Documentation on setting up this type of alert was sparse, and not very clear. This is what I did to get alerts whenever a user logs in from a source not explicitly identified. This took a little creativity since my original method ran into some issues. If I set the alert to go off only once, I would only be notified once (ever) that someone logged in from an unknown address. If I set it to unlimited notifications, every time the agent updates, I would get an email.
Overview
- Create a custom module
- Create a template with a regular expression criteria
- Then create an alert.
Steps to Follow:
- Log into your agent server via ssh.
- Edit the config:
nano /var/lib/pandorafms/agent/pandora_agent.conf
Or, if you have pandora_agent_daemon instead (run ls /etc/init.d/ to see whether you have pandorafms-agent, edited above, or pandora_agent_daemon, edited below):
nano /etc/pandora/pandora_agent.conf
- This is my custom module:
#UnknownIP
module_begin
module_name LastLoginUnkIP
module_type async_string
module_exec last | grep -v 'host1\|192.168\|host2' | head -1
module_description Monitor last user login from Unk IP
module_end
- Basically, the above is a modified version of the stock Last Login module.
- The grep -v part filters out the known hosts (host1 and host2) and any line containing 192.168, so only the most recent login from an address outside that list reaches head -1 and becomes the module value.
- Restart the pandora agent, depending on your version, it’s either:
service pandorafms-agent restart
service pandora_agent_daemon restart
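To see what the module_exec pipeline above actually reports, here is an added example (my own, not from the post or from Pandora FMS) that runs the same filter over a constructed block of last output. The usernames, hostnames and addresses are made up. It also shows a tightened variant, unknown_logins, that matches the origin field exactly instead of anywhere on the line: with the page's pattern, a host named host10 is silently dropped because host1 is a substring of it, and reboot, wtmp and blank lines are not logins at all.

```shell
#!/bin/sh
# Added example: exercise the page's `last | grep -v ... | head -1` filter
# on constructed sample data. Not part of the original post.

# Constructed sample of `last` output (newest first). All names/addresses are made up.
SAMPLE_LAST='svc      pts/4        host10           Mon Mar  4 09:30 - 09:31  (00:01)
ryan     pts/0        192.168.1.50     Mon Mar  4 09:12   still logged in
ryan     pts/1        host1            Mon Mar  4 08:55 - 09:10  (00:15)
admin    pts/2        203.0.113.7      Sun Mar  3 23:41 - 23:59  (00:18)
ryan     pts/0        host2            Sun Mar  3 17:02 - 18:30  (01:28)
reboot   system boot  5.15.0-generic   Sun Mar  3 16:58   still running
backup   pts/3        198.51.100.22    Sat Mar  2 02:00 - 02:05  (00:05)

wtmp begins Fri Mar  1 00:00:01 2024'

# The page's filter. `-e` patterns are the portable spelling of the
# post's 'host1\|192.168\|host2' alternation; behaviour is identical:
# any line containing one of the substrings is dropped, newest survivor kept.
page_filter() {
    printf '%s\n' "$SAMPLE_LAST" | grep -v -e host1 -e 192.168 -e host2 | head -1
}

# Tightened variant: compare the origin field ($3) exactly, anchor the
# private-range prefix, and skip lines that are not user logins.
unknown_logins() {
    printf '%s\n' "$SAMPLE_LAST" | awk '
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }   # not a login
        $3 == "host1" || $3 == "host2"            { next }   # known hosts, exact match
        $3 ~ /^192\.168\./                        { next }   # known private range
        { print }'
}

# What the module value would be with the tightened filter.
latest_unknown_login() {
    unknown_logins | head -1
}

# Stand-alone run: show both results side by side.
echo "page filter reports:      $(page_filter)"
echo "tightened filter reports: $(latest_unknown_login)"
```

With this sample the page's filter reports the admin login from 203.0.113.7 and never mentions the newer svc login from host10, while the tightened filter reports host10 first. If you adopt the awk form in module_exec, keep the head -1 so the On Change template still fires once per new login rather than once per agent update.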
- Go to Administration->Manage Alerts->Templates
- Create a new template and name it something like LastLoginUnkIPChange
- I set the priority to Informational. I’m not sure of the difference; my guess is that it may affect the color of the alert when it fires.
- In Step 2, you can configure it like below:
- Default action is Mail to Ryan. If you don’t have that configured, see this article.
- Condition type is set to On Change, which means that whenever the value changes, it will send a notification.
- Check off Trigger When Matches.
- Press next to go to Advanced Fields. This is where we set the message information.
- Leave the first few fields blank (depending on how many your Mail To action uses). If you put your text in Field1 and Mail To is set to use Field1, your text won’t be transmitted. Here’s what I have in Field 3:
Hello, this is an automated email coming from Pandora FMS

This alert has been fired because the last user login is from an unknown address:

Agent: _agent_
Module: _module_
Module description: _moduledescription_
Timestamp: _timestamp_
Current value: _data_

Thanks for your time.
Best regards
Pandora FMS
- Press Finish and now we need to create an alert.
- Go back to Administration->Manage Alerts and press Create
- Fill out like below:
- Agent: Choose your agent you’d like to apply to.
- Module: Choose LastLoginUnkIP since that’s our custom module.
- Template: Choose your template you just made.
- Action: you should be able to leave this at the template’s default action.
- Press add alert and test to confirm.
- That’s everything; if it’s working, you should get an email like so: