op)}},{
"match": {"PolicyName.keyword": 'd8t'}}],
"must_not": [{"match": {"Sql": "for"}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match": 1,
"filter": {
"range": {
"Timestamp.keyword": {
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
}}}},
"size": 0, "aggs": {"aggr_mame": {
"terms": {
"field": "User.keyword",
"size": 2000
},
"aggs": {
"aggr_der": {
"terms": {
"field": "PolicyName.keyword"
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1
}
}}}}}}
}
elif op.find('replace') >= 0: # replace 必须有into关键字
body = {"query": {
"bool": {"must": [{
"match": {"Sql": '{op}'.format(op=op)}}, {
"match": {"PolicyName.keyword": 'd8t'}},{
"match": {"Sql": 'into'}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match": 1,
"filter": {
"range": {
"Timestamp.keyword": {
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
}}}},
"size": 0, "aggs": {"aggr_mame": {
"terms": {
"field": "User.keyword",
"size": 2000
},
"aggs": {
"aggr_der": {
"terms": {
"field": "PolicyName.keyword"
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1
}
}}}}}}
}
elif op.find('insert') >= 0: # insert 必须有into关键字
body = {"query": {
"bool": {"must": [{
"match": {"Sql": '{op}'.format(op=op)}}, {
"match": {"PolicyName.keyword": 'd8t'}},{
"match": {"Sql": 'into'}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match":1,
"filter": {
"range": {
"Timestamp.keyword": {
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
}}}},
"size": 0, "aggs": {"aggr_mame": {
"terms": {
"field": "User.keyword",
"size": 2000
},
"aggs": {
"aggr_der": {
"terms": {
"field": "PolicyName.keyword"
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1
}
}}}}}}
}
else: # delete 不能有into关键字
body = {"query": {
"bool": {"must": [{
"match": {"Sql": '{op}'.format(op=op)}},{
"match": {"PolicyName.keyword": 'd8t'}}],
"must_not": [{"match": {"Sql": "into"}}],
"should": [{
"term": {"Sql": '{name}'.format(name=tabname)}}, {
"term": {"Sql": 'online.{name}'.format(name=tabname)}}],
"minimum_should_match": 1,
"filter": {
"range": {
"Timestamp.keyword": {
"lte": "{date}".format(date=end_time),
"gte": "{begindate}".format(begindate=begin_time),
}
}}}},
"size": 0, "aggs": {"aggr_mame": {
"terms": {
"field": "User.keyword",
"size": 2000
},
"aggs": {
"aggr_der": {
"terms": {
"field": "PolicyName.keyword"
},
"aggs": {
"top_tag_hits": {
"top_hits": {
"size": 1
}
}}}}}}
}
写入统计数据Py:
doc = res["aggregations"]["aggr_mame"]['buckets']
cn = conn()
cur = cn.cursor()
if len(doc):
for item in doc:
user=item['key'] # 账号
total=str(item['doc_count']) # 该账号在全部实例下的调用次数
if len(item["aggr_der"]["buckets"]):
for bucket in item["aggr_der"]["buckets"]:
server=bucket['key'] # 服务器实例
s_total =str(bucket['doc_count']) # 该服务器实例下的调用次数
sql=bucket["top_tag_hits"]["hits"]["hits"][0]["_source"]["Sql"] # 样例Sql
sql=emoji.demojize(transferContent(sql)) #转义并去掉表情符号
tsql="replace into ea_tj(tab,username,op,num,server,sqltext,dt) "\
" values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')".format(tabname,user,op,s_total,server,sql,dt)
cur.execute(tsql)
cn.commit()
存放分析结果表:
CREATE TABLE `ea_tj` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`tab` varchar(200) NOT NULL COMMENT '表名',
`username` varchar(200) NOT NULL COMMENT '账号',
`op` varchar(50) DEFAULT NULL COMMENT '操作类型',
`num` bigint(11) NOT NULL COMMENT '次数',
`server` varchar(200) NOT NULL COMMENT '实例策略名',
`create_time` datetime DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
`sqltext` text COMMENT '样例SQL',
`dt` date DEFAULT NULL COMMENT '线上SQL执行日期',
`update_time` datetime DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新时间',
PRIMARY KEY (`id`) USING BTREE,
UNIQUE KEY `un` (`tab`,`username`,`op`,`server`,`dt`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8mb4
具体汇总数据:
1,每天13个实例,表,账号,操作之间关系汇总(用来Online表拆分)
2,每天13个数据库实例账号的连接IP汇总(用来迁移VPC)
3,统计调用总次数 (用来分析调用次数异常)
汇总1的结果数据: