```
From:
To: ,
Date: 11.04.2014 04:33
Subject: SECURITY information for server1

server1 : Apr 11 10:33:19 : test : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -
```
I assume you use rsyslog as your logging daemon. Save the following configuration snippet as /etc/rsyslog.d/60-sudo-mails.conf.
```
# Load the mail output module
module(load="ommail")

# Template for the "Subject:" line to dynamically set the affected hostname
template(name="mailSubject" type="string" string="SECURITY information for %hostname%")

# If messages go to facility "authpriv" and have severity "warning" (or worse)
# and the program's name is "sudo", then perform the given action:
if ( prifilt("authpriv.warning") and ($programname == "sudo") ) then {
    action(type="ommail"
           server="your_mail_server_here, e.g. mail.abc.com"
           port="25"
           mailfrom=""                # sender address for the alert mails
           mailto=""                  # recipient address for the alert mails
           body.enable="on"           # put the log message into the mail body
           subject.template="mailSubject")
}
```

Make sure you configure a mail server that allows sending emails without authentication. Usually this will be a mail server in your local network, but not GMail or something like that, because rsyslog's output module ommail can currently not be configured for authentication (username/password). You may also want to add the parameter

```
action.execOnlyOnceEveryInterval="600"
```

to the action so you get only one email every 10 minutes (the others are simply discarded). It depends on how often you expect such a message.
When done, restart rsyslog:

```
sudo systemctl restart rsyslog.service
```

Try it out by either issuing a prohibited sudo command or by running

```
logger -p authpriv.warning -t sudo "This should be sent as an email"
```

The above configuration will put the log message "as is" into the mail body. If you prefer some formatting or a different appearance, then you need to supply a template for the email's body.
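As an added example (not part of the question or of the answer above), the following Python script parses sudo lines in the layout quoted in the question and applies the same two decisions the rsyslog rule makes: alert only on failures, and deliver at most one mail per interval the way `action.execOnlyOnceEveryInterval` does. The sample lines are constructed; using a missing "reason" segment as the marker for a successful run is an assumption that stands in for the severity filter rsyslog applies.

```python
import re
from datetime import datetime
from typing import Optional

# Layout of the line quoted in the question:
# "<host> : <Mon dd HH:MM:SS> : <invoker> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# Successful runs carry no "<reason> ;" segment; failures do (proxy for authpriv.warning here).
LINE = re.compile(
    r"^(?P<host>\S+) : (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) : (?P<invoker>\S+) : "
    r"(?:(?P<reason>[^;]+) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the named fields of one sudo line, or None if it is not in that layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

class IntervalThrottle:
    """Same semantics as rsyslog's action.execOnlyOnceEveryInterval: the first event
    of an interval is delivered, later events inside that interval are discarded."""
    def __init__(self, interval_seconds: int):
        self.interval = interval_seconds
        self.last_sent: Optional[datetime] = None

    def allow(self, when: datetime) -> bool:
        if self.last_sent is None or (when - self.last_sent).total_seconds() >= self.interval:
            self.last_sent = when
            return True
        return False

def alerts_for(lines, interval: int = 600):
    """Return (subject, body) pairs that would be mailed: failures only, throttled."""
    throttle, mails = IntervalThrottle(interval), []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None or ev["reason"] is None:   # unparsable, or a successful sudo run
            continue
        # syslog timestamps carry no year; only the spacing between events matters here
        if throttle.allow(datetime.strptime(ev["ts"], "%b %d %H:%M:%S")):
            mails.append((f"SECURITY information for {ev['host']}", line))
    return mails

# Constructed sample lines (not taken from a real system)
SAMPLE_LINES = [
    "server1 : Apr 11 10:33:19 : test : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -",
    "server1 : Apr 11 10:35:02 : test : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/bash",
    "server1 : Apr 11 10:40:02 : alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "server1 : Apr 11 10:45:00 : test : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -",
]
```

Running `alerts_for(SAMPLE_LINES)` yields two mails: the second failure falls inside the 600-second window of the first and is dropped, and the successful run by alice never qualifies.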