bash script that checks authentication failures and sends mail
Hello all,
I have almost finished a bash script that checks /var/log/auth.log for authentication failures and sends a mail with the lines containing the failures. I want to put the script in /etc/cron.hourly so the script executes every hour, but the problem is that I don't want it to check the whole auth.log from the start every time but rather continue the check from the last entry.
Code:
#!/bin/bash
# Script to check auth.log for authentication failures from Internet and send mail
FileName=/home/user_name/scripts/loginfailures.log
touch "$FileName"                       # make sure the file exists before stat reads its size
FileSize=$(stat -c%s "$FileName")
# Failures from inside the LAN (192.168.1.x) are excluded
chkLog=$(grep failure /var/log/auth.log | grep -vw "192.168.1")
if [ -n "$chkLog" ]; then
    # Formatting the file a little better, adding time stamps for checks
    echo -e "$(date +%c)\n******\n$chkLog" >> "$FileName"
    sendEmail -f "user@mail.com" -u "FailLog" -m "$chkLog" -s "smtp.mail.com" -t "address@mail.com"
    sleep 5  # Giving some time to sendEmail to send the mail
    if [ "$FileSize" -gt 10000000000 ]; then  # archiving loginfailures.log when it gets big
        gzip "$FileName"  # TODO --- Creating more than one .gz file, adding sequential numbers before the extension, i.e. loginfailures.1.gz
    fi
fi
Also, I would like to create more than one .gz file (last comment in code).
Quote:
but the problem is that I don't want it to check the whole auth.log from the start every time but rather continue the check from the last entry.
Use grep/sed/awk. When you say last entry, you mean the very last entry in the log file? If so, use 'tail'.
Quote:
Also, I would like to create more than one .gz file
save the date (year/month/day) to a variable and append that to the filename. So, it would be something like "loginfailures.20090604.gz". If it's multiple compressed files per day, append the min/hour if you want.
Let me explain better. Let's say the script runs for the first time. In that case, all lines from auth.log containing "failure" will be appended to the loginfailures.log. All good. However, when the script runs for a second time, it will append again all the lines with "failure" (and possibly any new ones).
I think the only way to avoid refetching the same lines is with the comparison of the two files (maybe with cmp).
Anyway, I am working on it and will post any findings.
Thanks for your reply.
Quote:
Originally Posted by twantrd
Use grep/sed/awk. When you say last entry, you mean the very last entry in the log file? If so, use 'tail'.
save the date (year/month/day) to a variable and append that to the filename. So, it would be something like "loginfailures.20090604.gz". If it's multiple compressed files per day, append the min/hour if you want.
Why parse the entire log file again and again and then do a comparison later? That's inefficient. Since you're running it in cron every hour, just parse the log file searching on the previous hour and for your string.
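As an added example, not code from anyone in this thread: one way to scan only the lines appended since the previous run (a stored byte offset rather than matching on the previous hour's timestamps), plus date-stamped .gz archives so earlier ones are never overwritten. The function names `new_failures` and `archive_log`, the state file, and the sample log lines are all constructed for this example.

```shell
#!/bin/bash
# Incremental check: a state file records how many bytes of the log were
# already scanned. If the log is now shorter than that (logrotate ran),
# scanning restarts from byte 0 so nothing is missed. Names and sample data
# below are assumptions made for this example.

# Print lines containing "failure" appended since the last run, excluding the
# 192.168.1.x LAN (same filter as the script above), then save the new offset.
new_failures() {
    local log=$1 state=$2 offset=0 size
    [ -f "$state" ] && offset=$(cat "$state")
    size=$(stat -c%s "$log")
    [ "$offset" -gt "$size" ] && offset=0           # log rotated or truncated
    tail -c +$((offset + 1)) "$log" | grep failure | grep -vw "192.168.1" || true
    echo "$size" > "$state"
}

# Once FILE exceeds MAX bytes, write it to FILE-with-.log-replaced-by
# .YYYYMMDD-HHMM.gz and empty it; each run produces a distinct archive name.
archive_log() {
    local file=$1 max=$2 stamp
    [ "$(stat -c%s "$file")" -gt "$max" ] || return 0
    stamp=$(date +%Y%m%d-%H%M)
    gzip -c "$file" > "${file%.log}.${stamp}.gz" && : > "$file"
}

# --- constructed demo data (not a real auth.log) ---
demo=$(mktemp -d)
printf '%s\n' \
  'Jun  4 10:01:02 host sshd[123]: pam_unix(sshd:auth): authentication failure; rhost=203.0.113.5' \
  'Jun  4 10:01:03 host sshd[123]: session opened for user bob' \
  'Jun  4 10:02:10 host sshd[124]: pam_unix(sshd:auth): authentication failure; rhost=192.168.1.7' \
  > "$demo/auth.log"
new_failures "$demo/auth.log" "$demo/offset"    # first run: only the 203.0.113.5 line
echo 'Jun  4 11:00:00 host sshd[130]: pam_unix(sshd:auth): authentication failure; rhost=198.51.100.9' \
  >> "$demo/auth.log"
new_failures "$demo/auth.log" "$demo/offset"    # second run: only the new 198.51.100.9 line
rm -rf "$demo"
```

Call `new_failures /var/log/auth.log /var/lib/failcheck/offset` from the hourly cron job and feed its output to sendEmail only when non-empty.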
Yes, you are absolutely right. I guess I was trying to complicate things for no apparent reason :-).
Thanks a lot.
Quote:
Originally Posted by twantrd
Why parse the entire log file again and again and then do a comparison later? That's inefficient. Since you're running it in cron every hour, just parse the log file searching on the previous hour and for your string.