@YogSottot
Created January 31, 2025 10:49
ssh login template
zabbix_export:
  version: '7.0'
  template_groups:
    - uuid: 6bdf2c96bf374172a0e108c0e1ddb355
      name: 'Линукс Сервера/Linux servers'
  templates:
    - uuid: b2f90633a77c4b618d61797170349cb4
      template: 'SSH Auth'
      name: 'SSH auth.log'
      groups:
        - name: 'Линукс Сервера/Linux servers'
      items:
        - uuid: 0c4baad562514abe95ed78c1af45fc80
          name: 'SSH auth'
          type: ZABBIX_ACTIVE
          key: 'log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"]'
          history: 30d
          value_type: LOG
          trends: '0'
          description: |
            Элемент данных SSH auth, с ключом log[/var/log/auth,»^.*sshd.*(Accepted|closed|Button).*»,,,,,] и типом данных — Журнал (лог)
            Выводим все строки которые начинаются на sshd и содержат один из перечисленных параметров Accepted|closed|Button
          tags:
            - tag: Application
              value: SSH
          triggers:
            - uuid: e17453232f854669818879a92c6bef83
              expression: 'find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","Accepted")=1'
              name: 'SSH auth {HOST.NAME1} {{ITEM.VALUE}.iregsub("Accepted (?:password|publickey) for (.*)port", "\1")}'
              status: DISABLED
              priority: INFO
              description: 'Открыта Сессия {HOST.NAME1} {{ITEM.VALUE}.iregsub("Accepted password for (.*)port", "\1")}'
              manual_close: 'YES'
            - uuid: c0d81de738f645bd953884599072e1bb
              expression: |
                find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","Accepted")=1 and
                (last(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1)<>last(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#2))=1 and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","preauth")=0) and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"regexp","({$SSH_IP_IGNORE})")=0) and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"regexp","({$SSH_USER_IGNORE})")=0)
              recovery_mode: RECOVERY_EXPRESSION
              recovery_expression: |
                find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","closed")=1 or
                find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","Received")=1 and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"like","preauth")=0) and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"regexp","({$SSH_IP_IGNORE})")=0) and
                (find(/SSH Auth/log[{$SSH_LOG},"^.*sshd.*(Accepted|closed|Received).*"],#1,"regexp","({$SSH_USER_IGNORE})")=0)
              correlation_mode: TAG_VALUE
              correlation_tag: 'session-Deb.Ubu-{{ITEM.VALUE}.iregsub("\[(.*)\]:", "\1")}{{ITEM.VALUE}.iregsub("(Received .*)", "\1")}'
              name: 'SSH auth {HOST.NAME1} {{ITEM.VALUE}.iregsub("Accepted (?:password|publickey) for (.*)port", "\1")}'
              priority: INFO
              description: |
                Открыта Сессия {HOST.NAME1} {{ITEM.VALUE}.iregsub("Accepted password for (.*)port", "\1")}
                Тег для перезагрузки выкидывает все сессии - {{ITEM.VALUE}.iregsub("(Button .*)", "\1")}
              type: MULTIPLE
              manual_close: 'YES'
              tags:
                - tag: 'session-Deb.Ubu-{{ITEM.VALUE}.iregsub("\[(.*)\]:", "\1")}'
                - tag: '{{ITEM.VALUE}.iregsub("(Received .*)", "\1")}'
        - uuid: 85c90660f16b438bb7304a163c7110f5
          name: 'SSH auth 1'
          type: ZABBIX_ACTIVE
          key: 'log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"]'
          history: 30d
          value_type: LOG
          trends: '0'
          status: DISABLED
          description: 'Элемент данных SSH auth, с ключом log[/var/log/auth,»^.*systemd-logind.*(New|Removed|Button).*»,,,,,] и типом данных — Журнал (лог)'
          tags:
            - tag: Application
              value: SSH
          triggers:
            - uuid: fe445ca4aa3b4a2aa852509e11ccc226
              expression: |
                find(/SSH Auth/log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"],#1,"like","New session")=1 and
                (last(/SSH Auth/log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"],#1)<>last(/SSH Auth/log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"],#2))=1
              recovery_mode: RECOVERY_EXPRESSION
              recovery_expression: |
                find(/SSH Auth/log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"],#1,"like","Removed session")=1 or
                find(/SSH Auth/log[{$SSH_LOG},"^.*systemd-logind.*(New|Removed|Button).*"],#1,"like","Button")=1
              correlation_mode: TAG_VALUE
              correlation_tag: 'session-Deb.Ubu{{ITEM.VALUE}.iregsub("session ([0-9]+)( of|.)", "\1")}{{ITEM.VALUE}.iregsub("^.*(Button).*", "\1")}'
              name: 'SSH auth {HOST.NAME1} {{ITEM.VALUE}.iregsub("(session .*)", "\1")}'
              status: DISABLED
              priority: INFO
              description: 'Открыта сессия {HOST.NAME1} {{ITEM.VALUE}.iregsub("(session .*)", "\1")}'
              type: MULTIPLE
              manual_close: 'YES'
              tags:
                - tag: 'session-Deb.Ubu{{ITEM.VALUE}.iregsub("session ([0-9]+)( of|.)", "\1")}'
                - tag: '{{ITEM.VALUE}.iregsub("^.*(Button).*", "\1")}'
      macros:
        - macro: '{$SSH_IP_IGNORE}'
          value: 1\.1\.1\.1|2\.2\.2\.2
          description: 'ignore ip list, | separated without spaces, with backslashes'
        - macro: '{$SSH_LOG}'
          value: /var/log/auth.log
          description: 'path to ssh-log'
        - macro: '{$SSH_USER_IGNORE}'
          description: 'ignore user list, | separated'
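To see what the template's item filter, problem expression, recovery expression and correlation tag do to real log traffic, here is an added Python replay of that logic over a constructed auth.log sample. It is not part of the gist and not Zabbix code; the function names and the log lines are my own. It reuses the gist's own patterns (the `^.*sshd.*(Accepted|closed|Received).*` item filter, the `Accepted (?:password|publickey) for (.*)port` name macro, the `\[(.*)\]:` correlation key and the shipped `{$SSH_IP_IGNORE}` value) and simplifies in two places: the correlation key is the sshd PID alone (the template also appends the `Received ...` text), and an empty ignore list is treated as matching nothing. That second point is a caveat worth knowing: with `{$SSH_USER_IGNORE}` left empty, as the template ships it, the pattern `({$SSH_USER_IGNORE})` expands to `()`, which matches every line, so the `=0` test is never true and the session trigger never fires; `template_ignore_hits` reproduces that literal behaviour so it can be seen.

```python
import re

# Patterns taken from the gist's template (item key filter, trigger name macro, correlation tag).
ITEM_FILTER = re.compile(r"^.*sshd.*(Accepted|closed|Received).*")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (.*)port", re.IGNORECASE)  # iregsub
PID_RE = re.compile(r"\[(.*)\]:")   # "sshd[12345]:" -> "12345"

# Shipped value of {$SSH_IP_IGNORE} from the template's macros section.
DEFAULT_IP_IGNORE = r"1\.1\.1\.1|2\.2\.2\.2"

# Constructed sample of Debian/Ubuntu auth.log lines (not from the gist or any real host).
# The "Received disconnect" line comes from the post-auth child PID, the pam_unix "session
# closed" line from the same PID that logged "Accepted"; that is why the PID is the key.
SAMPLE_LOG = """\
Jan 31 10:49:01 host sshd[12345]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEY
Jan 31 10:49:01 host sshd[12345]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Jan 31 10:49:01 host systemd-logind[600]: New session 42 of user alice.
Jan 31 10:50:00 host sshd[12350]: Received disconnect from 203.0.113.5 port 51234:11: disconnected by user
Jan 31 10:50:00 host sshd[12345]: pam_unix(sshd:session): session closed for user alice
Jan 31 10:51:00 host sshd[12400]: Accepted password for bob from 1.1.1.1 port 40000 ssh2
Jan 31 10:52:00 host sshd[12401]: Accepted password for svc-backup from 198.51.100.7 port 40001 ssh2
Jan 31 10:53:00 host sshd[12500]: Connection closed by authenticating user root 198.51.100.9 port 4444 [preauth]
"""


def template_ignore_hits(line: str, ignore_list: str) -> bool:
    """Literal reproduction of find(...,"regexp","({$SSH_..._IGNORE})") after macro expansion.

    With an empty macro the pattern collapses to '()', which matches any line, so the
    trigger's '=0' comparison is never true and no session alert is raised at all.
    """
    return re.search(f"({ignore_list})", line) is not None


def compile_ignore(ignore_list: str):
    """Safer variant (hypothetical, not what the template does): empty list matches nothing."""
    return re.compile(f"({ignore_list})") if ignore_list else None


def correlate(log_text: str, ip_ignore: str = DEFAULT_IP_IGNORE, user_ignore: str = ""):
    """Replay the template's problem / recovery / correlation logic over raw log lines.

    Returns (events, open_sessions): events as (state, correlation_tag, who) tuples in
    log order, open_sessions as {correlation_tag: who} for sessions with no recovery yet.
    """
    ignores = [rx for rx in (compile_ignore(ip_ignore), compile_ignore(user_ignore)) if rx]
    open_sessions = {}
    events = []
    for line in log_text.splitlines():
        if not ITEM_FILTER.search(line):
            continue                      # the agent never ships this line (item key filter)
        if "preauth" in line:
            continue                      # aborted/failed logins, excluded by the trigger
        if any(rx.search(line) for rx in ignores):
            continue                      # {$SSH_IP_IGNORE} / {$SSH_USER_IGNORE}
        pid = PID_RE.search(line)
        tag = f"session-Deb.Ubu-{pid.group(1) if pid else ''}"   # correlation_tag (PID part)
        accepted = ACCEPTED_RE.search(line)
        if accepted:                      # problem expression: "Accepted" line
            who = accepted.group(1).strip()
            open_sessions[tag] = who
            events.append(("PROBLEM", tag, who))
        elif "closed" in line or "Received" in line:   # recovery expression
            who = open_sessions.pop(tag, None)
            if who is not None:           # closes only the problem carrying the same tag
                events.append(("OK", tag, who))
    return events, open_sessions


if __name__ == "__main__":
    for state, tag, who in correlate(SAMPLE_LOG)[0]:
        print(state, tag, who)
```

Running the file prints one PROBLEM/OK pair for alice's session (keyed by PID 12345; the "Received disconnect" line from PID 12350 recovers nothing, exactly as the tag correlation intends) and an unresolved PROBLEM for svc-backup; bob's login from 1.1.1.1 is dropped by the shipped IP ignore list, and the root `[preauth]` line never becomes an event. Passing `user_ignore="svc-backup"` suppresses the last problem, which is the job `{$SSH_USER_IGNORE}` is meant to do once it has a value.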
@YogSottot (Author)

usermod -aG adm zabbix

or

chgrp zabbix /var/log/auth.log
chmod 640 /var/log/auth.log
