Best Way to Monitor SSH Login Attempts

  • leeman24
    Junior Member
    • Mar 2015
    • 7

    #1

    Best Way to Monitor SSH Login Attempts

    Hello,

    I have recently set up Zabbix and after showing it to several people, they had some interesting things that they would like to check. What would be a good way of going about monitoring SSH login attempts?

    The current requirement would be something like logging all SSH login attempts. Maybe we could have a trigger for all login attempts, and a separate one for failed login attempts.

    I know how to do it ad-hoc by creating a script to look at one of the SSH logs.

    How would I go about doing this?
  • gleepwurp
    Senior Member
    • Mar 2014
    • 119

    #2
    Hi Leeman24,

    First, I would make sure that ssh login attempts are logged in your syslog (might be /var/log/messages, or /var/log/syslog, depends on your *nix flavor).

    Once you find the appropriate file, I'd put in a log file item in Zabbix, and collect only those entries which are specific to SSH, to prevent filling up your database with information you're not interested in.

    IMPORTANT:

    1- Make sure that your Zabbix Agent user is able to read that log file. Sometimes only root is allowed to read the file.

    2- Make sure that you're using the Zabbix Active Agent item, as log file monitoring is an "Active"-only item. So you need the correct item type (Zabbix Active) and the Zabbix Agent needs to have been configured to do active monitoring.


    Once you confirm that your log file entries are being collected in Zabbix, you can then put the triggers on the keywords you'd like to match, i.e. SSH Login Failed, or something.

    Hope this helps!

    G.
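
An added example, not part of the post above and not Zabbix code: a small Python check for trying out match patterns on sshd log lines before putting them into the log item and its triggers, with all attempts and failed attempts counted separately. The sample lines are constructed, and the names `parse_attempt` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd syslog format (not real logs).
SAMPLE_LOG = """\
Mar 10 09:14:02 web01 sshd[2211]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Mar 10 09:15:40 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 41812 ssh2
Mar 10 09:15:44 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 41812 ssh2
Mar 10 09:16:01 web01 sshd[2241]: Failed password for invalid user admin from 203.0.113.7 port 41990 ssh2
Mar 10 09:17:30 web01 sshd[2260]: Accepted password for alice from 198.51.100.23 port 60222 ssh2
Mar 10 09:18:00 web01 CRON[2270]: pam_unix(cron:session): session opened for user root
Mar 10 09:19:12 web01 sshd[2281]: Failed password for bob from 198.51.100.23 port 60310 ssh2
""".splitlines()

# Match only sshd lines that carry an authentication result; other lines are dropped.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_attempt(line):
    """Return a dict describing one login attempt, or None for unrelated lines."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    return {
        "ok": m.group("result") == "Accepted",
        "method": m.group("method"),
        "user": m.group("user"),
        "known_user": m.group("invalid") is None,
        "src": m.group("src"),
    }

def summarize(lines):
    """Count all attempts and failures, and group failures by source address."""
    attempts = [a for a in map(parse_attempt, lines) if a]
    failed = [a for a in attempts if not a["ok"]]
    return {
        "attempts": len(attempts),
        "failed": len(failed),
        "failed_by_src": Counter(a["src"] for a in failed),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["attempts"], "attempts,", report["failed"], "failed")
    for src, n in report["failed_by_src"].most_common():
        print(f"  {src}: {n} failed")
```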


    • leeman24
      Junior Member
      • Mar 2015
      • 7

      #3
      Originally posted by gleepwurp
      Hi Leeman24,

      First, I would make sure that ssh login attempts are logged in your syslog (might be /var/log/messages, or /var/log/syslog, depends on your *nix flavor).

      Once you find the appropriate file, I'd put in a log file item in Zabbix, and collect only those entries which are specific to SSH, to prevent filling up your database with information you're not interested in.

      IMPORTANT:

      1- Make sure that your Zabbix Agent user is able to read that log file. Sometimes only root is allowed to read the file.

      2- Make sure that you're using the Zabbix Active Agent item, as log file monitoring is an "Active"-only item. So you need the correct item type (Zabbix Active) and the Zabbix Agent needs to have been configured to do active monitoring.


      Once you confirm that your log file entries are being collected in Zabbix, you can then put the triggers on the keywords you'd like to match, i.e. SSH Login Failed, or something.

      Hope this helps!

      G.
      Thanks gleepwurp. That will definitely get me started. That is basically the explanation I was looking for. My experience is quite limited in Zabbix and it is cool to uncover the advanced capabilities of the product.

      I should be able to figure this out. At this time, from what I can see, active checks aren't configured correctly. As I never had any previously, I never noticed. I will fix that, and I assume the rest should be simple enough to configure.

      Thanks again.


      • gleepwurp
        Senior Member
        • Mar 2014
        • 119

        #4
        No Problem leeman24, holler if you need anything...

        G.
