HOWTO: Use security/logcheck to keep tabs on your system

junovitch@

Daemon
Developer

Reaction score: 617
Messages: 1,773

security/logcheck is a useful tool to help keep tabs on your system logs. Per the port's pkg-descr:
Logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.
Logcheck is fairly easy to initially set up but can take some time to trim down the list of what you consider "normal" to reduce the amount of noise produced. The purpose of this little guide will be to cover that initial setup, provide a few examples of configuration, and hopefully be a small stash of good examples from others.

  1. Install security/logcheck
    pkg install logcheck

  2. Monitoring /var/log/auth.log makes sense as a best practice, modify newsyslog.conf(5) to allow the logcheck group access to /var/log/auth.log and then fix permissions on the current file.
    Code:
    perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
    chown root:logcheck /var/log/auth.log
    chmod 640  /var/log/auth.log
  3. Finally, copy the default file for crontab(1) from the installed example and fix permissions.
    cp /usr/local/share/examples/logcheck/crontab.in /var/cron/tabs/logcheck
    chmod 600 /var/cron/tabs/logcheck

At this point, Logcheck is fully setup and will email you every hour.

  • Don't like the default interval? Change it.
    crontab -u logcheck -e

  • Don't like all the emails accumulating for the logcheck user? Add an entry to /etc/mail/aliases.
    Code:
    logcheck:  jason
  • Not enough noise? Enable logging to /var/log/all.log to get even more detail.
    Code:
    perl -pwi -e 'if (/all\.log/)  {s/#\*\.\*/\*\.\*/;}' /etc/syslog.conf
    perl -pwi -e 'if (/all\.log/)  {s/all\.log\t\t/all.log\troot:logcheck/;   s/600/640/; }' /etc/newsyslog.conf
    touch /var/log/auth.log
    chown root:logcheck /var/log/all.log
    chmod 640 /var/log/all.log
    service syslogd restart
    Now set Logcheck to check /var/log/all.log instead of /var/log/messages.
    Code:
    cat > /usr/local/etc/logcheck/logcheck.logfiles << 'EOF'
    /var/log/all.log
    /var/log/auth.log
    'EOF'
 
OP
OP
J

junovitch@

Daemon
Developer

Reaction score: 617
Messages: 1,773

Examples of pattern matches for ignoring services. This assumes monitoring all the details in /var/log/all.log.

Please feel free to post up any of yours.

For sysutils/smartmontools:
/usr/local/etc/logcheck/ignore.d.server/local-smartd
Code:
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], starting scheduled (Short|Long) Self-Test\.
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], self-test in progress, [0-9]+% remaining
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], previous self-test completed without error
For cron(8):
/usr/local/etc/logcheck/ignore.d.server/local-cron
Code:
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ crontab\[[0-9]+\]: \(root\) LIST \(root\)
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(operator\) CMD \(/usr/libexec/save-entropy\)
For sysutils/puppet:
/usr/local/etc/logcheck/ignore.d.server/local-puppet
Code:
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Compiled catalog for [._[:alnum:]-]+ in environment production
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Starting Puppet master version
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-agent\[[0-9]+\]: Finished catalog run
 
  • Thanks
Reactions: Oko
Top