Prometheus exporter for collecting metrics from linux auth.log file.
The client provides a metric authlog_events_total which contains the number of auth events group by event type, user and ip address. Client also could analyze the location of IP addresses found in auth.log if geoIP database is specified.
Example metrics:
# HELP authlog_events_total The total number of auth events by user and IP addresses
# TYPE authlog_events_total counter
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="invalidUser",ipAddress="12.123.12.123",user="support"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="notAllowedUser",ipAddress="12.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="notAllowedUser",ipAddress="12.123.123.1",user="root"} 5
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authFailed",ipAddress="123.123.12.12",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="authFailed",ipAddress="123.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="",countyISOCode="",eventType="connectionClosed",ipAddress="123.123.12.12",user="testuser"} 1
If geoIP database is specified:
# HELP authlog_events_total The total number of auth events by user and IP addresses
# TYPE authlog_events_total counter
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="invalidUser",ipAddress="12.123.12.123",user="support"} 1
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="notAllowedUser",ipAddress="12.123.12.123",user="root"} 1
authlog_events_total{cityName="",countryName="United States",countyISOCode="US",eventType="notAllowedUser",ipAddress="12.123.123.1",user="root"} 5
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authFailed",ipAddress="123.123.12.12",user="root"} 1
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="authFailed",ipAddress="123.123.12.123",user="root"} 1
authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",eventType="connectionClosed",ipAddress="123.123.12.12",user="testuser"} 1
Prefix regexp:
^(?P<date>[A-Z][a-z]{2}\\s+\\d{1,2}) (?P<time>(\\d{2}:?){3}) (?P<host>[a-zA-Z0-9_\\-\\.]+) (?P<ident>[a-zA-Z0-9_\\-]+)(\\[(?P<pid>\\d+)\\])?:
Collecting events:
| Event type | Regexp for search event |
|---|---|
| authAccepted | Accepted (password|publickey) for (?P<user>.*) from (?P<ipAddress>.*) port |
| authFailed | Failed (password|publickey) for (invalid user )?(?P<user>.*) from (?P<ipAddress>.*) port |
| invalidUser | Invalid user (?P<user>.*) from (?P<ipAddress>.*) port |
| notAllowedUser | User (?P<user>.*) from (?P<ipAddress>.*) not allowed because |
| connectionClosed | Connection closed by authenticating user (?P<user>.*) (?P<ipAddress>.*) port |
git clone https://github.com/woblerr/authlog_exporter.git
cd authlog_exporter
make build
./authlog_exporter <flags>By default, metrics will be collecting from /var/log/auth.log and will be available at http://localhost:9991/metrics.
This means that the user who runs authlog_exporter should have read permission to file /var/log/auth.log.
You can changed log file location by using the--auth.log flag.
For geoIP analyze you need to specify --geo.type flag:
db- for local geoIP database file,url- for geoIP database API.
For local geoIP database usage you also need specify --geo.db flag (path to geoIP database file).
The flag --web.config.file allows to specify the path to the configuration for TLS and/or basic authentication.
The description of TLS configuration and basic authentication can be found at exporter-toolkit/web.
Available configuration flags:
./authlog_exporter --help
usage: authlog_exporter [<flags>]
Flags:
-h, --[no-]help Show context-sensitive help (also try --help-long and --help-man).
--auth.log="/var/log/auth.log"
Path to auth.log.
--web.endpoint="/metrics" Endpoint used for metrics.
--web.listen-address=:9991 ...
Addresses on which to expose metrics and web interface. Repeatable for multiple addresses.
--web.config.file="" [EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.
--geo.db="" Path to geoIP database file.
--geo.lang="en" Output language format.
--geo.timeout=2 Timeout in seconds for waiting response from geoIP database API.
--geo.type="" Type of geoIP database: db, url.
--geo.url="https://reallyfreegeoip.org/json/"
URL for geoIP database API.
--[no-]metric.hideip Set this flag to hide IPs in the output and therefore drastically reduce the amount of metrics
published.
--[no-]metric.hideuser Set this flag to hide user accounts in the output and therefore drastically reduce the amount of metrics
published.
--log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error]
--log.format=logfmt Output format of log messages. One of: [logfmt, json]To analyze IP addresses location found in the log from local geoIP database you need to free download: GeoLite2-City.
The library geoip2-golang is used for reading the GeoLite2 database.
./authlog_exporter --geo.type db --geo.db /path/to/GeoLite2-City.mmdbУou can specify output language (default en):
./authlog_exporter --geo.type db --geo.db /path/to/GeoLite2-City.mmdb --geo.lang ruMetric example:
authlog_events_total{cityName="Пекин",countryName="Китай",countyISOCode="CN",eventType="authAccepted",ipAddress="123.123.12.12",user="testuser"} 2
To analyze IP addresses location using external API https://reallyfreegeoip.org:
./authlog_exporter --geo.type urlBe aware that API may have a limit of requests per hour. See API documentation.
make testFor building and running on test log:
make run-test- Register
authlog_exporter(already builded, if not - execmake buildbefore) as a systemd service:
make prepare-serviceValidate prepared file authlog_exporter.service and run:
sudo make install-service- View service logs:
journalctl -u authlog_exporter.service- Delete systemd service:
sudo make remove-serviceManual register systemd service:
cp authlog_exporter.service.template authlog_exporter.serviceIn file authlog_exporter.service replace /usr/bin to full path to authlog_exporter.
sudo cp authlog_exporter.service /etc/systemd/system/authlog_exporter.service
sudo systemctl daemon-reload
sudo systemctl enable authlog_exporter.service
sudo systemctl restart authlog_exporter.service
systemctl -l status authlog_exporter.serviceBe aware that user who runs docker container should have read permission to file /var/log/auth.log. Otherwise, the container won't start.
- Build container:
make docker-buildor manual:
docker build -f Dockerfile -t authlog_exporter.- Run container
make docker-runor manual:
docker run -d --restart=always \
--name authlog_exporter \
-p 9991:9991 \
-v /var/log/auth.log:/log/auth.log:ro \
-u $(id -u):$(id -g) \
authlog_exporter \
--auth.log /log/auth.logYou can use the already prepared rpm/deb package to install the exporter. Only the authlog_exporter binary and the service file are installed by package.
For example:
rpm -ql authlog_exporter
/etc/systemd/system/authlog_exporter.service
/usr/bin/authlog_exporter