I will give an example of setting up Juniper logging to a syslog server, so that the logs of all devices can be viewed in one place; logging to the device's own memory can then be disabled to save that memory.
In this article, I will show an example of how to set up sending MikroTik logs to a syslog server.
I will give an example of installing and configuring Rsyslog + Loganalyzer + MySQL.
Using iptables, you can write network activity to a log file, that is, what data is sent, where it goes and where it comes from.
Here are a few ways to receive e-mail notifications about someone connecting to the server via SSH.
With a text editor, for example nano, open the file /etc/ssh/sshrc (in nano, press CTRL+X to exit, then y or n and Enter to save or discard the changes):
sudo nano /etc/ssh/sshrc
And add the following code to it:
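# The client IP is the first field of SSH_CONNECTION
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
# Record the login in syslog
logger -t ssh-wrapper "$USER login from $ip"
# Send the notification in the background: headers, a blank line, then the body;
# the recipient is passed as an argument
(echo "Subject:login($ip) on server"; echo ""; echo "User $USER just logged in from $ip";) | sendmail -f firstname.lastname@example.org email@example.com &
You do not need to restart SSH; the notifications should start arriving with the next connection.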
Add the following lines to the config /etc/rsyslog.conf (each line is preceded by a comment explaining it; this code sends messages about failed connections):
# Connect the messaging module
$ModLoad ommail
# Specify the address of the mail server
$ActionMailSMTPServer mail.domain.com
# Specify the email from which messages will be sent
$ActionMailFrom firstname.lastname@example.org
# Specify the email to which messages will be sent
$ActionMailTo email@example.com
# Specify the subject of the message
$template mailSubject,"SSH Invalid User %hostname%"
# Specify the content of the message
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
# Specify in seconds how often messages can be sent
$ActionExecOnlyOnceEveryInterval 10
# If the log message contains the quoted string, then we send a message
if $msg contains 'Invalid user' then :ommail:;mailBody
The same method of sending via rsyslog, but for notifications of successful connections (the same directives as above, without the comments; the ommail module must still be loaded, as in the first line of code of the previous block):
$ActionMailSMTPServer mail.domain.com
$ActionMailFrom firstname.lastname@example.org
$ActionMailTo email@example.com
$template mailSubject,"SSH Accepted pass %hostname%"
$template mailBody,"RSYSLOG\r\nmsg='%msg%'"
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 10
if $msg contains 'Accepted password' then :ommail:;mailBody
As a result, a message is sent by e-mail whether the connection to the SSH server succeeds or fails. In the same way, you can set up e-mail notifications for other events that are logged via rsyslog.
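To see which sshd events the two `contains` filters above actually report, the following added example (not code from the original article) applies the same case-sensitive substring matches to a few constructed log messages. The function names and the sample lines are assumptions made for the illustration; it shows that a failed password for an existing account and a key-based login produce no e-mail.

```shell
#!/bin/sh
# Added example (not from the original article): mirrors the two rsyslog
# `contains` filters above so their coverage can be checked offline.

# Print which notification, if any, a syslog message would trigger.
# Like rsyslog's `contains`, the shell pattern match is case-sensitive.
classify() {
    case "$1" in
        *"Invalid user"*)      echo "mail:invalid-user" ;;
        *"Accepted password"*) echo "mail:accepted-password" ;;
        *)                     echo "no-mail" ;;
    esac
}

# Constructed sshd messages (addresses from the RFC 5737 documentation ranges).
sample_lines() {
    cat <<'EOF'
Invalid user admin from 203.0.113.7 port 40112
Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Failed password for root from 203.0.113.7 port 40113 ssh2
Accepted password for alice from 198.51.100.4 port 51514 ssh2
Accepted publickey for bob from 198.51.100.9 port 51515 ssh2: ED25519 SHA256:CONSTRUCTED
EOF
}

# Count the sample messages that neither filter would report.
count_unreported() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify "$line")" = "no-mail" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$(sample_lines)
EOF
    echo "$n"
}

# Show the verdict for every sample message.
sample_lines | while IFS= read -r line; do
    printf '%-22s %s\n' "$(classify "$line")" "$line"
done
echo "unreported: $(count_unreported)"
```

If those events matter on your server, add further filters in the same form for the strings 'Failed password' and 'Accepted publickey'.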