Real-time user operation Audit System

Summary: The server permissions used by multiple users are difficult to manage and fail due to misoperations. The best way is to record user operations to logs in real time, and pushed to the remote log server. Including the User Logon Time, directory, Operation Command, and timestamp ). For future tracking. ----- This online copy --

Solution: record these operations to a local file, and then collect the logs to the remote log server through fluentd to implement Pseudo Real-Time. As mentioned above, Elasticsearch can be directly stored, and then displayed with kibana for convenience.

To facilitate secondary development, this time the log is stored in mongodb, and of course it can also be stored in mysql (this article will not discuss this)

--------------------

1. Modify the record to a local file first.

(1) Modify/etc/profile

export PROMPT_COMMAND='{ date "+%Y-%m-%d %T $(ifconfig | grep eth -A 1 | grep "192.168" | grep -oP "(?<=addr:)[\d\.]+") $(who am i |awk "{print \$1\" \"\$2\" \"\$3\" \"\$4\" \"\$5}") [`pwd`] $(history 1 | { read x cmd; echo "$cmd"; })"; } >> /var/log/audit.log'

(2) execute source/etc/profile

The content of the file recorded in the local format is as follows:

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/140209/2332553Y5-0.jpg "title =" 11111.jpg" alt = "wKioL1L1xV-wzzrsAAPB0K7Kzew928.jpg"/>

Content format: record time local IP user terminal logon time source directory Execute Command

Note: Other users must have the write permission on audit. log.

2. Collect data to mongodb

The fluentd client configuration is as follows:

<source>  type tail  format /^(?<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) (?<src>[^ ]*) (?<user>[^ ]*) (?<zhongduan>[^ ]*) (?<logintime>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}) \((?<dst>[^ ]*)\) \[(?<pwd>[^\]]*)\] (?<cmd>.*)?$/  path /var/log/audit.log  pos_file /var/log/td-agent/audit.pos  tag mongo.fluent.audit</source>

Fluentd server is similar to the previous article

The content recorded in mongodb is as follows:

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/140209/2332551528-1.jpg "title =" 12312.jpg" alt = "wKioL1L1yHvwTHnbAAMBlanhep8299.jpg"/>

This ends ....

This article from the "TNT, O & M path" blog, please be sure to keep this source http://tntdba.blog.51cto.com/1199791/1357259