95 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw
/install logeasy-search
Description
Real-time keyword search and aggregation analysis over security alerts, network-device logs and system logs through the LogEase (日志易) platform, restricted to relative time ranges and at most 100 returned rows.
Usage (SKILL.md)
LogEase (日志易) search tool
Searches log data of all kinds through the LogEase platform: security-alert analysis, network-device logs, system logs and similar scenarios.
Connection details
- API address: http://10.20.51.16
- Authentication: HTTP Basic Auth
- Username: admin
- Password: MIma@sec2025
- Search API: GET /api/v3/search/sheets/
- Index: yotta (default)
Search script
- Path: scripts/logeasy_search.py
- Usage:
  python logeasy_search.py "query" --time 1h --limit 100
  python logeasy_search.py "appname:sip alarm" --time 12h --limit 50
- Parameters: --time (1h/24h/7d/30m), --limit (row count, default 100), --index (default yotta), --raw (raw JSON)
⚠️ Important limitations
Time format
- ✅ The only usable form: time_range=now-1h,now (relative time)
- ❌ ISO format → returns 0 rows
- ❌ Epoch timestamp format → returns 0 rows
Row count
- The API hard-caps every response at 100 rows, whatever value limit is set to
- Aggregation queries (| top) are not subject to the limit and can compute distributions over the full data set
- Use aggregation for statistics and raw queries for details (at most 100 sample rows)
Content inspection
- Large volumes of raw alert content can trigger a data_inspection_failed 500 error
- When that happens, reduce the amount of data per query or split the query into batches
Known log sources
| Log source | Query condition | Key fields | Notes |
|---|---|---|---|
| SIP situational awareness | appname:sip | sip.attack_ip, sip.suffer_ip, sip.attack_type_name, etc. | Security alerts; see the logeasy-sip skill |
| Feilian (飞廉) | logtype:feilian | feilian.content.client_ip, feilian.content.connection_ip | VPN/connection logs |
| H3C switches | appname:switch tag:h3c_newbase | raw_message (unstructured) | Switch syslog |
| LogEase itself | appname:rizhiyi | remote_addr | System logs |
| Other network devices | appname:switch | raw_message | Assorted switches/routers |
Query templates
SIP security alerts (use the logeasy-sip skill)
# All SIP alerts
python logeasy_search.py "appname:sip alarm" --time 12h --limit 50
# High-severity alerts where the attack succeeded
python logeasy_search.py "appname:sip sip.attack_state:1" --time 1h --limit 20
H3C switch logs
# All H3C switch logs
python logeasy_search.py "appname:switch tag:h3c_newbase" --time 12h --limit 100
# A specific alert type (ARP conflict, fan anomaly, etc.)
python logeasy_search.py "appname:switch tag:h3c_newbase ARP_SENDER_IPCONFLICT" --time 12h --limit 20
# A specific device
python logeasy_search.py "appname:switch tag:h3c_newbase hostname:10.5.1.43" --time 1h --limit 20
Feilian logs
# Feilian connection logs
python logeasy_search.py "logtype:feilian" --time 1h --limit 20
# A specific client IP (a bare client_ip: field search may return 0 rows; see the lessons-learned list: the field needs the feilian.content. prefix, or fall back to a plain keyword search for the IP)
python logeasy_search.py "logtype:feilian client_ip:10.45.123.44" --time 1h --limit 20
General search
# Keyword search (full-text match)
python logeasy_search.py "关键词" --time 1h --limit 20
# Search by host
python logeasy_search.py "hostname:10.20.51.11" --time 1h --limit 20
# Field search (only some fields are supported)
python logeasy_search.py "appname:sip sip.suffer_ip:10.10.185.8" --time 1h --limit 20
Aggregation query templates
Aggregation queries are used for full-set statistics and are not subject to the 100-row cap:
# Distribution by attack type
search("appname:sip sip.attack_type_name:* | top sip.attack_type_name", time_range="now-12h,now")
# Distribution by host
search("appname:switch tag:h3c_newbase hostname:* | top hostname", time_range="now-12h,now")
# Distribution by log level
search("appname:switch tag:h3c_newbase %%*/*/* | ...", time_range="now-12h,now")
H3C switch log analysis notes
Log format
<priority>Mar 25 11:45:52 2026 <device-name> %%<module>/<level>/<event>: event details
- priority: syslog priority value
- device name: e.g. ITC-C15-U16-Border-Leaf-1, DMZ-C13-U38-10G-ASW-2
- module: e.g. ARP (ARP events), DEV (device), SEC (security)
Common alert types
| Alert keyword | Severity | Meaning |
|---|---|---|
| ARP_SENDER_IPCONFLICT | ⚠️ Medium | ARP sender IP conflict |
| DUPIFIP | ⚠️ Medium | Duplicate address detected |
| FAN_DIRECTION_NOT_PREFERRED | ℹ️ Low | Fan airflow direction is not the preferred one |
| LINK_UPDOWN | ⚠️ Medium | Link up/down state change |
| CPU_HIGH | 🔴 High | CPU usage too high |
Known device inventory
- Core switch: 10.5.1.11 (largest log volume)
- Border switch: 10.5.1.43 (ITC-C15-U16-Border-Leaf-1)
- DMZ zone: 10.5.1.51/52 (DMZ-C12/C13)
- STM zone: 10.5.2.23/24 (STM-D01/D02)
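The switch logs arrive as one unstructured raw_message string, so anything beyond keyword matching means parsing the format shown above yourself. The following is an added example, not part of the skill's scripts: it parses lines in the documented `<pri>timestamp device %%module/level/event: details` layout, decodes the syslog PRI into facility and severity, attaches the triage level from the table above, and summarises a batch. The sample lines are constructed for the demonstration; the regex also tolerates the two-digit version number that Comware devices put between `%%` and the module name (an assumption about the real wire format, since the page shows only the bare module).

```python
import re
from collections import Counter

# Layout documented above: <pri>Mon DD HH:MM:SS YYYY device %%module/level/event: details.
# Comware devices usually prefix the module with a version number ("%%10ARP/..."),
# so an optional digit run is tolerated before the module name (assumption).
H3C_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<device>\S+) "
    r"%%\d*(?P<module>[A-Z][A-Z0-9]*)/(?P<h3c_level>\d)/(?P<event>\w+): ?"
    r"(?P<detail>.*)$"
)

# Triage level per event keyword, taken from the table above (high/medium/low
# stand in for the table's 高/中/低 markers); unknown events are "unclassified".
EVENT_LEVEL = {
    "ARP_SENDER_IPCONFLICT": "medium",
    "DUPIFIP": "medium",
    "FAN_DIRECTION_NOT_PREFERRED": "low",
    "LINK_UPDOWN": "medium",
    "CPU_HIGH": "high",
}

# Constructed sample raw_message values for the demonstration (not captured from the platform).
SAMPLE_LINES = [
    "<188>Mar 25 11:45:52 2026 ITC-C15-U16-Border-Leaf-1 %%10ARP/4/ARP_SENDER_IPCONFLICT: "
    "IP address conflict from sender 10.5.1.200 on interface Vlan-interface10.",
    "<190>Mar 25 11:46:03 2026 DMZ-C13-U38-10G-ASW-2 %%10DEV/6/FAN_DIRECTION_NOT_PREFERRED: "
    "Fan 1 airflow direction is not the preferred one.",
    "<187>Mar 25 11:46:10 2026 ITC-C15-U16-Border-Leaf-1 %%10DEV/3/CPU_HIGH: CPU usage is 92%.",
    "<189>Mar 25 11:46:30 2026 DMZ-C13-U38-10G-ASW-2 %%10IFNET/5/LINK_UPDOWN: "
    "Line protocol state on interface Ten-GigabitEthernet1/0/7 changed to down.",
    "Mar 25 11:46:31 2026 something that is not Comware syslog",
]


def parse_h3c(line):
    """Return a dict of fields for one H3C syslog line, or None if it does not match."""
    m = H3C_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["facility"], rec["syslog_severity"] = divmod(pri, 8)  # RFC 3164: PRI = facility*8 + severity
    rec["h3c_level"] = int(rec["h3c_level"])
    rec["level"] = EVENT_LEVEL.get(rec["event"], "unclassified")
    return rec


def triage(lines):
    """Parse a batch of raw_message values and summarise it for a first look."""
    parsed = [r for r in map(parse_h3c, lines) if r is not None]
    return {
        "parsed": parsed,
        "unparsed": len(lines) - len(parsed),
        "by_event": Counter(r["event"] for r in parsed),
        "by_level": Counter(r["level"] for r in parsed),
        "by_device": Counter(r["device"] for r in parsed),
        "high": [r for r in parsed if r["level"] == "high"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for r in summary["high"]:
        print(f'{r["ts"]} {r["device"]} {r["event"]}: {r["detail"]}')
    print(dict(summary["by_event"]), "unparsed:", summary["unparsed"])
```

Feed it the raw_message values from a `appname:switch tag:h3c_newbase` search (at most 100 per query) and use `by_event` to decide which keyword to drill into with the templates above; lines that fail to parse are counted rather than dropped silently, so a format change on a device shows up as a rising `unparsed` figure.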
Python call template
```python
import urllib.request, urllib.parse, json, sys, base64

sys.stdout.reconfigure(encoding='utf-8')

# Credentials exactly as hard-coded in SKILL.md (read the security notes below before reusing them)
USER = 'admin'
PASS = 'MIma@sec2025'
CRED = base64.b64encode(f'{USER}:{PASS}'.encode()).decode()
HEADERS = {'Authorization': f'Basic {CRED}'}
BASE = 'http://10.20.51.16/api/v3/search/sheets/'


def search(query, time_range='now-1h,now', limit=100):
    """Search logs (time_range must use the relative now-Nh,now form; the server caps limit at 100)"""
    url = f'{BASE}?query={urllib.parse.quote(query)}&time_range={urllib.parse.quote(time_range)}&index_name=yotta&limit={limit}'
    req = urllib.request.Request(url, headers=HEADERS)
    resp = urllib.request.urlopen(req, timeout=60)
    return json.loads(resp.read())


def count(query, time_range='now-1h,now'):
    """Count matches: fetch a single row and read total_hits from the response"""
    r = search(query, time_range, limit=1)
    return r.get('results', {}).get('total_hits', 0)
```
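The template above embeds the admin password in source and silently accepts the time-range and row-count pitfalls listed under "Important limitations". The following added example (my code, not the skill's script) is a hardened version of the same client: credentials come from environment variables (LOGEASE_BASE_URL and LOGEASE_AUTH_HEADER are the names the capability assessment below says the bundled server reads; LOGEASE_USER / LOGEASE_PASS are assumed names for this example), only the relative `now-Nh,now` form is accepted so an ISO timestamp fails loudly instead of returning 0 rows, `limit` is clamped to the 100-row hard cap, and a `data_inspection_failed` 500 is handled the way SKILL.md advises, by shrinking the per-request payload and retrying. The `opener` and `config` parameters exist so the retry logic can be exercised offline; they are not part of the skill's interface.

```python
import base64
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# SKILL.md documents only the relative form "now-<n><unit>,now"; ISO and epoch
# ranges silently return 0 rows, so anything else is rejected before a request is sent.
RELATIVE_RANGE = re.compile(r"^now-\d+[smhd],now$")
HARD_LIMIT = 100  # the API never returns more than 100 rows per search


def load_config(env=None):
    """Build (base_url, authorization_header) from environment variables.

    LOGEASE_BASE_URL / LOGEASE_AUTH_HEADER are the names the bundled server code reads;
    LOGEASE_USER / LOGEASE_PASS are assumed names so Basic Auth never lands in a file.
    """
    env = os.environ if env is None else env
    base = env.get("LOGEASE_BASE_URL")
    if not base:
        raise RuntimeError("LOGEASE_BASE_URL is not set")
    auth = env.get("LOGEASE_AUTH_HEADER")
    if not auth:
        user, password = env.get("LOGEASE_USER"), env.get("LOGEASE_PASS")
        if not (user and password):
            raise RuntimeError("set LOGEASE_AUTH_HEADER or LOGEASE_USER and LOGEASE_PASS")
        auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    return base.rstrip("/"), auth


def build_search_url(base, query, time_range="now-1h,now", limit=HARD_LIMIT, index="yotta"):
    """Assemble the GET /api/v3/search/sheets/ URL with every parameter URL-encoded."""
    if not RELATIVE_RANGE.match(time_range):
        raise ValueError(f"unsupported time_range {time_range!r}; use the relative form, e.g. now-1h,now")
    limit = min(max(int(limit), 1), HARD_LIMIT)  # asking for more than 100 changes nothing
    params = urllib.parse.urlencode(
        {"query": query, "time_range": time_range, "index_name": index, "limit": limit})
    return f"{base}/api/v3/search/sheets/?{params}"


def search(query, time_range="now-1h,now", limit=HARD_LIMIT, index="yotta",
           config=None, opener=urllib.request.urlopen, timeout=60):
    """Run one search; on a data_inspection_failed 500, halve the limit and retry."""
    base, auth = config if config else load_config()
    while True:
        url = build_search_url(base, query, time_range, limit, index)
        req = urllib.request.Request(url, headers={"Authorization": auth})
        try:
            resp = opener(req, timeout=timeout)
            return json.loads(resp.read())
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")
            if err.code == 500 and "data_inspection_failed" in body and limit > 1:
                limit //= 2  # smaller payload per request, as SKILL.md advises
                continue
            raise


def count(query, time_range="now-1h,now", **kwargs):
    """Total hits for a query, read from a single-row search."""
    result = search(query, time_range, limit=1, **kwargs)
    return result.get("results", {}).get("total_hits", 0)


if __name__ == "__main__":
    import sys
    q = sys.argv[1] if len(sys.argv) > 1 else "appname:sip alarm"
    print(count(q, "now-1h,now"), "hits for", q)
```

Because every parameter goes through `urlencode`, aggregation queries containing `|` and `*` are passed intact; for statistics over more than 100 events use the `| top` form rather than raising `limit`, which this client deliberately refuses to do.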
Lessons learned
- Field search is not always effective: field queries such as client_ip:10.x.x.x may return 0 rows; fall back to keyword search
- Search-log pollution: every search is itself recorded by LogEase, so after many searches exclude appname:rizhiyi from the analysis
- PowerShell environment: chain commands with ; rather than &&; write multi-line code to a file and execute it
- No event_type field: SIP logs have no structured event_type; match the keyword alarm as full text instead
- Feilian fields need a prefix: the key Feilian fields require the feilian.content. prefix, e.g. feilian.content.client_ip
- Attack source IP field: SIP uses sip.attack_ip (not sip.ip; sip.ip is the probe's own IP)
Security notes
This package implements a LogEase search service and largely matches its claimed function, but there are several red flags: (1) SKILL.md contains a hardcoded internal IP and plaintext BasicAuth credentials — do NOT use those credentials in production or on sensitive agents. (2) The code tries to read a developer-local absolute path and .env files, so if the skill runs on your agent it may access local configuration. (3) Many runnable JS/Python files are bundled even though no install is declared. Before installing: verify the skill's provenance and ask the publisher why secrets and absolute paths are embedded; replace hardcoded credentials with secure env vars; run the skill in an isolated sandbox or test account; inspect and/or remove any code that reads local filesystem paths; if those hardcoded credentials were ever used in your network, rotate them. If you cannot verify the source and do not want internal network access from third-party code, avoid installing.
Capability assessment
Purpose & Capability
Name/description and the included code (log search, aggregation, anomaly detection) are coherent with a log-search tool. However, the SKILL metadata declares no required env vars or credentials while SKILL.md embeds a BasicAuth credential (admin:MIma@sec2025) and internal IP (http://10.20.51.16). The shipped server code also expects LOGEASE_* env vars. The presence of hardcoded internal targets and credentials with no declared environment requirements is disproportionate and inconsistent.
Instruction Scope
SKILL.md instructs direct HTTP access to an internal IP using embedded BasicAuth credentials and recommends running included Python scripts. The runtime instructions therefore direct network calls with secrets. The repository code also contains logic to load .env files and an absolute filesystem path to an OpenAPI YAML in the developer's Downloads folder (fs.readFileSync('/Users/rizhiyi/...')), indicating the package will attempt to read local files—scope creep beyond a simple query helper. Instructions and code could access local .env, config, and internal network resources.
Install Mechanism
No install spec is provided (instruction-only), which is lower install-risk. But the package contains many executable JS/TS and Python files (server components, client code, scripts). Although nothing is declared to be installed, those files could be executed by the agent runtime. The mismatch between 'no install' and presence of full server/client code is a maintenance/packaging inconsistency and increases risk if the platform auto-executes bundled code.
Credentials
The skill does not declare required env vars, yet code reads LOGEASE_BASE_URL, LOGEASE_AUTH_HEADER, LOGEASE_API_KEY, LOGEASE_TLS_REJECT_UNAUTHORIZED and also loads .env files. SKILL.md hardcodes an admin username/password for an internal host (exposed secret). Requiring or embedding internal credentials and offering defaults for internal IPs is disproportionate for a third-party skill and could enable network access or credential misuse. The code also accepts disabled TLS verification by default in places, which reduces security.
Persistence & Privilege
The skill does not request always:true and uses normal MCP server constructs; autonomous invocation is allowed (platform default). There is no explicit request to persist across agents. However, server code (StdioServerTransport) and dotenv usage mean the skill may read local configuration and environment if executed—so run it in a restricted/sandboxed environment or confirm execution policy.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install logeasy-search
- Once installed, invoke the skill by name or trigger it with /logeasy-search
- Provide the inputs described in the skill's parameter notes to receive structured output
Version history
v1.1.0
Major expansion: log source catalog, H3C switch templates, aggregation queries, Python templates, pitfall docs
FAQ
What is LogEase Search?
Real-time keyword search and aggregation analysis over security alerts, network-device logs and system logs through the LogEase platform, restricted to relative time ranges and at most 100 returned rows. It is an AI agent skill plugin for Claude Code / OpenClaw with 95 downloads to date.
How do I install LogEase Search?
Run the command "/install logeasy-search" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is LogEase Search free?
Yes. LogEase Search is completely free under the MIT-0 license and can be downloaded, installed and used without restriction.
Which platforms does LogEase Search support?
LogEase Search is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who develops LogEase Search?
Developed and maintained by x1nq (@x1nq); current version v1.1.0.