Monday, June 30, 2008

Example => How to monitor the auth log (by e-mail)

I need to monitor every login to a server [assume -> Linux OS] and get a mail for each "session opened" record in the auth log:


How?

use the "root" user =>

1. Modify the /etc/syslog.conf file (send the authentication messages, facilities auth and authpriv, to the /var/log/auth.log file). Some syslogd implementations only accept a tab between the selector and the file name, so use a tab if the rule is ignored after the restart:

.
.
.
auth,authpriv.* /var/log/auth.log


2. Create the /var/log/auth.log file and restart the syslog service (mode 600, because the file will contain user names and login sources):

# touch /var/log/auth.log
# chmod 600 /var/log/auth.log
# /etc/init.d/syslog restart
...

3. Write the program (assume it is saved as /root/sbin/getauth.pl):

#!/usr/bin/perl
use strict;
use warnings;

my $LOG_FILE = '/var/log/auth.log';
my $TMP_FILE = '/root/sbin/.auth.log';   # buffer of new auth lines; keep it under a root-only directory
my $smail    = 'sender@domain';
my $rmail    = 'to@domain';
my $content  = 'opened';                  # matches pam_unix "session opened for user ..." records
chomp(my $host = `hostname`);             # strip the newline, or it ends the Subject header early

# Empty the buffer, then follow the log from its current end (-n 0) into it.
# -F instead of -f keeps following after logrotate replaces the file.
system("/bin/cat /dev/null > $TMP_FILE");
system("/usr/bin/tail -n 0 -F $LOG_FILE | /usr/bin/tee -a $TMP_FILE &");

while (1) {
    # Collect the matching lines that arrived since the last check.
    open(my $tmp, '<', $TMP_FILE) or die "Cannot read $TMP_FILE: $!";
    my @hits = grep { /$content/ } <$tmp>;
    close($tmp);

    if (@hits) {
        if (open(my $mail, '|-', '/usr/sbin/sendmail -t')) {
            print $mail "From: $smail\n";
            print $mail "To: $rmail\n";
            print $mail "Subject: [Info] Session opened on $host\n\n";
            print $mail "------------------------------------------\n";
            print $mail @hits;
            print $mail "------------------------------------------\n";
            close($mail) || warn "Error closing mail: $!";
            print "Mail sent.\n";
        } else {
            warn "Error starting sendmail: $!";
        }
        # Truncate the buffer; a line written between the read above and this
        # truncate is lost, which is acceptable for a notification, not for an audit trail.
        system("/bin/cat /dev/null > $TMP_FILE");
    }
    sleep 5;
}

4. Start the program as a background process...

# /root/sbin/getauth.pl > /dev/null 2>&1 &

# ps -aef | grep getauth.pl

root 24933 1 0 Apr25 ? 00:00:38 /usr/bin/perl /root/sbin/getauth.pl

5. Test by logging in to the server and check your e-mail. If mails keep arriving although nobody logged in, the pattern is also matching the PAM sessions that cron opens for scheduled jobs; narrow it (for example to "sshd:session" or "Accepted") before relying on it.
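Here is an added example of the filtering the loop above could do instead of a bare grep for "opened"; it is not part of the original script. It parses the auth.log lines that the grep would catch, keeps interactive logins (su sessions and sshd "Accepted" records, which carry the source address) and drops the sessions cron opens for its jobs. The sample lines are constructed in the Debian/Ubuntu syslog layout; the PAM service names (cron, sshd, su) and the message formats are assumptions to check against your own log before using the regexes.

```perl
#!/usr/bin/perl
# Added example (not from the original post): decide which auth.log lines are
# worth a mail. Service names and line formats are assumed from a Debian-style
# system; adjust the regexes if your distribution logs differently.
use strict;
use warnings;

# Constructed sample input: one cron job, one ssh login and one su to root.
my @sample = (
    'Jun 30 09:12:01 web1 CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)',
    'Jun 30 09:12:44 web1 sshd[2133]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2',
    'Jun 30 09:12:44 web1 sshd[2133]: pam_unix(sshd:session): session opened for user alice by (uid=0)',
    'Jun 30 09:13:10 web1 su[2150]: pam_unix(su:session): session opened for user root by alice(uid=1000)',
);

# Returns a hashref for a line worth reporting, or undef for noise.
sub parse_auth_line {
    my ($line) = @_;
    # syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
    my ($ts, $host, $prog, $msg) =
        $line =~ /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$/
        or return undef;

    # pam_unix session record: the service name says what kind of login it was.
    if ($msg =~ /^pam_unix\((\w+):session\): session opened for user (\S+) by (\S*)\(uid=(\d+)\)/) {
        my ($svc, $user, $by, $uid) = ($1, $2, $3, $4);
        return undef if $svc eq 'cron';   # scheduled jobs, not people
        return undef if $svc eq 'sshd';   # the sshd "Accepted" line below already reports this login with its source
        return { time => $ts, host => $host, kind => "$svc session",
                 user => $user, by => ($by ne '' ? $by : "uid $uid") };
    }

    # sshd authentication record: carries the method and the client address.
    if ($prog eq 'sshd' && $msg =~ /^Accepted (\w+) for (\S+) from (\S+) port (\d+)/) {
        return { time => $ts, host => $host, kind => "ssh $1", user => $2, by => "$3:$4" };
    }
    return undef;
}

# Builds the mail body from a list of raw log lines.
sub report {
    my @events = grep { defined } map { parse_auth_line($_) } @_;
    return join '', map { "$_->{time} $_->{host}: $_->{kind} for $_->{user} by $_->{by}\n" } @events;
}

print report(@sample);
```

In the script above, report(@hits) would replace the raw "print $mail @hits" and the cron line would no longer trigger a mail at all, since an empty report means nothing to send.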


.
.
.

Enjoy...
