Logcheck
Jump to navigation
Jump to search
logcheck is a program to scan system logs for interesting lines
Reference
Install
apt-get install logcheck logcheck-database
Configuration
We choose to run in mode paranoid, and filter out noisy reports. Edit /etc/logcheck/logcheck.conf:
REPORTLEVEL="paranoid"
SENDMAILTO="root"
ADDTAG="yes"
This will send mail to root. Make sure that mails to root are forwarded to an external mailbox:
grep root: /etc/aliases
# root: m.ovh@immie.org
Also, since we use logrotate, we make sure that logcheck runs one minute before:
find /etc -name logrotate | grep cron
# /etc/cron.daily/logrotate
grep daily /etc/crontab
# 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
So we edit /etc/cron.d/logcheck as follows:
# /etc/cron.d/logcheck: crontab entries for the logcheck package
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
@reboot logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
# Run logcheck 1 min before logrotate (run from cron.daily, see /etc/crontab)
-2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
+24 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
# EOF
Custom filter rules
Add your filtering rules in /etc/logcheck/ignore.d.paranoid. Test your new rules with:
sudo -u logcheck logcheck -o -t
sudo -u logcheck logcheck -l /etc/logcheck/test.ignore.d.paranoid.log -o -t # /etc/logcheck/test.ignore.d.paranoid.log contains sample log file
We keep the test samples in /etc/logcheck/test.ignore.d.paranoid.log, that is kept persistently so that we can avoid regression when adding new rules, and we have a complete list of messages that are filtered out.
We prefix our local rules with local-, like local-ssh, local-systemd...
My current set of rules:
- local-postfix
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max (message|recipient|connection) (count|rate) [/[:digit:]s]+ for \(([.:[:xdigit:]]+)?(smtp(s)?|25|submission|587):([.:[:xdigit:]]+|unknown)\) at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max cache size [[:digit:]]+ at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
- local-ssh
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from ([:[:xdigit:].]+|UNKNOWN)+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:.[:xdigit:]]+: 11: (disconnected by user|Closed due to user request\.)$
#Don't report known keys
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for (sshproxy) from [.[:digit:]]+ port [[:digit:]]+ ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for (immie) from [.[:digit:]]+ port [[:digit:]]+ ssh2: RSA ed:81:b9:c5:5b:43:b5:0b:f2:00:6d:c0:b3:08:4e:8b$
- local-systemd
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Reached target|Stopping|Stopped target) (Paths|Timers|Sockets|Basic System|Default|Shutdown|Exit the Session\.\.)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Startup finished in [[:digit:]]+ms\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Received SIGRTMIN+24 from PID [[:digit:]]+ (kill)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user (sshproxy)\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session opened for user (sshproxy) by \(uid=0\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd: pam_unix\(systemd-user:session\): session closed for user (sshproxy)$
# To disable later:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user (immie)\.$