Greetings!
Logcheck is installed on a Solaris sparc machine running Solaris 10. It
(Logcheck) is being driven by a scheduled cron job and it works as it is
supposed to.
However, I am having a problem getting it to work whenever I try to add a rule
to the /usr/local/etc/logcheck.violations file in order to cause the Logcheck
application to send an alert whenever an ssh login attempt failure occurs.
As of this writing, I have done the following:
(1) Made necessary entries in the /etc/syslog.conf to insure that ssh logging
is occuring. This has been verified.
(2) The cron job which instigates the Logcheck application is running
normally. This has been verified.
(3) I edited the /usr/local/etc/logcheck.sh script to look like this:
# SunOS, Sun Solaris 2.5
$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$
#$LOGTAIL /var/adm/auth >> $TMPDIR/check.$$
$LOGTAIL /var/log/ssh.log >> $TMPDIR/check.$$
(4) I have installed the following line in the
/usr/local/etc/logcheck.violations file:
"authentication failed" (minus the quotes, of course!)
The "authentication failed" line was added to cause the logcheck script to
alert on any failed ssh login attempts because the ssh.log file reports, in
part, "Authentication failed".
(5) When I try to test Logcheck to send an alert by purposefully failing an ssh
login attempt, the failed login attempt is reported in
/var/log/ssh.log but the Logcheck application fails to send an e-mail message
alert to the sysadmin.
Any ideas as to what I need to do to correct this problem so that Logcheck will
report the failed ssh login attempt?
Andy and all responses are very much appreciated! Thanks ahead of time!
Rob Sandifer
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
