Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: deanfourie on December 11, 2024, 12:22:06 PM

Title: Monit to monitor failed and sucessful logins
Post by: deanfourie on December 11, 2024, 12:22:06 PM
So, I am trying to use Monit to monitor for Failed and Successful login attempts. I am not sure why but I cannot get this to work.

Any ideas why this would not be working?

This is what I have,

Thanks
Title: Re: Monit to monitor failed and sucessful logins
Post by: ludarkstar99 on December 11, 2024, 05:00:42 PM
Hi deanfourie,

these instructions were taken from https://forum.opnsense.org/index.php?topic=43771.msg218097#msg218097 (pt-br).


2. CONFIGURE TO ALERT ON NEW SSH AND WebGUI LOGIN

2.1. Create the test New_Login_SSH

Access the Service Tests Settings screen.
Click Add a new Test.
Fill in the name with New_Login_SSH.
Set the condition to: content = "Accepted .* ssh2"
Select the action as: Alert.
Click Save.


2.2. Create the test New_Login_WebGui

Access the Service Tests Settings screen.
Click Add a new Test.
Fill in the name with New_Login_WebGui.
Set the condition to: content = "Successful login for user"
Select the action as: Alert.
Click Save.


2.3. Create the Service New_Firewall_Access_Detected

Access the Service Settings screen.
Click Add a new Service.
Check the box: Enable Service Checks.
Fill in the name with: New_Firewall_Access_Detected.
Set the Type to: File.
Set the path to: /var/log/audit/latest.log.
Select the tests created earlier: New_Login_SSH and New_Login_WebGui.
Fill in the description: Notifies new logins on the firewall (ssh/webgui).
Click Save.


hope it helps.
Title: Re: Monit to monitor failed and sucessful logins
Post by: deanfourie on December 11, 2024, 09:13:17 PM
Yea this looks like exactly what I have,

However, this still does not work for me. I get the following error in the monit logs.

Code Select
2024-12-12T09:11:33 Error monit 'New_Firewall_Access_Detected' content match:

Any more ideas?
Title: Re: Monit to monitor failed and sucessful logins
Post by: ludarkstar99 on December 11, 2024, 10:19:05 PM
Can you print or copy+paste the configuration? in special the service test match line.

or the raw configuration file at /usr/local/etc/monitrc.
Title: Re: Monit to monitor failed and sucessful logins
Post by: ludarkstar99 on December 11, 2024, 10:21:06 PM
Please, note, in the condition field, just put
Code Select

content = "Successful login for user"


the "if" is not needed.
Title: Re: Monit to monitor failed and sucessful logins
Post by: deanfourie on December 11, 2024, 10:51:28 PM
Yes, I know.

i originally was testing without IF but also it was not working.

I have directly copied and pasted the config from above.
Title: Re: Monit to monitor failed and sucessful logins
Post by: ludarkstar99 on December 12, 2024, 02:47:49 AM
Can you expand the log selection for what's surrounding the line:

Code Select

2024-12-12T09:11:33 Error monit 'New_Firewall_Access_Detected' content match:

Title: Re: Monit to monitor failed and sucessful logins
Post by: deanfourie on December 12, 2024, 09:50:46 AM
Sorry I cannot seem to expand it, It has a arrow to the right labelled Go To Page but that does not do anything.
Text only | Text with Images