Re: Notify alert when threshold reached with audit.d

Jorge Cocomess · ‎08-03-2006

Hi,

I am trying to figure how I can add an alert with the audit.conf file (/etc/audit.audit.conf) to send and e-mail when the threshold is reached.

I am new to Linux and not an expert in writing Linux scripts. Please help.

Attached, is the original audit.conf so you can see and help me when the threshold is reached.

Thank you in advance.

Jorge

Jorge Cocomess · ‎08-03-2006

I am going to include the script within this posting, since my attachment did not work on the first posting. Thanks, J

# kernel interface
device-file = "/dev/audit";

# filter config
filter-config = "/etc/audit/filter.conf";

# Standard output method is bin mode.
#
output {
mode = bin;
num-files = 4;
file-size = 20M;
file-name = "/var/log/audit.d/bin";
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C";

# The following symlink is created whenever we switch to
# a new bin.
current = "/var/log/audit";

sync = yes;
error {
action {
type = suspend;
};
};
};

# Alternatively, write to /var/log/audit in normal
# append mode
# output {
# mode = append;
# file-name = "/var/log/audit";
# sync = yes;
# };

# Alternative output
# output {
# mode = stream;
# command = "/usr/local/sbin/send_to_syslog"
# };

# Disk usage thresholds.
# These thresholds are checked at regular intervals when
# append mode is used.
# (bin mode doesn't require these checks as the bin files
# are preallocated).
threshold disk-space-low {
space-left = 10M;
action {
type = syslog;
facility = security;
priority = warning;
};
action {
type = notify;
command = "/usr/local/bin/page-admin";
};
action {
type = audit;
event = AUDIT_disklow;
};
};
threshold disk-full {
space-left = 20K;
action {
type = syslog;
facility = security;
priority = crit;
};
action {
type = audit;
event = AUDIT_diskfull;
};
};

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Notify alert when threshold reached with audit.d

Notify alert when threshold reached with audit.d

Re: Notify alert when threshold reached with audit.d