Logcheck

Latest revision as of 10:34, 20 June 2016

logcheck is a program to scan system logs for interesting lines

Reference

http://wiki.yobi.be/wiki/Logcheck

Install

apt-get install logcheck logcheck-database

Configuration

We choose to run in paranoid mode and filter out the noisy reports with our own rules. Edit /etc/logcheck/logcheck.conf:

REPORTLEVEL="paranoid"
SENDMAILTO="root"
ADDTAG="yes"

This will send mail to root. Make sure that mails to root are forwarded to an external mailbox:

grep root: /etc/aliases
# root: m.ovh@immie.org

Also, since we use logrotate, we make sure that logcheck runs one minute before the logs are rotated. First find out when logrotate runs:

find /etc -name logrotate | grep cron
# /etc/cron.daily/logrotate
grep daily /etc/crontab
# 25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

So we edit /etc/cron.d/logcheck as follows, moving the hourly run from minute 2 to minute 24 so that it precedes the 6:25 cron.daily run:

 # /etc/cron.d/logcheck: crontab entries for the logcheck package
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
 
 @reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
 # Run logcheck 1 min before logrotate (run from cron.daily, see /etc/crontab)
-2 * * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+24 * * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
 
 # EOF
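Review bot: the 6:24 alignment only holds when the cron.daily line in /etc/crontab actually fires, and the line quoted above guards it with `test -x /usr/sbin/anacron ||`, so on a host with anacron installed logrotate is started by anacron at its own time and the comment "Run logcheck 1 min before logrotate" no longer describes what happens; either state that assumption in the comment or check that anacron is absent. Also, the changed line still runs every hour at minute 24, not only at 6:24, which keeps the original hourly cadence and is presumably intended.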

Custom filter rules

Add your filtering rules in /etc/logcheck/ignore.d.paranoid. Test your new rules with:

sudo -u logcheck logcheck -o -t
sudo -u logcheck logcheck -l /etc/logcheck/test.ignore.d.paranoid.log -o -t   # test.ignore.d.paranoid.log contains the sample log lines

We keep the test samples in /etc/logcheck/test.ignore.d.paranoid.log. The file is kept permanently so that we can check for regressions when adding new rules, and so that we have a complete list of the messages that are filtered out.

We prefix our local rules with local-, like local-ssh, local-systemd...

My current set of rules:

local-postfix
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp(s)?|25|submission|587):([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
local-ssh
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (disconnected by user|Closed due to user request\.)$
#Don't report known keys
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for (sshproxy) from [.[:digit:]]+ port [[:digit:]]+ ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for (immie) from [.[:digit:]]+ port [[:digit:]]+ ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b$
local-systemd
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Reached target|Stopping|Stopped target) (Paths|Timers|Sockets|Basic System|Default|Shutdown|Exit the Session\.\.)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN+24 from PID [[:digit:]]+ (kill)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user (sshproxy)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user (sshproxy) by \(uid=0\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session closed for user (sshproxy)$
# To disable later:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user (immie)\.$
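A regression check in the spirit of the test procedure above (running the rules against the kept sample log), written as an added example that is not part of this wiki page or of the logcheck package: it copies two rules from the local-systemd set listed above into a temporary rule file and applies the same grep -E -v -f filtering step that logcheck uses, so that a sample line which should be noise but survives the rules is caught. The file paths, the host name and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): a regression check that applies
# the same "grep -E -v -f <rules>" step logcheck uses to a kept sample log.
# Every line that survives is what logcheck would report; lines we know
# are noise must therefore not appear. Paths and log lines are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/local-systemd"   # stand-in for /etc/logcheck/ignore.d.paranoid/local-systemd
SAMPLE="$WORK/test.log"       # stand-in for /etc/logcheck/test.ignore.d.paranoid.log

# Two rules copied from the local-systemd set listed on this page.
cat > "$RULES" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+.$
EOF

# Constructed sample: the first two lines are known noise and must be
# filtered; the third is a password login that must still be reported
# (only public-key logins with the known key are ignored by local-ssh).
cat > "$SAMPLE" <<'EOF'
Jun 20 10:34:01 host systemd[1234]: Startup finished in 42ms.
Jun 20 10:34:02 host systemd-logind[567]: Removed session 8.
Jun 20 10:34:03 host sshd[890]: Accepted password for immie from 203.0.113.5 port 4242 ssh2
EOF

# Lines of $2 not matched by any rule in $1, i.e. what logcheck would mail.
unfiltered() {
    grep -E -v -f "$1" "$2" || true
}

# Succeeds when exactly $3 lines survive the rules; run it after every
# rule change so a rule that stops matching its sample is caught.
regression_ok() {
    [ "$(unfiltered "$1" "$2" | wc -l | tr -d ' ')" -eq "$3" ]
}

unfiltered "$RULES" "$SAMPLE"
regression_ok "$RULES" "$SAMPLE" 1 && echo "regression check passed"
```

To use it for real, point RULES at a directory of rule files (concatenate them first) and SAMPLE at the kept test log, and expect zero surviving lines.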