实时日志监控告警脚本 #!/bin/bash # 实时日志监控告警脚本 LOG_FILE="/var/log/nginx/access.log" ERROR_THRESHOLD=50 # 每分钟错误数阈值 ALERT_EMAIL="admin@example.com" monitor_realtime() { echo "开始实时监控 $LOG_FILE..." # 创建临时文件记录状态 TEMP_DIR="/tmp/log_monitor" mkdir -p "$TEMP_DIR" tail -F "$LOG_FILE" | while read line; do # 提取时间戳 (分钟级别) timestamp=$(echo "$line" | awk '{print substr($4, 2, 16)}') current_minute=$(date '+%d/%b/%Y:%H:%M') # 检查是否是错误请求 if echo "$line" | grep -qE " (4[0-9]{2}|5[0-9]{2}) "; then error_file="$TEMP_DIR/errors_$current_minute" echo "$line" >> "$error_file" # 统计当前分钟的错误数 error_count=$(wc -l < "$error_file" 2>/dev/null || echo 0) if [ "$error_count" -ge "$ERROR_THRESHOLD" ]; then send_alert "$current_minute" "$error_count" "$error_file" # 重置计数器，避免重复告警 > "$error_file" fi fi # 清理旧的临时文件 find "$TEMP_DIR" -name "errors_*" -mmin +5 -delete done } send_alert() { local time_period=$1 local error_count=$2 local error_file=$3 echo "🚨 告警: $time_period 发生 $error_count 个错误请求" # 分析错误类型 echo "错误分析:" awk '{print $9, $1, $7}' "$error_file" | \ sort | uniq -c | sort -nr | head -5 | \ awk '{printf "状态码%s: %d次, IP:%s, URL:%s\n", $2, $1, $3, $4}' # 发送邮件告警 (需要配置sendmail) if command -v mail >/dev/null; then { echo "时间: $time_period" echo "错误数量: $error_count" echo "详细信息:" head -10 "$error_file" } | mail -s "网站错误告警" "$ALERT_EMAIL" fi } # 启动监控 monitor_realtime

多维度日志日志分析脚本 #!/bin/bash # 多维度nginx日志分析 LOG_FILE="/var/log/nginx/access.log" multi_dimension_analysis() { echo "=== 多维度分析报告 ===" # 按小时统计访问量 echo "24小时访问量分布:" awk '{ time = substr($4, 14, 2) hour_count[time]++ } END { for (h=0; h<24; h++) { printf "%02d:00-%02d:59 %6d 次", h, h, hour_count[sprintf("%02d", h)]+0 # 简单的图形化显示 bars = int((hour_count[sprintf("%02d", h)]+0) / 100) for (i=0; i<bars; i++) printf "█" printf "\n" } }' "$LOG_FILE" # IP地理位置分析 (需要geoip数据库) echo "访问来源分析:" awk '{print $1}' "$LOG_FILE" | \ sort | uniq -c | sort -nr | head -20 | \ while read count ip; do # 这里可以集成GeoIP查询 printf "%-15s %8d 次\n" "$ip" "$count" done # 用户代理分析 echo "浏览器/爬虫统计:" awk -F'"' '{ ua = $6 if (ua ~ /bot|spider|crawler/i) type = "爬虫" else if (ua ~ /Mobile|Android|iPhone/i) type = "移动端" else if (ua ~ /Chrome|Firefox|Safari/i) type = "桌面浏览器" else type = "其他" ua_type[type]++ } END { for (type in ua_type) { printf "%-12s %8d 次\n", type, ua_type[type] } }' "$LOG_FILE" # 响应码时间分布 echo "响应码时间分布:" awk '{ hour = substr($4, 14, 2) status = $9 status_hour[status"_"hour]++ total_hour[hour]++ } END { for (status in {"200":1, "404":1, "500":1}) { printf "\n%s状态码分布:\n", status for (h=0; h<24; h++) { key = status"_"sprintf("%02d", h) count = status_hour[key]+0 total = total_hour[sprintf("%02d", h)]+0 if (total > 0) { percentage = count * 100 / total printf "%02d时: %6d次 (%.1f%%)\n", h, count, percentage } } } }' "$LOG_FILE" } multi_dimension_analysis

