Forum Discussion
Hi aaperson,
Can you add following lines in /config/user_alert.conf?
alert login_history "(.*)pam_audit(.*)" {
email toaddress="root@example.com"
fromaddress="f5root"
body="Your message."
}
Restart alertd service and try login.
tmsh restart sys service alertd
aaperson
Dec 10, 2019Cirrus
This iworks great but it only caught the login failures. I'd like the successes, too. Is that possible?
Thanks in advance!
- Dec 10, 2019
I think, it send successful login emails. Both successful and failed logs contains "pam_audit" string.
Example login fail log:
Tue Dec 10 16:32:01 EET 2019 admin 0-0 httpd(pam_audit): User=admin tty=(unknown) host=172.16.11.135 failed to login after 1 attempts (start="Tue Dec 10 16:32:35 2019" end="Tue Dec 10 16:32:37 2019").:
Example login success log:
Tue Dec 10 16:32:37 EET 2019 admin 0-0 httpd(pam_audit): user=admin(admin) partition=[All] level=Administrator tty=(unknown) host=172.16.11.135 attempts=1 start="Tue Dec 10 16:32:01 2019" end="Tue Dec 10 16:32:01 2019".: