Documentation on setting up this type of alert was sparse, and not very clear. This is what I did to get alerts whenever a user logs in from a source not explicitly identified. This took a little creativity since my original method ran into some issues. If I set the alert to go off only once, I would only be notified once (ever) that someone logged in from an unknown address. If I set it to unlimited notifications, every time the agent updates, I would get an email.

Overview

1. Create a custom module
2. Create a template with a regular expression criteria
3. Then create an alert.

Steps to Follow:

1. Log into your agent server via ssh.
2. Edit the config:

   nano /var/lib/pandorafms/agent/pandora_agent.conf

   Or, if you have pandora_agent_daemon (do ls /etc/init.d/ to see if you have pandorafms-agent (above) or pandora_agent_daemon (below)

   nano /etc/pandora/pandora_agent.conf

3. This is my custom module:

   #UnknownIP
   module_begin
   module_name LastLoginUnkIP
   module_type async_string
   module_exec last | grep -v 'host1\|192.168\|host2' | head -1
   module_description Monitor last user login from Unk IP
   module_end

   1. Basically, the above is a modified version of Last Login
   2. It filters out known hosts, which is the grep -v part and any ip address with 192.168 as part of it.
4. Restart the pandora agent, depending on your version, it’s either:

   service pandorafms-agent restart
   service pandora_agenet_daemon restart

5. Go to Administration->Manage Alerts->Templates
6. Create a new template and name it something like LastLoginUnkIPChange
7. I set the priority to Informational. I’m not sure the difference, except my guess is that it may affect the color of the alert when it fires.
8. In Step 2, you can configure it like below:
   1. Default action is Mail to Ryan. If you don’t have that configured, see this article.
   2. Condition type is set to On Change, which means that whenever the value changes, it will send a notification.
   3. Check off Trigger When Matches.
   4. Press next to go to Advanced Fields. This is where we set the message information.
9. Leave the first few fields blank (depending on how many your Mail To action uses). If you use Field1 and Mail To is set to use Field1, your text won’t be transmitted.Here’s what I have in Field 3:

   Hello, this is an automated email coming from Pandora FMS
   
   This alert has been fired because the last user login is from an unknown address:
   
   Agent : _agent_
   Module: _module_
   Module description: _moduledescription_
   Timestamp _timestamp_
   Current value: _data_
   
   Thanks for your time.
   
   Best regards
   Pandora FMS
   

10. Press Finish and now we need to create an alert.
11. Go back to Administration->Manage Alerts and press Create
12. Fill out like below:
    1. Agent: Choose your agent you’d like to apply to.
    2. Module: Choose LastLoginUnkIP since that’s our custom module.
    3. Template: Choose your template you just made.
    4. Action: should be able to leave it at default action for the template.
13. Press add alert and test to confirm.
14. Everything should be done, if it’s working, you should get an email like so: