Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/totekuh/saltstack-monitor
A bundle of scripts based on the saltstack automation software which can help you to monitor your minion(s) activity.
- Host: GitHub
- URL: https://github.com/totekuh/saltstack-monitor
- Owner: totekuh
- Created: 2019-05-04T22:50:56.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-05-20T01:12:08.000Z (over 5 years ago)
- Last Synced: 2024-11-05T09:25:58.931Z (about 2 months ago)
- Language: Python
- Homepage:
- Size: 133 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# saltstack-monitor
This project is based on the saltstack automation framework. See https://www.saltstack.com/ and https://docs.saltstack.com/en/latest/topics/installation/index.html for more info.

Saltstack WebMonitor is used for three purposes:
1. Communicate with a minion and ask it to collect the web server's logs.
2. Receive this information, analyze it and print a report about suspicious traffic received by the web server.
3. Block the suspicious traffic according to the report by pushing generated iptables DROP statements to the minion.

Please refer to the project wiki for more info.

Installation:
On the minion side:
1. Install saltstack: run saltstack-minion-setup.sh from the project repo.
2. Add the master's IP address to the salt-minion configuration file: /etc/salt/minion

On the master side:
1. Install saltstack: run saltstack-master-setup.sh from the project repo.
2. The minion will try to communicate with the master as soon as it comes online. You should accept the minion's key and authorize it:

```shell
# salt-key --list
# salt-key --accept minion_id
# salt-key --list   # to make sure that you have accepted the minion's key
```
Running:

On the minion side:
(Optional) Make sure that you have a link 'web-monitor-minion' to the web_monitor_minion.py script in the /usr/bin directory, so the master is able to call your minion. The master will ask for a command, e.g. 'web-monitor-minion --path /var/log/nginx/access.log --last 10d'. In general, saltstack-minion-setup.sh should do this for you.

On the master side:

```shell
# python3 web_monitor.py --saltstack --minions id:/remote/path/to/logs/access.log --daemon
```

runs the master in daemon monitor mode: it interacts with your minion (or minions; you can provide a comma-separated list of all the minions that you want to monitor). The master will print statistics of events received from the minion and suggest that you block the most aggressive addresses.

```shell
# python3 web_monitor.py --saltstack --minions id:/remote/path/to/logs/access.log --daemon --push
```

runs the master in daemon monitor mode and pushes iptables rules to the minion. Example of a created rule: 'iptables -A INPUT --source 123.213.123.213 -j DROP'. Here 123.213.123.213 is an IP address that was marked as dangerous (more than 100 hits).

You can specify several minions:

```shell
# python3 web_monitor.py --saltstack --minions id:/path/to/log,id2:/path/to/log
```

You can (and probably should) review the generated statements before pushing them; you can also receive a geolocation lookup of the collected threats. You can run the web-monitor-master in daemon mode to keep watching your web-monitor-minion(s).

```shell
# python3 web_monitor.py --saltstack --minions id:/remote/path/to/logs/access.log --verbose
```

prints explanatory information about incoming events, telling you why some events were marked as dangerous and were suggested to be blocked.

```shell
# python3 web_monitor.py --saltstack --minions id:/remote/path/to/logs/access.log --geolookup
```

performs a geolocation lookup to get an overview of the source of the malicious activity.

Use ./web_monitor.py --help to see more options.
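As an added illustration of the analysis step the README describes (this is not code from the saltstack-monitor project), the following counts hits per client IP in nginx access-log lines, optionally restricted to a time window like the minion's --last option, flags addresses over the README's 100-hit threshold and renders the iptables DROP statements the master would push. The combined log format, the function names and all sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
HIT_THRESHOLD = 100  # the README marks an address dangerous above 100 hits

def parse_line(line):
    """Return (ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("time"), TIME_FMT)

def count_hits(lines, now=None, window=None):
    """Hits per source IP; with now and window given, only lines newer than now - window count."""
    cutoff = now - window if (now is not None and window is not None) else None
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # malformed lines are skipped, not counted against anyone
            continue
        ip, ts = parsed
        if cutoff is None or ts >= cutoff:
            hits[ip] += 1
    return hits

def dangerous_sources(hits, threshold=HIT_THRESHOLD):
    """IPs with more than `threshold` hits, most aggressive first."""
    return [ip for ip, n in hits.most_common() if n > threshold]

def iptables_rules(ips):
    """Render the DROP statements in the form the README shows; review them before pushing."""
    return [f"iptables -A INPUT --source {ip} -j DROP" for ip in ips]

# Constructed sample: a noisy scanner (120 hits), a normal client (3 hits),
# one old entry outside a 10-day window, and one malformed line.
SAMPLE_LOG = (
    [f'198.51.100.7 - - [10/May/2019:12:00:{i % 60:02d} +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.64"'
     for i in range(120)]
    + ['203.0.113.5 - - [10/May/2019:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"'] * 3
    + ['192.0.2.9 - - [01/Jan/2019:00:00:00 +0000] "GET / HTTP/1.1" 200 10 "-" "-"', "not a log line"]
)
NOW = datetime(2019, 5, 11, tzinfo=timezone.utc)  # constructed reference time for the window
WINDOW = timedelta(days=10)                          # the equivalent of --last 10d
```

Running `iptables_rules(dangerous_sources(count_hits(SAMPLE_LOG, NOW, WINDOW)))` yields one DROP rule for 198.51.100.7 only; the old entry falls outside the window and the normal client stays under the threshold.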