Using iptables, you can write network activity to a log file: which source sent the data, where it was going, and on which port.
sudo iptables -t filter -A FORWARD -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j LOG --log-prefix "iptables: "
So that this information is written to a separate file rather than into the general syslog file, create a dedicated rsyslog configuration file:
sudo nano /etc/rsyslog.d/10-iptables.conf
And add the following to it:
:msg, contains, "iptables: " -/var/log/iptables.log
& ~
To apply the changes, restart rsyslog:
sudo /etc/init.d/rsyslog reload
Done: the network activity matched by the first rule will be written to the file /var/log/iptables.log, and the "& ~" line discards those messages afterwards so they do not also land in /var/log/syslog or /var/log/messages (in rsyslog 7 and later "~" is deprecated and "& stop" does the same).
It is also desirable to configure logrotate to rotate and remove old logs to save disk space, since a busy FORWARD rule can produce a large volume of entries.
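Once the rule above is in place, the file fills with kernel LOG lines in the "SRC=... DST=... DPT=..." key=value format. The following script is an added example, not part of the original post: it parses that format with awk and summarises flows per source, destination and destination port, most frequent first. The log lines and addresses in it are constructed samples of what the LOG target writes, not real captured traffic; feed it the real file with "iptables_flows < /var/log/iptables.log".

```shell
#!/bin/sh
# Constructed sample of what the iptables LOG target writes to /var/log/iptables.log
# (hypothetical host "gw" and addresses; log-prefix "iptables: " as in the rule above).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 gw kernel: [1234.5678] iptables: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [1235.1111] iptables: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [1236.2222] iptables: IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: [1237.3333] iptables: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
)

# Read LOG-target lines on stdin and print "count SRC DST DPT" per flow,
# most frequent first. Only lines carrying the "iptables: " prefix are counted,
# so unrelated kernel messages in the same file are ignored.
iptables_flows() {
    awk '
        /iptables: / {
            src = dst = dpt = ""
            # Every field of the LOG line is KEY=VALUE (or a bare flag like DF, SYN).
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Usage on the constructed sample (replace with: iptables_flows < /var/log/iptables.log)
printf '%s\n' "$SAMPLE_LOG" | iptables_flows
```

The awk filter keys on the same "iptables: " prefix that the rsyslog rule uses, so a change of --log-prefix in the iptables rule must be mirrored in both places.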
Here are a few ways to receive e-mail notifications about someone connecting to the server via SSH.
With a text editor, for example nano, open the file /etc/ssh/sshrc (in nano, press CTRL+X to exit, then y or n and Enter to save or discard changes):
sudo nano /etc/ssh/sshrc
And add the following code to it:
# Source address of the SSH client (first field of SSH_CONNECTION)
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
# Record the login in syslog as well
logger -t ssh-wrapper $USER login from $ip
# Send the notification; the empty echo separates the mail headers from the body
(echo "Subject: login($ip) on server"; echo; echo "User $USER just logged in from $ip";) | sendmail -f email@example.com -t firstname.lastname@example.org &
You do not need to restart SSH; sshd runs /etc/ssh/sshrc on every login, so the notifications should start arriving on the next connection.
Add the following lines to the config /etc/rsyslog.conf (each line is preceded by a comment explaining it; this configuration sends messages about failed connections):
# Load the mail output module
$ModLoad ommail
# Specify the address of the mail server
$ActionMailSMTPServer mail.domain.com
# Specify the email from which messages will be sent
$ActionMailFrom email@example.com
# Specify the email to which messages will be sent
$ActionMailTo firstname.lastname@example.org
# Specify the subject of the message
$template mailSubject,"SSH Invalid User %hostname%"
# Specify the content of the message
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# Specify in seconds how often messages can be sent
$ActionExecOnlyOnceEveryInterval 10
# If the log message contains the text in quotes, send a message
if $msg contains 'Invalid user' then :ommail:;mailBody
The same method of sending via rsyslog, but for notifications of successful connections (the same code without comments; $ModLoad ommail from the previous block must already be present in the config):
$ActionMailSMTPServer mail.domain.com
$ActionMailFrom email@example.com
$ActionMailTo firstname.lastname@example.org
$template mailSubject,"SSH Accepted pass %hostname%"
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 10
if $msg contains 'Accepted password' then :ommail:;mailBody
As a result, messages will be sent to e-mail whether the connection to the SSH server succeeds or fails. Note that the "contains" test is case-sensitive and matches exactly the text given: 'Invalid user' fires only for logins with a non-existent user name (a wrong password for an existing account is logged as "Failed password for ..."), and 'Accepted password' fires only for password logins (key-based logins are logged as "Accepted publickey for ..."). In the same way you can notify by e-mail about any other events that are logged via rsyslog.
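Because the two filters above match literal substrings, it is worth checking which sshd lines they actually catch before relying on the e-mails. The script below is an added example, not part of the original post or of rsyslog: it reproduces the page's two "contains" conditions in a shell function, runs them over constructed sample sshd lines (hypothetical host, users and addresses), and compares the result with a broader variant that also matches "Failed password" and any "Accepted " method. Run the same functions over real lines with "count_ssh_events page < /var/log/auth.log".

```shell
#!/bin/sh
# Constructed sample sshd log lines (hypothetical host "srv", users and addresses).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:20:01 srv sshd[2101]: Invalid user admin from 203.0.113.9 port 50122
Mar  3 10:20:03 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Mar  3 10:21:10 srv sshd[2150]: Failed password for root from 203.0.113.9 port 50130 ssh2
Mar  3 10:22:00 srv sshd[2200]: Accepted password for alice from 192.168.1.10 port 51000 ssh2
Mar  3 10:23:00 srv sshd[2250]: Accepted publickey for bob from 192.168.1.11 port 51010 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar  3 10:24:00 srv sshd[2250]: pam_unix(sshd:session): session opened for user bob by (uid=0)
EOF
)

# classify_ssh_line MODE LINE -> prints "failed", "accepted" or "ignored".
# MODE "page" applies exactly the two rsyslog conditions from the post
# (case-sensitive substring match, like rsyslog's "contains").
# MODE "broad" additionally treats "Failed password" as failed and any
# "Accepted <method>" as accepted, which also covers key-based logins.
classify_ssh_line() {
    case "$2" in
        *"Invalid user"*) echo failed; return ;;
        *"Accepted password"*) echo accepted; return ;;
    esac
    if [ "$1" = broad ]; then
        case "$2" in
            *"Failed password"*) echo failed; return ;;
            *"Accepted "*) echo accepted; return ;;
        esac
    fi
    echo ignored
}

# count_ssh_events MODE: read log lines on stdin, print a per-class summary.
count_ssh_events() {
    failed=0; accepted=0; ignored=0
    while IFS= read -r line; do
        case "$(classify_ssh_line "$1" "$line")" in
            failed)   failed=$((failed + 1)) ;;
            accepted) accepted=$((accepted + 1)) ;;
            *)        ignored=$((ignored + 1)) ;;
        esac
    done
    echo "failed=$failed accepted=$accepted ignored=$ignored"
}

# Usage on the constructed sample: the page's filters versus the broader ones.
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_ssh_events page
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_ssh_events broad
```

On the sample, the page's conditions report one failed and one accepted login and ignore the other four lines, including the root password failure and the public-key login; the broad variant reports three failed and two accepted. If the broader coverage is wanted in rsyslog itself, the same substrings can be used in its "contains" conditions.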