On Tue, 2002-02-26 Jay Kline <list at slushpupie.com> wrote:

> Is there some way I can get an "instant" notification via 
> email when someone tries to log in via ssh/ftp/etc (that logs to the 
> security log) that ISN'T anonymous?


Quick and dirty, cause I have to leave now ...

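#!/usr/bin/perl
use strict;
use warnings;

my $logfile    = "/var/log/auth.log";
my $ALERT_LIST = "root";	# placeholder recipient(s), space separated; set your own

# Follow the log as it grows. List-form open runs tail without a shell.
open(my $log, '-|', 'tail', '-f', $logfile) or die "cannot tail $logfile: $!";
while (<$log>)
{
	chomp;
	# Fields: month, day, time, host, service, message.
	# Splitting on ' ' also copes with the padded day in "Feb  6".
	my @logline = split(' ', $_, 6);
	next unless defined $logline[5];

	next if ($logline[5] =~ /anonymous/);
	alert (@logline) if (($logline[5] =~ /illegal user/)
                         ||  ($logline[5] =~ /some ftp failure pattern/)
                             # etc etc
	                    );
}
close($log);
exit 0;
# Needs to be restarted when logs get rotated

sub alert
{
	# The log text is written by whoever is connecting, so it only ever
	# goes into the message body, never onto a command line.
	open(my $mail, '|-', 'mailx', '-s', 'Security Alert', split(' ', $ALERT_LIST))
		or do { warn "cannot run mailx: $!"; return; };
	print $mail "$_[4] $_[5]\n.\n";
	close($mail);
}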


-- 
$ fortune -m Kellen