Answer 1

I assume you are using rsyslog as your log daemon. Save the following configuration snippet as /etc/rsyslog.d/60-sudo-mails.conf.
```rsyslog
# Load Mail output module
module(load="ommail")

# Template for the "Subject:" line to dynamically set the affected hostname
template(
    name = "mailSubject"
    type = "string"
    string = "SECURITY information for %hostname%"
)

# If messages go to facility "authpriv" and have severity "warning" (or worse)
# and the program's name is "sudo", then perform the given action:
if ( prifilt("authpriv.warning") and ($programname == "sudo") ) then {
    action(
        type = "ommail"
        server = "your_mail_server_here, e.g. mail.abc.com"
        port = "25"
        mailfrom = "[email protected]"
        mailto = "[email protected]"
        body.enable = "on"
        subject.template = "mailSubject"
    )
}
```
Make sure the mail server is configured to accept email without authentication. Usually this will be a mail server on your local network, but not GMail or something similar, because rsyslog's output module `ommail` currently cannot be configured with authentication (username/password). You may also want to add the parameter `action.execOnlyOnceEveryInterval = "600"` to the action, so that you only get one email every 10 minutes (the others are discarded). That depends on how often you expect such messages.

Once done, restart rsyslog:

```
sudo systemctl restart rsyslog.service
```

Try it by issuing a forbidden `sudo` command, or by running

```
logger -p authpriv.warning -t sudo "This should be sent as an email"
```

The configuration above puts the log message "as is" into the mail body. If you prefer some formatting or a different look, you need to provide a template for the email body.
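As an added example (not part of the original answer), here is the same action with a body template and the rate-limit parameter mentioned above. It assumes the `module(load="ommail")` line and the `mailSubject` template from the snippet above are already present; the template name `mailBody`, its field layout and the mail server name are my own choices.

```rsyslog
# Added example: formatted mail body for the sudo alert action.
# Assumes ommail is loaded and "mailSubject" is defined as in the snippet above.
# The template name "mailBody" and its layout are assumptions, not rsyslog defaults.
template(
    name="mailBody"
    type="string"
    string="Host:     %hostname%\nTime:     %timereported:::date-rfc3339%\nProgram:  %programname%\nSeverity: %syslogseverity-text%\nMessage:  %msg%\n"
)

# Same filter as the original answer: authpriv.warning or worse, tagged "sudo"
if ( prifilt("authpriv.warning") and ($programname == "sudo") ) then {
    action(
        type="ommail"
        # placeholder relay that accepts unauthenticated SMTP on your LAN
        server="mail.example.com"
        port="25"
        mailfrom="rsyslog@example.com"
        mailto="security@example.com"
        subject.template="mailSubject"
        body.enable="on"
        # body is rendered from the template above instead of the raw message
        template="mailBody"
        # at most one mail per 600 s; further matches in that window are dropped
        action.execOnlyOnceEveryInterval="600"
    )
}
```

After restarting rsyslog, the `logger` test command from the answer should arrive with the five labelled lines in the body rather than the bare message.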