Let’s say you want to be notified every time someone connects to your Linux hosts via SSH. This article shows how to configure the Zabbix trigger to notify you when a user logs in to a Linux host using SSH.
On Linux, SSH connection logs are stored in a file:
- RHEL/Rocky/Oracle Linux:
/var/log/secure
- Ubuntu/Debian:
/var/log/auth.log
By default, only the root user can read this file for security reasons. To allow the Zabbix agent to read the contents of this file, run:
$ sudo chgrp zabbix /var/log/auth.log
$ sudo chmod 640 /var/log/auth.log
The next step is to configure the Zabbix template for SSH log monitoring.
Create a new Zabbix item with the following settings:
- Name:
SSH login
- Type: Zabbix agent (active)
- Key:
log[/var/log/auth.log,"Accepted .*",,,skip,\0]
- Type of information: Log
Configure a trigger for your item:
- Name:
Successful SSH authentication on {HOST.NAME}
- Expression:
length(last(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0]))>0 and nodata(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0],5m)=0
If authentication with a password or SSH key is successful, you will receive a message containing the username and IP address from which the SSH connection was established.
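As an added illustration (not part of the original article), the shell snippet below applies the same "Accepted .*" filter that the log[] item key uses to a few constructed auth.log lines and pulls out the username, source IP and authentication method that the notification message carries. The log lines, hostname and addresses are made up (RFC 5737 documentation ranges), and extract_ssh_logins is a name chosen here, not a Zabbix or sshd function.

```shell
#!/bin/sh
# Constructed sample lines in the rsyslog auth.log format; not real log data.
SAMPLE_AUTH_LOG='Mar  3 10:15:01 host1 sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 10:15:07 host1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:22 host1 sshd[2255]: Accepted password for bob from 203.0.113.5 port 51300 ssh2
Mar  3 10:16:30 host1 sshd[2260]: Disconnected from user alice 192.0.2.10 port 51234'

# Same selection as the Zabbix item (only lines matching "Accepted .*"),
# then extract the fields a notification shows: user, source IP, auth method.
# Reads log lines on stdin; writes one "user ip method" line per accepted login.
# Failed attempts and disconnects are dropped by the filter, as in Zabbix.
extract_ssh_logins() {
    awk '/Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        print user, ip, method
    }'
}

# Usage: feed the constructed log through the filter.
printf '%s\n' "$SAMPLE_AUTH_LOG" | extract_ssh_logins
```

Running a real file through the same function (for example `extract_ssh_logins < /var/log/auth.log` as a user that can read it) is a quick way to confirm that the regular expression in the item key matches the sshd message format on your distribution before relying on the trigger.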
You can then configure Zabbix to send notifications for this trigger to mail or Telegram (see How to send Zabbix notification to Telegram).
Thank you for the instructions.
I found that changing the group for the /var/log/auth.log file does not persist across a reboot.
I modified group membership for the zabbix user as follows, and it now works across reboots: sudo usermod -aG adm zabbix