junovitch@
Developer
security/logcheck is a useful tool to help keep tabs on your system logs. Per the port's pkg-descr:
Logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.
Logcheck is fairly easy to initially set up but can take some time to trim down the list of what you consider "normal" to reduce the amount of noise produced. The purpose of this little guide will be to cover that initial setup, provide a few examples of configuration, and hopefully be a small stash of good examples from others.
- Install security/logcheck
pkg install logcheck
- Monitoring /var/log/auth.log makes sense as a best practice. Modify newsyslog.conf(5) so the logcheck group is given read access to /var/log/auth.log, then fix permissions on the current file.
Code:
# Add root:logcheck as owner:group on the auth.log line and relax the mode from 600 to 640
perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
# newsyslog only applies that on rotation, so fix the current file by hand
chown root:logcheck /var/log/auth.log
chmod 640 /var/log/auth.log
- Finally, copy the default file for crontab(1) from the installed example and fix permissions.
cp /usr/local/share/examples/logcheck/crontab.in /var/cron/tabs/logcheck
chmod 600 /var/cron/tabs/logcheck
At this point, Logcheck is fully set up and will email you every hour.
- Don't like the default interval? Change it.
crontab -u logcheck -e
- Don't like all the emails accumulating for the logcheck user? Add an entry to /etc/mail/aliases.
Code:
logcheck: jason
- Not enough noise? Enable logging to /var/log/all.log to get even more detail.
Code:
# Uncomment the *.* /var/log/all.log line in syslog.conf
perl -pwi -e 'if (/all\.log/) {s/#\*\.\*/\*\.\*/;}' /etc/syslog.conf
# Same newsyslog.conf treatment as for auth.log: root:logcheck ownership, mode 640
perl -pwi -e 'if (/all\.log/) {s/all\.log\t\t/all.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
# Create the file now so the ownership and mode apply before the first rotation
touch /var/log/all.log
chown root:logcheck /var/log/all.log
chmod 640 /var/log/all.log
service syslogd restart
Now set Logcheck to check /var/log/all.log instead of /var/log/messages.
Code:
cat > /usr/local/etc/logcheck/logcheck.logfiles << 'EOF'
/var/log/all.log
/var/log/auth.log
EOF
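The trimming work mentioned at the top of the post is where most of the effort goes, so here is an added example (not from the original post or the logcheck project) showing how a logcheck-style ignore rule is applied to auth.log lines and why a loosely written rule can silently drop a failed root login. It assumes logcheck applies its ignore rules with grep -E -v -f, uses constructed sample log lines, and writes the rules to a temp file rather than into /usr/local/etc/logcheck/ignore.d.server/.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumption: logcheck drops
# every log line matching an extended regex in ignore.d.server/*, which is
# mimicked here with `grep -E -v -f` against a temp rule file.

# Constructed auth.log sample: two routine events and one that must surface.
SAMPLE_LOG='Mar  3 09:15:01 bsdbox sshd[2201]: Accepted publickey for jason from 192.0.2.10 port 51022 ssh2: ED25519 SHA256:AAAAexampleAAAA
Mar  3 09:15:02 bsdbox sshd[2201]: Disconnected from user jason 192.0.2.10 port 51022
Mar  3 09:16:44 bsdbox sshd[2210]: Failed password for root from 198.51.100.7 port 40100 ssh2'

# Tight rules in the usual logcheck style: anchored timestamp, host, pid,
# and the full message, so only the exact "normal" event is ignored.
GOOD_RULES='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^ ]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2(: [^ ]+ SHA256:[^ ]+)?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from user [^ ]+ [.:[:xdigit:]]+ port [[:digit:]]+$'

# Over-broad rule: matches every sshd line, including the failed login.
BAD_RULES='sshd\['

# Mimic logcheck's ignore pass: $1 is the log text, $2 the rule text.
# Prints the lines that would reach the e-mailed report.
logcheck_filter() {
    rules=$(mktemp) || return 1
    printf '%s\n' "$2" > "$rules"
    # grep exits 1 when every line was ignored; that is an empty report, not an error.
    printf '%s\n' "$1" | grep -E -v -f "$rules" || [ $? -eq 1 ]
    rm -f "$rules"
}

# Number of lines left for the report (always exits 0, even when zero remain).
report_count() {
    logcheck_filter "$1" "$2" | awk 'END { print NR }'
}

# Demo: tight rules keep the failed login, the broad rule hides it.
echo "tight rules leave $(report_count "$SAMPLE_LOG" "$GOOD_RULES") line(s) for the report:"
logcheck_filter "$SAMPLE_LOG" "$GOOD_RULES"
echo "broad rule leaves $(report_count "$SAMPLE_LOG" "$BAD_RULES") line(s)"
```

When trimming noise, anchor each rule to the whole message as above and check that a known-bad line still comes through before dropping the rule into ignore.d.server/.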