root login via WHM notification email did not generate
Posted: 13 Apr 2017, 10:35
Greetings,
Why don't I get a notification for root accessing WHM?
I have also confirmed via the exim mail log that there is no alert for WHM root access.
I have also contacted the cPanel support team just to confirm if they can detect the issue; they replied:
---
This is indeed very strange. I'm seeing that no login alerts are even trying to be sent now. However, LFD is sending other alerts to root which are being forwarded correctly now:
~~~~
[05:44:07 server root@8294723 ~]cPs# exigrep 1cmWzW-0007Cs-F2 /var/log/exim_mainlog
2017-03-11 05:42:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cmWzW-0007Cs-F2
2017-03-11 05:42:46 1cmWzW-0007Cs-F2 <= root@server U=root P=local S=762 T="lfd on server: Excessive resource usage: tab3live (27206 (Parent PID:38842))" for root
2017-03-11 05:42:46 1cmWzW-0007Cs-F2 => mhgoz.report@gmail.com <root@server> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.140.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1489200166 r3si15237797wra.194 - gsmtp"
2017-03-11 05:42:46 1cmWzW-0007Cs-F2 Completed
~~~~
Therefore we can conclude that LFD is able to send emails and that Exim is able to correctly forward emails addressed to root, which means that it's just an issue with LFD not detecting WHM logins for some reason.
The cPanel/WHM login alerts are controlled by the UI_ALERT setting in csf.conf. Yours is currently set to 4:
~~~~
[05:16:21 server root@8294723 ~]cPs# grep ^UI_ALERT /etc/csf/csf.conf
UI_ALERT = "4"
~~~~
4 is the most verbose setting that they offer:
~~~~
This controls what email alerts are sent with regards to logins to the UI. It
uses the uialert.txt template
4 = login success + login failure/ban/block + login attempts
3 = login success + login failure/ban/block
2 = login failure/ban/block
1 = login ban/block
0 = disabled
~~~~
Please note this is not something that we would be able to do for you, though.
---
Waiting for your kind support.
Best Regards.
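Added example, not part of the original post or the support reply: a small parser that generalizes the single-message `exigrep` check above by listing every LFD alert that reached Exim, its alert type, and whether it was delivered, failed or deferred. The sample log lines, message IDs and addresses are constructed; only the log layout and the "lfd on server:" subject prefix come from the post.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog layout shown above (not real log data).
SAMPLE_LOG = """\
2017-03-11 05:42:46 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aaaaa-000001-AA
2017-03-11 05:42:46 1aaaaa-000001-AA <= root@server U=root P=local S=762 T="lfd on server: Excessive resource usage: exampleuser (1234 (Parent PID:5678))" for root
2017-03-11 05:42:46 1aaaaa-000001-AA => admin@example.com <root@server> R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.10] C="250 2.0.0 OK"
2017-03-11 05:42:46 1aaaaa-000001-AA Completed
2017-03-11 06:10:02 1bbbbb-000002-BB <= root@server U=root P=local S=640 T="lfd on server: Excessive resource usage: otheruser (2222 (Parent PID:3333))" for root
2017-03-11 06:10:03 1bbbbb-000002-BB ** admin@example.com <root@server> R=lookuphost T=remote_smtp: SMTP error from remote mail server
2017-03-11 06:15:00 1ccccc-000003-CC <= user@example.org H=mail.example.org [198.51.100.7] P=esmtp S=1200 T="Hello" for someone@server
2017-03-11 06:15:01 1ccccc-000003-CC => someone <someone@server> R=localuser T=local_delivery
"""

LINE = re.compile(r"^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) (?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$")
SUBJECT = re.compile(r'T="((?:[^"\\]|\\.)*)"')
OUTCOME = {"=>": "delivered", "->": "delivered", "**": "failed", "==": "deferred"}

def lfd_alerts(log_text, prefix="lfd on "):
    """Map message ID -> subject and per-recipient outcome for mail whose subject starts with prefix."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # cwd=..., Completed and similar lines carry no arrival/delivery flag
        mid, flag, rest = m.group("id", "flag", "rest")
        if flag == "<=":
            s = SUBJECT.search(rest)  # on arrival lines T= holds the Subject header
            if s and s.group(1).startswith(prefix):
                msgs[mid] = {"subject": s.group(1), "delivered": [], "failed": [], "deferred": []}
        elif mid in msgs:
            # First token after the flag is the recipient address
            msgs[mid][OUTCOME[flag]].extend(rest.split()[:1])
    return msgs

def alert_types(msgs):
    """Count alerts by the text between 'lfd on <host>: ' and the next ': '."""
    return Counter(m["subject"].split(": ")[1] for m in msgs.values() if ": " in m["subject"])

if __name__ == "__main__":
    alerts = lfd_alerts(SAMPLE_LOG)
    for mid, a in alerts.items():
        print(mid, a["subject"], {k: a[k] for k in ("delivered", "failed", "deferred")})
    print(dict(alert_types(alerts)))
```

Run against the real `/var/log/exim_mainlog` contents, an alert type that never appears in the output was never handed to Exim at all, which separates a detection problem in LFD from a delivery problem in Exim.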