Enable Zabbix Alert for SSH Login on Linux

Let’s say you want to be notified every time someone connects to your Linux hosts via SSH. This article shows how to configure the Zabbix trigger to notify you when a user logs in to a Linux host using SSH.

We showed you how to send an email notification when a user connects to Linux via SSH in the previous article.

On Linux, SSH connection logs are written to a distribution-specific file:

  • RHEL/Rocky/Oracle Linux: /var/log/secure
  • Ubuntu/Debian: /var/log/auth.log

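By default, only the root user can read this file for security reasons. To allow the Zabbix agent to read it, change the file's group to zabbix and set mode 640 (the commands below use the Ubuntu/Debian path; on RHEL/Rocky/Oracle Linux substitute /var/log/secure):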

$ sudo chgrp zabbix /var/log/auth.log
$ sudo chmod 640 /var/log/auth.log

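Confirm that the group and mode are still in place after the next log rotation, because a newly created log file takes the ownership set by the logging daemon or logrotate configuration.

The next step is to configure the Zabbix template for SSH log monitoring.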

Create a new Zabbix item with the following settings:

  • Name: SSH login
  • Type: Zabbix agent (active)
  • Key: log[/var/log/auth.log,"Accepted .*",,,skip,\0]
  • Type of information: Log

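Configure a trigger for your item. The expression fires when the last collected value is non-empty and the item has received data within the last 5 minutes, so the problem resolves once 5 minutes pass without a new login: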

  • Name: Successful SSH authentication on {HOST.NAME}
  • Expression: length(last(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0]))>0 and nodata(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0],5m)=0

If authentication with a password or SSH key is successful, you will receive a message containing the username and IP address from which the SSH connection was established.
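The following added example (not part of the original article) runs the item's regular expression over constructed sshd log lines to show which lines the item collects and what value the `\0` output parameter produces, then extracts the user, source IP and authentication method. The function names and sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the syslog format sshd writes to
# /var/log/auth.log or /var/log/secure (hosts, users and IPs are made up).
sample_log() {
cat <<'EOF'
Mar  4 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  4 10:15:09 web01 sshd[2214]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
Mar  4 10:16:40 web01 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 60022 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT
Mar  4 10:17:02 web01 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  4 10:18:30 web01 sshd[2350]: Connection closed by authenticating user bob 203.0.113.7 port 40230 [preauth]
EOF
}

# Lines the item collects: same regular expression as in the item key.
item_matches() {
    grep -E 'Accepted .*'
}

# With the output parameter set to \0, the stored value is only the matched
# text, i.e. everything from "Accepted" to the end of the line.
item_values() {
    grep -oE 'Accepted .*'
}

# Extract the fields an alert recipient cares about from each stored value.
login_fields() {
    item_values | sed -nE \
        's/^Accepted ([^ ]+) for ([^ ]+) from ([^ ]+) port ([0-9]+).*/user=\2 ip=\3 method=\1/p'
}

# Stand-alone run: print one line per successful login in the sample.
sample_log | login_fields
```

To check the pattern against a real host before creating the item, pipe the log file into `item_values` instead of `sample_log`.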

You can then configure an action for this trigger to send notifications from Zabbix by email or Telegram (see "How to send Zabbix notification to Telegram").
