ftp login email alert in linux

for once you can use logtool with retail.

Install the two programs and read the documentation here:
http://xjack.org/logtool/logtool.txt

You can do a lot of things, but what you want is basically:
* Configure logtool to filter the messages from vsftpd.log to get the successfull ftp logins.
* Combine it with retail in a cronjob to run every minute
* Send the eventually generated output via email

Samples of this are in the link provided above.

The retail command is like a tail, it tails text-files, but it has a memory, so if you run it again on the same file, it knows where it left of before and just delivers the new information.

With this you should be able to get near realtime information on the ftp logins!

best
Ray

Sir, thank you very much , you have mentioned two programs i downloaded compiled and installed logtool-1.2.8, and i think the other program you refer is retail , please let me know where to i get this for download, thanks in adavnce.

it's here:

http://xjack.org/retail/


best
Ray

Sir, thanks you very much , Iam extremely sorry to ask this as i have time limitation to setup this can you please help me how to do the following
Configure logtool to filter the messages from vsftpd.log to get the successfull ftp logins.
* Combine it with retail in a cronjob to run every minute
* Send the eventually generated output via email

Well, it's rather easy:

create a file which defines the log-pattern to match, like:
/usr/local/etc/logtail-ftpsuccess.inc

You have to put a regular expression in the above file which will match a successfull login in the vsftpd log, if you do not know how to do that post the vsftpd log with examples of sucessfull and not successfull logins and I can create it for you.


then create a bash script e.g. in /usr/local/sbin with the name logtool-ftpsuccess.sh

chmod the script to:
chmod a+x /usr/local/sbin/logtool-ftpsuccess.sh

and put this in:

#!/bin/bash

# mail a report to x@x.com
retail /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc > /tmp/mail.msg

if [ -s /tmp/mail.msg ] ; then
  cat /tmp/mail.msg | mail -s "Successfull FTP Login" Your@mail.address
fi

Select allOpen in new window

then add this report to the crontab of root like:
crontab -e

and add:
* * * * * /usr/local/sbin/logtool-ftpsuccess.sh


This is out of my head, but it should work, if you get spammed with mails just edit again the crontab file with crontab -e and put a # in from of the line to deactivate it so we can debug it.

the if with -s checks if the file has a size of 0, it could be that the if there is no output that it has a size of 1, if this is the case, we have to change the if a bit, but I guess it will work.

Add after the line #/bin/bash in the logtool-ftpsuccess.sh script:

rm /tmp/mail.msg

so it get's deleted before dumping new data into it.

best

Sir , thank you very much , in the log /var/log/vsftpd.log i do not see the reg expression entires like success or failure only the user names  are getting generated , attached /var/log/vsftpd.log for your reference please help me in this , please help
vsftpdlog.txt

I am not very familiar with redhat, what other files do you have in /var/log? On my debian system for example I get all security related (e.g. logins, login attempts, etc.) in a file called /var/log/auth.

Sir attached the log of /var/log/messages which has an entries of vsftpd logins, request you to please extract the regular expression from this file and request you to give the /usr/local/etc/logtail-ftpsuccess.inc
Thank you very very much.

vsftpdlog.txt

As an alternative, see:

http://linuxhostingsupport.net/blog/script-to-email-successful-ftp-logins

The script may need some minor customizations (it currently references Pure-ftpd).

Just cron it up to check as frequently as you like. See the associated comments for how to eliminate localhost logins, if necessary.

Ok, just put:

OK LOGIN:

in the file:
/usr/local/etc/logtail-ftpsuccess.inc


and you should be fine!

best

Sir , thanks for the great support. also the provided link http://linuxhostingsupport.net/blog/script-to-email-successful-ftp-logins , is for the pure-ftpd can you please help me for the vsftpd.

Thank you

well, you should have everything going with the help I gave you, is something not working?

Sir will check it tomorrow as i have reached home will update tomorrow for sure will trouble is anything goes wrong. Thank you very much for the great support.

no problem, you should be fine, if not, I'm here tomorrow too.

best

Sir , i took ssh and did as per your instructions , iam getting the alert mail iam really very much happy to see the email alert but the only problem is iam getting continous mail of ftp logins and all their transactions from past several days , it will be really great if i can get an alert on the real time login that is the moment anybody logins the alert mail should be generated, as the log files are huge hence attaced the part of the content of the first email request you to please check this and help such that only login succes is captured on real time and alert is sent.

Thank you


alert-mail-1.txt

on the first run this is expacted, the retail command should start in the second run from the last parsed position, so you will have all logins within the last minute, if the cronjob will run every minute.

what worries me is the filtered text, can you please post the output of:

cat /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc

best

Sir , i had forgotten to add following after the #/bin/bash
rm /tmp/mail.msg

now added like rm -rf  /tmp/mail.msg

please let me know is it beause of this the continous email

It could be, but be so kind and paste the output of this command so I can be sure that the filter is working:

cat /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc

Sir, as required by you executed the command
cat /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc > logrpt.txt
and attached the logrpt.txt for your reference, please help


logrpt.txt

Sir ,sorry i did a mistake should have used /var/log/messages not the /var/log/vsftpd.log will for a while and get back

Sir , now iam getting the email log alert in the different format attached for your reference , please check and help me
varlogmessages.txt

hang on, I am testing it now, something is fishy

ok, I tested it on my system with the data from the file you pasted on comment id: 34155049 (the vfstpd.log). and it works fine.

can you show me your content of:
cat /usr/local/etc/logtool-ftpsuccess.inc

--- this is what I have on my test system:

what's in my incl file (which should be the your /usr/local/etc/logtool-ftpsuccess.inc):
ray@dev-01:~$ cat incl
OK LOGIN

Now what the logtool displays for your log and my ./incl file:
ray@dev-01:~$ cat test | logtool -o ascii -i ./incl
Nov 17 19:39:31 authserver vsftpd: Wed Nov 17 14:09:31 2010 [pid 14931] [bt_outsrc] OK LOGIN: Client "117.199.5.172"
Nov 17 19:40:21 authserver vsftpd: Wed Nov 17 14:10:21 2010 [pid 15039] [bt_outsrc] OK LOGIN: Client "117.200.114.85"
Nov 17 19:40:28 authserver vsftpd: Wed Nov 17 14:10:28 2010 [pid 15058] [vanishreeht] OK LOGIN: Client "117.192.169.146"
Nov 17 19:41:06 authserver vsftpd: Wed Nov 17 14:11:06 2010 [pid 15129] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:06 authserver vsftpd: Wed Nov 17 14:11:06 2010 [pid 15131] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:06 authserver vsftpd: Wed Nov 17 14:11:06 2010 [pid 15135] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:06 authserver vsftpd: Wed Nov 17 14:11:06 2010 [pid 15133] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:06 authserver vsftpd: Wed Nov 17 14:11:06 2010 [pid 15138] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:07 authserver vsftpd: Wed Nov 17 14:11:07 2010 [pid 15145] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:07 authserver vsftpd: Wed Nov 17 14:11:07 2010 [pid 15147] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:07 authserver vsftpd: Wed Nov 17 14:11:07 2010 [pid 15150] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:07 authserver vsftpd: Wed Nov 17 14:11:07 2010 [pid 15153] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:07 authserver vsftpd: Wed Nov 17 14:11:07 2010 [pid 15156] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:09 authserver vsftpd: Wed Nov 17 14:11:09 2010 [pid 15160] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:09 authserver vsftpd: Wed Nov 17 14:11:09 2010 [pid 15162] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:09 authserver vsftpd: Wed Nov 17 14:11:09 2010 [pid 15165] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:09 authserver vsftpd: Wed Nov 17 14:11:09 2010 [pid 15168] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:09 authserver vsftpd: Wed Nov 17 14:11:09 2010 [pid 15171] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:10 authserver vsftpd: Wed Nov 17 14:11:10 2010 [pid 15182] [vanishreeht] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:10 authserver vsftpd: Wed Nov 17 14:11:10 2010 [pid 15184] [vanishreeht] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:10 authserver vsftpd: Wed Nov 17 14:11:10 2010 [pid 15187] [vanishreeht] OK LOGIN: Client "192.168.1.3"
Nov 17 19:41:27 authserver vsftpd: Wed Nov 17 14:11:27 2010 [pid 15206] [bt_outsrc] OK LOGIN: Client "117.193.161.70"
Nov 17 19:41:34 authserver vsftpd: Wed Nov 17 14:11:34 2010 [pid 15220] [vanishreeht] OK LOGIN: Client "117.192.169.146"



this seems to be exactly what you are after, so something has to be wrong in your files.

best
Ray

Sir , as required posted below
 cat /usr/local/etc/logtail-ftpsuccess.inc
OK LOGIN:

ok, eliminate the ":" from this file, but I do not think this is the problem, but eliminate it anyway.

then try again this command as root:
cat /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc

what is the output?

