How do I keep an eye on my computer's logs without reading them?

From CLUG Wiki


WARNING: This is a new page.

This is a new page, and might contain technically incorrect information. Please use at your own risk. If you are able to correct any errors or expand this document, please do so.


Warning: This is a Debian-centric page

This page is written by a Debian user with Debian in mind. Thus, he liberally uses apt-get, and assumes that everything will work exactly the same for you.

If you don't run Debian (or something based on it like Ubuntu), it won't, so please find the differences and add them to this page.



Logcheck

Logcheck is a great program for keeping an eye on your server's logs.

Most *nix daemons don't email you when something odd happens; they simply write an error to syslog. If you never read your syslog logs (and please, who does that ;-), you will never see it. Logcheck reads them for you and emails you anything out of the ordinary.

Installing

This is Debian ;-):

apt-get install logcheck

Configuring

Logcheck is something that needs a fair amount of configuration. It only learns what is ok and what is the sign of impending doom if you tell it the difference. Thankfully, it comes with a pretty decent database of syslog messages (the logcheck-database package, pulled in as a dependency). The database is divided into three levels of paranoia: workstation, server, and paranoid. The levels stack: paranoid uses only ignore.d.paranoid, server adds ignore.d.server on top of that, and workstation adds ignore.d.workstation on top of both, so paranoid is the noisiest and workstation the quietest. I generally use server unless the machine is doing so much strange stuff that I can't keep up with the new log messages.

Edit /etc/logcheck/logcheck.conf:

REPORTLEVEL="server"
SENDMAILTO="root"
FQDN=1

Be careful where you send the mail to. In the beginning, your logcheck emails can be truly massive (if you have a chatty system). If the machine is remote, you may want to have them go to a local address on that machine (which you can read over ssh / whatever) until you are confident that the emails are small enough to allow into your inbox.

What logcheck does

Now, we wait. While doing so, here is how logcheck works:

Logcheck runs from cron (see /etc/cron.d/logcheck) and, using logtail, only looks at the lines added to each log file listed in /etc/logcheck/logcheck.logfiles since the previous run; the offsets live under /var/lib/logcheck. Each new line is run through egrep -v -f against everything in the ignore.d.REPORTLEVEL directory (plus the directories of the more paranoid levels below it, as described above). Whatever is not ignored makes up the System Events section of the logcheck report.

For good measure, each new line is also egrepped against everything in the violations.d directory (which contains words like Failed, Error, Reject, Security, Illegal, etc.), and the matches are then run through egrep -v -f against violations.ignore.d. What survives makes up the Security Events section of the report.

Finally, there is the cracking.d directory, whose matches become the Security Alerts section at the top of the report. Its ignore directory, cracking.ignore.d, is disabled by default (SUPPORT_CRACKING_IGNORE=0 in logcheck.conf). I normally leave it like that. It doesn't have many entries listed in it; if you are paranoid, think up some and add them.

To keep log entries from appearing in the reports, we need to add matching patterns to the ignore files. For a line that shows up under Security Events, the pattern also needs to go into violations.ignore.d: an ignore.d entry alone does not stop the violations pass, and a violations.ignore.d entry alone only stops the line being treated as a violation, after which it falls through to the ignore.d pass and turns up under System Events instead.
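As an added illustration (not code from logcheck or from this page's author), here is a small shell model of the passes just described, run over a constructed syslog excerpt. The keyword list and rule files are made up for the demo, loosely modelled on the stock ones, and the real script adds log offsets, the cracking.d pass and the report-level layering on top of this:

```shell
#!/bin/sh
# Added example, not code from the logcheck package: a stripped-down model of
# the grep passes logcheck performs, run over a constructed syslog excerpt so
# the System Events / Security Events split is visible. Rule files use the
# same egrep -f dialect logcheck uses. Log lines, keyword list and rules are
# all made up for the demo.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed syslog excerpt (not a real capture).
cat >"$WORK/syslog" <<'EOF'
May 29 06:25:01 imago CRON[1234]: (root) CMD (run-parts --report /etc/cron.hourly)
May 29 13:37:30 imago dhclient: receive_packet failed on eth0: Network is down
May 29 17:01:07 imago kernel: device eth0 entered promiscuous mode
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from castle.owlsbarn.rivera.za.net
May 29 22:12:51 imago smartd[8521]: Device: /dev/hda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 66 to 65
EOF

# ignore.d.<REPORTLEVEL>: routine noise. ([[:alpha:]]{3} stands in for the
# \w{3} of the stock rules so this also runs on non-GNU grep.)
cat >"$WORK/ignore" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(.*\)$
EOF

# violations.d: keywords that promote a line to a security event.
cat >"$WORK/violations" <<'EOF'
ATTACK
DENIED
Error
Illegal
Reject
Security
failed
failure
promiscuous
EOF

# violations.ignore.d: security-looking lines known to be harmless.
cat >"$WORK/violations.ignore" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[[:digit:]]+\]: Device: /dev/[[:alnum:]]+, SMART Prefailure Attribute: [[:digit:]]+ Raw_Read_Error_Rate changed from [[:digit:]]+ to [[:digit:]]+$
EOF

# Security Events: lines hit by a violations keyword, minus violations.ignore.d.
security_events() {
    grep -E -f "$WORK/violations" "$WORK/syslog" | grep -E -v -f "$WORK/violations.ignore" || true
}

# System Events: whatever survives ignore.d and was not already reported above.
# Watch the smartd line: its violations.ignore.d rule keeps it out of Security
# Events, but with no ignore.d rule it lands here instead.
system_events() {
    security_events >"$WORK/already_reported"
    grep -E -v -f "$WORK/ignore" "$WORK/syslog" | grep -v -x -F -f "$WORK/already_reported" || true
}

report() {
    printf 'Security Events\n=-=-=-=-=-=-=-=\n'
    security_events
    printf '\nSystem Events\n=-=-=-=-=-=-=\n'
    system_events
}

report
```

Running it gives three Security Events (dhclient, the promiscuous-mode kernel message and the sshd failure) and one System Event, the smartd line, which is exactly the "falls through to System Events" case: a violations.ignore.d rule without a matching ignore.d rule moves a line between sections rather than removing it.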

Ignoring entries

By now, logcheck should have mailed you its first report. If it hasn't, you can force it to by running (logcheck refuses to run as root, hence the su to the logcheck user):

su -s /bin/bash -c "nice -n10 /usr/sbin/logcheck" logcheck

Don't be surprised if you get a >1MB email...

Ok, now you will probably notice that 80% of the report is dedicated to one or two daemons. You can either re-configure them (e.g. reconfigure smartd to ignore Temperature and Raw Error Rate), or get logcheck to ignore them. Here are some examples:

Security Example

Security Events
=-=-=-=-=-=-=-=
May 29 06:42:51 imago smartd[8521]: Device: /dev/hda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 66 to 65
May 29 13:37:30 imago dhclient: receive_packet failed on eth0: Network is down
May 29 17:01:07 imago kernel: device eth0 entered promiscuous mode
May 29 17:01:08 imago kernel: bridge-eth0: enabled promiscuous mode
May 29 17:12:51 imago smartd[8521]: Device: /dev/hda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 65 to 66
May 29 17:27:34 imago kernel: device eth0 left promiscuous mode
May 29 17:27:34 imago kernel: bridge-eth0: disabled promiscuous mode
May 29 20:56:50 imago sshd[28732]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser=  host=castle.owlsbarn.rivera.za.net  user=stefanor 
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from castle.owlsbarn.rivera.za.net
May 29 22:12:51 imago smartd[8521]: Device: /dev/hda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 66 to 65

OK. I reconfigured smartd to forget about read error rates. I was messing around with networking, and I often do, so I'll ignore the promiscuous lines.

The Debian logcheck package maintains the files in the ignore directories under /etc/logcheck. It is good practice to put your own ignores into local-daemon-name files, so it won't touch them.

# vi ignore.d.server/local-networking
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: .*(entered|left|enabled|disabled) promiscuous mode$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dhclient: receive_packet failed on eth[[:digit:]]+: Network is down$
# cp ignore.d.server/local-networking violations.ignore.d/logcheck-local-networking

The kernel pattern uses an alternation because the report above shows four variants of the message (entered, left, enabled, disabled); a pattern matching only "entered" would leave the other three in the report. Note the name given to the copy: logcheck only picks up a violations.ignore.d file whose name begins with the name of the violations.d file it belongs to (the stock one is simply logcheck, which is why the package's own files are called logcheck-su, logcheck-sudo and so on), so a file called local-networking in that directory is not consulted. If in doubt, README.logcheck in /usr/share/doc/logcheck describes the naming rules for your version.

That should do the trick.

I made a mistake logging in from my laptop, but I don't mind being emailed about that. I'll leave it in.

General Example

System Events
=-=-=-=-=-=-=
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: VCore 1: +1.70 V (min = +1.66 V, max = +1.84 V) [ALARM]
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: temp1: 37 C (limit = 8 C, hysteresis = 40 C, sensors =  thermistor) [ALARM]
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: alarms: Chassis intrusion detection [ALARM]
etc. etc.

Hmm, looks like a badly configured sensord. Well, I can't be bothered to reconfigure it, so let's just ignore it.

# vi ignore.d.server/local-sensord
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sensord: Sensor alarm:

OK done.
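A blanket rule like the sensord one above also swallows the "Chassis intrusion detection" alarm, which is the one sensord message you would actually want a mail about. As an added example (not part of the original page), the script below dry-runs candidate ignore rules against the report lines quoted above before they go anywhere near /etc/logcheck, so you can see exactly which lines each rule suppresses. The two rule files are ours, and [[:alpha:]]{3} stands in for the \w{3} of the stock rules so it also runs on non-GNU grep:

```shell
#!/bin/sh
# Added example, not part of the original page: dry-run candidate logcheck
# ignore rules against saved report lines before installing them. An
# over-broad pattern hides real alerts just as quietly as it hides noise,
# so each rule is checked for what it suppresses and what it lets through.
# The log lines are the ones quoted in the page's reports; the rules are ours.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lines from the reports above, kept as a regression corpus for the rules.
cat >"$WORK/report" <<'EOF'
May 29 17:01:07 imago kernel: device eth0 entered promiscuous mode
May 29 17:01:08 imago kernel: bridge-eth0: enabled promiscuous mode
May 29 17:27:34 imago kernel: device eth0 left promiscuous mode
May 29 17:27:34 imago kernel: bridge-eth0: disabled promiscuous mode
May 29 20:56:52 imago sshd[28732]: error: PAM: Authentication failure for stefanor from castle.owlsbarn.rivera.za.net
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: VCore 1: +1.70 V (min = +1.66 V, max = +1.84 V) [ALARM]
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: temp1: 37 C (limit = 8 C, hysteresis = 40 C, sensors =  thermistor) [ALARM]
May 29 22:48:38 imago sensord: Sensor alarm: Chip w83627hf-isa-0290: alarms: Chassis intrusion detection [ALARM]
EOF

# Candidate 1: all four promiscuous-mode messages, nothing else.
cat >"$WORK/local-networking" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: .*(entered|left|enabled|disabled) promiscuous mode$
EOF

# Candidate 2: sensord readings that went out of range (a value, a unit and a
# parenthesised limit), but not the chassis-intrusion alarm.
cat >"$WORK/local-sensord" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sensord: Sensor alarm: Chip [._[:alnum:]-]+: [^:]+: [-+]?[[:digit:].]+ [[:alpha:]]+ \(.*\) \[ALARM\]$
EOF

# Lines a rule file would suppress (what logcheck's egrep -v -f throws away).
rule_hits() {   # rule_hits RULEFILE LOGFILE
    grep -E -f "$1" "$2" || true
}

# Lines that would still make it into the report.
rule_misses() { # rule_misses RULEFILE LOGFILE
    grep -E -v -f "$1" "$2" || true
}

# Number of suppressed lines, for comparing against the count you expect.
count_hits() {  # count_hits RULEFILE LOGFILE
    rule_hits "$1" "$2" | wc -l | tr -d ' '
}

for rule in local-networking local-sensord; do
    printf '== %s suppresses %s line(s) ==\n' "$rule" "$(count_hits "$WORK/$rule" "$WORK/report")"
    rule_hits "$WORK/$rule" "$WORK/report"
done
printf '== sensord lines still reported after local-sensord ==\n'
rule_misses "$WORK/local-sensord" "$WORK/report" | grep sensord || true
```

The networking rule should account for exactly the four kernel lines and never the sshd one; the sensord rule should drop the voltage and temperature alarms and leave the chassis-intrusion line in the report. Once a rule behaves on the corpus, copy it into /etc/logcheck/ignore.d.server/ (and, for a Security Events line, into violations.ignore.d/ under a logcheck- prefixed name), then run logcheck by hand with output to stdout and without advancing the log offsets (the -o and -t options; check logcheck -h for your version) to confirm the lines are gone before the next cron run.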

Sit back and relax. Your server will get in touch with you if anything odd happens...