topic Notify alert when threshold reached with audit.d in Operating System - Linux https://community.hpe.com/t5/operating-system-linux/notify-alert-when-threshold-reached-with-audit-d/m-p/3837026#M24546 Hi,<BR /><BR />I am trying to figure how I can add an alert with the audit.conf file (/etc/audit.audit.conf) to send and e-mail when the threshold is reached.<BR /><BR />I am new to Linux and not an expert in writing Linux scripts. Please help.<BR /><BR />Attached, is the original audit.conf so you can see and help me when the threshold is reached.<BR /><BR />Thank you in advance.<BR /><BR />Jorge Thu, 03 Aug 2006 22:39:15 GMT Jorge Cocomess 2006-08-03T22:39:15Z Notify alert when threshold reached with audit.d https://community.hpe.com/t5/operating-system-linux/notify-alert-when-threshold-reached-with-audit-d/m-p/3837026#M24546 Hi,<BR /><BR />I am trying to figure how I can add an alert with the audit.conf file (/etc/audit.audit.conf) to send and e-mail when the threshold is reached.<BR /><BR />I am new to Linux and not an expert in writing Linux scripts. Please help.<BR /><BR />Attached, is the original audit.conf so you can see and help me when the threshold is reached.<BR /><BR />Thank you in advance.<BR /><BR />Jorge Thu, 03 Aug 2006 22:39:15 GMT https://community.hpe.com/t5/operating-system-linux/notify-alert-when-threshold-reached-with-audit-d/m-p/3837026#M24546 Jorge Cocomess 2006-08-03T22:39:15Z Re: Notify alert when threshold reached with audit.d https://community.hpe.com/t5/operating-system-linux/notify-alert-when-threshold-reached-with-audit-d/m-p/3837027#M24547 I am going to include the script within this posting, since my attachment did not work on the first posting. Thanks, J<BR /><BR /><BR /># kernel interface<BR />device-file = "/dev/audit";<BR /> <BR /># filter config<BR />filter-config = "/etc/audit/filter.conf";<BR /> <BR /># Standard output method is bin mode.<BR />#<BR />output {<BR /> mode = bin;<BR /> num-files = 4;<BR /> file-size = 20M;<BR /> file-name = "/var/log/audit.d/bin";<BR /> notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C";<BR /> <BR /> # The following symlink is created whenever we switch to<BR /> # a new bin.<BR /> current = "/var/log/audit";<BR /> <BR /> sync = yes;<BR /> error {<BR /> action {<BR /> type = suspend;<BR /> };<BR /> };<BR />};<BR /> <BR /># Alternatively, write to /var/log/audit in normal<BR /># append mode<BR /># output {<BR /># mode = append;<BR /># file-name = "/var/log/audit";<BR /># sync = yes;<BR /># };<BR /> <BR /># Alternative output<BR /># output {<BR /># mode = stream;<BR /># command = "/usr/local/sbin/send_to_syslog"<BR /># };<BR /> <BR /># Disk usage thresholds.<BR /># These thresholds are checked at regular intervals when<BR /># append mode is used.<BR /># (bin mode doesn't require these checks as the bin files<BR /># are preallocated).<BR />threshold disk-space-low {<BR /> space-left = 10M;<BR /> action {<BR /> type = syslog;<BR /> facility = security;<BR /> priority = warning;<BR /> };<BR /> action {<BR /> type = notify;<BR /> command = "/usr/local/bin/page-admin";<BR /> };<BR /> action {<BR /> type = audit;<BR /> event = AUDIT_disklow;<BR /> };<BR />};<BR />threshold disk-full {<BR /> space-left = 20K;<BR /> action {<BR /> type = syslog;<BR /> facility = security;<BR /> priority = crit;<BR /> };<BR /> action {<BR /> type = audit;<BR /> event = AUDIT_diskfull;<BR /> };<BR />};<BR /><BR /> Thu, 03 Aug 2006 23:22:55 GMT https://community.hpe.com/t5/operating-system-linux/notify-alert-when-threshold-reached-with-audit-d/m-p/3837027#M24547 Jorge Cocomess 2006-08-03T23:22:55Z