Forum Discussion
Dec 09, 2019
Hi aaperson,
Can you add following lines in /config/user_alert.conf?
alert login_history "(.*)pam_audit(.*)" {
email toaddress="root@example.com"
fromaddress="f5root"
body="Your message."
}
Restart alertd service and try login.
tmsh restart sys service alertd
- aapersonDec 10, 2019Cirrus
This iworks great but it only caught the login failures. I'd like the successes, too. Is that possible?
Thanks in advance!
- Dec 10, 2019
I think, it send successful login emails. Both successful and failed logs contains "pam_audit" string.
Example login fail log:
Tue Dec 10 16:32:01 EET 2019 admin 0-0 httpd(pam_audit): User=admin tty=(unknown) host=172.16.11.135 failed to login after 1 attempts (start="Tue Dec 10 16:32:35 2019" end="Tue Dec 10 16:32:37 2019").:
Example login success log:
Tue Dec 10 16:32:37 EET 2019 admin 0-0 httpd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=(unknown) host=172.16.11.135 attempts=1 start="Tue Dec 10 16:32:01 2019" end="Tue Dec 10 16:32:01 2019".: