One day, on the same server running Ubuntu 20.04, I noticed a lot of messages in /var/log/syslog:
Continue reading “Solution rsyslogd: action ‘action-6-builtin:omfile’ resumed (module ‘builtin:omfile’)”
Tag Archives: syslog
Configuring Syslog on Juniper
I will give an example of configuring Juniper devices to log to a syslog server, so that the logs of all devices can be viewed in one place. Logging to the device's own memory can then be disabled to save that memory.
Setting up Syslog on MikroTik (RouterOS)
In this article, I will show an example of how to set up sending MikroTik logs to the Syslog server.
Installing Rsyslog + Loganalyzer + MySQL
I will give an example of installing and configuring Rsyslog + Loganalyzer + MySQL.
Logging activity using IPTables
Using iptables, you can write network activity to a log file, that is, which data is sent, where it is sent to and where it comes from.
Email notification about each SSH connection
Here are a few ways to receive e-mail notifications about someone connecting to the server via SSH.
FIRST METHOD:
With a text editor, for example nano, open the file /etc/ssh/sshrc (in nano, press CTRL+X to exit, then y/n and Enter to save or discard changes):
sudo nano /etc/ssh/sshrc
And add the following code to it:
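# The first field of SSH_CONNECTION is the client IP address
ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
# Record the login in syslog under the tag ssh-wrapper
logger -t ssh-wrapper "$USER login from $ip"
# Build the message (headers, blank line, body) and send it in the background;
# with -t, sendmail takes the recipient from the To: header
(echo "To: your-email@example.com"; echo "Subject: login($ip) on server"; echo; echo "User $USER just logged in from $ip") | sendmail -f server@example.com -t &
You do not need to restart SSH; the notifications should start arriving with the next connection.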
SECOND METHOD:
Add the following lines to the config file /etc/rsyslog.conf (each line is preceded by a comment explaining it; this configuration sends messages about failed connections):
# Connect the messaging module
$ModLoad ommail
# Specify the address of the mail server
$ActionMailSMTPServer mail.domain.com
# Specify the email from which messages will be sent
$ActionMailFrom rsyslog@domain.com
# Specify the email to which messages will be sent
$ActionMailTo test@domain.com
# Specify the subject of the message
$template mailSubject,"SSH Invalid User %hostname%"
# Specify the content of the message
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# Specify in seconds how often messages can be sent
$ActionExecOnlyOnceEveryInterval 10
# If the log message contains the characters in quotes, then we send a message
if $msg contains 'Invalid user' then :ommail:;mailBody
The same way of sending via rsyslog, but for notifications of successful connections (the same directives as above, without comments; the ommail module must still be loaded with $ModLoad ommail as shown above):
$ActionMailSMTPServer mail.domain.com
$ActionMailFrom rsyslog@domain.com
$ActionMailTo test@domain.com
$template mailSubject,"SSH Accepted pass %hostname%"
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 10
if $msg contains 'Accepted password' then :ommail:;mailBody
As a result, a message will be sent by e-mail whether the connection to the SSH server succeeds or fails. In a similar way, you can send e-mail notifications about other events that are logged via rsyslog.
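The two rsyslog rules above test only for a substring of the message, so it helps to check what they match before relying on them. The script below is an added example, not part of the original post: it runs the same substring tests over constructed sample log lines and compares them with a stricter filter that accepts only lines tagged sshd[pid]. The function names page_filter and strict_filter and the traditional syslog line layout are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample lines in the traditional syslog layout
# (timestamp, host, program[pid]:, message); none come from a real host.
SAMPLE='Mar  3 10:01:12 web1 sshd[2211]: Accepted password for alice from 203.0.113.7 port 50022 ssh2
Mar  3 10:02:40 web1 sshd[2230]: Accepted publickey for bob from 203.0.113.9 port 50100 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:05 web1 sshd[2244]: Invalid user admin from 198.51.100.4 port 40111
Mar  3 10:03:09 web1 sshd[2244]: Failed password for invalid user admin from 198.51.100.4 port 40111 ssh2
Mar  3 10:04:00 web1 carol: Invalid user test message written with logger
Mar  3 10:05:30 web1 sshd[2301]: Failed password for root from 198.51.100.4 port 40200 ssh2'

# The substring tests from the two rsyslog rules above, applied to every
# program's messages. Prints the number of lines that would trigger a mail.
page_filter() {
    printf '%s\n' "$SAMPLE" | grep -c -e 'Invalid user' -e 'Accepted password'
}

# Stricter (hypothetical) filter: only lines tagged sshd[pid], any
# authentication method, failed passwords for existing users included.
# Prints: event user source-ip [method]
strict_filter() {
    printf '%s\n' "$SAMPLE" | awk '
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }
        $6 == "Accepted" { print "login", $9, $11, $7; next }
        $6 == "Invalid" && $7 == "user" { print "invalid-user", $8, $10; next }
        $6 == "Failed" && $9 == "invalid" { print "failed", $11, $13; next }
        $6 == "Failed" { print "failed", $9, $11 }'
}

echo "lines matched by the substring rules: $(page_filter)"
strict_filter
```

The substring rules miss the public-key login and the failed password for root, and they match a line written by another program. In rsyslog the same restriction can be expressed by adding $programname == 'sshd' to the if condition.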