Apr 152012
 

I’ve got Simple Log File Monitor in my environment monitoring the /var/log/auth.log log file at the moment, using default settings, which is quoted below –

AppName=AuthLog,AppLogFile=/var/log/auth.log,AppMarkText===MARK==,AppMarkFile=0,AppProcess=grep "Accepted password",AppAction=mail -s "Access Logs" <EMAIL>

I have replaced the in the default config with my own email address.

The first time the script ran, it emailed this to my email address

Apr 8 21:41:18 server sshd[7726]: Accepted password for user from 10.1.1.150 port 46582 ssh2
Apr 8 21:45:39 server sshd[7825]: Accepted password for user from 10.1.1.150 port 46593 ssh2
Apr 8 21:49:07 server sshd[7936]: Accepted password for user from 10.1.1.150 port 46596 ssh2
Apr 8 21:49:21 server sshd[7940]: Accepted password for user from 10.1.1.150 port 46597 ssh2
Apr 10 10:44:22 server sshd[24150]: Accepted password for user from 2.151.180.140 port 53894 ssh2
Apr 10 10:55:51 server sshd[24615]: Accepted password for root from 124.73.163.174 port 50267 ssh2
Apr 10 21:30:50 server sshd[30071]: Accepted password for user from 10.1.1.150 port 44807 ssh2
Apr 10 21:51:46 server sshd[30272]: Accepted password for root from 10.1.1.150 port 45046 ssh2
Apr 10 23:36:26 server sshd[31043]: Accepted password for user from 10.1.1.150 port 46084 ssh2
Apr 11 21:31:12 server sshd[22030]: Accepted password for user from 10.1.1.150 port 52350 ssh2
Apr 11 22:40:57 server sshd[22779]: Accepted password for user from 10.1.1.150 port 52521 ssh2
Apr 12 09:13:26 server sshd[29172]: Accepted password for root from 124.73.163.174 port 60181 ssh2
Apr 12 09:37:35 server sshd[29546]: Accepted password for user from 2.151.180.140 port 53802 ssh2
Apr 12 22:44:10 server sshd[4718]: Accepted password for user from 10.1.1.150 port 33128 ssh2
Apr 12 23:17:09 server sshd[5111]: Accepted password for user from 10.1.1.150 port 33552 ssh2
Apr 12 23:18:12 server sshd[5115]: Accepted password for user from 10.1.1.150 port 33554 ssh2
Apr 12 23:19:18 server sshd[5119]: Accepted password for user from 10.1.1.150 port 33556 ssh2
Apr 13 01:42:51 server sshd[15465]: Accepted password for user from 10.1.1.150 port 34823 ssh2
Apr 13 23:11:39 server sshd[28603]: Accepted password for user from 10.1.1.150 port 45111 ssh2
Apr 13 23:22:13 server sshd[28769]: Accepted password for user from 10.1.1.150 port 45505 ssh2
Apr 13 23:24:16 server sshd[28925]: Accepted password for user from 10.1.1.150 port 45517 ssh2
Apr 13 23:28:24 server sshd[29199]: Accepted password for user from 10.1.1.150 port 45561 ssh2
Apr 13 23:43:37 server sshd[29436]: Accepted password for user from 10.1.1.150 port 45628 ssh2
Apr 14 00:02:36 server sshd[30422]: Accepted password for user from 10.1.1.228 port 35761 ssh2

This should be the expected output from the script with the default settings.

This has been scheduled to run every hour via crontab, and will email me the authentication successes for the past hour each and every hour, though this can be modified via crontab.
The script can be modified to not send if there’s nothing to report, but at the moment I have not made that configurable as of yet. It will be done for a later version.
The default configuration file variable also has to be changed if you intend to run the script without the -c switch to set the path of the configuration variable.

Share

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)