Apr 15 2012

I’ve got Simple Log File Monitor in my environment monitoring the /var/log/auth.log log file at the moment, using the default settings, which are quoted below:

AppName=AuthLog,AppLogFile=/var/log/auth.log,AppMarkText===MARK==,AppMarkFile=0,AppProcess=grep "Accepted password",AppAction=mail -s "Access Logs" <EMAIL>

I have replaced the <EMAIL> placeholder in the default config with my own email address.

The first time the script ran, it emailed this to my email address:

Apr 8 21:41:18 server sshd[7726]: Accepted password for user from 10.1.1.150 port 46582 ssh2
Apr 8 21:45:39 server sshd[7825]: Accepted password for user from 10.1.1.150 port 46593 ssh2
Apr 8 21:49:07 server sshd[7936]: Accepted password for user from 10.1.1.150 port 46596 ssh2
Apr 8 21:49:21 server sshd[7940]: Accepted password for user from 10.1.1.150 port 46597 ssh2
Apr 10 10:44:22 server sshd[24150]: Accepted password for user from 2.151.180.140 port 53894 ssh2
Apr 10 10:55:51 server sshd[24615]: Accepted password for root from 124.73.163.174 port 50267 ssh2
Apr 10 21:30:50 server sshd[30071]: Accepted password for user from 10.1.1.150 port 44807 ssh2
Apr 10 21:51:46 server sshd[30272]: Accepted password for root from 10.1.1.150 port 45046 ssh2
Apr 10 23:36:26 server sshd[31043]: Accepted password for user from 10.1.1.150 port 46084 ssh2
Apr 11 21:31:12 server sshd[22030]: Accepted password for user from 10.1.1.150 port 52350 ssh2
Apr 11 22:40:57 server sshd[22779]: Accepted password for user from 10.1.1.150 port 52521 ssh2
Apr 12 09:13:26 server sshd[29172]: Accepted password for root from 124.73.163.174 port 60181 ssh2
Apr 12 09:37:35 server sshd[29546]: Accepted password for user from 2.151.180.140 port 53802 ssh2
Apr 12 22:44:10 server sshd[4718]: Accepted password for user from 10.1.1.150 port 33128 ssh2
Apr 12 23:17:09 server sshd[5111]: Accepted password for user from 10.1.1.150 port 33552 ssh2
Apr 12 23:18:12 server sshd[5115]: Accepted password for user from 10.1.1.150 port 33554 ssh2
Apr 12 23:19:18 server sshd[5119]: Accepted password for user from 10.1.1.150 port 33556 ssh2
Apr 13 01:42:51 server sshd[15465]: Accepted password for user from 10.1.1.150 port 34823 ssh2
Apr 13 23:11:39 server sshd[28603]: Accepted password for user from 10.1.1.150 port 45111 ssh2
Apr 13 23:22:13 server sshd[28769]: Accepted password for user from 10.1.1.150 port 45505 ssh2
Apr 13 23:24:16 server sshd[28925]: Accepted password for user from 10.1.1.150 port 45517 ssh2
Apr 13 23:28:24 server sshd[29199]: Accepted password for user from 10.1.1.150 port 45561 ssh2
Apr 13 23:43:37 server sshd[29436]: Accepted password for user from 10.1.1.150 port 45628 ssh2
Apr 14 00:02:36 server sshd[30422]: Accepted password for user from 10.1.1.228 port 35761 ssh2

This should be the expected output from the script with the default settings.

This has been scheduled to run every hour via crontab, so each hour it emails me the successful authentications from the past hour; the interval can be changed in the crontab.
The script could be modified not to send mail when there is nothing to report, but I have not made that configurable yet. It will be done in a later version.
The default configuration file variable in the script also has to be changed if you intend to run it without the -c switch, which sets the path of the configuration file.
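The hourly mail above is a raw list of lines. As an added example that is not part of Simple Log File Monitor, the shell functions below condense such a list into counts per user and source address, and pull out root logins that did not come from a private (RFC 1918) address, using only awk, grep and sort, which the script already requires. The sample input is constructed from the lines quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of Simple Log File Monitor: summarise the
# "Accepted password" lines that the hourly mail contains.
# Needs only awk, sort and grep.

# Constructed sample, taken from the lines quoted in the post.
SAMPLE_AUTH_LINES='Apr 10 10:44:22 server sshd[24150]: Accepted password for user from 2.151.180.140 port 53894 ssh2
Apr 10 10:55:51 server sshd[24615]: Accepted password for root from 124.73.163.174 port 50267 ssh2
Apr 10 21:30:50 server sshd[30071]: Accepted password for user from 10.1.1.150 port 44807 ssh2
Apr 10 21:51:46 server sshd[30272]: Accepted password for root from 10.1.1.150 port 45046 ssh2
Apr 12 09:13:26 server sshd[29172]: Accepted password for root from 124.73.163.174 port 60181 ssh2'

# Reads sshd "Accepted ..." lines on stdin and prints "count user source",
# most frequent pair first. The user follows "for" and the address follows
# "from", so both are located by keyword rather than by fixed field position.
summarise_logins() {
    awk '/Accepted (password|publickey) for/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i + 1)
                 if ($i == "from") addr = $(i + 1)
             }
             count[user " " addr]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# Prints, de-duplicated, each address that logged in as root and is not in
# an RFC 1918 private range (10/8, 172.16/12, 192.168/16). In an hourly mail
# like the one above, those are the lines worth a second look.
external_root_logins() {
    awk 'function is_private(a,   o) {
             split(a, o, ".")
             return (o[1] == 10) ||
                    (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                    (o[1] == 192 && o[2] == 168)
         }
         /Accepted (password|publickey) for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") addr = $(i + 1)
             if (!is_private(addr)) print addr
         }' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LINES" | summarise_logins
printf '%s\n' "$SAMPLE_AUTH_LINES" | external_root_logins
```

Either function can sit in the AppProcess slot of the configuration in place of the plain grep, so that the mail carries a summary instead of every line; the per-pair counts also make a sudden new source address easy to spot at a glance.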

Apr 13 2012

Hey Everyone

I have just finished making my very first bash script. It’s called Simple Log File Monitor, as you may have guessed.
It reads a log file, either from the beginning or from a mark that the script set on a previous run, runs a user-defined process over what it has read, and then applies an action to the result, e.g. emailing it to you.

I wrote it as a shell script so that it stays small and depends on as little as possible.
You should be able to run this script with just bash, awk, grep, tail, date, and wc.
I wrote it for a router that I plan to build. I didn’t want to install perl onto it, as it will have minuscule storage, so I thought this was a better option. This script should also work on any embedded device that has the required utilities installed, so if anyone out there has one of those, I’d appreciate any testing that could be done on it.

This script allows you to set a configuration file with the -c switch when you run it, but if you don’t set one, the script will use the default slfm.conf, which should be located in the same directory as the script itself.

This lets you choose when each log file is monitored, and which files, by running the script at set intervals with different command-line parameters.
If the script is run hourly, for example, it reports the last hour’s worth of logs.

The script marks its position so that it does not have to read the entire log file again, and it can redirect the output anywhere: for example, it can email you the results or append them to a file.
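To make the two moving parts concrete, here is an added example of the mark-and-read mechanism together with the comma-separated Key=Value config-line format. It is my own code, not the project's: it assumes the mark is a line count kept in a separate state file next to the log (the real script may do this differently), that AppProcess is run as a shell command over the new lines, and the function names and the .mark suffix are mine. The config line it parses is the default one quoted in the earlier post. It also handles the case the description leaves open: a log that has been rotated or truncated since the last mark.

```shell
#!/bin/sh
# Added example, not the project's code: an incremental log reader in the
# spirit of Simple Log File Monitor, using only wc, tail, tr, awk and sh.
# Assumptions (mine, not the script's): the mark is a line count stored in a
# separate state file, and AppProcess is run as a shell command over the new
# lines. The config line below is the default one quoted in the post.

SAMPLE_CONF='AppName=AuthLog,AppLogFile=/var/log/auth.log,AppMarkText===MARK==,AppMarkFile=0,AppProcess=grep "Accepted password",AppAction=mail -s "Access Logs" <EMAIL>'

# conf_get KEY CONFLINE: print the value of KEY from a comma-separated
# Key=Value line; empty if the key is absent. Only the first "=" separates key
# from value, so a value such as ==MARK== survives intact. Values themselves
# cannot contain commas in this format.
conf_get() {
    printf '%s\n' "$2" | tr ',' '\n' |
        awk -F= -v key="$1" '$1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# new_lines_since_mark LOGFILE MARKFILE: print the lines appended since the
# previous run and record the new mark. A missing or corrupt mark file, or a
# log that now has fewer lines than the mark (rotated or truncated), restarts
# from the top instead of silently reporting nothing.
new_lines_since_mark() {
    logfile=$1
    markfile=$2
    mark=0
    if [ -f "$markfile" ]; then
        mark=$(cat "$markfile")
    fi
    case $mark in
        ''|*[!0-9]*) mark=0 ;;
    esac
    total=$(wc -l < "$logfile" | tr -d ' ')
    if [ "$total" -lt "$mark" ]; then
        mark=0
    fi
    # Count first, then read: a line appended between the two commands is
    # reported twice rather than lost.
    tail -n +$((mark + 1)) "$logfile"
    printf '%s\n' "$total" > "$markfile"
}

# run_pass CONFLINE: one monitoring pass. The mark file sits beside the log
# as <AppLogFile>.mark (my convention, not the script's) and AppProcess is run
# as a shell command over the new lines; AppAction would consume the result.
run_pass() {
    logfile=$(conf_get AppLogFile "$1")
    process=$(conf_get AppProcess "$1")
    new_lines_since_mark "$logfile" "$logfile.mark" | sh -c "$process"
}

# Stand-alone use: ./this.sh /var/log/auth.log prints the new "Accepted
# password" lines since the last run. Scheduled hourly, as in the post:
#   0 * * * * /path/to/this.sh /var/log/auth.log | mail -s "Access Logs" you@example.com
if [ $# -ge 1 ]; then
    run_pass "AppLogFile=$1,AppProcess=grep \"Accepted password\""
fi
```

Because AppProcess (and, in the real script, AppAction) is handed to the shell as a command, anyone who can write the configuration file can run commands as the user the cron job runs as, which will usually be root when the target is /var/log/auth.log; keep slfm.conf and the script owned by that user and writable by nobody else. The line-count mark also means that if a rotated log is replaced by a new one that is already longer than the old mark, the lines before the mark are skipped; comparing inodes or file sizes as well would close that gap.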

The documentation on this isn’t great at the moment, so any help with that would be appreciated.
If anyone could please try this script out and provide feedback in the comments section, that would be great.
As this is my first script, please be gentle 😀, but I’m open to any suggestions on how to make this better.

This script can be downloaded from my SourceForge page.
It has a sample configuration file included to help you get started. Hopefully it’s clear enough for everyone and easy to work with.
Hope to hear back from some new users 😀
