Overview

The Linux/SSH Login Event Monitor runs 'lastlog' on systems that support it and alerts based on user security events.

Use Cases

• Detecting logins
• Receiving alerts about the addition or removal of users

Monitoring Options

This event monitor provides the following options:

Alert with [Info/Warning/Error/Critical] if the SSH server is unreachable

Enable this option to receive alerts if the SSH server can't be reached.

Alert with [Info/Warning/Error/Critical] if a user logs in

Use this option to receive an alert if a user logs in.

Alert with [Info/Warning/Error/Critical] if a new user is detected

This option will let you know if a new user is detected.

Alert with [Info/Warning/Error/Critical] if a user has been removed

This option will alert you if a user has been removed since the last time the event monitor ran.

Include the list of users in all notifications

Check this box to add a list of all users and their last logins to the event text generated each time the event monitor runs.

Only alert about the specified users

Enter a comma-separated list of users you want to receive alerts on in the provided text box.

Ignore the specified users

Specify a comma-separated list of users to ignore in the text box provided.

Port Number

The default port for SSH connections is 22 but if your servers are using a non-standard port you can specify it here.

Timeout

Specify the time you want to wait for a connection before timing out.

Authentication and Security

The account used for authentication must have interactive login rights via SSH. It also must have permission to run the following command:

• lastlog

Protocols

Data Points

This event monitor doesn't generate any data points.

Sample Output

Tutorial

To view the tutorial for this event monitor, click here.