If it is not working after eliminating the colon (":"), please paste:

cat -A /usr/local/etc/logtool-ftpsuccess.inc

and
ls -latrh /usr/local/etc/logtool-ftpsuccess.inc

best

Sir, also
cat /usr/local/sbin/logtool-ftpsuccess.sh

#!/bin/bash
rm -rf /tmp/mail.msg

# mail a report to x@x.com
retail /var/log/messages | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc > /tmp/mail.msg

if [ -s /tmp/mail.msg ] ; then
  cat /tmp/mail.msg | mail -s "Successfull FTP Login" indar@hotmail.com
fi
-----------------------------------
latest email alert is posted below for your reference:
Nov 17 22:40:01 authserver vsftpd: Wed Nov 17 17:10:01 2010 [pid 5943] [mellonbank] OK DOWNLOAD: Client "192.168.1.2", "/00033619_Caterpillar_20101117_1001353183_mail_4425.wav", 121405 bytes, 8025.97Kbyte/secNov 17 22:40:01 authserver vsftpd: Wed Nov 17 17:10:01 2010 [pid 5943] [mellonbank] OK DOWNLOAD: Client "192.168.1.2", "/00033620_Caterpillar_20101117_1001353186_mail_4425.wav", 180539 bytes, 10421.30Kbyte/secNov 17 22:40:03 authserver vsftpd: Wed Nov 17 17:10:03 2010 [pid 5943] [mellonbank] OK DOWNLOAD: Client "192.168.1.2", "/00033621_Caterpillar_20101117_1001353188_mail_4425.wav", 294116 bytes, 11014.83Kbyte/secNov 17 22:40:03 authserver vsftpd: Wed Nov 17 17:10:03 2010 [pid 16780] [bt_outsrc] OK DOWNLOAD: Client "192.168.1.15", "/Transcribed/November 2010/17/CBG/Dinil CBG 061 (50-100).doc", 25088 bytes, 7867.69Kbyte/secNov 17 22:40:04 authserver vsftpd: Wed Nov 17 17:10:04 2010 [pid 5943] [mellonbank] OK DOWNLOAD: Client "192.168.1.2", "/00033622_Hershey_20101117_1001353190_email_4425.wav", 209030 bytes, 10924.85Kbyte/secNov 17 22:40:05 authserver vsftpd: Wed Nov 17 17:10:05 2010 [pid 5943] [mellonbank] OK DOWNLOAD: Client "192.168.1.2", "/00033623_SouthernCompany_20101117_1001353177_mail_4425.wav", 26390 bytes, 8329.50Kbyte/secNov 17 22:40:07 authserver vsftpd: Wed Nov 17 17:10:07 2010 [pid 4597] [rupesh] OK DOWNLOAD: Client "115.242.70.213", "/Siddharth/November_2010/18/P1_C0264_U0008_D20101117100130_MPhone-20101117-100130.wav", 2233402 bytes, 12.02Kbyte/secNov 17 22:40:14 authserver vsftpd: Wed Nov 17 17:10:14 2010 [pid 5943] [mellonbank] OK DELETE: Client "192.168.1.2", "/00033623_SouthernCompany_20101117_1001353177_mail_4425.wav"Nov 17 22:40:14 authserver vsftpd: Wed Nov 17 17:10:14 2010 [pid 5943] [mellonbank] OK DELETE: Client "192.168.1.2", "/00033622_Hershey_20101117_1001353190_email_4425.wav"Nov 17 22:40:14 authserver vsftpd: Wed Nov 17 17:10:14 2010 [pid 5943] [mellonbank] OK DELETE: Client "192.168.1.2", "/00033621_Caterpillar_20101117_1001353188_mail_4425.wav"Nov 17 22:40:14 authserver vsftpd: Wed Nov 17 17:10:14 2010 [pid 5943] [mellonbank] OK DELETE: Client "192.168.1.2", "/00033620_Caterpillar_20101117_1001353186_mail_4425.wav"Nov 17 22:40:14 authserver vsftpd: Wed Nov 17 17:10:14 2010 [pid 5943] [mellonbank] OK DELETE: Client "192.168.1.2", "/00033619_Caterpillar_20101117_1001353183_mail_4425.wav"Nov 17 22:40:56 authserver smbd[26663]: [2010/11/17 22:40:56, 0] smbd/service.c:make_connection(1235) Nov 17 22:40:56 authserver smbd[26663]: computer54 (192.168.1.25) couldn't find service profiles Nov 17 22:40:56 authserver smbd[26663]: [2010/11/17 22:40:56, 0] smbd/service.c:make_connection(1235) Nov 17 22:40:56 authserver smbd[26663]: computer54 (192.168.1.25) couldn't find service profiles Nov 17 22:41:01 authserver vsftpd: Wed Nov 17 17:11:01 2010 [pid 6178] CONNECT: Client "69.20.57.27"

