Monitoring logfiles with logsentry
I manage a fair number of servers, and use several tools to monitor the health of my systems. One such tool is logsentry (formerly known as logcheck), which is a shell script that can be used to monitor logfiles for anomalies. Logsentry consists of a single shell script and one or more violation files, and installing it as simple as extracting the package and modifying the paths in the shell script. If your using OpenBSD, you can use the pkg_add utility to add the logsenty package to your system:$ export PKG_PATH=”ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/”
$ pkg_add logsentry
logsentry-1.1.1p2: complete
--- logsentry-1.1.1p2 -------------------
The logsentry configuration files have been installed at
/etc/logsentry.
Please view these files and change the configuration to meet your needs.
Currently logsentry will check the following files:
/var/log/messages
/var/log/maillog
/var/log/authlog
/var/log/secure
/var/log/daemon
/var/log/xferlog
Edit /etc/logsentry/logsentry.sh
if you want to add more files.
Be sure to configure your crontab as indicated by
/usr/local/share/doc/logsentry/INSTALL
so that logsentry is run regularly.
After logsentry is installed, you can add a cron job similar to the following to enable it:
$ echo ”
# Check system logfiles
0 * * * * /bin/sh /etc/logsentry/logsentry.sh” >> /var/spool/cron/crontabs/root
Once logsentry is enabled, you will get email similar to the following each time an anomaly is detected:
from Charlie Root to root date Nov 25, 2006 1:00 PM subject yappy 11/25/06:13.00 system check Security Violations =-=-=-=-=-=-=-=-=-= Nov 25 16:25:57 yappy su: matty to root on /dev/ttyp0 Nov 26 05:18:40 yappy su: matty to root on /dev/ttyp0 Nov 26 05:22:10 yappy su: BAD SU matty to root on /dev/ttyp0 Nov 26 05:22:14 yappy su: matty to root on /dev/ttyp0If logsentry emails you about an anomaly that your not interested in, you can add a string that matches the error to logsentry.ignore (this is used to filter out messages from the Unusual system events section) or logsentry.violations.ignore (this is used to filter out events from the security section). Logsentry works pretty well, and once the ignore files are adjusted to match the personality of the server, it can be a life saver (I like the fact that logsentry will send an email notifications when a hardware error is written to the system logfiles)
No comments:
Post a Comment