Quote:
Originally Posted by berndbausch
tail -f /var/log/secure, probably followed by a grep to only see successful logins (or failed ones, as you prefer).
I'd go with this suggestion, and only look at failed logins, personally. Mainly because (if you have a good number of users), you'll see logins CONSTANTLY. The 'signal-to-noise' ratio there will make it easy to miss something suspicious. Logging only fails will be a shorter list, and let you see potential problems quicker.
For example, if you know user "Joe" is in the office, seeing multiple failed login attempts from the external WAN network is something to take note of. Seeing one or two from the internal LAN, from his workstation, means he probably fat-fingered the password, and is nothing to worry about. Tons of repeated "root" attempts from any address are worth seeing. While you CAN write scripts to do this, I'd suggest using a non-RHEL native tool, such as Nagios or Zabbix, which can watch log files for you, and incorporate any rules you want. Notifications are easier to see/manage, and you get a better comprehensive picture of what's going on.
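The three rules of thumb above (WAN failures for a user who is sitting in the office, one or two LAN failures from his own workstation, repeated "root" attempts from anywhere) are easy to turn into a small filter that sits behind the tail/grep pipeline. The script below is an added example for this thread, not the poster's script and not part of any RHEL, Nagios or Zabbix tool. It assumes the standard OpenSSH "Accepted/Failed ... for USER from IP port N" syslog format that sshd writes into /var/log/secure, that RFC 1918 space is the office LAN and everything else is WAN, and illustrative thresholds (3 WAN failures, up to 2 LAN failures, 5 root attempts); the log lines in it are constructed for the demo.

```python
"""Triage sshd entries from /var/log/secure by the rules discussed above.

Added example, not from the original post. Assumptions (not stated in the
thread): RFC 1918 ranges are the internal LAN, everything else is WAN, and
the thresholds are illustrative defaults.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure lines for the demo (the sudo line is
# there to show that non-sshd entries are ignored).
SAMPLE_LOG = """\
Mar  5 09:01:12 rhel7 sshd[2201]: Accepted publickey for joe from 10.0.0.15 port 50211 ssh2
Mar  5 09:02:40 rhel7 sshd[2210]: Failed password for joe from 10.0.0.15 port 50230 ssh2
Mar  5 09:02:44 rhel7 sshd[2210]: Accepted password for joe from 10.0.0.15 port 50230 ssh2
Mar  5 09:03:00 rhel7 sudo: joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/systemctl status sshd
Mar  5 09:15:03 rhel7 sshd[2290]: Failed password for joe from 203.0.113.7 port 41002 ssh2
Mar  5 09:15:05 rhel7 sshd[2290]: Failed password for joe from 203.0.113.7 port 41002 ssh2
Mar  5 09:15:08 rhel7 sshd[2290]: Failed password for joe from 203.0.113.7 port 41002 ssh2
Mar  5 09:20:11 rhel7 sshd[2301]: Failed password for root from 198.51.100.9 port 33011 ssh2
Mar  5 09:20:12 rhel7 sshd[2301]: Failed password for root from 198.51.100.9 port 33011 ssh2
Mar  5 09:20:13 rhel7 sshd[2301]: Failed password for root from 198.51.100.9 port 33011 ssh2
Mar  5 09:20:14 rhel7 sshd[2302]: Failed password for root from 198.51.100.9 port 33012 ssh2
Mar  5 09:20:15 rhel7 sshd[2302]: Failed password for root from 198.51.100.9 port 33012 ssh2
Mar  5 09:20:40 rhel7 sshd[2303]: Failed password for root from 192.0.2.44 port 60100 ssh2
Mar  5 09:21:30 rhel7 sshd[2305]: Failed password for invalid user admin from 198.51.100.9 port 33020 ssh2
"""

# Auth lines as written by OpenSSH's sshd; "invalid user" appears when the
# account does not exist, so it is consumed before the user name.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: the office LAN is RFC 1918 space; anything else counts as WAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_secure(text):
    """Return one dict per sshd auth line; skip everything else (sudo, cron, pam...)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        events.append({
            "failed": m.group("result") == "Failed",
            "user": m.group("user"),
            "ip": m.group("ip"),
            "internal": is_internal(m.group("ip")),
        })
    return events


def triage(events, wan_threshold=3, lan_threshold=2, root_threshold=5):
    """Apply the three rules to failed logins only; successes are noise here."""
    per_pair = Counter((e["user"], e["ip"], e["internal"]) for e in events if e["failed"])
    # Rule 3: repeated root attempts from any address, counted across all sources.
    root_total = sum(c for (u, _, _), c in per_pair.items() if u == "root")
    alerts, benign = [], []
    if root_total >= root_threshold:
        alerts.append(("root_attempts", "root", "*", root_total))
    for (user, ip, internal), count in sorted(per_pair.items()):
        if user == "root":
            continue  # already covered by the root rule
        if not internal and count >= wan_threshold:
            alerts.append(("wan_failures", user, ip, count))      # rule 1
        elif internal and count > lan_threshold:
            alerts.append(("lan_failures", user, ip, count))
        elif internal:
            benign.append(("lan_fat_finger", user, ip, count))    # rule 2
    return {"alerts": alerts, "benign": benign}


if __name__ == "__main__":
    import sys
    # Read piped log data when present, otherwise run against the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(parse_secure(text))
    for kind, user, ip, count in result["alerts"]:
        print(f"ALERT  {kind:14} user={user} from={ip} failures={count}")
    for kind, user, ip, count in result["benign"]:
        print(f"ignore {kind:14} user={user} from={ip} failures={count}")
```

Run as `grep sshd /var/log/secure | python3 secure_triage.py` (file name assumed) to get one line per alert instead of the raw stream; on the sample it reports the six root attempts and joe's three failures from 203.0.113.7, and files his single LAN failure under "ignore". Counting root attempts across all source addresses rather than per address is deliberate, since a distributed password spray would otherwise stay under a per-IP threshold.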