send mail on an audit alert


I'm running this commands on a script to send to /var/syslog/auditalerts.log file  these audit's events, but I want at the same time to send me an email.. question:

How can I insert in my code to send me en email using 'mail' command?
nohup /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "event== USER_Create || event== USER_Remove || event== USER_Change |
| event== GROUP_Create || event== GROUP_Remove || event== GROUP_Change || event== PASSWORD_Change " | /usr/sbin/auditpr -h elr
tRc -t2 -v >> /var/syslog/auditalerts.log &

Open in new window

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hi again,
please try this -
nohup ... ... | /usr/sbin/auditpr -h elrtRc -t2 -v | tee -a /var/syslog/auditalerts.log | mail -s "USER Manipulation!" sminfo@domain.tld &

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sminfoAuthor Commented:
I forgot tee command... :-)

work prerfectly

thanks wmp
sminfoAuthor Commented:

everytime I run for the first time the script it sends me an empty email.. how can I avoid this?
Amazon Web Services

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

Well, not quite easy.
We could use an intermediate file ...
nohup ... ... | /usr/sbin/auditpr -h elrtRc -t2 -v | tee -a /var/syslog/auditalerts.log  >/tmp/auditout  ; [ -s /tmp/auditout ] && mail -s "USER Manipulation!" sminfo@domain.tld </tmp/auditout &
Not sure how that nohup and backgrounding stuff will work in this scenario, however.
sminfoAuthor Commented:
well wmp,

I thouht I solved my issue but I couldn't.. first, it's difficult to use all commands on a nohup &, also, the command mail only run one time or the first time I run the script..
I need to send to a log file all audit's events and send an email whenever an alert comes.

another brilliant idea from your brain? :-)

seems I've been too eager to solve your email issue so that I didn't see the real thing!
In one of our former cases I already wrote that the streamcmds never close their stdout - so you simply can't expect an EOF to arrive at the end of all the pipes - so mail will not find and end-of-input - and will wait for it forever.
Try it - shutdown audit and all output will arrive at once, because now finally an EOF is sent. (The first mail seems to come from the initial OPEN - no idea what auditpr exactly does here).  The logifle gets filled because auditpr flushes its stdout buffer regularly, but without a real CLOSE, see above.
We discussed all this here -
particularly here - http:#a33847980
I suggested to use an intermediate file - filled using ">" (no append) which is checked and cleared regularly. You can create this file in parallel to the file /var/syslog/auditalerts.log mentioned in this question - just use a second auditstream command in streamcmds.
Sorry that I didn't notice this earlier!
sminfoAuthor Commented:
auditpr is  to give the output format like this:

event           login    real     time                     status      command                      
--------------- -------- -------- ------------------------ ----------- -------------------------------
USER_Remove     s03     s03  Tue Oct 19 17:57:19 2010 OK          rmuser                        

If I don't put auditpr I can see the full event because I can see only the header.  Let begin from the beginning and test all above.
Sorry, I didn't understand your last comment.

What you posted is what appears in the logfile. This has nothing to do with mail or any other program being able to get an end-of-file from auditpr.
sminfoAuthor Commented:
Hi wmp,

I posted the same question on a forum and get this code, but does not work either. Could you please take a look, maybe give you some hints :-)


while [ 1 ] # or crontab

/usr/sbin/auditstream |\
 /usr/sbin/auditselect -m -e "\
  event== USER_Create ||\
  event== USER_Remove ||\
  event== USER_Change ||\
  event== GROUP_Create ||\
  event== GROUP_Remove ||\
  event== GROUP_Change ||\
  event== PASSWORD_Change\
  " |\
 /usr/sbin/auditpr -h elrtRc -t2 -v

if [ "$zmsg" != "" ]
 echo "$zmsg"  | tee -a /var/syslog/auditalerts.log | mail -s "AUDITALERT: Alert on `hostname`" user@domain

sleep 9


Could this code help?

Thanks once more
I keep telling you - auditstream never comes to an end (unless audit is shutdown), it just flushes stdout regularly.
The script you posted will wait forever, just as the one in my first suggestion.
And it's not good (although allowed) running auditstream as a separate script. This tool is meant to be started via /etc/security/audit/streamcmds.
OK, I'll repeat the suggestion from this thread - - hope you're going to believe me some time.
1) Add to /etc/security/audit/streamcmds (similar to the thing in this Q)
 /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "event== USER_Create || event== USER_Remove || event== USER_Change |
| event== GROUP_Create || event== GROUP_Remove || event== GROUP_Change || event== PASSWORD_Change " | /usr/sbin/auditpr -h elr
tRc -t2 -v > /var/syslog/audit.workfile &
2) Create a script
if [ -s /var/syslog/audit.workfile ]
   sed "s/\\0//g" /var/syslog/audit.workfile | mail -s "User manipulation Alert!" sminfo@domain.tld
   cat /dev/null > /var/syslog/audit.workfile
 ( The "sed ..." part is important, because auditpr records the last used character position in the output file and continues writing there, so that a growing part from top-of-file is filled with 0x0. OK, could be that this is hard to understand, but believe me!)
3) Schedule it via cron to run regularly, as desired.
Attention! The above does not create a permanent log! That's why I wrote "1) Add to ..."! In order to create a non-volatile log you need the same entry twice in /etc/security/audit/streamcmds, but the second one with your ">> /var/syslog/auditalerts.log" at the end.
sminfoAuthor Commented:
jee, wmp, If I don't believe you I wouldn't  ask you... trust me..... the fact is I don't understand what you say so I ask again, sorry... :-).. I'll be off until monday, I will read again and do what you said..ok? I need this alerts ASAP.. thanks again wmp...have a nice week!
Have a nice time (and weekend) too, wherever you are!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Shell Scripting

From novice to tech pro — start learning today.