Sir , similar log even after eliminating ":"  also as required posted below

cat -A /usr/local/etc/logtool-ftpsuccess.inc
cat: /usr/local/etc/logtool-ftpsuccess.inc: No such file or directory

i think we are looking for

cat -A /usr/local/etc/logtail-ftpsuccess.inc
OK LOGIN$
$
$

and

ls -latrh /usr/local/etc/logtool-ftpsuccess.inc
ls: /usr/local/etc/logtool-ftpsuccess.inc: No such file or directory
i think we are looking for
ls -latrh /usr/local/etc/logtail-ftpsuccess.inc
-rw-r--r-- 1 root root 11 Nov 17 22:50 /usr/local/etc/logtail-ftpsuccess.inc

Ah, ok, than that seems to be the problem!

rename
/usr/local/etc/logtail-ftpsuccess.inc
to
/usr/local/etc/logtool-ftpsuccess.inc

(mv /usr/local/etc/logtail-ftpsuccess.inc /usr/local/etc/logtool-ftpsuccess.inc)


and try this again:
cat /var/log/vsftpd.log | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc

Sir, thanks for the reply, was really missing you,

did rename like
# mv /usr/local/etc/logtail-ftpsuccess.inc /usr/local/etc/logtool-ftpsuccess.inc and then executed the below below command :
# cat /var/log/messages | logtool -o ascii -i /usr/local/etc/logtool-ftpsuccess.inc # in my case it is /var/log/messages hence iam considering the /var/log/message.

sir not the output looks has the exact filter , posted below for your reference:
Nov 18 13:29:08 authserver vsftpd: Thu Nov 18 07:59:08 2010 [pid 23759] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:29:08 authserver vsftpd: Thu Nov 18 07:59:08 2010 [pid 23762] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:29:08 authserver vsftpd: Thu Nov 18 07:59:08 2010 [pid 23765] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:29:08 authserver vsftpd: Thu Nov 18 07:59:08 2010 [pid 23769] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:30:49 authserver vsftpd: Thu Nov 18 08:00:49 2010 [pid 24200] [sbs_mt] OK LOGIN: Client "218.248.84.84"
Nov 18 13:33:05 authserver vsftpd: Thu Nov 18 08:03:05 2010 [pid 24706] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:05 authserver vsftpd: Thu Nov 18 08:03:05 2010 [pid 24708] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:05 authserver vsftpd: Thu Nov 18 08:03:05 2010 [pid 24709] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:05 authserver vsftpd: Thu Nov 18 08:03:05 2010 [pid 24714] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:05 authserver vsftpd: Thu Nov 18 08:03:05 2010 [pid 24716] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:06 authserver vsftpd: Thu Nov 18 08:03:06 2010 [pid 24729] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:06 authserver vsftpd: Thu Nov 18 08:03:06 2010 [pid 24731] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:06 authserver vsftpd: Thu Nov 18 08:03:06 2010 [pid 24734] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:06 authserver vsftpd: Thu Nov 18 08:03:06 2010 [pid 24737] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:06 authserver vsftpd: Thu Nov 18 08:03:06 2010 [pid 24740] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:08 authserver vsftpd: Thu Nov 18 08:03:08 2010 [pid 24746] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:08 authserver vsftpd: Thu Nov 18 08:03:08 2010 [pid 24748] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:08 authserver vsftpd: Thu Nov 18 08:03:08 2010 [pid 24751] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:08 authserver vsftpd: Thu Nov 18 08:03:08 2010 [pid 24754] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:08 authserver vsftpd: Thu Nov 18 08:03:08 2010 [pid 24757] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:33:38 authserver vsftpd: Thu Nov 18 08:03:38 2010 [pid 24883] [opus2] OK LOGIN: Client "117.202.139.10"
Nov 18 13:33:53 authserver vsftpd: Thu Nov 18 08:03:53 2010 [pid 24932] [shubashree] OK LOGIN: Client "203.122.42.225"
Nov 18 13:35:06 authserver vsftpd: Thu Nov 18 08:05:06 2010 [pid 25231] [sbs_mt] OK LOGIN: Client "118.95.10.164"
Nov 18 13:36:05 authserver vsftpd: Thu Nov 18 08:06:05 2010 [pid 25436] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:05 authserver vsftpd: Thu Nov 18 08:06:05 2010 [pid 25438] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:05 authserver vsftpd: Thu Nov 18 08:06:05 2010 [pid 25442] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:05 authserver vsftpd: Thu Nov 18 08:06:05 2010 [pid 25441] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:06 authserver vsftpd: Thu Nov 18 08:06:06 2010 [pid 25452] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:06 authserver vsftpd: Thu Nov 18 08:06:06 2010 [pid 25454] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:06 authserver vsftpd: Thu Nov 18 08:06:06 2010 [pid 25457] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:06 authserver vsftpd: Thu Nov 18 08:06:06 2010 [pid 25461] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25480] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25483] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25485] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25491] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25494] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:08 authserver vsftpd: Thu Nov 18 08:06:08 2010 [pid 25500] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:36:09 authserver vsftpd: Thu Nov 18 08:06:09 2010 [pid 25507] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:05 authserver vsftpd: Thu Nov 18 08:09:05 2010 [pid 26122] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:05 authserver vsftpd: Thu Nov 18 08:09:05 2010 [pid 26124] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:05 authserver vsftpd: Thu Nov 18 08:09:05 2010 [pid 26128] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:05 authserver vsftpd: Thu Nov 18 08:09:05 2010 [pid 26126] [kalpanaa] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:05 authserver vsftpd: Thu Nov 18 08:09:05 2010 [pid 26131] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:06 authserver vsftpd: Thu Nov 18 08:09:06 2010 [pid 26140] [scriptacomahd] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:06 authserver vsftpd: Thu Nov 18 08:09:06 2010 [pid 26143] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:06 authserver vsftpd: Thu Nov 18 08:09:06 2010 [pid 26146] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:06 authserver vsftpd: Thu Nov 18 08:09:06 2010 [pid 26149] [scriptchennai] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:06 authserver vsftpd: Thu Nov 18 08:09:06 2010 [pid 26153] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:08 authserver vsftpd: Thu Nov 18 08:09:08 2010 [pid 26160] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:08 authserver vsftpd: Thu Nov 18 08:09:08 2010 [pid 26162] [shubashree] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:08 authserver vsftpd: Thu Nov 18 08:09:08 2010 [pid 26165] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:08 authserver vsftpd: Thu Nov 18 08:09:08 2010 [pid 26169] [sudha_s] OK LOGIN: Client "192.168.1.3"
Nov 18 13:39:08 authserver vsftpd: Thu Nov 18 08:09:08 2010 [pid 26171] [sudha_s] OK LOGIN: Client "192.168.1.3"







out put for your reference

ok, so this looks fine, now try again with the cron job, and it should send you an email every minute if there are OK LOGIN in the logs.

the retail should take care to only read from where it left of last time!

best
Ray

Yes sir , i have become you fan. iam really happy with the experts-exchange and special thanks for you , finally before closing how to setup the cron to send eamil alerts for every one hour i did like the below
@hourly /usr/local/sbin/logtool-ftpsuccess.sh

did not get any message for hourly. please do this one final help.

Sir

for hourly email alert i have done the following please correct me if iam wrong:
cp logtool-ftpsuccess.sh /etc/cron.hourly/

Sir, the output of  #cat /etc/crontab :
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

# this is for caching name server
*/10 * * * * root /usr/sbin/rndc dumpdb
# this is for sarg
01 00 * * * root /opt/safesquid/safesquid/scripts/sargscript.sh
# this is for webalizer
15 00 * * * root /usr/bin/webalizer
# this is for calamaris
#  this is not yet done
#30 00 * * * root /opt/safesquid/safesquid/scripts/calamaris.sh

Yes, that will be fine, /etc/cron.hourly is executed every hour with run-parts, so it will pickup the script.

just make sure it has execute permissions (should have them because of the chmod a+x).

Just wait a few hours and if the mails come in OK you'l be fine, if you need more help, just ask,

best

Ray

Sir, started getting mail hourly and also how i wanted in th same format , credit goes to none other than you, great support once again thank you very much. i would like to send a greeting and personal thanks if you do not mind can you please share your personal email account then one which you normally check on everday.

Thanks for expets exchange and thank you sir

You are very welcome! Glad i could help, you can reach me at rs@noplace.to

All the best,
Ray

great support