HOWTO: Use security/logcheck to keep tabs on your system

junovitch@

Developer
security/logcheck is a useful tool to help keep tabs on your system logs. Per the port's pkg-descr:
Logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.

Logcheck is fairly easy to set up initially, but it can take some time to trim the list of what you consider "normal" so that the noise comes down. This little guide covers that initial setup, gives a few configuration examples, and will hopefully grow into a small stash of good examples from others.

  1. Install security/logcheck
    pkg install logcheck

  2. Monitoring /var/log/auth.log is a sensible default. The file is created mode 600 and owned by root, while logcheck runs as the unprivileged logcheck user, so edit newsyslog.conf(5) to give the logcheck group read access on every rotation, then fix the owner and mode on the current file. The substitution below assumes the stock file's tab layout, so check the resulting auth.log line afterwards.
    perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
    chown root:logcheck /var/log/auth.log
    chmod 640 /var/log/auth.log
  3. Finally, copy the default file for crontab(1) from the installed example and fix permissions.
    cp /usr/local/share/examples/logcheck/crontab.in /var/cron/tabs/logcheck
    chmod 600 /var/cron/tabs/logcheck

At this point Logcheck is fully set up and will email you every hour.

  • Don't like the default interval? Change it.
    crontab -u logcheck -e

  • Don't like all the emails accumulating for the logcheck user? Add an entry to /etc/mail/aliases and run newaliases(1) so it takes effect.
    logcheck:  jason
  • Not enough noise? Enable logging to /var/log/all.log to get even more detail. Note that syslog.conf(5) itself warns the file must exist before syslogd will write to it, hence the touch.
    perl -pwi -e 'if (/all\.log/) {s/#\*\.\*/\*\.\*/;}' /etc/syslog.conf
    perl -pwi -e 'if (/all\.log/) {s/all\.log\t\t/all.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
    touch /var/log/all.log
    chown root:logcheck /var/log/all.log
    chmod 640 /var/log/all.log
    service syslogd restart

    Now set Logcheck to check /var/log/all.log instead of /var/log/messages. The here-document terminator must be a bare EOF on its own line, otherwise the shell never sees the end of the input.
    cat > /usr/local/etc/logcheck/logcheck.logfiles << 'EOF'
    /var/log/all.log
    /var/log/auth.log
    EOF
 
Examples of patterns for ignoring routine messages from specific services. They assume you are watching /var/log/all.log as above, and that your log lines carry the <facility.level> tag seen in the patterns (for example <daemon.info>), which syslogd(8) writes in front of each message when started with -vv (see syslogd_flags in rc.conf(5)); without that tag none of these patterns will match. Each file under /usr/local/etc/logcheck/ignore.d.server/ is a list of extended regular expressions, one per line, and a log line that matches any of them is dropped from the report, so keep patterns as specific as the message allows.

Please feel free to post any of yours.

For sysutils/smartmontools:
/usr/local/etc/logcheck/ignore.d.server/local-smartd
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], starting scheduled (Short|Long) Self-Test\.
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], self-test in progress, [0-9]+% remaining
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], previous self-test completed without error

For cron(8). Note that the first pattern stops at "CMD", so it silences every root cron job whatever the command; if you would rather be told about a root job you did not schedule, spell out the expected commands the way the third line does for operator.
/usr/local/etc/logcheck/ignore.d.server/local-cron
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ crontab\[[0-9]+\]: \(root\) LIST \(root\)
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(operator\) CMD \(/usr/libexec/save-entropy\)

For sysutils/puppet:
/usr/local/etc/logcheck/ignore.d.server/local-puppet
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Compiled catalog for [._[:alnum:]-]+ in environment production
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Starting Puppet master version
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-agent\[[0-9]+\]: Finished catalog run
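To see what a set of ignore patterns actually silences before dropping them into ignore.d.server, the following added example (written for this page, not code from the post or from the logcheck port) replays logcheck's ignore step over a few constructed log lines. Leaving aside the cracking.d and violations.d stages that run first, logcheck reports every line that no pattern in the ignore files matches, which is exactly what grep -E -v -f does. The sample lines, the host name host1, the PIDs, the helper names reported_lines, reported_count and would_silence, and the tightened TIGHT_CRON rule are all assumptions for the example. It shows two things: the cron "(root) CMD" pattern from local-cron hides a root job run from an unexpected path just as readily as atrun, and a line without the <facility.level> tag is not matched by any of these patterns.

```shell
#!/bin/sh
# Added example (not from the original post or the logcheck port): replay
# logcheck's ignore step over constructed log lines. logcheck reports every
# line that no pattern in the ignore.d files matches, which is what
# `grep -E -v -f PATTERNFILE` does. Needs a grep whose -E accepts \w and
# [:alnum:] (GNU grep and FreeBSD grep both do).

# Constructed sample lines; host name "host1" and the PIDs are invented.
# The first five carry the <facility.level> tag the patterns expect, the
# last one is the same smartd message without it (syslogd without -vv).
SAMPLE_LOG='Mar  3 04:02:00 <cron.info> host1 /usr/sbin/cron[812]: (root) CMD (/usr/libexec/atrun)
Mar  3 04:02:00 <cron.info> host1 /usr/sbin/cron[813]: (root) CMD (/tmp/.x/run.sh)
Mar  3 04:11:00 <cron.info> host1 /usr/sbin/cron[814]: (operator) CMD (/usr/libexec/save-entropy)
Mar  3 04:30:00 <daemon.info> host1 smartd[501]: Device: /dev/ada0, starting scheduled Short Self-Test.
Mar  3 04:31:12 <auth.info> host1 sshd[920]: Accepted publickey for jason from 192.0.2.10 port 50122 ssh2
Mar  3 04:30:00 host1 smartd[501]: Device: /dev/ada0, starting scheduled Short Self-Test.'

# Patterns copied from the post's local-cron and local-smartd files.
BROAD_CRON='^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD'
OPERATOR_CRON='^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(operator\) CMD \(/usr/libexec/save-entropy\)'
SMARTD='^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], starting scheduled (Short|Long) Self-Test\.'
# Tightened replacement for BROAD_CRON (an assumption for this example):
# name each root job you expect and anchor the pattern to the line end.
TIGHT_CRON='^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD \(/usr/libexec/atrun\)$'

# Write the two candidate ignore files, one pattern per line as logcheck expects.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf '%s\n' "$BROAD_CRON" "$OPERATOR_CRON" "$SMARTD" > "$TMPD/broad"
printf '%s\n' "$TIGHT_CRON" "$OPERATOR_CRON" "$SMARTD" > "$TMPD/tight"

# reported_lines PATTERNFILE: print the SAMPLE_LOG lines logcheck would put
# in the e-mail, i.e. the ones matched by no pattern in PATTERNFILE.
reported_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$1"
}

# reported_count PATTERNFILE: how many lines would reach the e-mail.
reported_count() {
    reported_lines "$1" | wc -l | tr -d ' '
}

# would_silence PATTERNFILE LINE: exit 0 if LINE matches some pattern and
# would therefore be dropped from the report.
would_silence() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

echo "== reported with the post's broad (root) CMD rule =="
reported_lines "$TMPD/broad"
echo "== reported with the tightened rule =="
reported_lines "$TMPD/tight"
```

With the broad rule only the sshd login and the untagged smartd line are reported; the /tmp/.x/run.sh job vanishes along with atrun. With the tightened rule that job shows up in the report, at the cost of one extra pattern per legitimate root job. Run the same comparison against a day of your own all.log before installing a new ignore file.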
 