Prometheus exporter for collecting metrics from the Linux auth.log file.

The exporter provides a metric `authlog_events_total`, which contains the number of auth events grouped by event type, user and IP address. The exporter can also resolve the location of IP addresses found in auth.log if a geoIP database is specified.
Example metrics:

```
# HELP authlog_events_total The total number of auth events by user and IP addresses
# TYPE authlog_events_total counter
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="invalidUser",ipAddress="12.123.12.123",user="support"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="notAllowedUser",ipAddress="12.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="notAllowedUser",ipAddress="12.123.123.1",user="root"} 5
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authFailed",ipAddress="123.123.12.12",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authFailed",ipAddress="123.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="connectionClosed",ipAddress="123.123.12.12",user="testuser"} 1
```

If a geoIP database is specified:

```
# HELP authlog_events_total The total number of auth events by user and IP addresses
# TYPE authlog_events_total counter
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="invalidUser",ipAddress="12.123.12.123",user="support"} 1
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="notAllowedUser",ipAddress="12.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="notAllowedUser",ipAddress="12.123.123.1",user="root"} 5
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authFailed",ipAddress="123.123.12.12",user="root"} 1
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authFailed",ipAddress="123.123.12.123",user="root"} 1
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="connectionClosed",ipAddress="123.123.12.12",user="testuser"} 1
```
Prefix regexp (matched against the start of every line before the event patterns are applied):

```
^(?P<date>[A-Z][a-z]{2}\\s+\\d{1,2}) (?P<time>(\\d{2}:?){3}) (?P<host>[a-zA-Z0-9_\\-\\.]+) (?P<ident>[a-zA-Z0-9_\\-]+)(\\[(?P<pid>\\d+)\\])?:
```

Collecting events:

| Event type | Regexp for search event |
|---|---|
| authAccepted | `Accepted (password\|publickey) for (?P<user>.*) from (?P<ipAddress>.*) port ` |
| authFailed | `Failed (password\|publickey) for (invalid user )?(?P<user>.*) from (?P<ipAddress>.*) port ` |
| invalidUser | `Invalid user (?P<user>.*) from (?P<ipAddress>.*) port ` |
| notAllowedUser | `User (?P<user>.*) from (?P<ipAddress>.*) not allowed because ` |
| connectionClosed | `Connection closed by authenticating user (?P<user>.*) (?P<ipAddress>.*) port ` |
| sudoIncorrectPasswordAttempts | `[ ]+(?P<user>.*) : (?P<attempts>\\d+) incorrect password attempts ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)` |
| sudoNotInSudoers | `[ ]+(?P<user>.*) : user NOT in sudoers ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)` |
| sudoSucceeded | `[ ]+(?P<user>.*) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)` |
| suSucceeded | `\\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)` |
| suFailed | `FAILED SU \\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)` |
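To show how the prefix regexp and the sshd event patterns above combine into the `(eventType, user, ipAddress)` label set of `authlog_events_total`, here is a small stand-alone Go program (added here; it is not the exporter's own code). It assumes patterns are tried in table order with the first match winning, covers only the sshd subset, and feeds constructed log lines rather than a real auth.log.

```go
package main

import ("fmt"; "regexp")

// Syslog prefix pattern from the README, as a Go raw string (single backslashes).
var prefixRe = regexp.MustCompile(`^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>(\d{2}:?){3}) (?P<host>[a-zA-Z0-9_\-\.]+) (?P<ident>[a-zA-Z0-9_\-]+)(\[(?P<pid>\d+)\])?:`)
// sshd event patterns from the README table, tried in order; the first match wins (assumption).
var events = []struct{ name string; re *regexp.Regexp }{
	{"authAccepted", regexp.MustCompile(`Accepted (password|publickey) for (?P<user>.*) from (?P<ipAddress>.*) port `)},
	{"authFailed", regexp.MustCompile(`Failed (password|publickey) for (invalid user )?(?P<user>.*) from (?P<ipAddress>.*) port `)},
	{"invalidUser", regexp.MustCompile(`Invalid user (?P<user>.*) from (?P<ipAddress>.*) port `)},
	{"notAllowedUser", regexp.MustCompile(`User (?P<user>.*) from (?P<ipAddress>.*) not allowed because `)},
}
// Key mirrors the non-geo labels of authlog_events_total.
type Key struct{ EventType, User, IP string }

// ParseLine classifies one line; ok is false without a syslog prefix or a matching event.
func ParseLine(line string) (Key, bool) {
	if p := prefixRe.FindStringIndex(line); p != nil {
		for _, ev := range events {
			if m := ev.re.FindStringSubmatch(line[p[1]:]); m != nil {
				return Key{ev.name, m[ev.re.SubexpIndex("user")], m[ev.re.SubexpIndex("ipAddress")]}, true
			}
		}
	}
	return Key{}, false
}

// CountEvents aggregates lines into counter values keyed by (eventType, user, ipAddress).
func CountEvents(lines []string) map[Key]int {
	counts := map[Key]int{}
	for _, l := range lines {
		if k, ok := ParseLine(l); ok {
			counts[k]++
		}
	}
	return counts
}

func main() {
	// Constructed sample lines; the CRON line has a valid prefix but matches no event.
	for k, n := range CountEvents([]string{
		"Jan 12 10:00:01 host1 sshd[1234]: Accepted password for testuser from 123.123.12.12 port 22222 ssh2",
		"Jan 12 10:00:06 host1 sshd[1236]: Failed password for invalid user admin from 12.123.12.123 port 33333 ssh2",
		"Jan 12 10:00:07 host1 sshd[1237]: User root from 12.123.123.1 not allowed because not listed in AllowUsers",
		"Jan 12 10:00:09 host1 CRON[1238]: pam_unix(cron:session): session opened for user root by (uid=0)",
	}) {
		fmt.Printf("authlog_events_total{eventType=%q,ipAddress=%q,user=%q} %d\n", k.EventType, k.IP, k.User, n)
	}
}
```

Lines without the syslog prefix or without a known event (the CRON line) are dropped rather than counted, which is why unrelated PAM noise does not inflate the counter.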
```
git clone https://github.com/woblerr/authlog_exporter.git
cd authlog_exporter
make build
./authlog_exporter <flags>
```
By default, metrics are collected from /var/log/auth.log and are available at http://localhost:9991/metrics. This means that the user who runs authlog_exporter must have read permission on the file /var/log/auth.log. You can change the log file location with the `--auth.log` flag.

For geoIP analysis you need to specify the `--geo.type` flag: `db` for a local geoIP database file, `url` for a geoIP database API. For local geoIP database usage you also need to specify the `--geo.db` flag (path to the geoIP database file).

The `--web.config.file` flag allows you to specify the path to the configuration for TLS and/or basic authentication. The description of TLS configuration and basic authentication can be found at exporter-toolkit/web.
Available configuration flags:

```
./authlog_exporter --help
usage: authlog_exporter [<flags>]
Flags:
-h, --[no-]help Show context-sensitive help (also try --help-long and --help-man).
--auth.log="/var/log/auth.log"
Path to auth.log.
--web.endpoint="/metrics" Endpoint used for metrics.
--web.listen-address=:9991 ...
Addresses on which to expose metrics and web interface. Repeatable for multiple addresses.
--web.config.file="" Path to configuration file that can enable TLS or authentication. See:
https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md
--geo.db="" Path to geoIP database file.
--geo.lang="en" Output language format.
--geo.timeout=2 Timeout in seconds for waiting response from geoIP database API.
--geo.type="" Type of geoIP database: db, url.
--geo.url="https://reallyfreegeoip.org/json/"
URL for geoIP database API.
--[no-]metric.hideip Set this flag to hide IPs in the output and therefore drastically reduce the amount of metrics published.
--[no-]metric.hideuser Set this flag to hide user accounts in the output and therefore drastically reduce the amount of metrics published.
--log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error]
--log.format=logfmt Output format of log messages. One of: [logfmt, json]
```
To resolve the location of IP addresses found in the log from a local geoIP database you need to download the free GeoLite2-City database. The geoip2-golang library is used for reading the GeoLite2 database.

```
./authlog_exporter --geo.type db --geo.db /path/to/GeoLite2-City.mmdb
```

You can specify the output language (default `en`):

```
./authlog_exporter --geo.type db --geo.db /path/to/GeoLite2-City.mmdb --geo.lang ru
```

Metric example:

```
authlog_events_total{cityName="Пекин",countryName="Китай",countyISOCode="CN",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
```

To resolve the location of IP addresses using the external API https://reallyfreegeoip.org:

```
./authlog_exporter --geo.type url
```

Be aware that the API may have a limit on requests per hour. See the API documentation.
Run tests:

```
make test
```

For building and running on a test log:

```
make run-test
```
- Register authlog_exporter (already built; if not, run `make build` first) as a systemd service:

  ```
  make prepare-service
  ```

  Validate the prepared file authlog_exporter.service and run:

  ```
  sudo make install-service
  ```

- View service logs:

  ```
  journalctl -u authlog_exporter.service
  ```

- Delete the systemd service:

  ```
  sudo make remove-service
  ```

Manual registration of the systemd service:

```
cp authlog_exporter.service.template authlog_exporter.service
```

In the file authlog_exporter.service replace /usr/bin with the full path to authlog_exporter.

```
sudo cp authlog_exporter.service /etc/systemd/system/authlog_exporter.service
sudo systemctl daemon-reload
sudo systemctl enable authlog_exporter.service
sudo systemctl restart authlog_exporter.service
systemctl -l status authlog_exporter.service
```
Be aware that the user who runs the docker container must have read permission on the file /var/log/auth.log. Otherwise, the container won't start.

- Build the container:

  ```
  make docker-build
  ```

  or manually:

  ```
  docker build -f Dockerfile -t authlog_exporter .
  ```

- Run the container:

  ```
  make docker-run
  ```

  or manually:

  ```
  docker run -d --restart=always \
  --name authlog_exporter \
  -p 9991:9991 \
  -v /var/log/auth.log:/log/auth.log:ro \
  -u $(id -u):$(id -g) \
  authlog_exporter \
  --auth.log /log/auth.log
  ```
You can use the already prepared rpm/deb package to install the exporter. Only the authlog_exporter binary and the service file are installed by the package.

For example:

```
rpm -ql authlog_exporter
/etc/systemd/system/authlog_exporter.service
/usr/bin/authlog_exporter
```