1、首先编辑并添加邮件配置到server.conf(注意:是添加)
vim /etc/graylog/server/server.conf
# Email transport
# Graylog sends alert notifications through this SMTP account.  The
# password below is stored in clear text: keep server.conf readable only
# by the graylog service user (e.g. owner graylog, mode 640) and use a
# dedicated mailbox rather than a personal one.
transport_email_enabled = true
transport_email_hostname = smtp.qq.com
# 465 is the implicit-TLS (SMTPS) port, which is why use_ssl is on and
# use_tls (STARTTLS) is off below; Graylog expects only one of the two.
transport_email_port = 465
transport_email_use_auth = true
transport_email_auth_username = xxxxxx@qq.com
# For QQ Mail this is typically the SMTP "授权码" (authorization code)
# generated in the mailbox settings, not the account login password.
transport_email_auth_password = xxxxxxxxx
transport_email_subject_prefix = [graylog]
transport_email_from_email = xxxxxx@qq.com
transport_email_use_tls = false
transport_email_use_ssl = true
2、创建一个新用户,并填写其邮箱地址(邮件通知的接收人可以选择已有用户,也可以直接填写邮箱)
3、在Alerts中,单击右侧Notifications -> Create 创建一个告警类型
收到一封测试邮件
4、在Alerts中选择Event Definitions,来进行告警事件规则的创建。Priority是告警等级,可以按照实际形况选择,完成后点击下一步Next
5、验证
在另一台Linux机器上模拟SSH爆破(只能针对自己有权测试的主机):watch -n 1 "hydra -l root -p admin@123 192.168.31.232 ssh"。注意hydra的目标是单个IP/域名或CIDR网段,不支持192.168.*.*这种通配写法。
6、控制告警频率,因为SSH爆破时每秒都会产生登录失败日志,逐条告警会刷屏
在Event Definition的聚合条件(Aggregation)中把阈值改为:1分钟内登录失败次数 >= 6 才报警。阈值可按实际情况调整:过高会漏报,过低则会被告警淹没。
7、钉钉报警
准备一个钉钉群机器人
在钉钉机器人的"安全设置"中选择"IP地址(段)",填写webhook所在服务器(即运行push2robot.sh、向oapi.dingtalk.com发请求的那台机器)的公网出口IP。机器人的access_token相当于密码,拿到它的人就能向群里发消息,不要把它提交到代码仓库或贴到公开的地方。
从GitHub Releases页面下载webhook的Linux二进制包(webhook-linux-amd64.tar.gz);解压前核对发布页给出的校验值(若有),不要在服务器上直接以root运行来历不明的二进制。
https://github.com/adnanh/webhook
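# Install the adnanh/webhook release binary under /opt.  The tarball is an
# unsigned download from GitHub and the binary will run as root, so record
# its SHA-256 and compare it with the checksum published for that release
# (if the project provides one) before extracting anything.
cd /opt || exit 1
sha256sum webhook-linux-amd64.tar.gz
tar -xzvf webhook-linux-amd64.tar.gz -C .
# cp + chmod 755 in one step: /opt/webhook, rwxr-xr-x.
install -m 0755 webhook-linux-amd64/webhook /opt/webhook
./webhook --help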
vi /opt/hooks.json
[
{
"id": "push2dingtalk",
"execute-command" : "/opt/push2robot.sh",
"pass-arguments-to-command":
[
{
"source":"entire-payload"
}
]
}
]
启动webhook。注意hooks.json必须是严格的JSON:不能用#或//写注释,也不能有多余的逗号,否则webhook在解析配置时会直接报错。
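# Open 8080/tcp to the Graylog server only.  The hook performs no
# authentication of its own, so any host that can reach the port can POST a
# payload that push2robot.sh forwards to the DingTalk group; a blanket
# --add-port=8080/tcp on the public zone would expose exactly that.
: "${GRAYLOG_IP:?set GRAYLOG_IP to the address Graylog connects from}"
firewall-cmd --permanent --zone=public \
  --add-rich-rule="rule family=\"ipv4\" source address=\"${GRAYLOG_IP}\" port port=\"8080\" protocol=\"tcp\" accept"
firewall-cmd --reload
# Foreground with --verbose for the test (each payload and the script's
# exit status are printed).  For permanent use run it under systemd as a
# dedicated unprivileged user rather than as root from a login shell.
./webhook -hooks /opt/hooks.json -port 8080 --verbose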
并测试
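# Smoke-test the hook with a body shaped like a Graylog event so the jq
# extraction in push2robot.sh is exercised as well; a plain 'test' body is
# not JSON and only proves that the listener is up.  Expect a DingTalk
# message titled "webhook test"; webhook's --verbose output shows the
# script's exit status.
curl -sS -H 'Content-Type: application/json' \
  --data '{"event_definition_title":"webhook test","backlog":[{"fields":{"full_message":"hello from curl"}}]}' \
  'http://192.168.31.127:8080/hooks/push2dingtalk'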
再在Graylog中新建HTTP Notification。注意这个hook本身没有任何认证:能访问8080端口的任何主机都可以POST一个伪造的payload,让脚本往钉钉群里发消息。因此防火墙只应放行Graylog服务器的IP,或在hooks.json里增加trigger-rules校验一个只有Graylog知道的密钥(例如放在通知URL的查询参数中)。
Title:钉钉机器人告警
URL http://192.168.31.127:8080/hooks/push2dingtalk
接下来配置Alert
配置推送到钉钉机器人的脚本
用yum安装jq(脚本用它解析Graylog发来的JSON;CentOS 7上通常需要先启用EPEL源)
yum install -y jq
2个脚本 如下:
[root@centos ~]# cat /opt/push2robot.sh
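#!/usr/bin/env bash
# push2robot.sh -- forward a Graylog HTTP-notification event to a DingTalk
# group robot.
#
# Called by adnanh/webhook with the whole Graylog event JSON as $1
# (hooks.json: pass-arguments-to-command, source "entire-payload").
# Fields read from the event:
#   .event_definition_title          -> alert title
#   .backlog[].fields.full_message   -> raw log lines (zero, one or many)
#
# The request body is rendered from the template /opt/alert.json by
# replacing its PAYLOAD1 / PAYLOAD2 markers.  The template is only read,
# never rewritten, so every alert -- not just the first -- finds the
# markers.  Title and log text are handed to jq with --arg, i.e. as
# values: attacker-controlled log content (the username in an SSH failure,
# say) can no longer break the JSON, act as a sed expression, or -- as with
# the former `PAYLOAD= $1` -- be executed as a command.
#
# Exit status: 0 once DingTalk accepted the POST; non-zero when $1 is
# missing or not JSON, or when curl fails (webhook logs it with --verbose).
set -euo pipefail

# The access_token is a secret: whoever has it can post to the group.
# Prefer supplying it through the environment of the webhook process (or a
# root-only file) instead of editing this script; the literal is a default.
readonly DINGTALK_TOKEN="${DINGTALK_TOKEN:-413d9a8435aeaXXXXXXXXX91648b73a069c7aa2e709595}"
readonly DINGTALK_URL="https://oapi.dingtalk.com/robot/send?access_token=${DINGTALK_TOKEN}"
readonly TEMPLATE="/opt/alert.json"
# Raw events are appended here for debugging (kept from the original).
# They contain log contents, so keep the file root-only or drop the line.
readonly RAW_LOG="/var/log/test.log"

# Fallback template, identical to /opt/alert.json from the setup notes,
# used when that file is missing so a fresh host still alerts.
default_template() {
  cat <<'EOF'
{
"msgtype": "markdown",
"markdown":
{
"title":"PAYLOAD1",
"text": "#### PAYLOAD1 \n #####原始日志:PAYLOAD2 \n"
}
}
EOF
}

#######################################
# Render the DingTalk request body.
# Arguments: $1 - alert title, $2 - raw log text
# Outputs:   compact JSON on stdout
# Returns:   jq's status (non-zero if the template is not valid JSON)
#######################################
render_alert() {
  local title=$1 log_text=$2
  local tmpl
  if [[ -r "$TEMPLATE" ]]; then
    tmpl=$(<"$TEMPLATE")
  else
    tmpl=$(default_template)
  fi
  # split/join is a literal replacement (no regex, no sed metacharacters);
  # --arg makes jq JSON-escape the values itself.
  jq -c --arg t "$title" --arg m "$log_text" '
    .markdown.title |= (split("PAYLOAD1") | join($t))
    | .markdown.text |= (split("PAYLOAD1") | join($t) | split("PAYLOAD2") | join($m))
  ' <<<"$tmpl"
}

main() {
  if [[ $# -lt 1 || -z "$1" ]]; then
    printf 'usage: %s <graylog-event-json>\n' "${0##*/}" >&2
    exit 2
  fi
  local event=$1
  printf '%s\n' "$event" >>"$RAW_LOG"

  local title log_text
  # -r yields the bare strings (the original stripped quotes with sed,
  # which also destroyed legitimate quotes inside the message).
  title=$(jq -r '.event_definition_title // "graylog alert"' <<<"$event")
  log_text=$(jq -r '[.backlog[]?.fields.full_message // empty] | join("\n")' <<<"$event")

  # -f: an HTTP error from DingTalk fails the script; -sS: quiet but still
  # report errors.  The body is streamed, nothing is written under /opt.
  # Robot-level errors (wrong token, keyword filter) come back as JSON with
  # an errcode in the response, which webhook's --verbose log shows.
  render_alert "$title" "$log_text" \
    | curl -fsS -H 'Content-Type: application/json' --data-binary @- "$DINGTALK_URL"
}

main "$@"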
# webhook execs the script directly, so it must be executable (rwxr-xr-x).
chmod u=rwx,go=rx /opt/push2robot.sh
触发一下SSH登录失败
# Re-run hydra every second against the lab host to produce a steady stream
# of SSH authentication failures; only against systems you are allowed to test.
watch -n1 'hydra -l root -p admin@123 192.168.31.232 ssh'