I am looking for a tool that monitors my system and informs me when a user logs in... someone attempts to login, etc. I know I can create a cron job to check "who" or "w" every so often but I was wondering if anyone was aware of a more proactive approach and/or tool.

asked 10 Jun '10, 15:10

Andy's gravatar image

accept rate: 14%

Also discovered: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

(10 Jun '10, 20:50) Andy

Depending on what kind of notification you're looking for, whowatch should accomplish what you'd like:

Whowatch is an console, interactive users and process monitoring tool. It displays information about the users currently logged on to the machine, in real-time. Besides standard informations (login name, tty, host, user's process), the type of the connection (ie. telnet or ssh) is shown.



answered 10 Jun '10, 15:17

jeremy's gravatar image

jeremy ♦♦
accept rate: 37%

Jeremy, this is an excellent tool! Thanks for sharing this! - Andy

(10 Jun '10, 15:26) Andy

does this tool provide any notification facility other than staring at the screen?

(11 Jun '10, 09:08) pmarini

It does not provide any notification facility. If that's a requirement, I'd recommend something like logwatch.

(11 Jun '10, 13:13) jeremy ♦♦

You can put the following script into .bashrc of the user you intend to monitor. It alerts via email only on a successful attempt. This is especially useful for the root account.

echo 'ALERT - Shell Access on:' date who | mail -s "Alert: Access from who | cut -d"(" -f2 | cut -d")" -f1" admin@domain

Replace admin@domain with the email address of user who is to receive the update.

Alternatively, you can use logwatch which parses through your system's logs and creates a report analyzing areas that you specify.


answered 11 Jun '10, 01:35

Ricky%20Wee's gravatar image

Ricky Wee
accept rate: 0%


Description: The GNU Accounting utilities for process and login accounting GNU Accounting Utilities is a set of utilities which reports and summarizes data about user connect times and process execution statistics.

"Login accounting" provides summaries of system resource usage based on connect time, and "process accounting" provides summaries based on the commands executed on the system.

The 'last' command is provided by the sysvinit package and not included here. Homepage: http://www.gnu.org/software/acct/


answered 12 Aug '10, 01:46

craigevil's gravatar image

accept rate: 6%

You can have a script tail the secure log file, and take action based on that info.

Not sure how proactive you're looking for.


answered 10 Jun '10, 20:43

rfelsburg's gravatar image

rfelsburg ♦
accept rate: 25%

you might want to check-out a proper auditing system, like Linux Audit & IDS (http://people.redhat.com/sgrubb/audit/), these kind of solutions might take a little more to configure but they are definitely the most complete and precise ones. the above link refers to the Fedora contributed package, but I've read that it's based on features found in Kernel 2.6 anyway


answered 11 Jun '10, 09:06

pmarini's gravatar image

accept rate: 28%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 10 Jun '10, 15:10

Seen: 3,538 times

Last updated: 12 Aug '10, 01:46

powered by OSQA