Simple Log Alerting with Systemd/Journald
This post provides a super simple example script for alerting using Systemd/Journald.
With this script using journalctl
’s --since
flag for 1 minutes ago
, I would recommend setting a cron job for every minute to run the script so as to not miss events:
*/1 * * * * /path/to/sshd-alert.sh
Here’s the script:
#!/usr/bin/env bash
### Super simple systemd alerting
### Service name
service="sshd.service"
### Journalctl time frame (look at `man systemd.time` and `man journalctl`)
timeframe="1 minutes ago"
### Pattern to match with `grep -E ...`
grep_regex_pattern='Failed password|Invalid verification code|Invalid user|Accepted publickey|Accepted password'
### Command to pipe logs to if match
notify_command='ntfy send "${logs}"'
logs=$(journalctl -u ${service} --since "${timeframe}" | grep -iE "${grep_regex_pattern}")
if [[ -n ${logs} ]]
then
eval "${notify_command}"
fi
With the grep_regex_pattern
in the script, there will be an alert generated for every failed login as well as every successful login. Change as needed.
Written on August 9, 2021
linux security logging logs log