Log Monitoring Daemon - agentsmith



agentsmith is a daemon that continuously monitors a log file for
break-in attempts by remote hosts.


Upon detection of a break-in attempt, it launches a user-defined script or application, which can do virtually anything from sending mails to whatever you might think of, e.g. monitor

- mail logs and block spammers right away
- firewall logs and block malicious hosts
- logs for brute-force login attempts using ssh and block them

The criteria for what is considered a break-in attempt are configured by means of a regular expression.
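To make the regex-driven detection concrete, here is an added example (not agentsmith's own code) that applies a pattern with a named host group to a few constructed sshd log lines and reports the hosts for which a user-defined action would be launched. It uses Python's re module in place of PCRE, and the three-failure threshold and the "block" action are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not taken from the page).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 host sshd[2205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:02:02 host sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:40 host sshd[2212]: Failed password for bob from 198.51.100.4 port 40030 ssh2
"""

# Hypothetical break-in pattern: an sshd password failure, with the remote
# address captured in a named group so the action can be handed the host.
SSH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def scan(lines, pattern=SSH_FAILED, threshold=3):
    """Count pattern matches per remote host.

    Returns (counts per host, hosts that reached the threshold in order),
    the latter being the point where a user-defined script would be run.
    """
    counts = defaultdict(int)
    triggered = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # lines that do not match the criteria are ignored
        host = m.group("host")
        counts[host] += 1
        if counts[host] == threshold:
            triggered.append(host)
    return dict(counts), triggered


def action(host):
    """Stand-in for the user-defined script; here it only builds the command."""
    return f"block {host}"


if __name__ == "__main__":
    counts, hosts = scan(SAMPLE_LOG.splitlines())
    for h in hosts:
        print(action(h))
```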


As of version 0.2, agentsmith is able to exchange host information with other agentsmith instances running on remote hosts and thus trigger actions on remote hosts. It uses OpenSSL to accomplish this in a secure manner. It runs on Solaris, *BSD, and Linux and requires the PCRE library and OpenSSL as external dependencies.


Log Monitoring Daemon: agentsmith Installation


The build and installation is straightforward. First, call

$ ./configure
$ make
$ make install

By default, the pid file used by the daemon will live in $LOCALSTATEDIR/agentsmith/agentsmith.pid

The default location of the configuration file is $SYSCONFDIR/agentsmith/agentsmith.conf

Those locations can be changed by specifying --localstatedir=, --sysconfdir=, --with-pid=, or --with-config= when calling configure.


If the PCRE or OpenSSL library cannot be found, make sure you set the proper CPPFLAGS and LDFLAGS environment variables before calling configure, e.g.

$ export CPPFLAGS='-I/usr/local/include'
$ export LDFLAGS='-L/usr/local/lib'

Further, ensure that the development packages for PCRE and OpenSSL are installed; this is especially important if you build agentsmith on a Linux distribution.