root@syslogserver:~# influx org list
ID                      Name
0abaf03af8aafaa00       test

 


 

root@syslogserver:~# vi /etc/telegraf/telegraf.conf

# Edit the outputs.influxdb_v2 section below to match your environment

# # Configuration for sending metrics to InfluxDB
  [[outputs.influxdb_v2]]
#   ## The URLs of the InfluxDB cluster nodes.
#   ##
#   ## Multiple URLs can be specified for a single cluster, only ONE of the
#   ## urls will be written to each interval.
#   ##   ex: urls = ["https://us-west-2-1.aws.cloud2.influxdata.com"]
    urls = ["http://127.0.0.1:8086"]
#
#   ## Token for authentication.
    token = "**********************************=="
#
#   ## Organization is the name of the organization you wish to write to; must exist.
    organization = "test"
#
#   ## Destination bucket to write into.
    bucket = "test-bucket"
#
#   ## The value of this tag will be used to determine the bucket.  If this
#   ## tag is not set the 'bucket' option is used as the default.
#   # bucket_tag = ""
#
#   ## If true, the bucket tag will not be added to the metric.
#   # exclude_bucket_tag = false
#
#   ## Timeout for HTTP messages.
    timeout = "5s"

 

If you are not sure of the values above, see the posts below.

[token]

https://dirt-spoon.tistory.com/267

 

[org]

https://dirt-spoon.tistory.com/269
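The token pasted into telegraf.conf above is the one `influx auth list` prints: the operator token created at setup, with read and write on every resource in the instance. Telegraf only needs to write one bucket, and telegraf.conf is normally readable by more than root (check with `ls -l /etc/telegraf/telegraf.conf`). The fragment below is an added example, not the page's own configuration. It assumes the org `test` and bucket `test-bucket` from the page, a bucket ID taken from `influx bucket list`, and the packaged telegraf.service, which loads `/etc/default/telegraf` as an EnvironmentFile; Telegraf expands `${VAR}` references in its config from the environment at start-up.

```toml
# 1. Mint a token that can only write the Telegraf bucket (bucket ID from `influx bucket list`):
#      influx auth create --org test --write-bucket <bucket-id> --description "telegraf write"
#
# 2. Put it in /etc/default/telegraf (chmod 0600, owned by root); telegraf.service loads that file:
#      INFLUX_TOKEN=<token printed by step 1>
#
# 3. /etc/telegraf/telegraf.conf refers to the variable instead of embedding the secret:
[[outputs.influxdb_v2]]
  urls = ["http://127.0.0.1:8086"]
  ## Weak: operator token pasted inline, readable by anyone who can read this file
  # token = "**********************************=="
  ## Corrected: bucket-scoped token injected from the environment
  token = "${INFLUX_TOKEN}"
  organization = "test"
  bucket = "test-bucket"
  timeout = "5s"
```

To check the result without waiting for the service, run one collect-and-write cycle as the telegraf user with the variable exported (`INFLUX_TOKEN=... telegraf --config /etc/telegraf/telegraf.conf --once`); a 401 or 403 from InfluxDB means the token or its bucket scope is wrong, and `influx auth list` should then show the new token with only `write:orgs/.../buckets/<bucket-id>` rather than the operator token's full list.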

 

root@syslogserver:~# influx auth list
ID                      Description     Token                                                                                           User Name       User ID                 Permissions
0abaf03af8aafaa00       bpadmin's Token **************************************************************************************==        admin           0abaf03af8aafaa00       [read:/authorizations write:/authorizations read:/buckets write:/buckets read:/dashboards write:/dashboards read:/orgs write:/orgs read:/sources write:/sources read:/tasks write:/tasks read:/telegrafs write:/telegrafs read:/users write:/users read:/variables write:/variables read:/scrapers write:/scrapers read:/secrets write:/secrets read:/labels write:/labels read:/views write:/views read:/documents write:/documents read:/notificationRules write:/notificationRules read:/notificationEndpoints write:/notificationEndpoints read:/checks write:/checks read:/dbrp write:/dbrp read:/notebooks write:/notebooks read:/annotations write:/annotations read:/remotes write:/remotes read:/replications write:/replications]
root@syslogserver:~#

 


Official site information

https://www.influxdata.com/downloads/

 


 

Installation

These are the commands from the download page. They check the repository key's SHA-256 before importing it (the expected GPG fingerprint is in the comment), and `signed-by=` ties the InfluxData repository to that key. One caveat: a key dropped into /etc/apt/trusted.gpg.d/ is also accepted by apt for every other repository on the system. To limit it to this one repository, store the dearmored key under /etc/apt/keyrings/ instead and point `signed-by=` at that path.

# influxdata-archive_compat.key GPG fingerprint:
#     9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E
wget -q https://repos.influxdata.com/influxdata-archive_compat.key
echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influxdata-archive_compat.key' | sha256sum -c && cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list

sudo apt-get update && sudo apt-get install telegraf

 

root@syslogserver:~# apt install telegraf
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  telegraf
0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
Need to get 60.4 MB of archives.
After this operation, 225 MB of additional disk space will be used.
Get:1 https://repos.influxdata.com/debian stable/main amd64 telegraf amd64 1.30.0-1 [60.4 MB]
Fetched 60.4 MB in 7s (8,265 kB/s)
Selecting previously unselected package telegraf.
(Reading database ... 329648 files and directories currently installed.)
Preparing to unpack .../telegraf_1.30.0-1_amd64.deb ...
Unpacking telegraf (1.30.0-1) ...
Setting up telegraf (1.30.0-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/telegraf.service → /lib/systemd/system/telegraf.service.
root@syslogserver:~# systemctl enable telegraf.service
root@syslogserver:~#

The package already enabled the unit (the "Created symlink" line above), so the second `enable` is a no-op. Enabling does not start the agent: after editing telegraf.conf, check `systemctl status telegraf` and start it with `systemctl start telegraf` (or `systemctl enable --now telegraf`) if it is inactive.

 


Official site information

https://www.influxdata.com/downloads/

 


 

Installation

# influxdata-archive_compat.key GPG fingerprint:
#     9D53 9D90 D332 8DC7 D6C8 D3B9 D8FF 8E1F 7DF8 B07E
wget -q https://repos.influxdata.com/influxdata-archive_compat.key
echo '393e8779c89ac8d958f81f942f9ad7fb82a25e133faddaf92e15b16e6ac9ce4c influxdata-archive_compat.key' | sha256sum -c && cat influxdata-archive_compat.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg > /dev/null
echo 'deb [signed-by=/etc/apt/trusted.gpg.d/influxdata-archive_compat.gpg] https://repos.influxdata.com/debian stable main' | sudo tee /etc/apt/sources.list.d/influxdata.list

sudo apt-get update && sudo apt-get install influxdb2

 

root@syslogserver:~# apt install influxdb2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  influxdb2-cli
The following NEW packages will be installed:
  influxdb2 influxdb2-cli
0 upgraded, 2 newly installed, 0 to remove and 5 not upgraded.
Need to get 11.5 MB/58.9 MB of archives.
After this operation, 133 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://repos.influxdata.com/debian stable/main amd64 influxdb2-cli amd64 2.7.3-1 [11.5 MB]
Fetched 11.5 MB in 2s (5,183 kB/s)
Selecting previously unselected package influxdb2.
(Reading database ... 329632 files and directories currently installed.)
Preparing to unpack .../influxdb2_2.7.5-1_amd64.deb ...
Unpacking influxdb2 (2.7.5-1) ...
Preparing to unpack .../influxdb2-cli_2.7.3-1_amd64.deb ...
Unpacking influxdb2-cli (2.7.3-1) ...
Setting up influxdb2 (2.7.5-1) ...
Synchronizing state of influxdb.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable influxdb
Failed to enable unit: Unit file /etc/systemd/system/influxdb.service is masked.
Setting up influxdb2-cli (2.7.3-1) ...
root@syslogserver:~#
root@syslogserver:~# influxd
2024-03-15T01:52:00.472320Z     info    Welcome to InfluxDB     {"log_id": "0nwxmwr0000", "version": "v2.7.5", "commit": "09a9607fd9", "build_date": "2024-01-05T17:17:04Z", "log_level": "info"}
2024-03-15T01:52:00.759754Z     info    Resources opened        {"log_id": "0nwxmwr0000", "service": "bolt", "path": "/root/.influxdbv2/influxd.bolt"}
2024-03-15T01:52:00.759929Z     info    Resources opened        {"log_id": "0nwxmwr0000", "service": "sqlite", "path": "/root/.influxdbv2/influxd.sqlite"}
2024-03-15T01:52:00.784775Z     info    Bringing up metadata migrations {"log_id": "0nwxmwr0000", "service": "KV migrations", "migration_count": 20}
2024-03-15T01:52:07.466993Z     info    Bringing up metadata migrations {"log_id": "0nwxmwr0000", "service": "SQL migrations", "migration_count": 8}
2024-03-15T01:52:09.607580Z     info    Using data dir  {"log_id": "0nwxmwr0000", "service": "storage-engine", "service": "store", "path": "/root/.influxdbv2/engine/data"}
2024-03-15T01:52:09.607821Z     info    Compaction settings     {"log_id": "0nwxmwr0000", "service": "storage-engine", "service": "store", "max_concurrent_compactions": 2, "throughput_bytes_per_second": 50331648, "throughput_bytes_per_second_burst": 50331648}
2024-03-15T01:52:09.607849Z     info    Open store (start)      {"log_id": "0nwxmwr0000", "service": "storage-engine", "service": "store", "op_name": "tsdb_open", "op_event": "start"}
2024-03-15T01:52:09.607944Z     info    Open store (end)        {"log_id": "0nwxmwr0000", "service": "storage-engine", "service": "store", "op_name": "tsdb_open", "op_event": "end", "op_elapsed": "0.097ms"}
2024-03-15T01:52:09.608023Z     info    Starting retention policy enforcement service   {"log_id": "0nwxmwr0000", "service": "retention", "check_interval": "30m"}
2024-03-15T01:52:09.608050Z     info    Starting precreation service    {"log_id": "0nwxmwr0000", "service": "shard-precreation", "check_interval": "10m", "advance_period": "30m"}
2024-03-15T01:52:09.609422Z     info    Starting query controller       {"log_id": "0nwxmwr0000", "service": "storage-reads", "concurrency_quota": 1024, "initial_memory_bytes_quota_per_query": 9223372036854775807, "memory_bytes_quota_per_query": 9223372036854775807, "max_memory_bytes": 0, "queue_size": 1024}
2024-03-15T01:52:09.612387Z     info    Configuring InfluxQL statement executor (zeros indicate unlimited).     {"log_id": "0nwxmwr0000", "max_select_point": 0, "max_select_series": 0, "max_select_buckets": 0}
2024-03-15T01:52:09.798125Z     info    Starting        {"log_id": "0nwxmwr0000", "service": "telemetry", "interval": "8h"}
2024-03-15T01:52:09.798375Z     info    Listening       {"log_id": "0nwxmwr0000", "service": "tcp-listener", "transport": "http", "addr": ":8086", "port": 8086}

 

Note on the run above: started by hand as root, influxd keeps its bolt, sqlite and engine files under /root/.influxdbv2 (the paths in the log). The systemd unit runs as the influxdb user with its own state directory (/var/lib/influxdb), so that foreground instance and the service do not share data or setup credentials. Stop the foreground process with Ctrl+C before enabling the service, and do the initial setup (admin user, org, bucket, operator token) against the service, not the foreground run.

Registering with systemctl

root@syslogserver:~# systemctl enable --now influxdb.service
Synchronizing state of influxdb.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable influxdb
Created symlink /etc/systemd/system/influxd.service → /lib/systemd/system/influxdb.service.

#I don't know why influxdb.service ends up registered as influxd.service.
root@syslogserver:~# systemctl restart influxd
influxd.service   influxdb.service
root@syslogserver:~#

#Rename it manually.
root@syslogserver:~# mv /etc/systemd/system/influxd.service /etc/systemd/system/influxdb.service
root@syslogserver:~# systemctl restart influxd<Tab>
influxd.service   influxdb.service # still two completions
root@syslogserver:~# systemctl restart influxd^C # press Ctrl+C to abort
root@syslogserver:~# systemctl daemon-reload 
root@syslogserver:~# systemctl restart influxdb.service # now only influxdb.service completes

The second name comes from the unit file itself: the packaged influxdb.service carries `Alias=influxd.service` in its [Install] section (check with `systemctl cat influxdb.service`), and `systemctl enable` creates one symlink per `Alias=` entry next to the WantedBy link. Both names refer to the same unit, so the alias is harmless, and `systemctl enable influxdb` will recreate the link the next time it runs.

 

Web access: http://{ip address}:8086

The first visit runs the initial setup (admin user, org, bucket and the operator token). As the "Listening" line in the log shows, influxd binds :8086 on all interfaces over plain HTTP, so restrict who can reach that port (firewall, or `--http-bind-address 127.0.0.1:8086` when only local clients need it) or enable TLS with `--tls-cert`/`--tls-key` before exposing it beyond the host.

 

root@syslogserver:/etc# cat /etc/group | grep sudo
sudo:x:27:logmgmt,ayaan <- add the users to be allowed to this member list of the sudo group.
root@syslogserver:/etc#

`usermod -aG sudo <user>` makes the same edit without opening /etc/group by hand (the `-a` matters: without it the user's other supplementary groups are dropped). The user has to log in again before the new group membership takes effect.

 


Sharing some material I dug out of my older records.

Since it is old material the UI is no longer current; focus on the source code.

This is the code I ran for monitoring as part of AWS information-security work.

Adjust the source to suit your own situation.

Monitoring architecture

Create a CloudTrail trail

Configure CloudTrail -> CloudWatch Logs -> Lambda log delivery

Lambda settings

The function must be able to receive events from CloudWatch Logs -> Lambda (a subscription filter on the CloudTrail log group that targets the function).

Set the Runtime to Node.js

Source code (adapt it to your own environment!!!)

//------------------------------------------------------------------------------------------------
// Import Library
//------------------------------------------------------------------------------------------------

var https = require('https');
var zlib = require('zlib');

//------------------------------------------------------------------------------------------------
// Prototype Overriding
//------------------------------------------------------------------------------------------------
// Formats a Date using its UTC fields. The caller shifts the instant into KST first, so the
// output does not depend on the time zone of the Lambda runtime.
Date.prototype.format = function(f) {
    if (!this.valueOf()) return " ";

    var weekName = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];
    var d = this;

    return f.replace(/(yyyy|yy|MM|dd|E|HH|hh|mm|ss|a\/p)/g, function($1) {
        switch ($1) {
            case "yyyy": return d.getUTCFullYear();
            case "yy": return (d.getUTCFullYear() % 100).zf(2);
            case "MM": return (d.getUTCMonth() + 1).zf(2);
            case "dd": return d.getUTCDate().zf(2);
            case "E": return weekName[d.getUTCDay()];
            case "HH": return d.getUTCHours().zf(2);
            case "hh": return ((d.getUTCHours() % 12) ? d.getUTCHours() % 12 : 12).zf(2);
            case "mm": return d.getUTCMinutes().zf(2);
            case "ss": return d.getUTCSeconds().zf(2);
            case "a/p": return d.getUTCHours() < 12 ? "AM" : "PM";
            default: return $1;
        }
    });
};

// Zero-fill a number to the given width
Number.prototype.zf = function(len) { return String(this).padStart(len, "0"); };

//------------------------------------------------------------------------------------------------
// Global Variable Define
//------------------------------------------------------------------------------------------------

// Path part of the Slack incoming-webhook URL (everything after https://hooks.slack.com).
// The webhook is a credential: keep it out of the source (for example a Lambda environment
// variable) rather than committing the real value. Left here as the original placeholder.
var SLACK_WEBHOOK_PATH = '???????????????????????????????????????????????????';
var SLACK_CHANNEL = "aws_log";
var ONE_HOUR = 3600000;
var KOREA_OFFSET_HOUR = 9;

//------------------------------------------------------------------------------------------------
// Function Define
//------------------------------------------------------------------------------------------------

// Builds one Slack attachment. The title field is left out on purpose: a message without a
// title reads better in Slack notifications.
function makeSlackAttachment(body, color) {
    return { "text": body, "color": color };
}

// Posts one message to the Slack webhook. Returns a Promise that resolves on a 2xx response
// and rejects on a network error or a non-2xx status.
function sendSlackMessage(attachment, channel) {

    var slackApiBody = {
        "channel": channel,
        "username": "CloudTrail",
        "text": null,
        "icon_emoji": ":cloudtrail:",
        "attachments": [attachment]
    };
    var payload = JSON.stringify(slackApiBody);

    console.log("\n Final body message >>>> " + payload);

    return new Promise(function(resolve, reject) {
        var options = {
            method: 'POST',
            hostname: 'hooks.slack.com',
            port: 443,
            path: SLACK_WEBHOOK_PATH,
            headers: {
                'Content-Type': 'application/json',
                'Content-Length': Buffer.byteLength(payload)
            }
        };

        var req = https.request(options, function(res) {
            var body = '';
            res.setEncoding('utf8');
            res.on('data', function(chunk) { body += chunk; });
            res.on('end', function() {
                if (res.statusCode >= 200 && res.statusCode < 300) {
                    console.log('Slack Message SUCCESS !!');
                    resolve(body);
                } else {
                    reject(new Error('Slack responded ' + res.statusCode + ': ' + body));
                }
            });
        });

        req.on('error', function(e) {
            console.log('problem with request: ' + e.message);
            reject(e);
        });

        req.write(payload);
        req.end();
    });
}

// CloudWatch Logs delivers the records base64-encoded and gzip-compressed; decode before parsing.
// Returns the array of pending Slack requests produced by the contained events.
function cloudWatchUnzip(input) {
    var payload = Buffer.from(input.awslogs.data, 'base64');
    var result = JSON.parse(zlib.gunzipSync(payload).toString('utf8'));

    if (result.logEvents !== undefined) {
        return loopEvents(result.logEvents);
    }
    console.log("\n cloudWatchUnzip Result is >>>> " + JSON.stringify(result));
    console.log("\n cloudWatchUnzip Type Is Not Correct !! [ unexpected Result shape ] !! ");
    return [];
}

// True when any entry in the range array is the whole internet (0.0.0.0/0 or ::/0).
// The caller decides wording and colour by eventName; the eventName test that used to live
// here made RevokeSecurityGroupIngress alerts unreachable.
function ipOpenPublic(ipArray) {
    if (ipArray === undefined) return false;
    for (var j = 0; j < ipArray.length; j++) {
        var targetIp = (ipArray[j].cidrIp !== undefined) ? ipArray[j].cidrIp : ipArray[j].cidrIpv6;
        if (targetIp === "0.0.0.0/0" || targetIp === "::/0") return true;
    }
    return false;
}

// Builds one line per CIDR in the range array and appends them to originMessage
function addMessageFromIpArray(ipArray, originMessage, ipMessageHead, eventName) {
    if (ipArray === undefined) return originMessage;
    for (var j = 0; j < ipArray.length; j++) {
        var cidr = (ipArray[j].cidrIp !== undefined) ? ipArray[j].cidrIp : ipArray[j].cidrIpv6;
        var ipMessage = ipMessageHead + " / Target: " + cidr;

        // Rule open to everyone: add a warning
        if (eventName === "AuthorizeSecurityGroupIngress" && (cidr === "0.0.0.0/0" || cidr === "::/0")) {
            ipMessage = ipMessage + " - check whether the source should be restricted";
        }
        originMessage = addMessage(originMessage, ipMessage);
    }
    return originMessage;
}

// Interprets one CloudTrail record and sends a Slack message per matching event type.
// Returns the array of pending Slack requests so the handler can wait for all of them.
function parsingEvent(log) {
    var sends = [];

    console.log("\n\n Actual event log >> " + JSON.stringify(log) + "\n\n");

    // Common fields. eventTime is ISO-8601 in UTC; shift it by +9h and format with UTC getters.
    var exetime = new Date(Date.parse(log.eventTime) + ONE_HOUR * KOREA_OFFSET_HOUR).format("yyyy-MM-dd a/p hh:mm:ss");
    var sourceip = log.sourceIPAddress;
    var eventName = log.eventName;
    var exeregion = log.awsRegion;
    var userType = (log.userIdentity || {}).type;
    var username = (userType === "IAMUser") ? "Account: " + log.userIdentity.userName + " (" + sourceip + ")" : "Account: Root (" + sourceip + ")";
    var channel = SLACK_CHANNEL;

    // Common message parts
    var headMessage = `${username}`;
    var tailMessage1 = `\n Event Time: ${exetime}`;
    var tailMessage2 = `\n Region: ${exeregion} `;
    var detailMessage = "";

    // Slack message fields
    var slackTitle;
    var slackBody;
    var slackColor = "good";     // danger: red | warning: orange | good: green

    function send(body, color) {
        sends.push(sendSlackMessage(makeSlackAttachment(body, color), channel));
    }

    // Log every Create* call (except the noisy CreateLogStream) for later review
    if (eventName !== undefined && eventName.indexOf('Create') > -1 && eventName !== "CreateLogStream") {
        console.log("Log collected >>>> " + JSON.stringify(log));
    }

    // Failed API calls carry errorCode and a null responseElements; skip them instead of
    // crashing on the null. Failed console logins are reported through responseElements, so
    // ConsoleLogin is exempt.
    if (log.errorCode !== undefined && eventName !== "ConsoleLogin") {
        console.log("Skipping failed call " + eventName + " (" + log.errorCode + ")");
        return sends;
    }

    // Only alert on actions by the root account or IAM users (not roles or services),
    // and only when a channel is configured
    if (channel !== "" && (userType === "Root" || userType === "IAMUser")) {

        // EC2 instances launched / stopped / terminated: one message per instance
        if (eventName === "RunInstances" || eventName === "StopInstances" || eventName === "TerminateInstances") {

            var ec2Label = {
                "RunInstances":       { title: "EC2 instance launched",   color: "good",   verb: "Launched" },
                "StopInstances":      { title: "EC2 instance stopped",    color: "danger", verb: "Stopped" },
                "TerminateInstances": { title: "EC2 instance terminated", color: "danger", verb: "Terminated" }
            }[eventName];
            var instances = log.responseElements.instancesSet.items;

            for (var i = 0; i < instances.length; i++) {
                slackTitle = ec2Label.title;
                slackColor = ec2Label.color;
                detailMessage = `\n ${ec2Label.verb} instance ID: ${instances[i].instanceId} (${exeregion})`;
                slackBody = `${slackTitle} \n` + headMessage + tailMessage1 + detailMessage;
                send(slackBody, slackColor);
            }
        }

        // IAM user created
        else if (eventName === "CreateUser") {
            var createuser = log.responseElements.user.userName;

            slackTitle = "User created";
            slackColor = "good";
            detailMessage = `\n Created User ID: ${createuser} (${exeregion})`;
            slackBody = `${slackTitle} \n` + `User created by ${headMessage}` + tailMessage1 + detailMessage;
            send(slackBody, slackColor);
        }

        // IAM user added to a group
        else if (eventName === "AddUserToGroup") {
            var adduser = log.requestParameters.userName;
            var usergroup = log.requestParameters.groupName;

            slackTitle = "User added to group";
            slackColor = "good";
            detailMessage = `\n User: ${adduser} (${exeregion}) \n User Group: ${usergroup}`;
            slackBody = `${slackTitle} \n` + `Group assigned by ${headMessage}` + tailMessage1 + detailMessage;
            send(slackBody, slackColor);
        }

        // RDS instance created
        else if (eventName === "CreateDBInstance") {
            slackTitle = "RDS created";
            slackColor = "good";
            detailMessage = `\n DB Name: ` + log.responseElements.dBName + ` / DB Engine: ` + log.responseElements.engine;
            slackBody = `${slackTitle} \n` + headMessage + tailMessage1 + tailMessage2 + detailMessage;
            send(slackBody, slackColor);
        }

        // DynamoDB table created
        else if (log.eventSource === "dynamodb.amazonaws.com" && eventName === "CreateTable") {
            slackTitle = "DynamoDB table created";
            slackColor = "good";
            detailMessage = `\n Table Name: ` + log.requestParameters.tableName;
            slackBody = `${slackTitle} \n` + headMessage + tailMessage1 + ` (${exeregion})` + detailMessage;
            send(slackBody, slackColor);
        }

        // ElastiCache cluster created
        else if (log.eventSource === "elasticache.amazonaws.com" && eventName === "CreateCacheCluster") {
            slackTitle = "ElastiCache created";
            slackColor = "good";
            detailMessage = `\n ElastiCache Engine: ` + log.requestParameters.engine;
            slackBody = `${slackTitle} \n` + headMessage + tailMessage1 + ` (${exeregion})` + detailMessage;
            send(slackBody, slackColor);
        }

        // S3 bucket created
        else if (log.eventSource === "s3.amazonaws.com" && eventName === "CreateBucket") {
            slackTitle = "S3 bucket created";
            slackColor = "good";
            detailMessage = `\n S3 Bucket Name: ` + log.requestParameters.bucketName;
            slackBody = `${slackTitle} \n` + headMessage + tailMessage1 + ` (${exeregion})` + detailMessage;
            send(slackBody, slackColor);
        }

        // Console login, success or failure
        else if (eventName === "ConsoleLogin") {
            var loginOk = (log.responseElements !== null && log.responseElements !== undefined && log.responseElements.ConsoleLogin === "Success");

            slackTitle = "AWS Console login " + (loginOk ? "succeeded" : "failed");
            slackColor = loginOk ? "good" : "danger";
            slackBody = `\n ${slackTitle} \n ${username} \n Login time: ${exetime}`;
            send(slackBody, slackColor);
        }

        // Security group ingress rule added or removed while open to the whole internet
        else if (eventName === "AuthorizeSecurityGroupIngress" || eventName === "RevokeSecurityGroupIngress") {
            var perms = log.requestParameters.ipPermissions.items;
            var sgname = log.requestParameters.groupId;

            for (var k = 0; k < perms.length; k++) {
                var toport = perms[k].toPort;
                var ipV4Array = (perms[k].ipRanges || {}).items;
                var ipV6Array = (perms[k].ipv6Ranges || {}).items;
                detailMessage = "";   // do not carry the previous rule's lines into this message

                // Send only when the rule is open to everyone on something other than 80 or 443
                // (toPort is absent for ipProtocol "-1", so all-traffic rules are always reported)
                if (Number(toport) !== 80 && Number(toport) !== 443 && (ipOpenPublic(ipV4Array) || ipOpenPublic(ipV6Array))) {

                    var protocol = perms[k].ipProtocol;
                    var fromport = perms[k].fromPort;
                    var action = (eventName === "AuthorizeSecurityGroupIngress") ? "added / changed" : "removed";
                    var ipMessageFormat = `\n SecurityGroup Name: ${sgname} (${exeregion}) \n Inbound / ${protocol} / ${fromport} -> ${toport}`;

                    detailMessage = addMessageFromIpArray(ipV6Array, detailMessage, ipMessageFormat, eventName);    // IPv6
                    detailMessage = addMessageFromIpArray(ipV4Array, detailMessage, ipMessageFormat, eventName);    // IPv4

                    slackTitle = `Security Group rule ${action}`;
                    slackColor = (eventName === "AuthorizeSecurityGroupIngress") ? "warning" : "good";
                    slackBody = `${slackTitle} \n` + headMessage + detailMessage;
                    send(slackBody, slackColor);
                }
            }
        }

        else {
            console.log("No matching EventName !! >>>> " + JSON.stringify(log));
        }
    }

    return sends;
}

// When the events arrive as an array, parse each one in turn and collect the Slack requests.
function loopEvents(logEvents) {
    var sends = [];

    logEvents.forEach(function(element) {
        if (element.eventName !== undefined) {
            sends = sends.concat(parsingEvent(element));
        } else if (element.message !== undefined) {
            // CloudWatch Logs wraps each CloudTrail record as a JSON string in .message
            console.log("\n element.message is >>>> " + element.message);
            sends = sends.concat(parsingEvent(JSON.parse(element.message)));
        } else {
            console.log("\n element is >>>> " + JSON.stringify(element));
            console.log("\n element Type Is Not Correct !! [ unexpected element shape ] !! ");
        }
    });

    return sends;
}

// Joins a line onto mainMessage, skipping the leading newline when mainMessage is empty
function addMessage(mainMessage, extraMessage) {
    return (mainMessage === "") ? extraMessage : mainMessage + "\n" + extraMessage;
}


//------------------------------------------------------------------------------------------------
// S T A R T !!
//------------------------------------------------------------------------------------------------

// Handler called by Lambda (entry point). Async, so the invocation ends when the returned
// promise settles rather than on the first context.succeed().
exports.handler = async function(input) {

    console.log("\n Lambda Trigger Event Catch !! \n input is >>>> " + JSON.stringify(input));

    var sends = [];

    if (input.Records !== undefined) {
        // A CloudTrail log file has a top-level Records array
        console.log("\n Input from [ S3 ] !! ");
        sends = loopEvents(input.Records);
    } else if (input.awslogs !== undefined && input.awslogs.data !== undefined) {
        console.log("\n Input from [ CloudWatch ] !! ");
        sends = cloudWatchUnzip(input);
    } else if (input.eventName !== undefined) {
        console.log("\n Input from [ JSON TEST ] !! ");
        sends = parsingEvent(input);
    } else {
        console.log("\n Input Type Is Not Correct !! [ unexpected Input shape ] !! ");
    }

    // Wait for every Slack post. Ending the invocation on the first response (the old
    // context.succeed) could freeze the function before the remaining posts were sent.
    var results = await Promise.allSettled(sends);
    var failed = results.filter(function(r) { return r.status === "rejected"; });
    failed.forEach(function(r) { console.log("Slack Message FAIL !! " + r.reason); });

    if (failed.length > 0) {
        throw new Error(failed.length + " of " + results.length + " Slack messages failed");
    }
    return { sent: results.length };
};

 


Registering MIB files (how to put them on ubuntu)

My downloaded files came with a .txt extension.

If yours do too, strip the txt extension before copying, or strip it after moving the files to ubuntu.

1. Windows

C:\Users\test\Downloads>scp .\FORTINET-CORE-MIB.txt .\FORTINET-FORTIGATE-MIB.txt logmgmt@192.168.0.100:~
ID@192.168.0.100's password:
FORTINET-CORE-MIB.txt                                                                 100%   15KB   4.9MB/s   00:00
FORTINET-FORTIGATE-MIB.txt                                                            100%  397KB  24.2MB/s   00:00

C:\Users\test\Downloads>

 

2. ubuntu

logmgmt@syslogserver:~$ ls -al
total 8492
drwxr-x--- 14 logmgmt logmgmt    4096  2월  6 15:55 .
drwxr-xr-x  3 root    root       4096 11월 28 13:53 ..
-rw-------  1 logmgmt logmgmt   43176  2월  6 12:26 .bash_history
-rw-r--r--  1 logmgmt logmgmt     220 11월 28 13:53 .bash_logout
-rw-r--r--  1 logmgmt logmgmt    3771 11월 28 13:53 .bashrc
drwx------ 11 logmgmt logmgmt    4096  1월 12 16:59 .cache
drwx------ 11 logmgmt logmgmt    4096 11월 28 18:07 .config
-rw-------  1 logmgmt logmgmt      20 12월 28 10:44 .lesshst
drwx------  5 logmgmt logmgmt    4096  1월 12 17:15 .local
-rw-r--r--  1 logmgmt logmgmt     807 11월 28 13:53 .profile
-rw-------  1 logmgmt logmgmt       5  1월 12 16:44 .python_history
-rw-r--r--  1 logmgmt logmgmt       0 11월 28 18:04 .sudo_as_admin_successful
-rw-rw-r--  1 logmgmt logmgmt     254 12월 22 17:57 .wget-hsts
-rw-rw-r--  1 logmgmt logmgmt   15309  2월  6 15:55 FORTINET-CORE-MIB.txt
-rw-rw-r--  1 logmgmt logmgmt  406521  2월  6 15:55 FORTINET-FORTIGATE-MIB.txt
-rw-rw-r--  1 logmgmt logmgmt 8134656  1월 15 14:37 elastalert.txt
drwx------  5 logmgmt logmgmt    4096 12월 26 17:51 snap
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 공개
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 다운로드
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 문서
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 바탕화면
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 비디오
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 사진
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 음악
drwxr-xr-x  2 logmgmt logmgmt    4096 11월 28 16:14 템플릿
logmgmt@syslogserver:~$ sudo mv ./FORTINET-CORE-MIB.txt ./FORTINET-FORTIGATE-MIB.txt /usr/share/snmp/mibs/ietf
[sudo] password for logmgmt:
logmgmt@syslogserver:~$ cd /usr/share/snmp/mibs/ietf
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ ls -al | grep FORTINET
-rw-rw-r-- 1 logmgmt logmgmt  15309  2월  6 15:55 FORTINET-CORE-MIB.txt
-rw-rw-r-- 1 logmgmt logmgmt 406521  2월  6 15:55 FORTINET-FORTIGATE-MIB.txt
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ sudo mv ./FORTINET-CORE-MIB.txt ./FORTINET-CORE-MIB
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ sudo mv ./FORTINET-FORTIGATE-MIB.txt ./FORTINET-FORTIGATE-MIB
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ ls -al | grep FORTINET
-rw-rw-r-- 1 logmgmt logmgmt  15309  2월  6 15:55 FORTINET-CORE-MIB
-rw-rw-r-- 1 logmgmt logmgmt 406521  2월  6 15:55 FORTINET-FORTIGATE-MIB
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ sudo chown root:root ./FORTINET-*
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$ ls -al | grep FORTINET
-rw-rw-r-- 1 root root  15309  2월  6 15:55 FORTINET-CORE-MIB
-rw-rw-r-- 1 root root 406521  2월  6 15:55 FORTINET-FORTIGATE-MIB
logmgmt@syslogserver:/usr/share/snmp/mibs/ietf$

 

2.1 Checking the MIB filename: you must remove the extension as in 2.1.3, otherwise you get errors.

2.1.1 When the extension is .txt

root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-CORE-MIB ./FORTINET-CORE-MIB.txt
root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-FORTIGATE-MIB ./FORTINET-FORTIGATE-MIB.txt
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl restart snmp-exporter.service
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl status snmp-exporter.service | more
● snmp-exporter.service - Prometheus SNMP Exporter Service
     Loaded: loaded (/etc/systemd/system/snmp-exporter.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-02-06 15:29:18 KST; 23s ago
   Main PID: 2631842 (snmp_exporter)
      Tasks: 9 (limit: 19052)
     Memory: 10.7M
        CPU: 136ms
     CGroup: /system.slice/snmp-exporter.service
             └─2631842 /usr/local/bin/snmp_exporter --config.file=/opt/snmp_exporter/snmp.yml

 2월 06 15:29:18 syslogserver systemd[1]: Started Prometheus SNMP Exporter Service.
 2월 06 15:29:18 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:18.664Z caller=main.go:194 level=info msg="Starting snmp_exporter" version="(version=0.25.0, branch=HEAD, revision=9c42d6c874d479314e612bca69558c81f8e26287)" concurrency=1
 2월 06 15:29:18 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:18.664Z caller=main.go:195 level=info build_context="(go=go1.21.5, platform=linux/amd64, user=root@880115266f70, date=20231210-10:05:18, tags=netgo)"
 2월 06 15:29:18 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:18.758Z caller=tls_config.go:274 level=info msg="Listening on" address=[::]:9116
 2월 06 15:29:18 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:18.758Z caller=tls_config.go:277 level=info msg="TLS is disabled." http2=false address=[::]:9116
 2월 06 15:29:23 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:23.950Z caller=collector.go:393 level=info auth=public_v2 target=192.168.104.1 module=fortinet_fortigate msg="Error scraping target" err="error walking target 192.168.104.1: marshal: marshalPDU: unable to marshal varbind list: unable to marshal OID: Invalid object identifier"
 2월 06 15:29:38 syslogserver snmp_exporter[2631842]: ts=2024-02-06T06:29:38.952Z caller=collector.go:393 level=info auth=public_v2 target=192.168.104.1 module=fortinet_fortigate msg="Error scraping target" err="error walking target 192.168.104.1: marshal: marshalPDU: unable to marshal varbind list: unable to marshal OID: Invalid object identifier"
root@syslogserver:/usr/share/snmp/mibs/ietf#

 

2.1.2 When the extension is .mib

root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-CORE-MIB.txt ./FORTINET-CORE-MIB.mib
root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-FORTIGATE-MIB.txt ./FORTINET-FORTIGATE-MIB.mib
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl restart snmp-exporter.service
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl status snmp-exporter.service | more
● snmp-exporter.service - Prometheus SNMP Exporter Service
     Loaded: loaded (/etc/systemd/system/snmp-exporter.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-02-06 15:33:20 KST; 3s ago
   Main PID: 2631948 (snmp_exporter)
      Tasks: 8 (limit: 19052)
     Memory: 15.9M
        CPU: 142ms
     CGroup: /system.slice/snmp-exporter.service
             └─2631948 /usr/local/bin/snmp_exporter --config.file=/opt/snmp_exporter/snmp.yml

 2월 06 15:33:20 syslogserver systemd[1]: Started Prometheus SNMP Exporter Service.
 2월 06 15:33:20 syslogserver snmp_exporter[2631948]: ts=2024-02-06T06:33:20.549Z caller=main.go:194 level=info msg="Starting snmp_exporter" version="(version=0.25.0, branch=HEAD, revision=9c42d6c874d479314e612bca69558c81f8e26287)" concurrency=1
 2월 06 15:33:20 syslogserver snmp_exporter[2631948]: ts=2024-02-06T06:33:20.549Z caller=main.go:195 level=info build_context="(go=go1.21.5, platform=linux/amd64, user=root@880115266f70, date=20231210-10:05:18, tags=netgo)"
 2월 06 15:33:20 syslogserver snmp_exporter[2631948]: ts=2024-02-06T06:33:20.667Z caller=tls_config.go:274 level=info msg="Listening on" address=[::]:9116
 2월 06 15:33:20 syslogserver snmp_exporter[2631948]: ts=2024-02-06T06:33:20.667Z caller=tls_config.go:277 level=info msg="TLS is disabled." http2=false address=[::]:9116
 2월 06 15:33:23 syslogserver snmp_exporter[2631948]: ts=2024-02-06T06:33:23.951Z caller=collector.go:393 level=info auth=public_v2 target=192.168.104.1 module=fortinet_fortigate msg="Error scraping target" err="error walking target 192.168.104.1: marshal: marshalPDU: unable to marshal varbind list: unable to marshal OID: Invalid object identifier"
root@syslogserver:/usr/share/snmp/mibs/ietf#

 

2.1.3 With no extension

root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-CORE-MIB.mib ./FORTINET-CORE-MIB
root@syslogserver:/usr/share/snmp/mibs/ietf# mv ./FORTINET-FORTIGATE-MIB.mib ./FORTINET-FORTIGATE-MIB
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl restart snmp-exporter.service
root@syslogserver:/usr/share/snmp/mibs/ietf# systemctl status snmp-exporter.service | more
● snmp-exporter.service - Prometheus SNMP Exporter Service
     Loaded: loaded (/etc/systemd/system/snmp-exporter.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2024-02-06 15:36:57 KST; 6s ago
   Main PID: 2631988 (snmp_exporter)
      Tasks: 8 (limit: 19052)
     Memory: 17.4M
        CPU: 125ms
     CGroup: /system.slice/snmp-exporter.service
             └─2631988 /usr/local/bin/snmp_exporter --config.file=/opt/snmp_exporter/snmp.yml

 2월 06 15:36:57 syslogserver systemd[1]: Started Prometheus SNMP Exporter Service.
 2월 06 15:36:57 syslogserver snmp_exporter[2631988]: ts=2024-02-06T06:36:57.412Z caller=main.go:194 level=info msg="Starting snmp_exporter" version="(version=0.25.0, branch=HEAD, revision=9c42d6c874d479314e612bca69558c81f8e26287)" concurrency=1
 2월 06 15:36:57 syslogserver snmp_exporter[2631988]: ts=2024-02-06T06:36:57.412Z caller=main.go:195 level=info build_context="(go=go1.21.5, platform=linux/amd64, user=root@880115266f70, date=20231210-10:05:18, tags=netgo)"
 2월 06 15:36:57 syslogserver snmp_exporter[2631988]: ts=2024-02-06T06:36:57.507Z caller=tls_config.go:274 level=info msg="Listening on" address=[::]:9116
 2월 06 15:36:57 syslogserver snmp_exporter[2631988]: ts=2024-02-06T06:36:57.507Z caller=tls_config.go:277 level=info msg="TLS is disabled." http2=false address=[::]:9116
root@syslogserver:/usr/share/snmp/mibs/ietf#

 


It's nothing much, but when you don't know it, it's really hard.

I wanted to register a MIB with snmp-exporter, but there was no exact guide on how to do it, so I'm posting this.

 

Downloading the SNMP MIB files from FortiGate

1. SNMP configuration and MIB file download

 

2. Setting the SNMP source-ip

utm # config system snmp community 

utm (community) # show
config system snmp community
    edit 1
        set name "test"
        config hosts
            edit 1
                set source-ip 192.168.0.1
                set ip 192.168.0.2 255.255.255.255
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
    next
end

 

3. Applying the SNMP setting on the interface

 

AD account deletion command

dsrm "cn=홍길동, ou=test, dc=ksm, dc=com"

 
