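#!/bin/bash
# Half-hourly NetScreen firewall log report.
#
# Reads the syslog spool file $nslog, mails the top source IPs by hit
# count (overall TOP50, then TOP20 per protected host), then rotates the
# spool into $logs_path/YEAR/MONTH/ and sends syslogd SIGHUP so it reopens
# the (now missing) spool file.
#
# Deliberately no `set -e`/`pipefail`: grep exits 1 when a host saw no
# traffic, which is a valid (empty) report, not an error.  Critical steps
# check their status explicitly instead.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH
set -u

# Recipients kept as an array so every address is passed to mail(1) as its
# own argument (the original used typographic quotes, which were sent to
# mail as part of the first address).
mail_to=(test@test.com test2@test.com)
# Spool file that syslogd writes the firewall log into (tmpfs, see notes).
nslog=/dev/shm/ns.log
# Archive root for rotated spools.
logs_path="/var/log/netscreen/"
# Whitespace-separated column holding the client IP in a NetScreen syslog
# line.  Taken from the original awk '{print $22}'; verify against a sample
# line if the syslog format changes.
ip_field=22
# syslogd pid file, used to signal a log reopen after rotation.
syslogd_pidfile=/var/run/syslogd.pid

# Hosts that get an individual TOP20 report: "hostname ip" per entry.
hosts=(
  "movie.test.com 199.198.197.81"
  "search.test.com 199.198.197.98"
  "people.test.com 199.198.197.99"
  "news.test.com 199.198.197.100"
  "my.test.com 199.198.197.41"
  "i.test.com 199.198.197.16"
  "dyy.test.com 199.198.197.68"
  "img2.test.com 199.198.197.57"
  "service.test.com 199.198.197.101"
  "theater.test.com 199.198.197.32"
)

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Emit the most frequent source IPs in the spool, annotated by nali.
# Globals:   nslog, ip_field (read)
# Arguments: $1 - number of entries to keep
#            $2 - optional literal string; when given, only log lines
#                 containing it as a whole word are counted
# Outputs:   "<count> <ip> <nali annotation>" lines on stdout
#######################################
top_ips() {
  local limit=$1 filter=${2-}
  # -F: the filter is an IP, not a regex (unescaped dots would match any
  # character).  -w: avoid matching 199.198.197.8 inside 199.198.197.81.
  # -w relies on the IP being delimited by non-word characters in the log
  # line (e.g. "src=1.2.3.4" or "1.2.3.4:80"); confirm on a sample line.
  if [[ -n "$filter" ]]; then
    grep -F -w -- "$filter" "$nslog"
  else
    cat -- "$nslog"
  fi \
    | awk -v f="$ip_field" '{ print $f }' \
    | sort \
    | uniq -c \
    | sort -rnk1 \
    | head -n "$limit" \
    | nali
}

#######################################
# Mail one report to all recipients.
# Globals:   mail_to (read)
# Arguments: $1 - mail subject
#            $2 - number of entries to report
#            $3 - optional literal filter string (see top_ips)
# Returns:   status of mail(1)
#######################################
send_report() {
  local subject=$1 limit=$2 filter=${3-}
  # Recipients read GB2312 mail; the report body (nali output) is UTF-8.
  top_ips "$limit" "$filter" \
    | iconv -f utf-8 -t gb2312 \
    | mail -s "$subject" "${mail_to[@]}"
}

#######################################
# Move the spool into the archive and make syslogd reopen its log file.
# Globals:   nslog, logs_path, syslogd_pidfile (read)
# Returns:   0 on success; exits via die on any failed step so a rotation
#            error is not silently followed by a SIGHUP on a stale pid
#######################################
rotate_log() {
  local dir pid
  dir="${logs_path}$(date +%Y)/$(date +%m)/"
  mkdir -p -- "$dir" || die "cannot create archive directory $dir"
  mv -- "$nslog" "${dir}ns_$(date +%Y%m%d%H%M).log" \
    || die "cannot move $nslog into $dir"
  pid=$(cat -- "$syslogd_pidfile") || die "cannot read $syslogd_pidfile"
  # Never hand kill(1) anything but a plain pid: an empty or corrupt pid
  # file must not turn into "kill -HUP" with no or wrong targets.
  [[ "$pid" =~ ^[0-9]+$ ]] || die "invalid pid '$pid' in $syslogd_pidfile"
  kill -HUP "$pid" || die "cannot signal syslogd (pid $pid)"
}

main() {
  [[ -f "$nslog" ]] || die "spool file $nslog does not exist"

  send_report "防火墙半小时访问IP统计TOP50" 50

  local entry host ip
  for entry in "${hosts[@]}"; do
    read -r host ip <<<"$entry"
    send_report "${host}(${ip})访问IP统计TOP20" 20 "$ip"
  done

  rotate_log
}

main "$@"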
设计思想: 将SYSLOG接收到的防火墙日志进行定时切断(半小时一次)并输出到文件(当然可以采用压缩备档) 经实践 kill -SIGHUP `cat /var/run/syslogd.pid` 这个可以搞定截断. 如此则可以采用一个较小的日志文件进行分析. 将SYSLOG接收文件目录设置为内存之中(32G),减低读写IO负担,大幅增加日志分析的速度. 每个分析的语句还是冗余了,有待提炼简化.