لطفا منتظر باشید ...
Hack 77. Send Email Alerts for System Events
Track log entries and send an email to yourselfwhen something looks suspicious.In [Hack #27] you used X11
On-Screen Display (XOSD)
to make system alerts (such as
possible attempts to break into the system) as visible as possible.
As effective as that approach can be, it doesn't
work very well if you're not looking at your monitor
when the alert appears.The next best thing is to have a program send you an email alert.
This "hack" is simply an
explanation of how you can configure two different log monitor
programs, swatch and
logsentry, to send you email alerts.Fortunately, if you use swatch to monitor one of
your logs for keywords, you don't have to settle for
one method of notification. You can list several ways to have
swatch notify you of an alert. For example, you
can have swatch check to see if the word
"failure" appears in your
authentication log (that might indicate someone is trying to guess a
password). Normally, it echoes the log entry to the screen where you
started swatch. [Hack #27] explained how to make the log
entry appear on-screen. The following entry in the
.swatchrc file does both of these things and
also sends you an email alert:
watchfor /failure/Assuming you are running swatch as root, all you
echo bold
pipe "osd_cat -c magenta -p middle -f -*-helvetica-*-*-*-*-20-*-*-*-*-*-*-*
-d 60 "
mail person-to-alert@yourdomain.com, subject="Alert from swatch"
have to do is edit your /root/.swatchrc file to
include the previous lines, and then start
swatch with this command:
# swatch -t /var/log/auth.log
9.9.1. The logsentry Difference
The logsentry program is
similar to swatch in
that it monitors logs for keywords and sends alerts. The difference
is that swatch does it all in real time, but
logsentry is usually set up to run as a cronjob
every hour or so. Most packaged versions of
logsentry place a file, such as
logsentry.cron in
/etc/cron.hourly, where programs are run every
hour. Here is the simple logsentry.cron file:
#!/bin/shThe logsentry.cron file simply runs the
/bin/sh /etc/logcheck/logcheck.sh
/etc/logcheck/logcheck.sh program.The /etc/logcheck directory contains more than
the logcheck.sh program. It also includes these
files:logcheck.shlogcheck.hackinglogcheck.ignorelogcheck.violationslogcheck.violations.ignore
The logcheck.sh file checks your logs according
to the keywords and key phrases in the other files. The
logcheck.hacking and
logcheck.violations files contain many keywords
and key phrases that might indicate trouble. The
logcheck.ignore and
logcheck.violations.ignore files include
keywords and key phrases that either are false alarms or
aren't useful. The default values in these lists are
quite reliable, but you are free to modify the lists to trigger more
alerts and/or ignore more events.You need to configure the logcheck.sh file to
have it send alerts by mail. The SYSADMIN enTRy
should point to the email address where you want alerts sent:
SYSADMIN=person-to-alert@yourdomain.comThe rest of the variables you want to customize for your system are
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/auth.log >> $TMPDIR/check.$$
$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$
the lines that point to the logs you want to monitor. Each Linux
distribution uses different log names for different purposes. Make
sure you're monitoring the right logs, or
logsentry will be useless to you.The only other entry you might need to change is the definition of
the mail program on your system. logsentry
assumes you have the mail program installed, and
that your mail program accepts the -s argument for
the Subject line. If you don't have
mail installed, or your version of mail does not
support the -s switch, you need to find a
substitute that does and redefine the program name in your
logsentry.sh file. The
mailx program is a likely candidate:
# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
