zabbix-agent python脚本侦听服务器异常登录,并告警
py脚本
import re,subprocess,time,datetime #gpasswd -a zabbix adm def ftime(a): a = a.replace('Jan','01') a = a.replace('Feb','02') a = a.replace('Mar','03') a = a.replace('Apr','04') a = a.replace('May','05') a = a.replace('Jun','06') a = a.replace('Jul','07') a = a.replace('Aug','08') a = a.replace('Sep','09') a = a.replace('Oct','10') a = a.replace('Nov','11') a = a.replace('Dec','12') return a def auth(): try: cmd = 'more /var/log/auth.log | grep Accepted' ret = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate()[0] ret = ret.decode('utf8') now_time = int(datetime.datetime.now().strftime('%m%d%H%M%S')) list = [#白名单列表] host = re.findall('\d+\.\d+\.\d+\.\d+',ret) logtime = (re.findall('[A-Z,a-z]+\s+\d+\s\d+:\d+:\d+',ret,flags=re.M)) count = len(host) for x in range(count-1,-1,-1): f_logtime = int(ftime(logtime[x].replace(':','').replace(' ','0').replace(' ',''))) if host[x] not in list and now_time - f_logtime < 1000: ip = host[x].replace('.','0') return int(ip) return(int(0)) except Exception as a: return a if __name__ == "__main__": print(auth())
zabbix item配置与triggers配置略
效果如下