
Hack 77. Send Email Alerts for System Events

Track log entries and send an email to yourself when something looks suspicious.

In [Hack #27] you used X11 On-Screen Display (XOSD) to make system alerts (such as possible attempts to break into the system) as visible as possible. As effective as that approach can be, it doesn't work very well if you're not looking at your monitor when the alert appears.

The next best thing is to have a program send you an email alert. This "hack" is simply an explanation of how you can configure two different log monitor programs, swatch and logsentry, to send you email alerts.

Fortunately, if you use swatch to monitor one of your logs for keywords, you don't have to settle for one method of notification. You can list several ways to have swatch notify you of an alert. For example, you can have swatch check to see if the word "failure" appears in your authentication log (that might indicate someone is trying to guess a password). Normally, it echoes the log entry to the screen where you started swatch. [Hack #27] explained how to make the log entry appear on-screen. The following entry in the .swatchrc file does both of these things and also sends you an email alert:

watchfor /failure/
        echo bold
        pipe "osd_cat -c magenta -p middle -f -*-helvetica-*-*-*-*-20-*-*-*-*-*-*-* -d 60"
        mail person-to-alert@yourdomain.com, subject="Alert from swatch"

Assuming you are running swatch as root, all you have to do is edit your /root/.swatchrc file to include the previous lines, and then start swatch with this command:

# swatch -t /var/log/auth.log

9.9.1. The logsentry Difference

The logsentry program is similar to swatch in that it monitors logs for keywords and sends alerts. The difference is that swatch does it all in real time, whereas logsentry is usually set up to run as a cron job every hour or so. Most packaged versions of logsentry place a file, such as logsentry.cron, in /etc/cron.hourly, where programs are run every hour. Here is the simple logsentry.cron file:

#!/bin/sh

/bin/sh /etc/logcheck/logcheck.sh

The logsentry.cron file simply runs the /etc/logcheck/logcheck.sh program.

The /etc/logcheck directory contains more than the logcheck.sh program. It also includes these files:

  • logcheck.sh

  • logcheck.hacking

  • logcheck.ignore

  • logcheck.violations

  • logcheck.violations.ignore

The logcheck.sh file checks your logs according to the keywords and key phrases in the other files. The logcheck.hacking and logcheck.violations files contain many keywords and key phrases that might indicate trouble. The logcheck.ignore and logcheck.violations.ignore files include keywords and key phrases that either are false alarms or aren't useful. The default values in these lists are quite reliable, but you are free to modify the lists to trigger more alerts and/or ignore more events.

You need to configure the logcheck.sh file to have it send alerts by mail. The SYSADMIN entry should point to the email address where you want alerts sent:

SYSADMIN=person-to-alert@yourdomain.com

$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/auth.log >> $TMPDIR/check.$$
$LOGTAIL /var/log/syslog >> $TMPDIR/check.$$

The rest of the variables you want to customize for your system are the lines that point to the logs you want to monitor. Each Linux distribution uses different log names for different purposes. Make sure you're monitoring the right logs, or logsentry will be useless to you.

The only other entry you might need to change is the definition of the mail program on your system. logsentry assumes you have the mail program installed, and that your mail program accepts the -s argument for the Subject line. If you don't have mail installed, or your version of mail does not support the -s switch, you need to find a substitute that does and redefine the program name in your logsentry.sh file. The mailx program is a likely candidate:

# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
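To make the logcheck.sh pipeline concrete, here is an added, self-contained example (not the book's or logsentry's own code) of the same idea: read only the log lines that are new since the last run, keep those matching a violations list, drop those matching a violations.ignore list, and "send" only when something is left. The log, keyword lists and offset file are constructed in a temporary directory so it runs offline; an outbox file stands in for $MAIL -s.

```shell
#!/bin/sh
# Added example, not the book's logcheck.sh. Everything below (log, keyword
# lists, offset file) is constructed in a temp dir; a real run reads
# /var/log/* and mails the report with $MAIL -s "$SUBJECT" $SYSADMIN.
WORK=$(mktemp -d)
LOG="$WORK/auth.log"

# Constructed sample auth log (not a real capture)
cat > "$LOG" <<'EOF'
Jan 10 10:00:01 host sshd[1234]: Accepted publickey for alice from 10.0.0.5
Jan 10 10:00:07 host sshd[1235]: authentication failure; logname= uid=0 user=root
Jan 10 10:00:09 host su[1236]: FAILED SU (to root) bob on /dev/pts/1
Jan 10 10:00:12 host sshd[1237]: Failed password for invalid user admin from 203.0.113.9
Jan 10 10:00:15 host sshd[1238]: refused connect from 127.0.0.1 (127.0.0.1)
EOF

# Keyword lists in the spirit of logcheck.violations and logcheck.violations.ignore
printf '%s\n' 'failure' 'FAILED' 'invalid user' 'refused' > "$WORK/violations"
printf '%s\n' 'refused connect from 127.0.0.1' > "$WORK/violations.ignore"

# logtail-style reader: print only lines appended since the last run, then
# remember how far we got ($1 = log file, $2 = offset file)
logtail() {
  last=0
  [ -f "$2" ] && last=$(cat "$2")
  tail -n +"$((last + 1))" "$1"
  wc -l < "$1" > "$2"
}

# The logcheck.sh core: new lines matching a violation keyword, minus those
# covered by the ignore list. Prints the report, which may be empty.
check_logs() {
  logtail "$LOG" "$LOG.offset" > "$WORK/check.$$"
  grep -i -f "$WORK/violations" "$WORK/check.$$" \
    | grep -v -f "$WORK/violations.ignore" || true
}

# Deliver only when there is something to say. Appends to an "outbox" file
# instead of mailing; returns the number of lines sent (0 when nothing new).
send_alert() {
  report=$(check_logs)
  [ -n "$report" ] || { echo 0; return 0; }
  printf '%s\n' "$report" >> "$WORK/outbox"
  printf '%s\n' "$report" | wc -l | tr -d ' '
}

send_alert   # first run: reports the three suspicious lines
send_alert   # second run: nothing new, so nothing is sent
```

Note that the localhost "refused connect" line is matched by the violations list but removed by the ignore list, which is exactly how you tune logcheck.violations.ignore to silence a known-noisy source without loosening the keyword list itself.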
