
What I want: automatic emails every time someone successfully logs into my Ubuntu 14.04 LTS server. /var/log/auth.log gets 2 lines written to it every time I log in. Example:

Jul 22 13:55:49 server sshd[1234]: Accepted publickey for me from 12.34.56.78 port 12345 ssh2: RSA <<key signature elided>>
Jul 22 13:55:49 server sshd[1234]: pam_unix(sshd:session): session opened for user me by (uid=0)

I would like 1 email detailing this event, instead of the 2 I am currently receiving.

What I have installed:

[me@server ~]$ dpkg -l | grep syslog
ii  syslog-ng                             3.5.3-1          
ii  syslog-ng-core                        3.5.3-1
ii  syslog-ng-mod-geoip                   3.5.3-1
ii  syslog-ng-mod-json                    3.5.3-1
ii  syslog-ng-mod-mongodb                 3.5.3-1
ii  syslog-ng-mod-smtp                    3.5.3-1
ii  syslog-ng-mod-sql                     3.5.3-1
[me@server ~]$ dpkg -l | grep exim
ii  exim4                                 4.82-3ubuntu2
ii  exim4-base                            4.82-3ubuntu2
ii  exim4-config                          4.82-3ubuntu2
ii  exim4-daemon-light                    4.82-3ubuntu2

What I've added:

[me@server ~]$ cat /etc/syslog-ng/conf.d/smtp_for_ssh.conf 
filter f_ssh_login {
    host("server") and filter(f_auth) and not filter(f_cron);
};

destination d_smtp {
    smtp(
        host("localhost")
        port(25)
        from("Syslog-NG Alert Service" "syslog-ng@mydomain.com")
        to("Me" "me@mydomain.com")
        subject("[ALERT] Important log message of $LEVEL condition received from $HOST/$PROGRAM!")
        body("Hi!\nThe syslog-ng alerting service detected the following important log message:\n $MSG\n-- \nSyslog-NG\n")
        log_fifo_size(5)
    );
};

log {
    source(s_src);
    filter(f_ssh_login);
    destination(d_smtp);
};

This has been cobbled together from reading http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/configuring-destinations-smtp.html and http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.4-guides/en/syslog-ng-ose-v3.4-guide-admin/html/reference-destination-smtp.html.

What I've also changed:

[me@server syslog-ng]$ cat syslog-ng.conf 
@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(5); use_dns(no); use_fqdn(no);
      owner("root"); group("adm"); perm(0640); stats_freq(0);
      bad_hostname("^gconfd$");
};

The change from the default syslog-ng.conf file is that I changed flush_lines(0); to flush_lines(5) in an attempt to batch up some of the information together. This might be working for normal logging (I haven't verified if syslog-ng is writing 5 lines at a time to disk-based log files), but it is not working when sending email to me.

syslog-ng has been restarted after each of the above changes.

The documentation in the second link seems to imply that log_fifo_size(5) in my destination d_smtp will collect 5 lines of log messages into one email. Thus, when I login using SSH and it logs the 2 lines above to /var/log/auth.log, I should get 1 email. Instead, I receive 2.

What is the magic incantation to make syslog-ng only send one email per login?

Mike

1 Answer


I would add a filter on "session opened for user" (using match()) that limits it to that particular log line, and the ssh one will not trigger the e-mail.

(The flush-lines() functionality is not implemented for the SMTP destination in syslog-ng)

algernon
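A configuration fragment along the lines of the answer, added here as an example; it is not part of the original question or answer. It assumes the stock Ubuntu syslog-ng source s_src and the d_smtp destination exactly as defined in the question, and the filter name f_ssh_login_once is made up for this example. The match() is combined with program("sshd") so that PAM "session opened" lines from other services (su, cron, login) do not trigger mail; the commented alternative keys on the "Accepted" line instead, which is the one of the two that carries the authentication method, client address and port.

```conf
# Added example (not from the original post). Drop in as
# /etc/syslog-ng/conf.d/smtp_for_ssh.conf, replacing the f_ssh_login
# filter and log path from the question; d_smtp stays as defined there.

# Match exactly one of the two lines sshd writes per successful login:
# the PAM "session opened" line. program("sshd") keeps PAM session
# messages from su, cron or login out of the mail.
filter f_ssh_login_once {
    facility(auth, authpriv)
    and program("sshd")
    and match("session opened for user" value("MESSAGE"));
};

# Alternative: key on the "Accepted ..." line instead, which carries the
# auth method, the source address and port. Use one or the other, not
# both, or you are back to two mails per login.
#filter f_ssh_login_once {
#    facility(auth, authpriv)
#    and program("sshd")
#    and match("^Accepted " value("MESSAGE"));
#};

log {
    source(s_src);
    filter(f_ssh_login_once);
    destination(d_smtp);
};
```

log_fifo_size() is only the size of the destination's output queue, not a batching setting, and flush_lines() does not apply to the smtp destination, so with this filter one matching line is one mail and $PROGRAM/$MSG in the subject and body still expand per message. Check the syntax with syslog-ng -s before restarting the service.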