Monit to monitor failed and successful logins

Started by deanfourie, December 11, 2024, 12:22:06 PM

So, I am trying to use Monit to monitor for Failed and Successful login attempts. I am not sure why but I cannot get this to work.

Any ideas why this would not be working?

This is what I have,

Thanks

Hi deanfourie,

These instructions were taken from https://forum.opnsense.org/index.php?topic=43771.msg218097#msg218097 (pt-br).


2. CONFIGURE TO ALERT ON NEW SSH AND WebGUI LOGIN

2.1. Create the test New_Login_SSH

Access the Service Tests Settings screen.
Click Add a new Test.
Fill in the name with New_Login_SSH.
Set the condition to: content = "Accepted .* ssh2"
Select the action as: Alert.
Click Save.


2.2. Create the test New_Login_WebGui

Access the Service Tests Settings screen.
Click Add a new Test.
Fill in the name with New_Login_WebGui.
Set the condition to: content = "Successful login for user"
Select the action as: Alert.
Click Save.


2.3. Create the Service New_Firewall_Access_Detected

Access the Service Settings screen.
Click Add a new Service.
Check the box: Enable Service Checks.
Fill in the name with: New_Firewall_Access_Detected.
Set the Type to: File.
Set the path to: /var/log/audit/latest.log.
Select the tests created earlier: New_Login_SSH and New_Login_WebGui.
Fill in the description: Notifies new logins on the firewall (ssh/webgui).
Click Save.


Hope it helps.
- nothing broken, nothing missing;
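
An added example, not part of any post in this thread: a dry run of the two content patterns from steps 2.1 and 2.2 against log lines, useful for confirming what the tests would match before relying on the Monit alert. The sample lines are constructed and their exact format is an assumption; `sample_log`, `count_matches` and `report` are hypothetical helper names. Monit evaluates content tests as POSIX extended regular expressions, which `grep -E` approximates.

```shell
#!/bin/sh
# Dry-run the Monit content patterns against a log file, or against the
# constructed sample below when no file is given.

# Constructed sample lines (assumed format, documentation IP ranges).
sample_log() {
cat <<'EOF'
2024-12-12T09:10:01 Notice sshd Accepted publickey for root from 192.0.2.10 port 51234 ssh2
2024-12-12T09:10:07 Notice sshd Accepted password for admin from 192.0.2.11 port 51300 ssh2
2024-12-12T09:10:15 Notice sshd Failed password for root from 198.51.100.7 port 40022 ssh2
2024-12-12T09:11:02 Notice audit /index.php: Successful login for user 'root' from: 192.0.2.10
2024-12-12T09:11:30 Warning audit /index.php: Web GUI authentication error for 'admin' from 198.51.100.7
EOF
}

# count_matches PATTERN [FILE]
# Prints how many lines match PATTERN (POSIX ERE). grep exits non-zero on
# zero matches, so "|| true" keeps the count usable under "set -e".
count_matches() {
    pattern=$1
    if [ -n "${2:-}" ]; then
        grep -cE -- "$pattern" "$2" || true
    else
        sample_log | grep -cE -- "$pattern" || true
    fi
}

# report [FILE]
# One line per pattern used in the New_Login_SSH / New_Login_WebGui tests.
report() {
    for p in 'Accepted .* ssh2' 'Successful login for user'; do
        printf '%-28s %s matching line(s)\n' "$p" "$(count_matches "$p" "${1:-}")"
    done
}

# Usage: sh check_patterns.sh /var/log/audit/latest.log
report "${1:-}"
```

A count of zero against the real audit log means the pattern never matches the lines that file actually contains, so the test cannot fire regardless of how the service is configured.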

Yea this looks like exactly what I have,

However, this still does not work for me. I get the following error in the monit logs.

2024-12-12T09:11:33 Error monit 'New_Firewall_Access_Detected' content match:

Any more ideas?

Can you print or copy+paste the configuration? Especially the service test match line.

Or the raw configuration file at /usr/local/etc/monitrc.
- nothing broken, nothing missing;

Please note, in the condition field, just put

content = "Successful login for user"


the "if" is not needed.
- nothing broken, nothing missing;

Yes, I know.

I originally was testing without IF, but it was also not working.

I have directly copied and pasted the config from above.

Can you expand the log selection for what's surrounding the line:


2024-12-12T09:11:33 Error monit 'New_Firewall_Access_Detected' content match:

- nothing broken, nothing missing;

Sorry, I cannot seem to expand it. It has an arrow to the right labelled Go To Page, but that does not do anything.