Obviously, for this recipe you need the Unix/Linux Management Packs applied and properly configured, here is an old post concerning this topic.
There are at least two ways, via ACS or via Unix/Linux Log file monitoring to rise this type of alerts.
The quickest and easiest way is with Log file monitoring, but it is less accurate than ACS, for example ACS has a set of reports to get detailed login statistics, but in some scenarios, it could be noisy and complex to manage.
So, if you only need to know when root has login or not, you have to use the Unix/Linux Log file monitoring.
Anyway, here is a set of articles with information about how to setup the ACS on Linux machines:
Back to the main topic, the first step to setup the alert, is run the "Unix/Linux Log file monitoring" wizard and setup the name of the alert and the management pack.
After this, you have to select the file to monitor, in this case /var/log/audit.log and create a regexp to generate the alert, in this case root.*sshd, if you only want to match one word, just type the word in the textbox area.
Maybe you have doubts about the regexp, here is a good webpage to start with regexp http://regexone.com/ and nice place to test your own regexp http://refiddle.com/
As you can see it is very easy to setup an alert for a Linux log.
No comments:
Post a Comment