Summary: When a server is shared by many users, permissions are hard to manage and misoperations cause failures. The best approach is to record user operations to a log in real time and push it to a remote log server, including the user, logon time, working directory, executed command and timestamp, so that actions can be traced later.
Solution: record these operations to a local file, then collect the log with fluentd and ship it to the remote log server, which gives pseudo real-time collection. As mentioned before, the records can be stored directly in Elasticsearch and displayed with Kibana for convenience.
To make secondary development easier, this time the log is stored in MongoDB; it could equally be stored in MySQL (not covered in this article).
--------------------
1. First, record the operations to a local file.
(1) Edit /etc/profile and add:
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T $(ifconfig | grep eth -A 1 | grep "192.168" | grep -oP "(?<=addr:)[\d\.]+") $(who am i |awk "{print \$1\" \"\$2\" \"\$3\" \"\$4\" \"\$5}") [`pwd`] $(history 1 | { read x cmd; echo "$cmd"; })"; } >> /var/log/audit.log'
(2) Run source /etc/profile
The content of the locally recorded file is shown in a screenshot in the original post (image not reproduced here).
Record format: record time, local IP, user, terminal, logon time, source IP, working directory, executed command.
Note: every audited user must have write permission on /var/log/audit.log; since they can then also modify the file, the copy shipped to the remote log server is the record to rely on.
2. Collect the data into MongoDB
The fluentd client (td-agent) configuration is as follows:
<source>
  type tail
  format /^(?<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) (?<src>[^ ]*) (?<user>[^ ]*) (?<zhongduan>[^ ]*) (?<logintime>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}) \((?<dst>[^ ]*)\) \[(?<pwd>[^\]]*)\] (?<cmd>.*)?$/
  path /var/log/audit.log
  pos_file /var/log/td-agent/audit.pos
  tag mongo.fluent.audit
</source>
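To see what the regexp above extracts from each audit.log line, here is an added Python example (not code from the original post): it applies the same pattern to constructed sample lines in the layout PROMPT_COMMAND writes, separates lines that would not match, and runs a simple query over the parsed records, such as which users ran a command mentioning the audit log itself.

```python
import re
from datetime import datetime

# The fluentd `format` regexp from this page, in Python's (?P<name>...) group syntax.
AUDIT_LINE = re.compile(
    r"^(?P<time>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}) "
    r"(?P<src>[^ ]*) (?P<user>[^ ]*) (?P<zhongduan>[^ ]*) "
    r"(?P<logintime>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}) "
    r"\((?P<dst>[^ ]*)\) \[(?P<pwd>[^\]]*)\] (?P<cmd>.*)?$"
)

def parse_audit_line(line):
    """Return the record fluentd would emit for one audit.log line, or None."""
    m = AUDIT_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"] or ""  # a bare prompt with no command -> ""
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def parse_audit_log(text):
    """Parse every line; returns (records, lines that did not match)."""
    records, unparsed = [], []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed

def users_touching(records, path):
    """Which users ran a command that mentions `path` (e.g. the audit log itself)."""
    return sorted({r["user"] for r in records if path in r["cmd"]})

# Constructed sample lines (not real data) in the layout PROMPT_COMMAND writes:
# record time, local IP, user, terminal, login time, (source IP), [cwd], command.
# The last line is deliberately malformed to show what the regexp would not match.
SAMPLE_LOG = """\
2014-02-09 23:30:01 192.168.1.10 root pts/0 2014-02-09 23:25 (192.168.1.100) [/root] cd /etc
2014-02-09 23:30:05 192.168.1.10 root pts/0 2014-02-09 23:25 (192.168.1.100) [/etc] grep -v "^#" sudoers | awk '{print $1}'
2014-02-09 23:30:09 192.168.1.10 ops pts/1 2014-02-09 23:29 (192.168.1.101) [/home/ops] vi /var/log/audit.log
this line is not in the expected format
"""

if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_LOG)
    print(len(recs), "records parsed,", len(bad), "unparsed")
    print("users who touched the audit log:", users_touching(recs, "/var/log/audit.log"))
```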
The fluentd server configuration is similar to the one in the previous article.
The content recorded in MongoDB is shown in a screenshot in the original post (image not reproduced here).
That's it.
This article is from the "TNT, O & M path" blog; please be sure to keep this source: http://tntdba.blog.51cto.com/1199791/1357259