[Xymon] Log/file monitoring based on occurrence?

Adam Goryachev mailinglists at websitemanagers.com.au
Thu Jan 10 18:31:33 CET 2013


On 11/01/13 01:25, Mike Burger wrote:
>> On 11/01/13 00:19, Mike Burger wrote:
>>> That's what I figured, after having looked at the analysis.cfg man page
>>> multiple times.
>>>
>>> If I want to do this, then, I'm going to have to script something to
>>> analyze X amount of time and do something if it sees occurrences >= Y and
>>> then feed that to Xymon somehow.
>>>
>>> Thanks.
>> You might be able to use something like fail2ban, and configure it to
>> simply add some text to a logfile instead of adding an iptables entry....
>> Then let xymon monitor this fail2ban logfile....
>>
>> Possibly overkill, but just thought I'd mention it... better to re-use
>> something that already exists...
> 
> At home, I use DenyHosts to do something similar on my publicly connected
> systems.
> 
> At work, I've got two issues preventing this:
> 
> A) No iptables in use on the internally networked Linux systems.
> B) The system where I'm looking to implement this approach is an AIX
> system, so there's no iptables or any other onboard firewall.
> 
> The real reason we're looking at this, at all, is for security auditing
> purposes. We can't keep an active eye on failed logins, all day, so we're
> looking for something that can be used to alert us if an arbitrary number
> of failed logins occurs within an arbitrary amount of time, based on the
> audit logger's stream.
> 

Right, and fail2ban (which uses python and I'm assuming is portable to
AIX) can be configured to do anything you ask it; by default, it adds a
firewall rule to iptables. There is nothing stopping you from disabling
the iptables calls and simply using the fail2ban log itself, or
changing the iptables command to instead add some log entry somewhere
which is then fed into xymon.

Regards,
Adam

-- 
Adam Goryachev
Website Managers
www.websitemanagers.com.au
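A sketch of the counting Mike describes (raise an alert when at least Y failed logins fall within X seconds of each other, and hand the result to Xymon as a status line), as an added example rather than code from this thread; the log line format, the host name `aixbox` and the test name `failedlogins` are assumptions:

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of an audit/login log; the format is an assumption,
# not the real AIX audit logger output. Lines are assumed chronological.
SAMPLE_LOG = """\
2013-01-10 18:00:05 login failed user=bob from=10.0.0.5
2013-01-10 18:00:40 login failed user=bob from=10.0.0.5
2013-01-10 18:01:12 login ok user=alice from=10.0.0.7
2013-01-10 18:01:30 login failed user=root from=10.0.0.5
2013-01-10 18:02:02 login failed user=root from=10.0.0.5
2013-01-10 18:02:45 login failed user=admin from=10.0.0.5
2013-01-10 18:30:00 login failed user=bob from=10.0.0.9
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login failed user=\S+ from=\S+")

def failed_login_times(text):
    """Yield the timestamp of every failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")

def find_bursts(text, window_seconds, threshold):
    """Sliding window over the stream: return (time, count) for every failure
    at which >= threshold failures fell inside the trailing window."""
    window = timedelta(seconds=window_seconds)
    recent = deque()
    bursts = []
    for ts in failed_login_times(text):
        recent.append(ts)
        while ts - recent[0] > window:   # drop failures that aged out of the window
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((ts, len(recent)))
    return bursts

def xymon_status_line(host, test, bursts, window_seconds, threshold):
    """Build the 'status HOST.TEST COLOR text' message that a Xymon client
    extension passes to the xymon CLI; host and test names are placeholders."""
    if bursts:
        last_ts, count = bursts[-1]
        color = "red"
        text = (f"{count} failed logins within {window_seconds}s "
                f"(threshold {threshold}), last at {last_ts:%Y-%m-%d %H:%M:%S}")
    else:
        color = "green"
        text = f"fewer than {threshold} failed logins in any {window_seconds}s window"
    return f"status {host}.{test} {color} {text}"

if __name__ == "__main__":
    bursts = find_bursts(SAMPLE_LOG, window_seconds=300, threshold=4)
    print(xymon_status_line("aixbox", "failedlogins", bursts, 300, 4))
```

The printed line is what a client-side extension would send with `xymon <server> "<status line>"`; on a real system the script would tail the audit log instead of the embedded sample.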
