日志审计脚本#
脚本说明#
日志审计脚本用于审计系统日志,包括登录日志、操作日志、错误日志等。
脚本代码#
#!/bin/bash
# 日志审计脚本
# 功能:审计系统日志
# 作者:System Admin
# 日期:2026-01-01
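set -euo pipefail
# Everything this script creates (report files, its own trail file) carries
# auth-log excerpts and user shell history. Force owner-only permissions on
# new files regardless of the caller's umask.
umask 077

# --- configuration ---------------------------------------------------------
LOG_DIR="/var/log"               # defined for callers/overrides; not referenced by any function below
AUDIT_LOG="/var/log/audit.log"   # this script's own trail; NOT auditd's /var/log/audit/audit.log
REPORT_DIR="/tmp/audit_reports"  # default; override with -r. /tmp is shared by all users — see create_report_dir
TIME_RANGE="24h"                 # set by -t, but no audit function filters on it yet
LOG_TYPE="all"                   # not referenced by any function below

# --- ANSI colours (declared, but no output line below uses them) -------------
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
BLUE='\033[0;34m'
NC='\033[0m'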
# 日志函数
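#######################################
# Print a timestamped message and append it to the trail file.
# Globals:   AUDIT_LOG (read), _AUDIT_LOG_WARNED (written)
# Arguments: $1 - level tag (INFO/ERROR/WARNING); remaining args - message
# Outputs:   the formatted line on stdout (so it is also captured into the
#            report when called inside generate_audit_report)
# Returns:   0 always; a failed append is reported on stderr once, not fatal
#######################################
log() {
  local level=$1
  shift
  local timestamp
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')
  local line="[$timestamp] [$level] $*"
  printf '%s\n' "$line"
  # The original piped through `tee -a "$AUDIT_LOG"`. With `set -o pipefail`
  # that pipeline fails whenever the trail file cannot be opened (not root,
  # read-only /var/log), and `set -e` then kills the script on the very first
  # log call. Append separately, best-effort, and warn a single time.
  if ! printf '%s\n' "$line" >> "$AUDIT_LOG" 2>/dev/null; then
    if [ -z "${_AUDIT_LOG_WARNED:-}" ]; then
      printf '警告: 无法写入审计日志 %s\n' "$AUDIT_LOG" >&2
      _AUDIT_LOG_WARNED=1
    fi
  fi
}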
# Convenience wrapper: log an INFO-level message.
log_info() { log INFO "$@"; }
# Convenience wrapper: log an ERROR-level message.
log_error() { log ERROR "$@"; }
# Convenience wrapper: log a WARNING-level message.
log_warning() { log WARNING "$@"; }
# 创建报告目录
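#######################################
# Ensure REPORT_DIR exists and is safe to write sensitive reports into.
# Globals:   REPORT_DIR (read)
# Returns:   0 if the directory is usable; 1 if it is a symlink or owned by
#            another user
#######################################
create_report_dir() {
  # The default REPORT_DIR is under /tmp, which every local user can write to.
  # If this runs as root, a symlink planted at that path would redirect the
  # reports (auth-log excerpts, shell history) wherever the attacker likes, so
  # refuse symlinks and directories we do not own.
  if [ -L "$REPORT_DIR" ]; then
    log_error "报告目录是符号链接,拒绝使用: $REPORT_DIR"
    return 1
  fi
  if [ ! -d "$REPORT_DIR" ]; then
    # -m applies to the final component only; parents get the current umask.
    mkdir -p -m 700 -- "$REPORT_DIR"
    log_info "创建报告目录: $REPORT_DIR"
  fi
  if [ ! -O "$REPORT_DIR" ]; then
    log_error "报告目录不属于当前用户,拒绝使用: $REPORT_DIR"
    return 1
  fi
}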
# 审计登录日志
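#######################################
# Summarise SSH/PAM authentication activity from the system auth log.
# Arguments: $1 - (optional) auth log to read; default tries
#            /var/log/auth.log (Debian family) then /var/log/secure (RHEL family)
# Outputs:   section text on stdout
# Returns:   1 if no readable auth log is found, else 0
#######################################
audit_login_logs() {
  local auth_log=${1:-}
  log_info "审计登录日志"
  echo "登录日志审计"
  echo "=========="
  if [ -z "$auth_log" ]; then
    auth_log="/var/log/auth.log"
    [ -f "$auth_log" ] || auth_log="/var/log/secure"
  fi
  if [ ! -f "$auth_log" ]; then
    log_error "认证日志文件不存在"
    return 1
  fi
  if [ ! -r "$auth_log" ]; then
    log_error "认证日志文件不可读(需要root权限): $auth_log"
    return 1
  fi
  # Every grep pipeline below ends in `|| true`: under `set -e -o pipefail`
  # a pattern with zero matches makes grep exit 1, which would otherwise abort
  # the whole audit at that point (an empty "failed logins" list is good news,
  # not an error).
  echo ""
  echo "失败的登录尝试:"
  grep -- "Failed password" "$auth_log" | tail -n 20 || true
  echo ""
  echo "成功的登录:"
  grep -- "Accepted" "$auth_log" | tail -n 20 || true
  echo ""
  echo "root登录:"
  # Any line mentioning root: this includes sudo (USER=root) and cron session
  # lines, not only interactive root logins.
  grep -- "root" "$auth_log" | tail -n 20 || true
  echo ""
  echo "sudo使用:"
  grep -- "sudo:" "$auth_log" | tail -n 20 || true
  echo ""
  echo "登录用户统计:"
  # sshd writes "Accepted <method> for <user> from <ip> port <n> ...". Pick the
  # token after "for" instead of fixed column 9, so the count is right with
  # both the classic "Mon dd hh:mm:ss" stamp and the longer ISO/RFC3339 one.
  grep -- "Accepted" "$auth_log" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "for") { print $(i + 1); break } }' \
    | sort | uniq -c | sort -rn || true
}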
# 审计系统日志
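#######################################
# Show recent errors/warnings from syslog, plus the tail of the kernel and
# messages logs when present.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_system_logs() {
  log_info "审计系统日志"
  echo ""
  echo "系统日志审计"
  echo "=========="
  # `|| true` / `|| log_warning` on every reader: under `set -e -o pipefail`
  # a grep with no matches or an unreadable file would otherwise abort the run.
  if [ -f "/var/log/syslog" ]; then
    echo ""
    echo "最近的系统错误:"
    grep -i -- "error" /var/log/syslog | tail -n 20 || true
    echo ""
    echo "最近的系统警告:"
    grep -i -- "warning" /var/log/syslog | tail -n 20 || true
  elif command -v journalctl >/dev/null 2>&1; then
    # journald-only hosts (no rsyslog) have no /var/log/syslog at all; read
    # the journal so the section is not silently empty.
    echo ""
    echo "最近的系统错误 (journalctl):"
    journalctl -p err -n 20 --no-pager 2>/dev/null || true
    echo ""
    echo "最近的系统警告 (journalctl):"
    journalctl -p warning..warning -n 20 --no-pager 2>/dev/null || true
  fi
  if [ -f "/var/log/kern.log" ]; then
    echo ""
    echo "内核日志:"
    tail -n 20 /var/log/kern.log || log_warning "无法读取(需要root权限): /var/log/kern.log"
  fi
  if [ -f "/var/log/messages" ]; then
    echo ""
    echo "系统消息:"
    tail -n 20 /var/log/messages || log_warning "无法读取(需要root权限): /var/log/messages"
  fi
}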
# 审计应用日志
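#######################################
# Tail Nginx, Apache and MySQL logs when present, with a top-10 client
# address ranking for Nginx.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_application_logs() {
  log_info "审计应用日志"
  echo ""
  echo "应用日志审计"
  echo "=========="
  # Nginx
  if [ -f "/var/log/nginx/access.log" ]; then
    echo ""
    echo "Nginx访问日志:"
    tail -n 20 /var/log/nginx/access.log || log_warning "无法读取: /var/log/nginx/access.log"
    # The original tailed error.log unconditionally once access.log existed;
    # a host with access.log but no error.log then failed the tail and, under
    # set -e, the whole audit.
    if [ -f "/var/log/nginx/error.log" ]; then
      echo ""
      echo "Nginx错误日志:"
      tail -n 20 /var/log/nginx/error.log || log_warning "无法读取: /var/log/nginx/error.log"
    fi
    echo ""
    echo "访问量统计:"
    # Field 1 is the remote address in the default "combined" log_format.
    # Behind a reverse proxy or load balancer it is the proxy's address, not
    # the client's — confirm the log_format before reading this as a list of
    # talkative clients.
    awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -n 10 || true
  fi
  # Apache
  if [ -f "/var/log/apache2/access.log" ]; then
    echo ""
    echo "Apache访问日志:"
    tail -n 20 /var/log/apache2/access.log || log_warning "无法读取: /var/log/apache2/access.log"
    if [ -f "/var/log/apache2/error.log" ]; then
      echo ""
      echo "Apache错误日志:"
      tail -n 20 /var/log/apache2/error.log || log_warning "无法读取: /var/log/apache2/error.log"
    fi
  fi
  # MySQL
  if [ -f "/var/log/mysql/error.log" ]; then
    echo ""
    echo "MySQL错误日志:"
    tail -n 20 /var/log/mysql/error.log || log_warning "无法读取: /var/log/mysql/error.log"
  fi
}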
# 审计安全日志
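#######################################
# Tail the RHEL auth log, the ufw firewall log and auditd's log when present.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_security_logs() {
  log_info "审计安全日志"
  echo ""
  echo "安全日志审计"
  echo "=========="
  # /var/log/secure is the RHEL-family auth log (the same file
  # audit_login_logs falls back to); it does not exist on Debian-family hosts.
  if [ -f "/var/log/secure" ]; then
    echo ""
    echo "安全日志:"
    tail -n 20 /var/log/secure || log_warning "无法读取(需要root权限): /var/log/secure"
  fi
  if [ -f "/var/log/ufw.log" ]; then
    echo ""
    echo "防火墙日志:"
    tail -n 20 /var/log/ufw.log || log_warning "无法读取(需要root权限): /var/log/ufw.log"
  fi
  # /var/log/audit/audit.log is auditd's log. SELinux AVC denials are written
  # there, but so is every other audit record (syscalls, logins, rule
  # changes), so the label below is narrower than the content. ausearch -m avc
  # / aureport are the proper readers; tail is only a peek at the newest lines.
  if [ -f "/var/log/audit/audit.log" ]; then
    echo ""
    echo "SELinux日志:"
    tail -n 20 /var/log/audit/audit.log || log_warning "无法读取(需要root权限): /var/log/audit/audit.log"
  fi
}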
# 审计操作日志
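#######################################
# Show the tail of root's and each /home user's bash history, plus the cron
# log when present.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_operation_logs() {
  log_info "审计操作日志"
  echo ""
  echo "操作日志审计"
  echo "=========="
  # NOTE: ~/.bash_history is owned and writable by the user it describes. It
  # can be edited, emptied (history -c, HISTSIZE=0) or never written at all
  # (HISTFILE unset, shell killed). Treat it as a hint, not evidence; auditd
  # execve rules or a session recorder give a trail the user cannot rewrite.
  # It also frequently contains secrets typed on command lines, and these
  # excerpts end up in the report file — keep REPORT_DIR permissions tight.
  echo ""
  echo "root命令历史:"
  if [ -f "/root/.bash_history" ]; then
    tail -n 20 /root/.bash_history || log_warning "无法读取(需要root权限): /root/.bash_history"
  fi
  # Only /home/* is scanned; accounts whose home is elsewhere (/var/lib/...,
  # /srv/...) are not covered. An unmatched glob stays the literal pattern,
  # which the -f test rejects.
  local user_home
  for user_home in /home/*; do
    if [ -f "$user_home/.bash_history" ]; then
      echo ""
      echo "${user_home##*/} 命令历史:"
      tail -n 20 -- "$user_home/.bash_history" \
        || log_warning "无法读取(需要root权限): $user_home/.bash_history"
    fi
  done
  # /var/log/cron is the RHEL-family path; Debian logs cron into syslog.
  if [ -f "/var/log/cron" ]; then
    echo ""
    echo "Cron日志:"
    tail -n 20 /var/log/cron || log_warning "无法读取(需要root权限): /var/log/cron"
  fi
}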
# 审计网络日志
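#######################################
# Show established connections, TCP listeners and recent DNS query lines.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_network_logs() {
  log_info "审计网络日志"
  echo ""
  echo "网络日志审计"
  echo "=========="
  # netstat (net-tools) is frequently absent on current distributions. Under
  # set -e -o pipefail a missing netstat aborted the whole run here; fall back
  # to ss (iproute2) and only warn when neither exists.
  echo ""
  echo "当前网络连接:"
  if command -v netstat >/dev/null 2>&1; then
    netstat -an | grep ESTABLISHED | head -n 20 || true
  elif command -v ss >/dev/null 2>&1; then
    ss -tan state established | head -n 20 || true
  else
    log_warning "netstat 和 ss 均不可用,跳过网络连接检查"
  fi
  echo ""
  echo "监听端口:"
  # Filtering on LISTEN keeps only TCP: UDP sockets have no LISTEN state, so
  # netstat -tuln | grep LISTEN never shows them. The ss branch uses -tln to
  # match; add -u (and drop the grep) if UDP listeners should be reported.
  if command -v netstat >/dev/null 2>&1; then
    netstat -tuln | grep LISTEN || true
  elif command -v ss >/dev/null 2>&1; then
    ss -tln || true
  fi
  # "query" matches dnsmasq/BIND query logging in syslog; with
  # systemd-resolved or query logging disabled this list is empty.
  if [ -f "/var/log/syslog" ]; then
    echo ""
    echo "最近的DNS查询:"
    grep -- "query" /var/log/syslog | tail -n 20 || true
  fi
}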
# 审计文件访问日志
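#######################################
# Keyword search for file-change and identity-file mentions in syslog and
# the auth log.
# Outputs:   section text on stdout
# Returns:   0
#######################################
audit_file_access_logs() {
  log_info "审计文件访问日志"
  echo ""
  echo "文件访问日志审计"
  echo "=========="
  # NOTE: syslog does not record file access. This grep only surfaces daemons
  # that happen to log the words modify/change/delete. A real trail for
  # sensitive files needs auditd watch rules, e.g.
  #   -w /etc/passwd -p wa -k identity
  #   -w /etc/shadow -p wa -k identity
  #   -w /etc/sudoers -p wa -k identity
  # read back with `ausearch -k identity`.
  if [ -f "/var/log/syslog" ]; then
    echo ""
    echo "最近的文件修改:"
    grep -i -E -- "modify|change|delete" /var/log/syslog | tail -n 20 || true
  fi
  echo ""
  echo "重要文件访问:"
  # Choose the auth log that exists instead of chaining greps with ||: in the
  # original, auth.log existing but having no matches fell through to
  # /var/log/secure, and zero matches in both aborted the script under set -e.
  local auth_log=""
  if [ -f /var/log/auth.log ]; then
    auth_log=/var/log/auth.log
  elif [ -f /var/log/secure ]; then
    auth_log=/var/log/secure
  fi
  if [ -n "$auth_log" ]; then
    # Matches PAM/passwd/chage/visudo/sudo lines that name these files; it is
    # still a keyword hit list, not an access log.
    grep -E -- "passwd|shadow|sudoers" "$auth_log" 2>/dev/null | tail -n 20 || true
  fi
}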
# 生成审计报告
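#######################################
# Run every audit section and write the combined output to a timestamped
# report file under REPORT_DIR.
# Globals:   REPORT_DIR (read)
# Outputs:   log lines on stdout; the report itself goes to the file
# Returns:   1 if the report file could not be created, else 0
#######################################
generate_audit_report() {
  log_info "生成审计报告"
  create_report_dir
  local timestamp
  timestamp=$(date +%Y%m%d_%H%M%S)
  local report_file="$REPORT_DIR/audit_report_${timestamp}.txt"
  local os_name
  # No `cat |`; a missing /etc/os-release simply yields "unknown".
  os_name=$(grep PRETTY_NAME /etc/os-release 2>/dev/null | cut -d= -f2 | tr -d '"') || os_name="unknown"
  # The report holds auth-log excerpts and shell history. Write it owner-only
  # (umask 077) and with noclobber, so an already-existing file — or a symlink
  # planted at the predictable name inside a shared REPORT_DIR — makes the open
  # fail (O_EXCL) instead of being followed or overwritten. The subshell scopes
  # both settings to this write. Because the subshell is the condition of an
  # `if`, set -e is suspended inside it: one failing section no longer
  # truncates the report, the remaining sections still run.
  if ! (
    umask 077
    set -o noclobber
    {
      echo "日志审计报告"
      echo "=========="
      echo "审计时间: $(date)"
      echo "主机名: $(hostname)"
      echo "操作系统: $os_name"
      echo "内核版本: $(uname -r)"
      echo ""
      audit_login_logs
      audit_system_logs
      audit_application_logs
      audit_security_logs
      audit_operation_logs
      audit_network_logs
      audit_file_access_logs
      echo ""
      echo "审计完成"
      echo "========"
      echo "报告生成时间: $(date)"
    } > "$report_file"
  ); then
    log_error "无法写入审计报告: $report_file"
    return 1
  fi
  log_info "审计报告已生成: $report_file"
}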
# 搜索日志
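#######################################
# grep a keyword (a regex, as grep's default) in one log file or all of /var/log.
# Arguments: $1 - pattern; $2 - (optional) file to search, else /var/log/ recursively
# Outputs:   at most 50 matching lines on stdout
# Returns:   0 (no matches is not an error)
#######################################
search_logs() {
  local keyword=$1
  # ${2:-} so a single-argument call does not trip `set -u`.
  local log_file=${2:-}
  log_info "搜索日志: $keyword"
  # `--` ends option parsing: a keyword beginning with "-" is then a pattern,
  # not a grep flag. `|| true` keeps a zero-match result from aborting the
  # script under set -e -o pipefail.
  if [ -z "$log_file" ]; then
    # -r does not follow symlinks inside the tree (-R would). stderr is hidden
    # because permission errors under /var/log are expected for non-root.
    grep -r -- "$keyword" /var/log/ 2>/dev/null | head -n 50 || true
  else
    grep -- "$keyword" "$log_file" 2>/dev/null | head -n 50 || true
  fi
}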
# 统计日志
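#######################################
# Print size and keyword-hit counts for one log file.
# Arguments: $1 - log file path
# Outputs:   statistics on stdout
# Returns:   1 if the file is missing or unreadable, else 0
#######################################
count_logs() {
  local log_file=$1
  log_info "统计日志: $log_file"
  if [ ! -f "$log_file" ]; then
    log_error "日志文件不存在: $log_file"
    return 1
  fi
  if [ ! -r "$log_file" ]; then
    log_error "日志文件不可读(需要root权限): $log_file"
    return 1
  fi
  echo "日志统计"
  echo "========"
  echo "文件: $log_file"
  echo "总行数: $(wc -l < "$log_file")"
  echo "文件大小: $(du -h -- "$log_file" | cut -f1)"
  echo ""
  # grep -c counts matching lines directly. It exits 1 when the count is 0
  # but still prints "0", and a failing command substitution does not change
  # echo's status, so this is safe under set -e. The counts are substring
  # matches ("failure", "Warning: ..." all count).
  echo "错误数量: $(grep -c -i -- "error" "$log_file")"
  echo "警告数量: $(grep -c -i -- "warning" "$log_file")"
  echo "失败数量: $(grep -c -i -- "fail" "$log_file")"
}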
# 清理旧日志
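#######################################
# Delete *.log files older than N days below a directory (default /var/log).
# Arguments: $1 - age in days, positive integer; $2 - (optional) root directory
# Returns:   1 on an invalid age or missing directory, else 0
#######################################
cleanup_old_logs() {
  local days=$1
  local base_dir=${2:-/var/log}
  # `find -mtime +$days` with an empty or non-numeric value errors out, and the
  # original hid that behind 2>/dev/null || true, so a typo "succeeded"
  # silently. Insist on a positive integer: 0 means "older than one day" and
  # would wipe essentially every log on the host.
  case "$days" in
    ''|*[!0-9]*)
      log_error "天数必须为正整数: '$days'"
      return 1
      ;;
  esac
  if [ "$days" -lt 1 ]; then
    log_error "天数必须为正整数: '$days'"
    return 1
  fi
  if [ ! -d "$base_dir" ]; then
    log_error "目录不存在: $base_dir"
    return 1
  fi
  log_info "清理 $days 天前的日志"
  # NOTE: this is a hard delete, not rotation. With the default root it also
  # removes /var/log/audit/*.log (the original ran a second find there, which
  # the recursive walk already covers) — deleting auditd's trail conflicts with
  # most retention requirements; prefer logrotate / auditd max_log_file_action
  # on production hosts. -type f skips symlinks, so a planted link cannot
  # redirect the delete. Permission errors stay visible on stderr.
  find "$base_dir" -name "*.log" -type f -mtime +"$days" -delete \
    || log_warning "部分日志未能删除,请检查权限"
  log_info "旧日志清理完成"
}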
# 显示帮助
# Print usage, options, sub-commands and examples. One here-doc instead of a
# run of echo calls; $0 is expanded exactly as before.
show_help() {
  cat <<EOF
用法: $0 [选项] <命令> [参数]

选项:
 -r <目录> 报告目录(默认: /tmp/audit_reports)
 -t <时间> 时间范围(默认: 24h)
 -h 显示帮助信息

命令:
 all 执行完整审计(默认)
 login 审计登录日志
 system 审计系统日志
 application 审计应用日志
 security 审计安全日志
 operation 审计操作日志
 network 审计网络日志
 file 审计文件访问日志
 search <关键词> 搜索日志
 count <文件> 统计日志
 cleanup <天数> 清理旧日志

示例:
 $0
 $0 all
 $0 login
 $0 search "error"
 $0 count /var/log/auth.log
 $0 cleanup 30
EOF
}
# 主函数
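#######################################
# Parse options, pick the sub-command and dispatch to the matching function.
# Globals:   REPORT_DIR, TIME_RANGE (written from -r / -t), COMMAND (written)
# Arguments: "$@" - [-r dir] [-t range] [-h] [command [args...]]
# Returns:   exit status of the dispatched function; exits 1 on usage errors
#######################################
main() {
  local opt
  # Leading ":" selects getopts' silent mode so this script reports bad or
  # incomplete options itself. (The original logged "$opt" on error, which in
  # that branch is always just "?".)
  while getopts ":r:t:h" opt; do
    case "$opt" in
      r)
        REPORT_DIR="$OPTARG"
        log_info "报告目录: $REPORT_DIR"
        ;;
      t)
        TIME_RANGE="$OPTARG"
        log_info "时间范围: $TIME_RANGE"
        # Nothing reads TIME_RANGE: every audit function tails a fixed number
        # of lines. Say so, or the operator may believe the report was
        # restricted to this window.
        log_warning "时间范围选项尚未实现,本次审计不会按 $TIME_RANGE 过滤"
        ;;
      h)
        show_help
        exit 0
        ;;
      :)
        log_error "选项 -$OPTARG 缺少参数"
        show_help
        exit 1
        ;;
      *)
        log_error "无效选项: -$OPTARG"
        show_help
        exit 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  # First remaining word is the sub-command; none means the full report.
  if [ $# -eq 0 ]; then
    COMMAND="all"
  else
    COMMAND=$1
    shift
  fi

  case "$COMMAND" in
    all)         generate_audit_report ;;
    login)       audit_login_logs ;;
    system)      audit_system_logs ;;
    application) audit_application_logs ;;
    security)    audit_security_logs ;;
    operation)   audit_operation_logs ;;
    network)     audit_network_logs ;;
    file)        audit_file_access_logs ;;
    search)
      if [ $# -eq 0 ]; then
        log_error "缺少搜索关键词"
        show_help
        exit 1
      fi
      # The file argument is optional; pass "" rather than an unset positional
      # so set -u is not tripped.
      search_logs "$1" "${2:-}"
      ;;
    count)
      if [ $# -eq 0 ]; then
        log_error "缺少日志文件"
        show_help
        exit 1
      fi
      count_logs "$1"
      ;;
    cleanup)
      if [ $# -eq 0 ]; then
        log_error "缺少天数参数"
        show_help
        exit 1
      fi
      cleanup_old_logs "$1"
      ;;
    *)
      log_error "无效的命令: $COMMAND"
      show_help
      exit 1
      ;;
  esac
}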
# 执行主函数
main "$@"
使用说明#
添加执行权限:
chmod +x log_audit.sh
基本用法:
# 执行完整审计
./log_audit.sh
# 审计登录日志
./log_audit.sh login
# 审计系统日志
./log_audit.sh system
# 审计应用日志
./log_audit.sh application
高级用法:
# 搜索日志
./log_audit.sh search "error"
# 统计日志
./log_audit.sh count /var/log/auth.log
# 清理旧日志
./log_audit.sh cleanup 30
# 指定报告目录
./log_audit.sh -r /custom/reports all
功能特点#
- 登录日志审计
- 系统日志审计
- 应用日志审计
- 安全日志审计
- 操作日志审计
- 网络日志审计
- 文件访问日志审计
- 日志搜索
- 日志统计
- 旧日志清理
依赖项#
- grep: 用于日志搜索
- awk: 用于日志处理
- netstat: 用于网络检查
注意事项#
- 需要root权限访问某些日志
- 日志文件路径可能因系统而异
- 搜索大量日志可能需要较长时间
- 清理操作不可逆,且会一并删除 /var/log/audit 下的 auditd 日志文件,请谨慎使用
- 报告文件包含认证日志摘录和用户命令历史等敏感内容,默认写入 /tmp 下的报告目录,请妥善限制报告目录的访问权限
- 建议定期备份重要日志