I got a task to figure out how we can integrate Zabbix with monitoring of OpenVPN connections that were initiated and then failed because of wrong credentials (a brute-force attack or just a regular user mistyping their password).

Before we look into the script, I have to point out that I redirected all OpenVPN-related messages coming from systemd-journal via rsyslog into a separate log file. That is done by appending the line below to /etc/rsyslog.conf:

:msg, contains, "openvpn" /var/log/openvpn.log

So I wrote a bash script with some logic that performs this check on every run; the code is right below, and I will explain the logic in the rest of this blog post.

#!/bin/bash
FILE="/var/log/openvpn.log"
DIR="/etc/zabbix/openvpn_monitor"
DUMP="$DIR/openvpn_dump.txt"
START="$DIR/openvpn_start.txt"
END="$DIR/openvpn_end.txt"
OUTPUT="$DIR/openvpn_fails.txt"

# Number of lines currently in the log; this run reads up to and including that line
NUMBEROFLINES=$(wc -l < "$FILE")
# Line to start from, saved by the previous run (put 1 in the file before the first run)
FINDSTART=$(cat "$START")
echo "$NUMBEROFLINES" > "$END"
FINDEND=$(cat "$END")
# If the log was rotated it has fewer lines than last time; start over from the top
if [ "$FINDSTART" -gt $((FINDEND + 1)) ]; then FINDSTART=1; fi
# Cut out only the lines added since the previous run
sed -n "${FINDSTART},${FINDEND}p" "$FILE" > "$DUMP"
# The next run starts on the line after the last one read now, so no line is counted twice
echo $((FINDEND + 1)) > "$START"
# Keep the date, the time and the trailing user= field of every PAM authentication failure
grep -i 'authentication failure' "$DUMP" | grep 'pam_unix(openvpn:auth)' | awk '{print $1" "$2" "$3" "$NF}' > "$OUTPUT"
TOPRINT=$(cat "$OUTPUT")
if [ -z "$TOPRINT" ]; then
        echo GOOD
else
        echo "$TOPRINT"
fi

The script counts the lines that currently exist in the log file. I have to point out that you should insert the number 1 into openvpn_start.txt before you run the script for the first time. After counting the lines, it sets the start and end points between which the sed utility reads the file, and greps that slice for the specific events.

The position right after the ending line is saved as the starting point for the next run, so there is no overlap whatsoever. If it does not find any failed events, it prints the statement GOOD; this is done for the purpose of integrating it with Zabbix.
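To show the same idea in a form you can run offline, here is an added example (my own illustration, not the script from this post): the "read only what is new" logic is wrapped in a function that keeps its position in a state file, treats a shrinking log as a rotation and restarts from line 1, and the grep/awk selection is extended with a per-source summary so that Zabbix can alert on a count per rhost= rather than on raw text. The sample log lines are constructed in the rsyslog/pam_unix format the post's pipeline expects; the function names, the state-file layout and the paths are all assumptions of this example.

```shell
#!/bin/bash
# Added example, not the original script: incremental log reading with a
# rotation check, plus a per-source summary of pam_unix(openvpn:auth) failures.
# Paths are parameters so it can be pointed at any log and state file.

# Print the lines added to log $1 since the last call. The state file $2 holds
# the next line to read (assumed 1 when the file does not exist yet).
read_new_lines() {
    log=$1; state=$2
    total=$(wc -l < "$log" | tr -d ' ')
    start=$(cat "$state" 2>/dev/null || echo 1)
    # Fewer lines than expected means the log was rotated or truncated:
    # restart from the top instead of silently reading nothing.
    # (A rotation that leaves the line count equal or larger is not detected.)
    if [ "$start" -gt $((total + 1)) ]; then start=1; fi
    if [ "$start" -le "$total" ]; then
        sed -n "${start},${total}p" "$log"
    fi
    # The next run begins on the line after the last one read now.
    echo $((total + 1)) > "$state"
}

# Same selection as the post's pipeline: date, time and the trailing user= field.
extract_fails() {
    grep -i 'authentication failure' | grep 'pam_unix(openvpn:auth)' \
        | awk '{print $1" "$2" "$3" "$NF}' || true
}

# Count failures per rhost= source, highest first, one "rhost=<ip> <count>" per line.
count_by_rhost() {
    grep 'pam_unix(openvpn:auth)' | grep -o 'rhost=[^ ]*' \
        | sort | uniq -c | sort -rn | awk '{print $2" "$1}' || true
}

# Zabbix-style item value: GOOD when nothing matched, otherwise the findings.
report() {
    out=$(extract_fails)
    if [ -z "$out" ]; then echo GOOD; else printf '%s\n' "$out"; fi
}

# Constructed sample lines (invented hosts and users) in the rsyslog format.
SAMPLE_LOG='Mar  3 10:01:12 vpn1 openvpn[1234]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7  user=alice
Mar  3 10:01:20 vpn1 openvpn[1234]: 203.0.113.9:51022 TLS: Initial packet from [AF_INET]203.0.113.9:51022
Mar  3 10:01:25 vpn1 openvpn[1234]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7  user=bob
Mar  3 10:01:31 vpn1 openvpn[1234]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.4  user=alice
Mar  3 10:02:02 vpn1 sshd[999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.4  user=root'

# Demo: first pass reports the three OpenVPN failures, second pass finds nothing new.
main_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/openvpn.log"
    read_new_lines "$tmp/openvpn.log" "$tmp/start.txt" | report
    printf '%s\n' "$SAMPLE_LOG" | count_by_rhost
    read_new_lines "$tmp/openvpn.log" "$tmp/start.txt" | report
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then main_demo; fi
```

Run it as `bash example.sh demo`. Note that the sshd line is dropped by the `pam_unix(openvpn:auth)` filter, exactly as in the post's pipeline, so only OpenVPN failures reach Zabbix; the per-rhost count is what you would feed into a trigger threshold to tell a brute-force attempt from a single mistyped password.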