I am in need of some insight as to what I am doing wrong here. I have read until I can't read anymore and still it's just not clicking for me. I have also google-fooed and stalked the forums and still haven't found anything that fits what I am trying to do.
Background :
Zabbix server : 3.0.7 (local mariaDB)
Zabbix Agent : 3.0.7
O/S : RHEL 7 on both ends
I created a template named : Template Linux OS Logging Extras
I created a few items in that template that all work in regard to capturing the expected events in the history for /var/log/secure but I will lay out one for the sake of this post
Name "Secure log SSHD AUTHENTICATION FAILURES (/var/log/secure)"
Type "Zabbix Agent(Active)"
Key: "log[/var/log/secure,"pam_unix\(sshd:auth\): authentication failure;"]"
Type of information : Log
Update interval: 10
History storage period (in days): 90
yy-MM-ddThh:mm:ss
Description : Tracks /var/log/secure for failed logins or the word failure.
Note: ** I kind of think that the time stamp should be yyyy instead of yy because it starts out "2017-". I will look at that later. But it's working...
I then created the following regexp...
Name: "loginfail"
Expression type: "Result is TRUE"
Expression: "Authentication failure for"
** Note: I am not sure I needed a regexp here looking at it again.. But it also works. Or it worked anyway..
I then created the following trigger...
Name: "Log: Failed logins"
Expression:"{Template OS Linux Logging Extras:log[/var/log/secure,"pam_unix\(sshd:auth\): authentication failure;"].regexp(loginfail)}=0"
(Multiple problem event generation is not checked)
Description: Throws an alert using the log file watch for /var/log/secure to detect root logins. This includes sudo to root
(There are no dependencies)
So... This works... However, once it threw once, it won't throw again and it keeps the alert on the dashboard basically forever. I did somehow manage to make it go away once and then sudoed to root and boom, it picked it up again. That has been on the dashboard for basically 13 hours now and won't go away and will not pick up any more failed logins. It picks them up as items, but does not trigger on them. I am just stuck with the previously triggered items and it won't pick up any more triggers.
So the capturing of events is working correctly every time..
2017-04-23 22:01:25 somehostname: Secure log SSHD AUTHENTICATION FAILURES (/var/log/secure) : 2017-04-24T03:00:35.979317+00:00 somehostname sshd[29084]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1
Just no triggering anymore.. Please ...---...
Thanks,
J
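As an added illustration (not code from the original post or from Zabbix itself), the following Python models how a `log[file,regexp]` item filters lines and how a trigger built on `regexp()` changes state. It assumes `regexp(pattern)` returns 1 when the latest value matches and 0 otherwise, and that without "Multiple PROBLEM event generation" a new event is created only when the trigger changes between OK and PROBLEM; the sample `/var/log/secure` lines are constructed.

```python
import re

# Constructed sample of /var/log/secure lines (not taken from any real host).
SECURE_LOG = [
    "2017-04-24T03:00:35+00:00 host sshd[29084]: pam_unix(sshd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1",
    "2017-04-24T03:01:02+00:00 host sshd[29090]: Accepted publickey for deploy "
    "from 10.1.1.2 port 50022 ssh2",
    "2017-04-24T03:05:11+00:00 host sshd[29101]: pam_unix(sshd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.3",
]

# Second parameter of the log[] item key: only matching lines become item values.
ITEM_FILTER = re.compile(r"pam_unix\(sshd:auth\): authentication failure;")


def item_values(lines):
    """Mimic the active log[file,regexp] item: keep only the lines that match."""
    return [line for line in lines if ITEM_FILTER.search(line)]


def regexp_fn(value, pattern):
    """Model of Zabbix regexp(pattern): 1 if the last value matches, else 0 (assumed)."""
    return 1 if re.search(pattern, value) else 0


def run_trigger(values, pattern, expect, multiple_events=False):
    """Evaluate '{item.regexp(pattern)}=expect' after each new item value.

    Returns (final_state, events). Without multiple PROBLEM event generation,
    only OK->PROBLEM and PROBLEM->OK transitions produce an event, so an
    expression that is true for every value stays in PROBLEM with one event.
    """
    state, events = "OK", []
    for value in values:
        is_true = regexp_fn(value, pattern) == expect
        new_state = "PROBLEM" if is_true else "OK"
        if new_state != state or (multiple_events and is_true):
            events.append(new_state)
        state = new_state
    return state, events


if __name__ == "__main__":
    vals = item_values(SECURE_LOG)
    print(run_trigger(vals, "loginfail", 0))                 # literal name, never matches
    print(run_trigger(vals, "authentication failure", 1))     # matches every value
    print(run_trigger(vals, "authentication failure", 1, multiple_events=True))
```

Comparing the three runs shows why a trigger that is true for every incoming value fires once and then sits in PROBLEM with no further events, while per-value events only appear with multiple PROBLEM event generation enabled.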