磁盘空间清理脚本 #!/bin/bash # 磁盘空间分析和清理脚本 echo "=== 磁盘空间分析 ===" # 找出占用空间最大的目录 echo "占用空间最大的目录 TOP 10:" du -h /var 2>/dev/null | \ sort -hr | head -10 | \ awk '{printf "%-10s %s\n", $1, $2}' # 找出大文件 echo "大于100MB的文件:" find /var/log -type f -size +100M -exec ls -lh {} \; 2>/dev/null | \ awk '{printf "%-10s %s\n", $5, $9}' | \ sort -hr # 分析日志文件增长趋势 echo "日志文件大小变化 (最近7天):" for i in {0..6}; do date_str=$(date -d "$i days ago" '+%Y-%m-%d') total_size=$(find /var/log -name "*.log*" -newermt "$date_str 00:00:00" ! -newermt "$date_str 23:59:59" -exec du -cb {} + 2>/dev/null | tail -1 | awk '{print $1}') if [ -n "$total_size" ] && [ "$total_size" -gt 0 ]; then printf "%s: %.2f MB\n" "$date_str" $(echo "scale=2; $total_size/1024/1024" | bc) fi done

网站被攻击时的应急响应脚本 #!/bin/bash # 应急响应脚本 echo "=== 安全事件分析 ===" # 查找异常IP echo "可疑IP (请求量 > 1000):" awk '{print $1}' /var/log/nginx/access.log | \ sort | uniq -c | \ awk '$1 > 1000 {print $2, $1}' | \ sort -k2 -nr # 查找SQL注入尝试 echo "SQL注入尝试:" grep -i "union\|select\|drop\|insert" /var/log/nginx/access.log | \ awk '{print $1, $7}' | \ sort | uniq -c | \ sort -nr # 查找文件包含攻击 echo "文件包含攻击:" grep -E "\.\./|etc/passwd|proc/self" /var/log/nginx/access.log | \ awk '{print $1, $7}' | head -20

实用系统监控脚本 #!/bin/bash # 系统资源监控脚本 THRESHOLD_CPU=80 THRESHOLD_MEM=85 THRESHOLD_DISK=90 check_system() { echo "=== 系统监控报告 $(date) ===" # CPU检查 local cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | sed 's/%us,//') echo "CPU使用率: ${cpu_usage}%" if (( $(echo "$cpu_usage > $THRESHOLD_CPU" | bc -l) )); then echo "CPU使用率超过阈值 ($THRESHOLD_CPU%)" echo "TOP 5 CPU消耗进程:" ps aux | awk 'NR>1 {print $11, $3, $2}' | sort -k2 -nr | head -5 | \ awk '{printf "%-20s CPU: %6.2f%% PID: %s\n", $1, $2, $3}' fi # 内存检查 local mem_info=$(free | awk 'NR==2{printf "%.2f %.2f %.2f", $3*100/$2, $3, $2}') local mem_usage=$(echo $mem_info | awk '{print $1}') local mem_used=$(echo $mem_info | awk '{print $2}') local mem_total=$(echo $mem_info | awk '{print $3}') echo "内存使用率: ${mem_usage}% ($(echo "scale=1; $mem_used/1024/1024" | bc)G/$(echo "scale=1; $mem_total/1024/1024" | bc)G)" if (( $(echo "$mem_usage > $THRESHOLD_MEM" | bc -l) )); then echo "内存使用率超过阈值 ($THRESHOLD_MEM%)" echo "TOP 5 内存消耗进程:" ps aux | awk 'NR>1 {print $11, $4, $2}' | sort -k2 -nr | head -5 | \ awk '{printf "%-20s MEM: %6.2f%% PID: %s\n", $1, $2, $3}' fi # 磁盘检查 echo "磁盘使用情况:" df -h | awk 'NR>1 && $1 !~ /tmpfs|devtmpfs/ { usage = $5 gsub(/%/, "", usage) printf "%-20s %8s/%8s (%s)\n", $1, $3, $2, $5 if (usage > '$THRESHOLD_DISK') { printf " %s 使用率超过阈值 ('$THRESHOLD_DISK'%%)\n", $1 } }' # 网络连接检查 local tcp_connections=$(ss -t | wc -l) local established=$(ss -t state established | wc -l) echo "网络连接: TCP总数 $tcp_connections, 已建立 $established" # 负载检查 local load_avg=$(uptime | awk -F'load average:' '{print $2}' | awk '{print $1}' | sed 's/,//') echo "系统负载: $load_avg" # 检查是否有僵尸进程 local zombie_count=$(ps aux | awk '$8 ~ /^Z/ {count++} END {print count+0}') if [ $zombie_count -gt 0 ]; then echo "发现 $zombie_count 个僵尸进程" fi } check_system