Host Configuration Change
The host configuration change collector monitors changes to various kinds of configuration on Linux hosts, builds change-event data and reports it to the Guance Cloud (观测云) platform.
Note: this collector supports Linux only; Windows is not supported.
Features
The host configuration change collector supports the following change-detection functions:
| Module | Description |
|---|---|
| User and group changes | Monitors /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow; detects creation and deletion of users and groups, attribute modifications and group membership changes |
| Crontab changes | Monitors /etc/crontab, /etc/cron.d/* and /var/spool/cron/crontabs/*; detects scheduled-task changes |
| File content changes | Monitors the content of specified files, with diff output |
| Service changes | Monitors creation, deletion, attribute modification and state changes of systemd or sysvinit services |
| Network configuration changes | Monitors changes to network interfaces, DNS configuration, routing configuration, firewall rules and the hosts file |
Configuration
Go to the conf.d/samples directory under the DataKit installation directory, copy host_change.conf.sample and rename it to host_change.conf. Example:
```toml
[[inputs.host_change]]
  ## Interval between collections
  interval = "1m"

  ## Enable user and group change detection
  [inputs.host_change.user_group]
    ## Whether to enable user and group change detection
    enabled = true

  ## Crontab change detection configuration
  # Collect files from /etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/*
  [inputs.host_change.crontab]
    ## Whether to enable crontab change detection
    enabled = true

  ## File change detection configuration
  [inputs.host_change.file]
    ## Whether to enable file change detection
    enabled = false

    ## Files to monitor for changes
    # Notes:
    # 1. Only regular files are supported, directories are not allowed
    # 2. All paths must be absolute paths
    files = [
      # "/etc/passwd",
      # "/etc/group",
      # "/etc/sudoers"
    ]

    ## Files larger than this size will not compare full content.
    ## Default value: 262144 bytes (256KB)
    max_file_size = 262144

    ## Paths to ignore when monitoring file changes
    ignore_paths = [
      # "/etc/ssh/sshd_config.d/*",
      # "/tmp/",
      # "*.tmp"
    ]

  ## Service change detection configuration
  [inputs.host_change.service]
    ## Whether to enable service change detection
    enabled = true

    ## Service types to monitor (systemd, sysvinit)
    # If empty, all service types will be monitored and systemd is preferred when both are available
    service_types = ["systemd"]

    ## Services to ignore (service names without .service suffix, supports regex)
    ignore_services = []

    ## Services to include (service names without .service suffix, supports regex)
    # If not empty, only services matching these patterns will be monitored
    # include_services = []

  ## Network configuration change detection configuration
  [inputs.host_change.network]
    ## Whether to enable network configuration change detection
    enabled = true

    ## Interfaces to ignore (interface names, supports wildcard)
    ignore_interfaces = [
      # "lo",
      # "docker*",
      # "veth*"
    ]

  [inputs.host_change.tags]
    # some_tag = "some_value"
    # more_tag = "some_other_value"
```
After editing the configuration, restart DataKit.
The collector can also be enabled by injecting its configuration via a ConfigMap.
Change Events
By default, all of the data collected below carries a global tag named host (its value is the hostname of the machine running DataKit); other tags can be added in the configuration via [inputs.host_change.tags]:
Event Field Description
Change Event
| Tags & Fields | Description |
|---|---|
| change_id (tag) | Unique identifier for the user or group change event. |
| df_event_id (tag) | Event ID. |
| df_message (tag) | Event message. |
| df_source (tag) | Source name. |
| df_status (tag) | Event status. |
| df_sub_status (tag) | Event detail status. |
| df_title (tag) | Event title. |
| host (tag) | System hostname. |
| change_time_us (field) | Timestamp of the change event in microseconds. Type: int (count). Unit: timeStamp, usec |
Change Event Types
- User and group change events

| Change ID | Description |
|---|---|
| host_change_01_01 | User added |
| host_change_01_02 | User deleted |
| host_change_01_03 | User attributes modified |
| host_change_01_04 | Group added |
| host_change_01_05 | Group deleted |
| host_change_01_06 | Group attributes modified |
| host_change_01_07 | Member added to group |
| host_change_01_08 | Member removed from group |

- Crontab change events

| Change ID | Description |
|---|---|
| host_change_02_01 | Crontab task changed |

- File change events

| Change ID | Description |
|---|---|
| host_change_03_01 | File content changed |

- Service change events

| Change ID | Description |
|---|---|
| host_change_04_01 | Service added |
| host_change_04_02 | Service deleted |
| host_change_04_03 | Service modified |
| host_change_04_04 | Service state changed |

- Network configuration change events

| Change ID | Description |
|---|---|
| host_change_05_01 | Network interface changed |
| host_change_05_02 | DNS configuration changed |
| host_change_05_03 | Routing configuration changed |
| host_change_05_04 | Firewall rules changed |
| host_change_05_05 | Hosts file changed |
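The following is an added example, not DataKit's own code, showing how the user and group change IDs listed above can be derived by diffing two snapshots of /etc/passwd and /etc/group; the snapshot contents and the output format are constructed for illustration.

```python
# Added example, not DataKit's own code: derive user/group change events carrying the
# change_id values from the tables above by diffing two snapshots of /etc/passwd and
# /etc/group. The snapshot strings below are constructed; in practice read the files.

def parse_passwd(text):
    # name -> (uid, gid, home, shell); the password hash itself lives in /etc/shadow
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = (uid, gid, home, shell)
    return users

def parse_group(text):
    # name -> (gid, frozenset of member names)
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[name] = (gid, frozenset(m for m in members.split(",") if m))
    return groups

def diff_user_group(old_passwd, new_passwd, old_group, new_group):
    # Returns (change_id, subject) tuples in a deterministic order.
    old_u, new_u = parse_passwd(old_passwd), parse_passwd(new_passwd)
    old_g, new_g = parse_group(old_group), parse_group(new_group)
    events = []
    events += [("host_change_01_01", n) for n in sorted(new_u.keys() - old_u.keys())]  # user added
    events += [("host_change_01_02", n) for n in sorted(old_u.keys() - new_u.keys())]  # user deleted
    events += [("host_change_01_03", n) for n in sorted(old_u.keys() & new_u.keys())
               if old_u[n] != new_u[n]]                                              # user attributes modified
    events += [("host_change_01_04", n) for n in sorted(new_g.keys() - old_g.keys())]  # group added
    events += [("host_change_01_05", n) for n in sorted(old_g.keys() - new_g.keys())]  # group deleted
    for n in sorted(old_g.keys() & new_g.keys()):
        (old_gid, old_members), (new_gid, new_members) = old_g[n], new_g[n]
        if old_gid != new_gid:
            events.append(("host_change_01_06", n))                                 # group attributes modified
        events += [("host_change_01_07", f"{n}:{m}") for m in sorted(new_members - old_members)]  # member added
        events += [("host_change_01_08", f"{n}:{m}") for m in sorted(old_members - new_members)]  # member removed
    return events

# Constructed snapshots: 'deploy' is created and added to sudo, 'nobody' is removed,
# and root's login shell is changed.
OLD_PASSWD = "root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
NEW_PASSWD = "root:x:0:0:root:/root:/bin/sh\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n"
OLD_GROUP = "root:x:0:\nsudo:x:27:\n"
NEW_GROUP = "root:x:0:\nsudo:x:27:deploy\ndeploy:x:1001:\n"

if __name__ == "__main__":
    for change_id, subject in diff_user_group(OLD_PASSWD, NEW_PASSWD, OLD_GROUP, NEW_GROUP):
        print(change_id, subject)
```

A new member of the sudo group or a changed root shell is exactly the kind of event worth alerting on, so routing host_change_01_07 and host_change_01_03 to a monitor is a sensible first use of these IDs.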