Send an email alert when someone login on OPNSense (SSH or Web interface)

[ale]

Hi everybody,
I'm a new OPNSense user and I've been asked to configure our OPNSense firewall/proxy to send an email whenever someone login via SSH or web management interface to it.
My boss would like to know (at least):
username used to login (at the moment only root is defined, in future there will be more admin user profiles)
ip from login comes from (to better understand suspicious activity on the lan).
Any other useful info would be appreciated.

I've read Monit documentation and FAQ and searched on the forum but it does not seem to trigger logins, as far I know nobody in the forum has asked anything similar (correct me if wrong).
Any of you has never faced such a type of request?
Probably I need to install something to monitor logins but my knowledge on OPNSense is low, very low... so if something is already bult in is better (for me).

Thank in advance for your suggestions
Ale

[marjohn56]

You could do it using Monit for shell logins as described here.


https://www.elitmus.com/blog/technology/using-monit-to-get-email-alert-on-unauthorized-login/


You'd need to modify it a bit and look at the system.log I think but it could work.


And I can think of a way of hacking the system to send an email when a user logs in via the web interface, but it would be that, a hack. You could always request it as a feature on github.

[fabian]

Since it is logged to Syslog you could do that also from an external logging server like the ELK stack.