
 I. Introduction to the strace command

 Screenshots of the test commands

The first window executes the following command.

[root@elk ~]# w
 16:51:56 up 3 days,  6:01,  3 users,  load average: 0.04, 0.07, 0.11
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.118.83   10:38    6:09m  0.05s  0.05s -bash
root     pts/1    192.168.118.30   11:45    4.00s  0.11s  0.10s -bash
root     pts/2    192.168.118.30   16:41    3:24   0.05s  0.05s -bash
[root@elk ~]# ps -ef|grep ssh
root       875     1  0 Aug10 ?        00:00:00 /usr/sbin/sshd -D
root      7191   875  0 16:41 ?        00:00:00 sshd: root@pts/2
root      7507 24446  0 16:47 pts/1    00:00:00 grep --color=auto ssh
root     20957   875  0 10:38 ?        00:00:00 sshd: root@pts/0
root     24444   875  0 11:45 ?        00:00:00 sshd: root@pts/1
[root@elk ~]# strace -f -p 24444 -t -o trace.log
strace: Process 24444 attached

 Operations in the second window

[root@elk conf]# cd
[root@elk ~]# ll
total 8
-rw-------. 1 root root 1002 Aug  2 17:18 anaconda-ks.cfg
-rw-r--r--  1 root root  842 Aug 13 16:47 trace.log
[root@elk ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      875/sshd
tcp6       0      0 :::4002                 :::*                    LISTEN      14808/java
tcp6       0      0 :::4102                 :::*                    LISTEN      14808/java
tcp6       0      0 :::9200                 :::*                    LISTEN      5207/java
tcp6       0      0 :::9300                 :::*                    LISTEN      5207/java
tcp6       0      0 :::22                   :::*                    LISTEN      875/sshd
tcp6       0      0 :::8090                 :::*                    LISTEN      14808/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           819/dhclient
[root@elk ~]# top
top - 16:47:37 up 3 days,  5:57,  3 users,  load average: 0.06, 0.08, 0.12
Tasks: 101 total,   2 running,  99 sleeping,   0 stopped,   0 zombie
%Cpu(s):  5.9 us,  5.9 sy,  0.0 ni, 88.2 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 18136232 total, 14974344 free,  1835300 used,  1326588 buff/cache
KiB Swap:  8388604 total,  8388604 free,        0 used. 15926016 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
    1 root      20   0   51616   3760   2568 S  0.0  0.0   1:01.66 systemd
    2 root      20   0       0      0      0 S  0.0  0.0   0:00.06 kthreadd
    3 root      20   0       0      0      0 S  0.0  0.0   0:02.01 ksoftirqd/0
    5 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 kworker/0:0H
    7 root      rt   0       0      0      0 S  0.0  0.0   0:00.00 migration/0
    8 root      20   0       0      0      0 S  0.0  0.0   0:00.00 rcu_bh
    9 root      20   0       0      0      0 S  0.0  0.0   0:17.93 rcu_sched
   10 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 lru-add-drain
   11 root      rt   0       0      0      0 S  0.0  0.0   0:02.32 watchdog/0
[root@elk ~]# ll
total 8
-rw-------. 1 root root 1002 Aug  2 17:18 anaconda-ks.cfg
-rw-r--r--  1 root root  842 Aug 13 16:47 trace.log
[root@elk ~]# cd /usr/local/
[root@elk local]# ll
total 4
drwxr-xr-x.  2 root root    6 Apr 11 12:59 bin
drwxr-xr-x  15 root root  154 Aug 13 11:53 ccb-client
drwxr-xr-x.  2 root root    6 Apr 11 12:59 etc
drwxr-xr-x.  2 root root    6 Apr 11 12:59 games
drwxr-xr-x.  2 root root    6 Apr 11 12:59 include
drwxr-xr-x   8 1014 3409   63 Mar 21  2016 jdk1.8.0_77
drwxr-xr-x.  2 root root    6 Apr 11 12:59 lib
drwxr-xr-x.  2 root root    6 Apr 11 12:59 lib64
drwxr-xr-x.  2 root root    6 Apr 11 12:59 libexec
drwxr-xr-x.  2 root root    6 Apr 11 12:59 sbin
drwxr-xr-x.  5 root root   46 Apr 11 12:59 share
drwxr-xr-x.  2 root root   51 Aug  2 17:28 src
[root@elk local]# cd ..
[root@elk usr]# vim /etc/hosts

 Log tracking file trace.log

[root@elk ~]# cat trace.log
24444 16:47:21 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:47:21 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:47:21 clock_gettime(CLOCK_BOOTTIME, {280620, 614943888}) = 0
24444 16:47:21 read(12, "strace: Process 24444 attached\r\n", 16384) = 32
24444 16:47:21 clock_gettime(CLOCK_BOOTTIME, {280620, 615243828}) = 0
24444 16:47:21 select(13, [3 5 12], [3], NULL, NULL) = 1 (out [3])
24444 16:47:21 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:47:21 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:47:21 clock_gettime(CLOCK_BOOTTIME, {280620, 615599914}) = 0
24444 16:47:21 write(3, "\0\0\0000\237h\n^\203\203\210\363\233\250T:\243\314\303\212a\\\214\264\274q\332\314\347h\v&"..., 84) = 84
24444 16:47:21 clock_gettime(CLOCK_BOOTTIME, {280620, 615804167}) = 0
24444 16:47:21 select(13, [3 5 12], [], NULL, NULL) = 1 (in [3])
24444 16:48:11 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:48:11 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:48:11 clock_gettime(CLOCK_BOOTTIME, {280671, 239232964}) = 0
24444 16:48:11 read(3, "\0\0\0\20\256\365;\234\241\327\376A\265M!\311\257p\304\257\34\301\262\376\222\231\241\1774(\353\347"..., 16384) = 52
24444 16:48:11 clock_gettime(CLOCK_BOOTTIME, {280671, 239559322}) = 0
24444 16:48:11 select(13, [3 5 12], [], NULL, NULL) = 1 (in [3])
24444 16:49:12 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:49:12 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:49:12 clock_gettime(CLOCK_BOOTTIME, {280731, 254936108}) = 0
24444 16:49:12 read(3, "\0\0\0\20\177jU\316\211!5\256\305F\236\4g\16\317\237\302\234\333D\337v\365\3020W\311|"..., 16384) = 52
24444 16:49:12 clock_gettime(CLOCK_BOOTTIME, {280731, 255319942}) = 0
24444 16:49:12 select(13, [3 5 12], [], NULL, NULL) = 1 (in [3])
24444 16:50:12 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:50:12 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:50:12 clock_gettime(CLOCK_BOOTTIME, {280791, 266306720}) = 0
24444 16:50:12 read(3, "\0\0\0\20\203\372\262\354\\\263\322$\242\266\6`\347\271\27\254\224\261i3\250\212\33R\371\"\"\242"..., 16384) = 52
24444 16:50:12 clock_gettime(CLOCK_BOOTTIME, {280791, 266653313}) = 0
24444 16:50:12 select(13, [3 5 12], [], NULL, NULL) = 1 (in [3])
24444 16:51:12 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:51:12 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:51:12 clock_gettime(CLOCK_BOOTTIME, {280851, 280884675}) = 0
24444 16:51:12 read(3, "\0\0\0\20R\260XK\253\233\3\31\321\223\265w\275\335\366\t\277\f\3574\v:\227\276\360s\336K"..., 16384) = 52
24444 16:51:12 clock_gettime(CLOCK_BOOTTIME, {280851, 281262652}) = 0
24444 16:51:12 select(13, [3 5 12], [], NULL, NULL) = 1 (in [3])
24444 16:51:53 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:51:53 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:51:53 clock_gettime(CLOCK_BOOTTIME, {280892, 379224898}) = 0
24444 16:51:53 read(3, "\0\0\0\20\303c\231;\233\2427\273\31\260\277\33\350@\250\3n\344vT\241\351\276\347x\304\363\233"..., 16384) = 52
24444 16:51:53 clock_gettime(CLOCK_BOOTTIME, {280892, 379519032}) = 0
24444 16:51:53 select(13, [3 5 12], [8], NULL, NULL) = 1 (out [8])
24444 16:51:53 rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
24444 16:51:53 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
24444 16:51:53 clock_gettime(CLOCK_BOOTTIME, {280892, 379862413}) = 0
24444 16:51:53 write(8, "\3", 1 <detached ...>

 After filtering, what is left?

[root@elk ~]# cat trace.log |grep 'write(3'
24444 16:47:21 write(3, "\0\0\0000\237h\n^\203\203\210\363\233\250T:\243\314\303\212a\\\214\264\274q\332\314\347h\v&"..., 84) = 84
[root@elk ~]# cat trace.log |grep 'read(3'
24444 16:48:11 read(3, "\0\0\0\20\256\365;\234\241\327\376A\265M!\311\257p\304\257\34\301\262\376\222\231\241\1774(\353\347"..., 16384) = 52
24444 16:49:12 read(3, "\0\0\0\20\177jU\316\211!5\256\305F\236\4g\16\317\237\302\234\333D\337v\365\3020W\311|"..., 16384) = 52
24444 16:50:12 read(3, "\0\0\0\20\203\372\262\354\\\263\322$\242\266\6`\347\271\27\254\224\261i3\250\212\33R\371\"\"\242"..., 16384) = 52
24444 16:51:12 read(3, "\0\0\0\20R\260XK\253\233\3\31\321\223\265w\275\335\366\t\277\f\3574\v:\227\276\360s\336K"..., 16384) = 52
24444 16:51:53 read(3, "\0\0\0\20\303c\231;\233\2427\273\31\260\277\33\350@\250\3n\344vT\241\351\276\347x\304\363\233"..., 16384) = 52

II. Directory structure

III. Implementation code

1、Log parsing

import re


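class AuditLogHandler(object):
    '''Reconstruct the commands typed in an ssh session from its strace log.

    The log is the output of ``strace -f -p <sshd pid> -t -o <file>``: one
    syscall per line, ``<pid> <HH:MM:SS> <call>(<fd>, "<data>", ...) = <ret>``.
    Keystrokes arrive as ``read(4, "<char>", 1)`` lines and the shell's echo
    of tab-completion / history recall as ``write(5, "<text>", n)`` lines.

    Note that the trace contains every byte the user typed, so the log file
    itself is as sensitive as the session it records.
    '''

    # Terminal escape sequences exactly as strace prints them.  strace writes
    # the escapes as literal text (backslash followed by digits), so the
    # Python literals need a doubled backslash.
    _KEY_MARKERS = {
        '"\\177",': '[1<-del]',                      # backspace
        '"\\33OB",': '[down 1]',                     # vim: down arrow
        '"\\33OA",': '[up 1]',                       # vim: up arrow
        '"\\33OC",': '[-> 1]',                       # vim: right arrow
        '"\\33OD",': '[1<-]',                        # vim: left arrow
        '"\\33[>1;95;0c",': '[----enter vim mode-----]',
        '"\\33[A",': '[up 1]',                       # shell: previous command
        '"\\33[B",': '[down 1]',                     # shell: next command
        '"\\33[C",': '[-> 1]',                       # shell: cursor right
        '"\\33[D",': '[1<-]',                        # shell: cursor left
    }
    # Keys after which the shell writes the recalled history entry on fd 5.
    _HISTORY_KEYS = frozenset(['"\\33[A",', '"\\33[B",'])

    def __init__(self, log_file):
        '''Open ``log_file`` (a path) for reading; ``parse`` closes it.'''
        self.log_file_obj = self._get_file(log_file)

    def _get_file(self, log_file):
        '''Return an open file object for ``log_file``.'''
        return open(log_file)

    def parse(self):
        '''Walk the log once and return ``[[time, command], ...]``.

        Each entry is recorded when a carriage return is read; ``time`` is the
        strace timestamp of that read.  Every entry is also printed to stdout.
        Lines that do not have at least four whitespace-separated fields are
        reported on stdout and skipped.  The underlying file is closed when
        this method returns, so it can only be called once per instance.
        '''
        cmd_list = []
        cmd_str = ''
        # True after a tab or history key: the next write(5 ...) carries the
        # text the shell filled in (or a BEL if there was nothing to fill).
        catch_write5_flag = False
        with self.log_file_obj as log:
            for raw_line in log:
                fields = raw_line.split()
                try:
                    pid, time_clock, io_call, char = fields[0:4]
                except ValueError as e:
                    print("\033[031;1mSession log record err, please contact your IT admin, ITM", e)
                    continue
                if io_call.startswith('read(4'):
                    if char == '"\\33[2;2R",':
                        # Cursor-position reply sent by the terminal, not a keystroke.
                        continue
                    if char == '"\\r",':
                        # Enter: the command is complete.  The "\r" text itself is
                        # not part of the command, so it is not appended.
                        cmd_list.append([time_clock, cmd_str])
                        cmd_str = ''
                        continue
                    if char == '"\\t",':
                        # Tab: wait for the completion echoed on fd 5.
                        catch_write5_flag = True
                        continue
                    if char in self._HISTORY_KEYS:
                        catch_write5_flag = True
                    if char == '"':
                        # split() turned `" "` into `"` and `",`, i.e. a space key.
                        cmd_str += ' '
                    else:
                        cmd_str += self._KEY_MARKERS.get(char, char).strip('",')
                elif catch_write5_flag and io_call.startswith('write(5'):
                    # "\7" (BEL) is the shell saying "no completion"; anything else
                    # is the text it inserted.  Compare against the data field,
                    # not the syscall name, and against strace's textual escape.
                    if char != '"\\7",':
                        cmd_str += char.strip('",')
                    catch_write5_flag = False
        # NOTE(review): split() keeps only the first word of a multi-word
        # write(5 ...) buffer, so a completion containing spaces is truncated.
        for cmd in cmd_list:
            print(cmd)
        return cmd_list


if __name__ == "__main__":
    parser = AuditLogHandler('tmp/ssh_log2_4')
    parser.parse()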

2、Resolving the PID

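#!/usr/bin/env bash
#
# Wait for the ssh session tagged with SSH_TAG to show up in the process
# table, then attach strace to it and write the trace to
# /home/traum/CrazyEye/log/<YYYY-MM-DD>/session_<SESSION_ID>.log.
#
# Usage: <script> SSH_TAG SESSION_ID
#
# strace -o records the raw read()/write() buffers of the session, i.e.
# everything the user types (including any password entered interactively),
# so the log directory and file are created with owner-only permissions.
set -euo pipefail

readonly log_root=/home/traum/CrazyEye/log
readonly max_attempts=30

die() { printf '%s\n' "$*" >&2; exit 1; }

ssh_tag=${1:?usage: $0 SSH_TAG SESSION_ID}
session_id=${2:?usage: $0 SSH_TAG SESSION_ID}

# SESSION_ID becomes part of a file name that a root strace will open, so
# restrict it to a safe character set: a "/" would let it escape log_root.
case "$session_id" in
  *[!A-Za-z0-9_.-]*) die "invalid session id: $session_id" ;;
esac

printf -- '----%s---\n' "$ssh_tag"

#######################################
# Print the PID of every process whose command line contains the tag.
# Globals:   ssh_tag (read)
# Outputs:   one PID per line on stdout; nothing when there is no match
#######################################
find_session_pids() {
  # The tag is matched as a fixed string so it cannot act as a regex.
  # Dropped: the sshpass wrapper, this script (and its subshells, whose
  # argv also carries the tag) and the grep stages of this pipeline.
  ps -eo pid=,args= \
    | grep -F -- "$ssh_tag" \
    | grep -v -F -e sshpass -e "$0" -e 'grep' \
    | awk '{ print $1 }' || true
}

for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
  mapfile -t pids < <(find_session_pids)
  printf -- '---process id: %s ---\n' "${pids[*]}"

  if (( ${#pids[@]} == 1 )); then
    pid=${pids[0]}
    # The PID is handed to a sudo'd command; make sure it is only digits.
    [[ "$pid" =~ ^[0-9]+$ ]] || die "unexpected pid from ps: $pid"

    echo 'running strace'
    log_path=$log_root/$(date +%F)
    log_file=$log_path/session_$session_id.log
    # Create the directory and an empty, owner-only log file first: strace
    # (running as root) then truncates the existing file instead of creating
    # a new one with root's umask, and the file stays owned by this user.
    ( umask 077 && mkdir -p -- "$log_path" && : > "$log_file" )
    sudo strace -f -p "$pid" -t -o "$log_file"
    break
  elif (( ${#pids[@]} > 1 )); then
    # Several matches: keep polling rather than tracing the wrong session.
    printf 'tag %s matches several processes (%s), waiting\n' \
      "$ssh_tag" "${pids[*]}" >&2
  fi
  sleep 1
done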

3、Standardize log storage

class Session(models.Model):
    '''One audited user session against a bound host.'''

    class Meta:
        verbose_name = 'audit log'
        verbose_name_plural = 'audit log'

    user = models.ForeignKey('UserProfile')
    bind_host = models.ForeignKey('BindHost')
    # Tag used to find the session's process (see the PID lookup script).
    tag = models.CharField(max_length=128, default='n/a')
    closed = models.BooleanField(default=False)
    # Number of commands executed in the session.
    cmd_count = models.IntegerField(default=0)
    stay_time = models.IntegerField(
        default=0,
        help_text="automatically calculate residence time per refresh",
        verbose_name="seconds",
    )
    date = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        '''Render as ``<id:.. user:.. bind_host:..>`` for the admin/shell.'''
        return '<id:{} user:{} bind_host:{}>'.format(
            self.id, self.user.email, self.bind_host.host)

  
