salt.beacons.wtmp

Beacon to fire events at login of users as registered in the wtmp file

New in version 2015.5.0.

Example Configuration

# Fire events on all logins
beacons:
  wtmp: []

# Matching on user name, using a default time range
beacons:
  wtmp:
    - users:
        gareth:
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

# Matching on user name, overriding the default time range
beacons:
  wtmp:
    - users:
        gareth:
            time_range:
                start: '7am'
                end: '3pm'
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

# Matching on group name, overriding the default time range
beacons:
  wtmp:
    - groups:
        users:
            time_range:
                start: '7am'
                end: '3pm'
    - defaults:
        time_range:
            start: '8am'
            end: '4pm'

How to Tell What An Event Means

In the events that this beacon fires, a type of 7 denotes a login, while a type of 8 denotes a logout. These values correspond to the ut_type value from a wtmp/utmp event (see the wtmp manpage for more information). In the extremely unlikely case that your platform uses different values, they can be overridden using a ut_type key in the beacon configuration:

beacons:
  wtmp:
    - ut_type:
        login: 9
        logout: 10

This beacon's events include an action key which will be either login or logout depending on the event type.

Changed in version 2019.2.0: action key added to beacon event, and ut_type config parameter added.

Use Case: Posting Login/Logout Events to Slack

This can be done using the following reactor SLS:

report-wtmp:
  runner.salt.cmd:
    - args:
      - fun: slack.post_message
      - channel: mychannel      # Slack channel
      - from_name: someuser     # Slack user
      - message: "{{ data.get('action', 'Unknown event') | capitalize }} from `{{ data.get('user', '') or 'unknown user' }}` on `{{ data['id'] }}`"

Match the event like so in the master config file:

reactor:

  - 'salt/beacon/*/wtmp/':
    - salt://reactor/wtmp.sls

Note

This approach uses the slack execution module directly on the master, and therefore requires that the master has a slack API key in its configuration:

slack:
  api_key: xoxb-XXXXXXXXXXXX-XXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXX

See the slack execution module documentation for more information. While you can use an individual user's API key to post to Slack, a bot user is likely better suited for this. The slack engine documentation has information on how to set up a bot user.

salt.beacons.wtmp.beacon(config)

Read the last wtmp file and return information on the logins

salt.beacons.wtmp.validate(config)

Validate the beacon configuration