SEC Monitoring tool

Hello all, here is a howto for the Simple Event Correlator (SEC) monitoring utility, which is very powerful and yet simple to use.

Requirements:
You must have a mail server set up (the alert action below pipes its text to the local mail command)!

Ref.: http://kodu.neti.ee/~risto/sec/

Here is an example...

First, install SEC from the repo:

apt-get install sec

Then create a config file:

nano /root/root.conf

Add this content to the file:

# One rule: fire once per matching line, no correlation window needed
type=Single
ptype=RegExp
# $1 = syslog timestamp, $2 = hostname, $3 = everything after "from" (source address, port, protocol)
pattern=(^.+\d+ \d+:\d+:\d+)(.+)sshd\[\d+\]: Accepted password for root from (.+)
desc=direct ssh root login on $2 from $3 @ $1
# Pipe the alert text into mail; the subject repeats the host and source so it is readable from the inbox listing
action=pipe 'direct ssh root login on $2 from $3 @ $1' /usr/bin/mail -s "Direct root login on $2 from $3" name@email.com

Make sure you replace name@email.com with your own e-mail address.
This configuration will alert you every time someone logs in directly as root over SSH with a password...
Ain't that awesome!
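Before pointing SEC at the live auth.log, it is worth dry-running the regexp against a few log lines to see exactly what $1, $2 and $3 will contain and which lines will NOT trigger the rule. The script below is an added example, not part of the original howto or of SEC itself; it reuses the rule's pattern unchanged (SEC is Perl-based, but this pattern uses only syntax Python's re module shares) and runs it over constructed auth.log lines with made-up hostnames and addresses. Two of those lines show the rule's limits: a root login authenticated with a public key is not matched (the pattern says "Accepted password"), and a line written with an ISO 8601 timestamp instead of the traditional "Mon DD HH:MM:SS" syslog format is not matched either, so check which format your syslog daemon writes.

```python
import re

# The regexp copied from the SEC rule above, used unchanged.
SEC_PATTERN = re.compile(
    r"(^.+\d+ \d+:\d+:\d+)(.+)sshd\[\d+\]: Accepted password for root from (.+)"
)

# Constructed sample auth.log lines (hostnames, PIDs and addresses are made up).
SAMPLE_LOG = [
    "Jan 12 10:00:01 web01 sshd[1234]: Accepted password for root from 203.0.113.5 port 50231 ssh2",
    "Jan 12 10:00:07 web01 sshd[1240]: Failed password for root from 203.0.113.5 port 50240 ssh2",
    "Jan 12 10:01:15 web01 sshd[1301]: Accepted publickey for root from 198.51.100.20 port 41022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Jan 12 10:02:30 web01 sshd[1355]: Accepted password for alice from 192.0.2.10 port 39000 ssh2",
    # Same event as the first line, but with a high-precision ISO timestamp: the rule will not fire on it.
    "2024-01-12T10:03:00.123456+00:00 web01 sshd[1400]: Accepted password for root from 203.0.113.5 port 50300 ssh2",
]


def match_rule(line):
    """Return the fields SEC would expose as $1, $2 and $3, or None if the rule would not fire."""
    m = SEC_PATTERN.search(line)
    if m is None:
        return None
    return {
        "time": m.group(1),          # $1, e.g. "Jan 12 10:00:01"
        "host": m.group(2).strip(),  # $2 is captured with surrounding spaces; strip them for display
        "source": m.group(3),        # $3, e.g. "203.0.113.5 port 50231 ssh2"
    }


def render_desc(fields):
    """Build the same text as the rule's desc= line: 'direct ssh root login on $2 from $3 @ $1'."""
    return "direct ssh root login on {host} from {source} @ {time}".format(**fields)


def dry_run(lines):
    """Return the alert text for every line that would trigger the rule, in log order."""
    alerts = []
    for line in lines:
        fields = match_rule(line)
        if fields is not None:
            alerts.append(render_desc(fields))
    return alerts


if __name__ == "__main__":
    for alert in dry_run(SAMPLE_LOG):
        print("ALERT:", alert)
    # Only the first sample line produces an alert; the other four are silently ignored.
```

If the dry run shows that your logs use the ISO timestamp format, or that root logs in with keys rather than passwords, adjust the pattern accordingly and re-run the check, remembering that any extra capture group shifts the $N numbers used in desc and action.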

To start the monitoring, simply issue this command:

sec -detach -conf=/root/root.conf -input=/var/log/auth.log

To start it automatically at boot, refer to the Linux Autoexec.bat howto.

For more info, refer to http://kodu.neti.ee/~risto/sec/
You can monitor any log file for anything...

Jack