Welcome to It-Slav.Net blog
Peter Andersson
peter@it-slav.net


This is a step-by-step guide on how to integrate op5 Monitor with op5 Logserver.

Background

I would like an alert whenever root logs in to my firewall. I think it is very important to know this quickly, wherever I am, so I want an SMS sent to my cellphone. I have op5 Monitor with a GSM modem.

Theory

When root logs in, a message shows up in the syslog, i.e. /var/log/authlog:

Nov 19 15:55:58 pedro sshd[12180]: Accepted password for root from 192.168.0.153 port 35896 ssh2

So I want op5 Monitor to detect this message in syslog and send an SMS if it occurs.

The steps are:

  • Send the message to op5 Logserver
  • Create a filter that matches that message
  • Make op5 Monitor run this filter and send an alarm if it gets a hit.
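
The detection logic described above, as an added example that is not part of the original post and not op5's own code: a small Nagios-style check run over constructed sample syslog lines. It goes slightly beyond the filter text used in this guide by matching any authentication method, because sshd logs key-based root logins as "Accepted publickey for root", which a filter on "Accepted password for root" does not catch. The function names, the sample lines and the year are assumptions; the -i/-c behaviour is modelled on the check_ls_log run shown in this guide.

```python
import re
from datetime import datetime, timedelta

# Anchored on the sshd program tag so the phrase appearing elsewhere in a
# message does not count as a login. Matches any auth method, not only password.
ROOT_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+"
)

SAMPLE = [  # constructed sample lines, modelled on the message in this guide
    "Nov 19 15:55:58 pedro sshd[12180]: Accepted password for root from 192.168.0.153 port 35896 ssh2",
    "Nov 19 15:57:10 pedro sshd[12201]: Accepted publickey for root from 192.168.0.153 port 35910 ssh2",
    "Nov 19 15:58:02 pedro sshd[12230]: Accepted password for peter from 192.168.0.153 port 35922 ssh2",
    "Nov 19 15:58:40 pedro sshd[12244]: Failed password for root from 192.168.0.77 port 40112 ssh2",
    "Nov 19 13:01:00 pedro sshd[11002]: Accepted password for root from 192.168.0.153 port 35001 ssh2",
]

def parse_ts(ts, now):
    """BSD syslog timestamps carry no year: assume the current year and
    step back one year if that would put the event in the future."""
    try:
        t = datetime.strptime(f"{now.year} {ts}", "%Y %b %d %H:%M:%S")
        if t > now + timedelta(days=1):
            t = t.replace(year=now.year - 1)
    except ValueError:  # e.g. "Feb 29" paired with a non-leap year
        return None
    return t

def check_root_logins(lines, now, minutes=60, crit=0):
    """Return (exit_code, status_line) in Nagios plugin convention:
    CRITICAL (2) if matches inside the window exceed `crit`, else OK (0)."""
    since = now - timedelta(minutes=minutes)
    hits = []
    for line in lines:
        m = ROOT_LOGIN.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"], now)
        if t and since <= t <= now:
            hits.append(f"{m['method']} from {m['src']}")
    n = len(hits)
    if n > crit:
        return 2, f"CRITICAL - {n} root login(s): {'; '.join(hits)}|nr_matches={n};;{crit}"
    return 0, f"OK - no root logins in last {minutes} min|nr_matches=0;;{crit}"

if __name__ == "__main__":
    code, status = check_root_logins(SAMPLE, datetime(2009, 11, 19, 16, 0, 0))
    print(status)
    raise SystemExit(code)
```
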


Implementation

1-First step is to have a working op5 Logserver that receives this message. This guide assumes that an op5 Logserver is already installed and configured.

In /etc/syslogd.conf I have the following line:

*.*                                                     @op5

This tells syslog to send every message to the host op5, which in this case is my op5 Logserver, op5 Monitor and op5 Statistics machine. This is not recommended, but my environment is very small.

2-Log in to op5 Logserver and verify that your login has been stored.

“Query builder”, enter in Host box, enter “Accepted password for root” in message.

3-Save the filter with a good name, e.g. root_login_fw

4-Test that op5 Monitor can detect the message

[root@op5 plugins]# ./check_ls_log -f root_login_fw -i 60 -c 0
CRITICAL - 1 matches for general filter 'root_login_fw':Accepted password for root from 192.168.0.153 port 35896 ssh2|query_time=0.05ms nr_matches=1;5;0

-f is the filter name

-i is how many minutes back the database should be queried

It works!

Note: If you have your Logserver running on another host, which should be the normal case, use -H -l -p .

5-Create the op5 Monitor Service check on your firewall

Login to op5 Monitor

Click Configure

Pick the firewall in the list of hosts

Click Go

Click “Services for fw”

Pick “Add new service”, Click Go

Enter “Root Login” in Service Description

Enter check_ls_log in check_command

Enter -f root_login_fw -i 60 -c 0 in check_command_args

Enter the contact information.

Press Apply

Press “Test this service” to verify that it works

Press Save and you are done.

6-If you have logged in recently, it should look something like this when looking at your service:

Hint: Before you log in to your firewall, do not forget to schedule downtime for this service. Otherwise you will get an SMS alert and your availability reports will be affected.

One Response to “Howto Integrate op5 Monitor with op5 Logserver”

  1. Mattias Ryrlén Says:

    “note:If you have your logserver running on an another host, which should be the normal case, use -H -l -p .”

    -r -l -p are the correct switches 🙂

    /MR author of the how-to 😉
