Blog by Constantin Herold

Spaaace | sysadmin & dev stuff

Login Mail Alert Using Rsyslog

February 23, 2021 | Debian, Security, Sysadmin

I wanted a way to know who authenticates on my servers. This is especially useful if you work in a team or want to have some additional security in place.

Rsyslogd is a service that ships with most distros and processes logs before they are written to disk.

We will create a simple script which will be executed whenever a user session gets opened.

This way we will be able to log any user logins whether it’s from terminal, ssh, su, cockpit, etc.

In my case I will send a mail with the login details which will look like this:

# Login Email Alert
# includes ssh / cockpit / any login
mkdir -p /root/scripts

cat << 'EOF' > /root/scripts/loginalert.sh
#!/bin/bash
recipient="user@example.com"
host="$(hostname)"
subject="Rsyslogd: User session opened on $host"
# $* = args passed to the script, joined into one string; by default this is the log line, e.g.
# Sep 30 13:08:51 <hostname> sshd[6536]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
message="$*"
# printf instead of echo so the log line is never interpreted as echo options
printf '%s\n' "$message" | mail -s "$subject" "$recipient"
EOF

chmod +x /root/scripts/loginalert.sh

cat << 'EOF' > /etc/rsyslog.d/loginalert.conf
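$ModLoad omprog
# Run the action at most once every 2 seconds
$ActionExecOnlyOnceEveryInterval 2
# Match every "session opened" line except those that mention cron
if $msg contains 'session opened for user' and not ($msg contains 'cron') then {
    # ^ executes the program and passes the formatted log line as its argument
    ^/root/scripts/loginalert.sh
}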
EOF

systemctl restart rsyslog
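
An added example, not part of the original post: a variant of loginalert.sh that parses the pam_unix line, accepts both the older `for user alice by (uid=0)` form and the newer `for user alice(uid=1000) by ...` form, and builds the mail subject only from vetted fields. The function names are hypothetical and the recipient is the post's placeholder address.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
RECIPIENT="user@example.com"   # placeholder address, as in the post

# Print "<service> <user>" for a pam_unix "session opened" line; return 1 otherwise.
# Accepts "for user alice by (uid=0)" and "for user alice(uid=1000) by (uid=0)".
parse_login_line() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/.*pam_unix(\([A-Za-z0-9_.-]\{1,\}\):session): session opened for user \([A-Za-z0-9_.-]\{1,\}\)\((uid=[0-9]*)\)\{0,1\} by .*/\1 \2/p' \
        | head -n 1)
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# Services whose sessions should not produce mail (the post excludes cron).
should_alert() {
    case "$1" in
        cron|crond) return 1 ;;
        *) return 0 ;;
    esac
}

# Subject built only from vetted fields, never from the raw log line.
build_subject() {   # args: host service user
    printf 'Login alert: %s via %s on %s\n' "$3" "$2" "$1"
}

alert_main() {
    host=$(hostname)
    if fields=$(parse_login_line "$1"); then
        service=${fields% *}
        user=${fields#* }
        should_alert "$service" || return 0
        subject=$(build_subject "$host" "$service" "$user")
    else
        # Unknown format: still alert, with a generic subject.
        subject="Login alert: unrecognised session line on $host"
    fi
    printf '%s\n' "$1" | mail -s "$subject" "$RECIPIENT"
}

# rsyslog's ^ action passes the formatted log line as the script's argument.
if [ "$#" -gt 0 ]; then
    alert_main "$1"
fi
```

Filtering on the parsed service instead of `$msg contains 'cron'` keeps alerts for users whose name happens to contain "cron"; this only takes effect if the cron exclusion is removed from the rsyslog rule.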
