Matteo Mattei

Hello, my name is Matteo Mattei and this is my personal website. I am a computer engineer with long experience in Linux system administration and web software development.


Monitor SSH access and send an email when someone logs in

To monitor SSH access we can rely on rsyslog, since all SSH accesses are recorded in /var/log/auth.log. Start by creating a custom rsyslog configuration /etc/rsyslog.d/90-ssh.conf with the following content:

Basically we are telling rsyslog to look for lines where the program name is sshd and the message contains the string "session opened for user". Every time this condition matches, rsyslog calls the script we are going to create, passing the entire log line as a parameter.

Assuming we want to receive an email with the user who has logged in, open your editor and create the file /usr/local/bin/log_access.py:

Make the file executable:

chmod +x /usr/local/bin/log_access.py

Remember to fill in the SMTP data at the beginning of the script. As you can see, the above script also logs all logins to /var/log/logins.log.

Feel free to do what you want in the Python script; the above is only an example!
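One way such a script could look, as an added example rather than the author's original code: the SMTP values are placeholders, and the regex assumes the pam_unix "session opened for user" line in either its older form or the newer one with a uid suffix after the user name. The log line is treated as untrusted input, so control characters are stripped before it is written to the log file or mailed.

```python
#!/usr/bin/env python3
# Added example: rsyslog passes the matched log line as the argument(s).
import re
import smtplib
import sys
from email.message import EmailMessage

# Placeholder SMTP settings (assumptions): replace with your own.
SMTP_HOST, SMTP_PORT = "smtp.example.com", 587
SMTP_USER, SMTP_PASS = "alerts@example.com", "changeme"
MAIL_TO, LOGFILE = "admin@example.com", "/var/log/logins.log"

# Matches "user bob by (uid=0)" and the newer "user bob(uid=1000) by (uid=0)".
SESSION_RE = re.compile(r"session opened for user ([A-Za-z0-9_.$-]+)")


def parse_login(line):
    """Return (user, cleaned_line) for a session-open line, else None."""
    # Untrusted input: drop newlines and other control characters.
    clean = "".join(ch for ch in line if ch.isprintable())
    match = SESSION_RE.search(clean)
    return (match.group(1), clean) if match else None


def build_message(user, line):
    msg = EmailMessage()
    msg["Subject"] = f"SSH login: {user}"
    msg["From"] = SMTP_USER
    msg["To"] = MAIL_TO
    msg.set_content(line)
    return msg


def main(argv):
    parsed = parse_login(" ".join(argv[1:]))
    if parsed is None:
        return 1  # not a login line: nothing to record
    user, line = parsed
    with open(LOGFILE, "a") as fh:  # local record of every login
        fh.write(line + "\n")
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=10) as smtp:
        smtp.starttls()
        smtp.login(SMTP_USER, SMTP_PASS)
        smtp.send_message(build_message(user, line))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```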

Now restart rsyslog and check that everything works as expected.

/etc/init.d/rsyslog restart

Let me know your use cases and whether this article helped you!
