Shortnote

This project uses the Simple Event Correlator (SEC) to display critical messages from system log files.

Requirements

It relies on the following software packages being installed and performs the following reporting:

  • displays a notification on the screen for each newly delivered e-mail (requires dovecot).
  • prints a time mark onto the screen every 6 hours.
  • displays newly accepted DHCP leases (requires isc-dhcpd).
  • displays a welcome message whenever a user logs onto the system (requires openssh).
  • shows when attackers are blocked or blacklisted (requires sshguard).

Configuration

On a Debian system the /etc/default/sec configuration file controls how the Simple Event Correlator is launched. The defaults have to be changed as follows:

#Defaults for sec
RUN_DAEMON="yes"
DAEMON_ARGS="-conf=/etc/sec.conf -input=/var/log/messages -input=/var/log/auth.log -input=/var/log/mail.log -pid=/var/run/sec.pid -detach -syslog=daemon"

in order to monitor the necessary logs for the requirements above.

Code

The following is the /etc/sec.conf configuration file containing the regular-expression hooks that post messages to the screen.

sec.conf
# E-mails.
type=Single
ptype=RegExp
pattern=to=<([a-z@\.]+?)>.*status=sent \(delivered to command: \/usr\/lib\/dovecot\/deliver\)
desc=$0
action=shellcmd /bin/echo "[e-mail: $1]" | /usr/bin/bv4511ctl.pl
 
# Hour.
type=Calendar
time=0 */6 * * *
desc=$0
action=shellcmd /bin/echo "[UTC: "`/bin/date +%H`"]" | /usr/bin/bv4511ctl.pl
 
# DHCP
type=Single
ptype=RegExp
pattern=DHCPACK on ([0-9\.]+?) to .+? \((.+?)\) via
desc=$0
action=shellcmd /bin/echo -e "[DHCP: $1\n  to $2]" | /usr/bin/bv4511ctl.pl
 
# Login.
type=Single
ptype=RegExp
pattern=Accepted password for (.+?) from
desc=$0
action=shellcmd /bin/echo "[Welcome $1!]" | /usr/bin/bv4511ctl.pl
 
# SSH Guard Block.
type=Single
ptype=RegExp
pattern=Blocking (.+?) for
desc=$0
action=shellcmd /bin/echo "[Block: $1]" | /usr/bin/bv4511ctl.pl
 
# SSH Guard Blacklist.
type=Single
ptype=RegExp
pattern=Offender '(.+?)' scored .+? blacklisted
desc=$0
action=shellcmd /bin/echo "[Black: $1]" | /usr/bin/bv4511ctl.pl
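Before deploying the rules above it is worth checking that each pattern actually captures what the action expects. The following harness is an added example, not part of the original page or of SEC itself: it transcribes the five log-driven patterns into Python, runs them over constructed sample log lines (hypothetical hosts and addresses), and, because fields such as the DHCP client hostname originate from the remote client, flags any captured value that contains characters outside a conservative set before it would be interpolated into a shell command.

```python
import re

# Rules transcribed from the sec.conf above: (SEC pattern, message template).
# Templates use Python's \1/\2 group references in place of SEC's $1/$2;
# the Calendar rule reads no log input and is therefore not represented.
RULES = [
    (r"to=<([a-z@\.]+?)>.*status=sent \(delivered to command: /usr/lib/dovecot/deliver\)",
     r"[e-mail: \1]"),
    (r"DHCPACK on ([0-9\.]+?) to .+? \((.+?)\) via", r"[DHCP: \1\n  to \2]"),
    (r"Accepted password for (.+?) from", r"[Welcome \1!]"),
    (r"Blocking (.+?) for", r"[Block: \1]"),
    (r"Offender '(.+?)' scored .+? blacklisted", r"[Black: \1]"),
]

# Characters accepted in a captured field before it is placed on a shell
# command line; anything else (quotes, $, backticks, ;) is flagged as unsafe.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9@._:-]+$")

def display_messages(log_lines):
    """Return (message, safe) pairs for every line that a rule matches.

    As with SEC's default continue=DontCont, only the first matching rule
    fires for a given line. `safe` is False when a captured group contains
    characters outside SAFE_FIELD and should not reach shellcmd unescaped.
    """
    results = []
    for line in log_lines:
        for regex, template in RULES:
            m = re.search(regex, line)
            if m is None:
                continue
            safe = all(SAFE_FIELD.match(g) for g in m.groups())
            results.append((m.expand(template), safe))
            break
    return results

# Constructed sample log lines (hypothetical host "box", documentation addresses).
SAMPLE_LOG = [
    "Apr 19 08:28:01 box postfix/pipe[412]: 7F3A1: to=<alice@example.org>, relay=dovecot, "
    "delay=0.1, dsn=2.0.0, status=sent (delivered to command: /usr/lib/dovecot/deliver)",
    "Apr 19 08:28:02 box dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 (laptop) via eth0",
    "Apr 19 08:28:03 box sshd[913]: Accepted password for alice from 192.0.2.50 port 51234 ssh2",
    "Apr 19 08:28:04 box sshguard[100]: Blocking 203.0.113.7 for 630 secs (3 attacks in 120 secs)",
    "Apr 19 08:28:05 box sshguard[100]: Offender '203.0.113.7' scored 120 danger -> blacklisted",
    "Apr 19 08:28:06 box dhcpd: DHCPACK on 192.0.2.51 to 00:11:22:33:44:66 (cafe`id`) via eth0",
    "Apr 19 08:28:07 box cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # matches no rule
]

if __name__ == "__main__":
    for message, safe in display_messages(SAMPLE_LOG):
        print(message if safe else message + "  <- unsafe field, not sent")
```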

hardware/bv4511/linux_event_monitor.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1

© 2025 Wizardry and Steamworks