Enable Zabbix Alert for SSH Login on Linux

PowerADM.com / Linux / Enable Zabbix Alert for SSH Login on Linux

Let’s say you want to be notified every time someone connects to your Linux hosts via SSH. This article shows how to configure the Zabbix trigger to notify you when a user logs in to a Linux host using SSH.

We showed you how to send an email notification when a user connects to Linux via SSH in the previous article.

On Linux, SSH connection logs are stored in a file:

  • RHEL/Rocky/Oracle Linux: /var/log/secure
  • Ubuntu/Debian: /var/log/auth.log

By default, only the root user can read this file for security reasons. To allow the Zabbix agent to read the contents of this file, run:

$ sudo chgrp zabbix /var/log/auth.log
$ sudo chmod 640 /var/log/auth.log

The next step is to configure the Zabbix template for SSH log monitoring.

Create a new Zabbix item with the following settings

  • Name: SSH login
  • Type: Zabbix agent (active)
  • Key: log[/var/log/auth.log,"Accepted .*",,,skip,\0]
  • Type of information: Log

Create SSH login item in Zabbix

Configure a trigger for your item:

  • Name: Successful SSH authentication on {HOST.NAME}
  • Expression: length(last(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0]))>0 and nodata(/SSH Login/log[/var/log/auth.log,"Accepted .*",,,skip,\0],5m)=0

Creaet zabbix trigger for ssh login

If authentication with a password or SSH key is successful, you will receive a message containing the username and IP address from which the SSH connection was established.

 Monitor SSH Login Attempts with Zabbiz

You can enable and configure a trigger to send notifications from Zabbix to mail or Telegram (How to send Zabbix notification to Telegram).

One thought on “Enable Zabbix Alert for SSH Login on Linux”
  1. Thank you for the instructions.

    I found that changing the group for the /var/log/auth.log file does not persist across a reboot.

    I modified group membership for the zabbix user as follows and it now works across reboots ‘sudo usermod -aG adm zabbix’

Leave a Reply

Your email address will not be published. Required fields are marked *