natlog
Category: Remote control/Remote desktop
Development tool: GO
File size: 6448KB
Downloads: 0
Upload date: 2019-03-13 11:58:39
Uploader: sh-1993
Description: RDP EcoNat syslog parser and writer to ClickHouse
File list:
cfg (0, 2019-03-13)
cfg\cfg.go (726, 2019-03-13)
chwriter (0, 2019-03-13)
chwriter\chwriter.go (3540, 2019-03-13)
go.mod (266, 2019-03-13)
go.sum (4193, 2019-03-13)
natlog (13288486, 2019-03-13)
natlog.go (1752, 2019-03-13)
natlog.sql (374, 2019-03-13)
natlog.toml (243, 2019-03-13)
parser (0, 2019-03-13)
parser\bench_test.go (1478, 2019-03-13)
parser\parser.go (4957, 2019-03-13)
parser\parser_test.go (4042, 2019-03-13)
# RDP/EcoNat syslog parser and writer to ClickHouse
## Usage:
```bash
/path/to/natlog -c /etc/natlog.toml
```
-c: path to the config file in TOML format, for example:
```toml
[listener]
listen-ip = "0.0.0.0" # IP/port to listen on for syslog messages. Syslog input is not authenticated, so restrict this to an address reachable only from the NAT devices (or firewall the port)
listen-port = 5555
workers = 32 # Number of workers that parse syslog messages
# ClickHouse performs poorly with per-row inserts, so records are accumulated and written in large batches:
[ch]
max-count = 100000 # Maximum number of collected records to write in one batch
max-interval = 30 # Maximum seconds between writes
connection-string = "tcp://127.0.0.1:9000?database=natlog&compress=true&debug=false"
```
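The batching rule behind `max-count` and `max-interval`, written out as an added example rather than the project's own `chwriter` code: records are buffered and handed to a sink as one batch when the buffer fills or when the interval timer fires, and a batch that fails to write is kept for the next attempt instead of being dropped. The `Record` fields, the `sink` callback (the real tool inserts into ClickHouse), `sampleRecords` and the tiny limits used in `main` are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Record is one parsed NAT connection event; fields follow the `connections` table on this page.
type Record struct {
	Time                        time.Time
	DstIP, NatIP, LocalIP       uint32
	DstPort, NatPort, LocalPort uint16
	Proto, Type                 string
}

// Batcher hands buffered records to sink as one batch when maxCount records are waiting
// or maxInterval has elapsed since the last write (the ch.max-count / ch.max-interval knobs).
type Batcher struct {
	mu          sync.Mutex
	buf         []Record
	maxCount    int
	maxInterval time.Duration
	sink        func([]Record) error // assumed write callback; the real tool inserts into ClickHouse
	timer       *time.Timer
	flushes     int // successful batch writes
}

func NewBatcher(maxCount int, maxInterval time.Duration, sink func([]Record) error) *Batcher {
	b := &Batcher{buf: make([]Record, 0, maxCount), maxCount: maxCount, maxInterval: maxInterval, sink: sink}
	b.resetTimer()
	return b
}

// resetTimer re-arms the interval flush; called with b.mu held (or before b is shared).
func (b *Batcher) resetTimer() {
	if b.timer != nil {
		b.timer.Stop()
	}
	b.timer = time.AfterFunc(b.maxInterval, func() {
		b.mu.Lock()
		defer b.mu.Unlock()
		b.flushLocked()
	})
}

// Add enqueues one record; a full buffer is written at once. The write runs under the
// lock, so producers are back-pressured while the database is slow instead of the buffer growing unbounded.
func (b *Batcher) Add(r Record) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.buf = append(b.buf, r)
	if len(b.buf) >= b.maxCount {
		b.flushLocked()
	}
}

// flushLocked writes whatever is buffered and re-arms the timer. On error the records are kept
// for retry: NAT logs are attribution evidence and must not vanish silently (production code
// would cap this retry buffer or spill it to disk). Called with b.mu held.
func (b *Batcher) flushLocked() {
	defer b.resetTimer()
	if len(b.buf) == 0 {
		return
	}
	if err := b.sink(b.buf); err != nil {
		fmt.Printf("write failed, keeping %d records: %v\n", len(b.buf), err)
		return
	}
	b.flushes++
	b.buf = make([]Record, 0, b.maxCount)
}

func (b *Batcher) Flushes() int { b.mu.Lock(); defer b.mu.Unlock(); return b.flushes }
func (b *Batcher) Pending() int { b.mu.Lock(); defer b.mu.Unlock(); return len(b.buf) }
func ipv4(a, b, c, d byte) uint32 { return uint32(a)<<24 | uint32(b)<<16 | uint32(c)<<8 | uint32(d) }

// sampleRecords builds n constructed ICMP release events modelled on the row in "Viewing results".
func sampleRecords(n int) []Record {
	base := time.Date(2019, 3, 13, 14, 50, 5, 0, time.UTC)
	out := make([]Record, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, Record{Time: base.Add(time.Duration(i) * time.Second),
			DstIP: ipv4(1, 1, 1, 1), NatIP: ipv4(101, 102, 103, 104), LocalIP: ipv4(10, 20, 30, 40),
			DstPort: 1, NatPort: 1, LocalPort: 1, Proto: "ICMP", Type: "E"})
	}
	return out
}

func main() {
	// 7 records, max-count 3, max-interval 50ms: two full batches at once, the seventh by timer.
	b := NewBatcher(3, 50*time.Millisecond, func(rs []Record) error {
		fmt.Printf("writing to db: %d records\n", len(rs))
		return nil
	})
	for _, r := range sampleRecords(7) {
		b.Add(r)
	}
	time.Sleep(200 * time.Millisecond)
	fmt.Println("batches written:", b.Flushes(), "pending:", b.Pending())
}
```

With the real limits (100000 records or 30 seconds) everything not yet flushed lives only in memory, so a crash of the collector loses up to 30 seconds of NAT mappings; that is the trade-off being made against ClickHouse insert load.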
Once started, the tool logs JSON lines like these:
```
./natlog -c /etc/natlog.toml
{"level":"info","ts":155247***79.295355,"caller":"natlog/natlog.go:35","msg":"Starting syslog collector"}
{"level":"info","ts":155247***79.2960026,"caller":"chwriter/chwriter.go:47","msg":"resetTimer()"}
{"level":"info","ts":155247***95.5292575,"caller":"chwriter/chwriter.go:84","msg":"writing to db","records":100001}
{"level":"info","ts":155247***95.8284068,"caller":"chwriter/chwriter.go:47","msg":"resetTimer()"}
{"level":"info","ts":1552476511.3948112,"caller":"chwriter/chwriter.go:84","msg":"writing to db","records":100001}
{"level":"info","ts":1552476511.67508***,"caller":"chwriter/chwriter.go:47","msg":"resetTimer()"}
```
## RDP requirements
Currently this tool parses syslog messages produced with the following EcoNat settings:
```
use_hex_format off
log_on_release on
log_individual_conn on
strip_tags off
pack_msgs on
log_format syslog
```
## Viewing results:
My IP is 10.20.30.40 and I have just pinged 1.1.1.1. The same table also answers the inverse question that abuse reports raise: given an externally observed nat_ip, nat_port and timestamp, which local_ip held that mapping.
```
$ clickhouse-client
USE natlog
select date, time, IPv4NumToString(dst_ip), IPv4NumToString(nat_ip), IPv4NumToString(local_ip), \
dst_port, nat_port, local_port, proto, type \
from connections where dst_ip=IPv4StringToNum('1.1.1.1') AND local_ip=IPv4StringToNum('10.20.30.40')
┌───────date─┬────────────────time─┬─IPv4NumToString(dst_ip)─┬─IPv4NumToString(nat_ip)─┬─IPv4NumToString(local_ip)─┬─dst_port─┬─nat_port─┬─local_port─┬─proto─┬─type─┐
│ 2019-03-13 │ 2019-03-13 14:50:05 │ 1.1.1.1 │ 101.102.103.104 │ 10.20.30.40 │ 1 │ 1 │ 1 │ ICMP │ E │
└────────────┴─────────────────────┴─────────────────────────┴─────────────────────────┴───────────────────────────┴──────────┴──────────┴────────────┴───────┴──────┘
```