I want to create reports using rsyslog in Linux. Can someone help me out here? The report format must be "Hostname" "Username" "Hostname logged from" "Date" "Time".
Regards,
Ahmed.
Sep 28 17:16:37 samplehostname sshd[32092]: subsystem request for sftp
Sep 28 18:21:30 samplehostname sshd[23278]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:27:31 samplehostname sshd[30298]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname sshd[21016]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:58:41 samplehostname sshd[32092]: pam_unix(sshd:session): session closed for user root
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 11:09:59 samplehostname su: pam_unix(su:session): session opened for user root by oracle(uid=501)
Thanks a ton, it is working. But the log file may vary; it is not constant all the time. You can see only two users logging in here, but in reality a lot of users may log in.
What's your concern? Yoda's suggestion would accommodate any arbitrary number of login sessions reported in the rsyslog file you feed it. Any user will show as many times as the password is accepted.
Processing large volumes of text is exactly what awk is made for. Processing millions of records in a reasonably small amount of time is not difficult.
Can someone please help me with this logic: if I want to include the "Failed password" string in the code, how do I add that?
Sep 28 17:16:37 samplehostname sshd[32092]: subsystem request for sftp
Sep 28 18:21:30 samplehostname sshd[23278]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:27:31 samplehostname sshd[30298]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname sshd[21016]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:58:41 samplehostname sshd[32092]: pam_unix(sshd:session): session closed for user root
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 11:09:59 samplehostname su: pam_unix(su:session): session opened for user root by oracle(uid=501)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
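One way to produce the requested report from these sshd lines, covering both "Accepted password" and "Failed password" events, as an added example that is not Yoda's code or anything else posted in this thread. It assumes the standard sshd/syslog message layout seen above; the sample log embeds the thread's lines plus one constructed "invalid user" line, and the report gains a Result column so failures can be told apart from logins.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the requested report
# (Hostname, Username, logged-from address, Date, Time) with awk from the
# sshd "Accepted password" and "Failed password" lines, adding a Result column
# so failed attempts are distinguishable from successful logins.

# Constructed sample: the lines quoted in the thread plus one "invalid user"
# line (constructed) to show the shifted field layout sshd uses for unknown users.
SAMPLE_LOG='Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:30:01 samplehostname sshd[7001]: Failed password for invalid user admin from 10.225.124.234 port 54700 ssh2'

# login_report: syslog lines on stdin -> tab-separated report rows on stdout.
login_report() {
    awk 'BEGIN { OFS = "\t"; print "Hostname", "Username", "From", "Date", "Time", "Result" }
    /sshd\[[0-9]+\]: (Accepted|Failed) password for/ {
        # $1 $2 = month day, $3 = time, $4 = hostname, $6 = Accepted|Failed,
        # $9 = user, $11 = source address ...
        user = $9; src = $11
        # ... unless sshd wrote "for invalid user NAME from ADDR": shift by two.
        if ($9 == "invalid" && $10 == "user") { user = $11; src = $13 }
        print $4, user, src, $1 " " $2, $3, $6
    }'
}

# failed_count USER: how many failed password attempts the report shows for USER.
failed_count() {
    login_report | awk -F '\t' -v u="$1" '$2 == u && $6 == "Failed" { n++ } END { print n + 0 }'
}

# Run over the sample log.
printf '%s\n' "$SAMPLE_LOG" | login_report
```

Feed a real file with `login_report < /var/log/secure` (or wherever rsyslog writes the authpriv facility); the two identical "Failed password" lines from the post each produce their own row, which is what you want when counting attempts per user.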