zabbix-agent python脚本侦听服务器异常登录，并告警

个人博客地址

http://www.darkghost.life

py脚本

import re,subprocess,time,datetime

#gpasswd -a zabbix adm
def ftime(a):
    a = a.replace('Jan','01')
    a = a.replace('Feb','02')
    a = a.replace('Mar','03')
    a = a.replace('Apr','04')
    a = a.replace('May','05')
    a = a.replace('Jun','06')
    a = a.replace('Jul','07')
    a = a.replace('Aug','08')
    a = a.replace('Sep','09')
    a = a.replace('Oct','10')
    a = a.replace('Nov','11')
    a = a.replace('Dec','12')
    return a
def auth():
    try:
        cmd = 'more /var/log/auth.log | grep Accepted'
        ret = subprocess.Popen(cmd,shell=True,stdout=subprocess.PIPE,stderr=subprocess.PIPE).communicate()[0]
        ret = ret.decode('utf8')
        now_time = int(datetime.datetime.now().strftime('%m%d%H%M%S'))
        list = [#白名单列表]
        host = re.findall('\d+\.\d+\.\d+\.\d+',ret)
        logtime = (re.findall('[A-Z,a-z]+\s+\d+\s\d+:\d+:\d+',ret，flags=re.M))
        count = len(host)
        for x in range(count-1,-1,-1):
                f_logtime = int(ftime(logtime[x].replace(':','').replace('  ','0').replace(' ','')))
                if host[x] not in list and now_time - f_logtime < 1000:
                    ip = host[x].replace('.','0')
                    return int(ip)  
        return(int(0))
    except Exception as a:
        return a
if __name__  == "__main__":
    print(auth())

 

zabbix item配置与triggers配置略

效果如下