LinuxQuestions.org
06-05-2009, 03:43 AM   #1
panoskan
LQ Newbie
 
Registered: Sep 2008
Posts: 10

Rep: Reputation: 0
bash script that checks authentication failures and sends mail


Hello all,

I have almost finished a bash script that checks /var/log/auth.log for authentication failures and sends a mail with the lines containing the failures. I want to put the script in /etc/cron.hourly so the script executes every hour, but the problem is that I don't want it to check the whole auth.log from the start every time but rather continue the check from the last entry.

Code:
#!/bin/bash

# Script to check auth.log for authentication failures from the Internet and send mail

FileName=/home/user_name/scripts/loginfailures.log
FileSize=$(stat -c%s "$FileName")

# Failures from inside the LAN are excluded
chkLog=$(grep failure /var/log/auth.log | grep -vw "192.168.1")

if [ "$chkLog" != "" ]; then
  # Formatting the file a little better, adding time stamps for checks
  echo -e "$(date +%c)\n******\n$chkLog" >> "$FileName"
  sendEmail -f "user@mail.com" -u "FailLog" -m "$chkLog" -s "smtp.mail.com" -t "address@mail.com"
  sleep 5 # Giving sendEmail some time to send the mail
  if [ "$FileSize" -gt 10000000000 ]; then # Archiving loginfailures.log when it gets big
    # gzip compresses the file (gunzip would try to decompress it)
    gzip "$FileName" # TODO --- Creating more than one .gz file, adding sequential numbers before the extension, i.e. loginfailures.1.gz
  fi
fi
Also, I would like to create more than one .gz file (last comment in code).

Thanks in advance.

Panos
 
06-05-2009, 06:30 PM   #2
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,438

Rep: Reputation: 52
Quote:
but the problem is that I don't want it to check the whole auth.log from start every time but rather continue the check from the last entry.
Use grep/sed/awk. When you say last entry, you mean the very last entry in the log file? If so, use 'tail'.

Quote:
Also, I would like to create more than one .gz files
Save the date (year/month/day) to a variable and append that to the filename. So, it would be something like "loginfailures.20090604.gz". If it's multiple compressed files per day, append the min/hour if you want.

-twantrd
 
06-06-2009, 04:14 PM   #3
panoskan
LQ Newbie
 
Registered: Sep 2008
Posts: 10

Original Poster
Rep: Reputation: 0
Hi,

Let me explain better. Let's say the script runs for the first time. In that case, all lines from auth.log containing "failure" will be appended to the loginfailures.log. All good. However, when the script runs for a second time, it will append again all the lines with "failure" (and possibly any new ones).

I think the only way to avoid refetching the same lines is with the comparison of the two files (maybe with cmp).

Anyway, I am working on it and will post any findings.

Thanks for your reply.


Quote:
Originally Posted by twantrd
Use grep/sed/awk. When you say last entry, you mean the very last entry in the log file? If so, use 'tail'.


Save the date (year/month/day) to a variable and append that to the filename. So, it would be something like "loginfailures.20090604.gz". If it's multiple compressed files per day, append the min/hour if you want.

-twantrd
 
06-06-2009, 04:44 PM   #4
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,438

Rep: Reputation: 52
Why parse the entire log file again and again and then do a comparison later? That's inefficient. Since you're running it in cron every hour, just parse the log file searching on the previous hour and for your string.

-twantrd
 
06-06-2009, 05:24 PM   #5
panoskan
LQ Newbie
 
Registered: Sep 2008
Posts: 10

Original Poster
Rep: Reputation: 0
Yes, you are absolutely right. I guess I was trying to complicate things for no apparent reason :-).

Thanks a lot.

Quote:
Originally Posted by twantrd
Why parse the entire log file again and again and then do a comparison later? That's inefficient. Since you're running it in cron every hour, just parse the log file searching on the previous hour and for your string.

-twantrd
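
Added example, not code from any poster in this thread: one way to "continue the check from the last entry" as asked in post #1, by remembering the inode and byte offset of the log between runs. This is a different technique from the previous-hour search suggested in post #4; it also copes with log rotation and does not depend on cron firing exactly on the hour. The function name `new_failures`, the state file and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): report only failure lines appended to
# a log since the previous run. The state file stores "<inode> <byte offset>".
# new_failures, the state path and the sample lines are assumptions.

new_failures() {
  local log="$1" state="$2" inode size old_inode offset
  inode=$(stat -c %i "$log") || return 1
  size=$(stat -c %s "$log")
  old_inode=; offset=
  if [ -r "$state" ]; then read -r old_inode offset < "$state" || true; fi
  offset=${offset:-0}
  # Rotated (different inode) or truncated (file shrank): start from byte 0.
  if [ "$inode" != "$old_inode" ] || [ "$size" -lt "$offset" ]; then
    offset=0
  fi
  # tail -c +N starts at byte N (1-based); head stops at the size recorded
  # above, so lines written while this runs are picked up next time.
  tail -c +"$((offset + 1))" "$log" | head -c "$((size - offset))" \
    | grep failure | grep -vw "192.168.1" || true
  # Keep the state file in a directory only the cron user can write to.
  echo "$inode $size" > "$state"
}

# Constructed sample run; temp files stand in for /var/log/auth.log.
demo() {
  local dir log
  dir=$(mktemp -d); log=$dir/auth.log
  printf '%s\n' \
    'Jun  5 03:10:01 host sshd[811]: authentication failure; rhost=203.0.113.7' \
    'Jun  5 03:11:40 host sshd[815]: authentication failure; rhost=192.168.1.20' > "$log"
  echo "run 1:"; new_failures "$log" "$dir/state"
  echo 'Jun  5 04:02:13 host sshd[990]: authentication failure; rhost=198.51.100.9' >> "$log"
  echo "run 2:"; new_failures "$log" "$dir/state"
  rm -rf "$dir"
}
demo
```

In the cron job the output of `new_failures /var/log/auth.log <state file>` would take the place of `$chkLog` in the original script.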
 
  


All times are GMT -5.