我已将 SFTP 登录日志启用到默认日志文件中/var/log/syslog,并尝试过滤每个用户的登录时间并将其插入数据库。
但过滤并没有像我预期的那样发挥作用。
示例日志文件:
Jun 23 15:47:03 ip-172-16-0-62 systemd[24938]: Reached target Shutdown.
Jun 23 15:47:03 ip-172-16-0-62 systemd[24938]: Starting Exit the Session..c.
Jun 23 15:47:03 ip-172-16-0-62 systemd[24938]: Received SIGRTMIN+24 from PID 24980 (kill).
Jun 23 15:47:03 ip-172-16-0-62 systemd[1]: Stopped User Manager for UID 1051.
Jun 23 15:47:03 ip-172-16-0-62 systemd[1]: Removed slice User Slice of nidasu.
Jun 23 15:47:13 ip-172-16-0-62 systemd[1]: Created slice User Slice of ftpuser1.
Jun 23 15:47:13 ip-172-16-0-62 systemd[1]: Starting User Manager for UID 1069...
Jun 23 15:47:13 ip-172-16-0-62 systemd[1]: Started Session 11907571 of user ftpuser1.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Listening on REST API socket for snapd user session agent.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Reached target Paths.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Reached target Timers.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Reached target Sockets.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Reached target Basic System.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Reached target Default.
Jun 23 15:47:13 ip-172-16-0-62 systemd[24987]: Startup finished in 15ms.
需要过滤用户登录消息,例如:
Jun 23 15:47:13 ip-172-16-0-62 systemd[1]: Started Session 11907571 of user ftpuser1.
我需要通过匹配字符串“11907571用户的启动会话ftpuser1”来将其取出
会话号11907571是一个随机数,用户名也不同,因此 grepping 可以忽略数字和用户名,只需要检查字符串如:“**”已启动用户 *** 的会话 ***“
并且需要解析该行和grep用户date + time名然后将其插入到MySQL数据库中。
如果有任何选项可以创建一个守护进程来运行并将详细信息插入到数据库中,它将帮助我完成任务。