promtail 采集 /var/log/messages，并在 Loki 侧用 LogQL 配置 SSH 登录失败次数超限告警（同一来源 IP 5 分钟内密码错误超过 10 次）。
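# LogQL for the alert: failed SSH password attempts per (host ip, attacker
# remote_ip) over the last 5 minutes; fires when one pair exceeds 10.
# - The line filter runs before the parser, so only "Failed password" lines
#   are regexp-parsed.
# - "invalid user " is optional: sshd omits it for existing accounts
#   ("Failed password for root from ... port ... ssh2"). With the mandatory
#   form those lines get no remote_ip and all collapse into one unlabelled
#   series, so brute force against real accounts was mis-attributed.
sum by (ip, remote_ip) (
  count_over_time(
    {job="ssh"}
      |= "Failed password"
      | regexp `Failed password for (?:invalid user )?(?P<user>\S+) from (?P<remote_ip>\S+) port (?P<port>\S+) ssh2`
    [5m]
  )
) > 10

# promtail配置文件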
# ip 标签是静态标签（对应下面每个 target 的 labels.ip），用于在查询中区分日志来自哪台主机；remote_ip 则由 LogQL 从日志行中解析出来。
---
server:
  # Port 0 is used here to mean "no HTTP endpoint"; change it to a real port
  # if /metrics or /ready are wanted.
  # NOTE(review): `server: disable: true` is the documented way to switch the
  # listeners off — confirm promtail does not bind an ephemeral port for 0.
  http_listen_port: 0
  grpc_listen_port: 0
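positions:
  # Where promtail persists its read offsets. Keep this out of /tmp: a
  # world-writable directory lets any local user replace or pre-seed the
  # file, and where /tmp is tmpfs or cleaned at boot the offsets are lost,
  # so every log is re-read from the start after a reboot (duplicate
  # entries in Loki). The directory must exist and be writable by the
  # promtail user.
  filename: /var/lib/promtail/positions.yaml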
clients:
  # Unauthenticated plain HTTP is only acceptable while Loki listens on
  # localhost. For a remote Loki use an https URL plus the client auth
  # options (basic_auth / bearer_token) and keep the push endpoint off
  # untrusted networks.
  - url: http://localhost:3100/loki/api/v1/push
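scrape_configs:
  # Job 1: the whole of /var/log/messages, minus debug/info noise.
  - job_name: messages
    static_configs:
      - targets:
          - x.x.x.x
        labels:
          # Static per-host labels; `ip` identifies the source host in queries.
          ip: x.x.x.x
          host_name: '主机名'
          job: messages
          __path__: /var/log/messages
    pipeline_stages:
      # A drop stage without `source` matches `expression` against the raw
      # log line, so this removes lines containing "level=debug"/"level=info"
      # (logfmt-style output from loki/promtail/grafana and the like). No
      # extracted field is involved, so no regex stage is needed before it.
      - drop:
          expression: 'level\=(debug|info)'

  # Job 2: sshd lines only, labelled job="ssh" for the failed-login alert query.
  # NOTE(review): this tails the same file as the `messages` job; confirm
  # promtail keeps separate positions for the two jobs. If it does not,
  # drop this job and filter at query time instead
  # (`{job="messages"} |= "sshd["`).
  - job_name: ssh_failure
    static_configs:
      - targets:
          - x.x.x.x
        labels:
          ip: x.x.x.x
          job: ssh
          __path__: /var/log/messages
    pipeline_stages:
      # A `regex` stage only extracts named capture groups; it never filters,
      # so the former `expression: 'sshd\['` stage passed every line through.
      # Use a match stage with `action: drop` to discard everything that is
      # not an sshd line. This also makes a separate process-name drop list
      # unnecessary.
      - match:
          selector: '{job="ssh"} !~ "sshd\\["'
          action: drop
      # Optional parser, only needed if the fields are used inside the
      # pipeline (e.g. a metrics stage). The group is named remote_ip rather
      # than ip so it cannot clash with the static `ip` label if it is ever
      # promoted with a labels stage.
      # - regex:
      #     expression: 'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<remote_ip>\S+) port (?P<port>\S+) ssh2'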