I have the following logs from my Linux /var/log/secure
15/03/2016 10:30:20 server1 session opened for user root by joe
...
15/03/2016 10:40:20 server1 session closed for user root
...
15/03/2016 10:50:25 server1 session opened for user root by dany
If we don't see any 'session closed for user root' for more than 30 mins, we want to alert the operations team. As 'session closed for user root' doesn't have 'joe' or 'dany', using eventstats ..... by 'user' doesn't count the closed session.
I want to be able to find out the no. of open and closed sessions and alert, providing _time, host name, and the user whose session is open for more than 30 mins without any actions/activities on the server.
Any thoughts/suggestions please.
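The following is an added worked example, not code from the question or from Splunk. It shows the pairing logic the question is after, run over a few constructed log lines in the same format as the ones above: each 'session closed for user root' line is matched to the oldest still-open root session on the same host (that pairing is an assumption, since the closed line does not name who opened the session), and any root session with no matching close that has been open for more than 30 minutes at the reference time is reported with its timestamp, host and opening user. It does not attempt the "without any actions/activities" part, because /var/log/secure only records the open and close, not what happens in between.

```python
"""Pair 'session opened'/'session closed' lines from /var/log/secure and flag
root sessions that have been open too long.

Added example (not from the original question). Assumptions:
  * lines look like the ones in the question: DD/MM/YYYY HH:MM:SS host message
  * a 'session closed for user X' line belongs to the OLDEST still-open session
    for the same host and same target user (the closed line does not say who
    opened it, so first-in first-out pairing is an assumption)
  * "more than 30 mins" is strict: exactly 30 minutes does not alert
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"session (?P<action>opened|closed) for user (?P<target>\S+)"
    r"(?: by (?P<by>\S+))?$"
)
TS_FMT = "%d/%m/%Y %H:%M:%S"

# Constructed sample log, in the format shown in the question.
SAMPLE_LOG = """\
15/03/2016 10:30:20 server1 session opened for user root by joe
15/03/2016 10:40:20 server1 session closed for user root
15/03/2016 10:50:25 server1 session opened for user root by dany
15/03/2016 10:56:00 server2 session opened for user root by joe
15/03/2016 10:58:00 server2 session opened for user bob by bob
""".splitlines()


def parse_ts(text):
    """Parse the DD/MM/YYYY HH:MM:SS timestamp used in these log lines."""
    return datetime.strptime(text, TS_FMT)


def parse_line(line):
    """Return a dict (ts, host, action, target, by) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = parse_ts(ev["ts"])
    return ev


def pair_sessions(lines, target="root"):
    """Pair opened/closed lines for `target`.

    Returns (closed, still_open, counts):
      closed     - list of {host, user, opened, closed}
      still_open - list of {host, user, opened} with no matching close
      counts     - {'opened': n, 'closed': n, 'unmatched_close': n}
    """
    events = [ev for ev in map(parse_line, lines) if ev and ev["target"] == target]
    events.sort(key=lambda ev: ev["ts"])          # tolerate out-of-order lines
    open_by_host = defaultdict(deque)             # host -> FIFO of open sessions
    closed = []
    counts = {"opened": 0, "closed": 0, "unmatched_close": 0}
    for ev in events:
        if ev["action"] == "opened":
            counts["opened"] += 1
            open_by_host[ev["host"]].append(
                {"host": ev["host"], "user": ev["by"], "opened": ev["ts"]})
        else:
            counts["closed"] += 1
            queue = open_by_host[ev["host"]]
            if not queue:                         # close with no known open
                counts["unmatched_close"] += 1
                continue
            session = queue.popleft()             # oldest open session on this host
            closed.append({**session, "closed": ev["ts"]})
    still_open = [s for queue in open_by_host.values() for s in queue]
    return closed, still_open, counts


def long_open_sessions(lines, now, max_age=timedelta(minutes=30), target="root"):
    """Sessions for `target` with no matching close, open longer than max_age at `now`."""
    _, still_open, _ = pair_sessions(lines, target)
    return [{**s, "open_for": now - s["opened"]}
            for s in still_open if now - s["opened"] > max_age]


if __name__ == "__main__":
    now = parse_ts("15/03/2016 11:25:00")          # reference time for the check
    _, _, counts = pair_sessions(SAMPLE_LOG)
    print("root sessions:", counts)
    for alert in long_open_sessions(SAMPLE_LOG, now):
        print(f"ALERT {alert['opened']:%d/%m/%Y %H:%M:%S} {alert['host']} "
              f"user={alert['user']} open for {alert['open_for']}")
```

Run against the sample, joe's session on server1 is paired with the 10:40:20 close, dany's session on server1 (open 34m35s at the reference time) is alerted, and joe's session on server2 (open 29 minutes) is not. In Splunk the same host-scoped pairing is what `transaction host startswith="session opened for user root" endswith="session closed for user root"` does; transactions that never see their endswith line are the ones to alert on (this SPL is an assumption about how you would translate the logic, not something from the question).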