Setting up and managing logs?

Contribute

Setting up and managing logs?

Posted by summitwulf on Tue 28 Feb 2006 at 10:16

Tags: logfiles, monitoring, questions

What good advice do you have for setting up and managing logging on a Debian box? I come from a Red Hat 9.0 environment, where there was a rather convenient integrated GUI that let you browse the various logfiles - very useful to see all the failed logins to your SSH account as people tried to break in, for example.

Is there something similar for managing all the logfiles generated by your programs in Debian? How about if you have a text-only environment?

Descriptions of your current logging setup would be great - along with things to definitely do, and to absolutely avoid... =)

#1

Re: Setting up and managing logs?

Posted by Anonymous (80.28.xx.xx) on Tue 28 Feb 2006 at 11:31

I'm using moodss and pymoodss, an addon to manage multiple machines as one.

[ Parent | Reply to this comment ]

#2

Posted by Anonymous (85.76.xx.xx) on Tue 28 Feb 2006 at 11:31

apt-get install logcheck

It's a script that will parse your logs and mail all the interesting bits for you to look at. It is also easy to customize. Cheers! -Mattias

[ Parent | Reply to this comment ]

#6

Posted by Steve (217.207.xx.xx) on Tue 28 Feb 2006 at 12:29
[ Send Message | View Steve's Scratchpad | View Weblogs ]

I admit I prefer 'logwatch'.

[ Parent | Reply to this comment ]

#8

Posted by GoodTimes (146.180.xx.xx) on Tue 28 Feb 2006 at 14:15
[ Send Message | View Weblogs ]

Why?

Through correctness comes ease
-Chiun
-The Destroyer series

[ Parent | Reply to this comment ]

#10

Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 18:45
[ Send Message | View Steve's Scratchpad | View Weblogs ]

One daily mail is easier to digest than several arriving at different times.

[ Parent | Reply to this comment ]

#11

Posted by GoodTimes (146.180.xx.xx) on Tue 28 Feb 2006 at 18:52
[ Send Message | View Weblogs ]

that's a good point

curious

can you have logwatch scan multiple times a day? the man2html is broken on the logwatch.org site.

aaron

[ Parent | Reply to this comment ]

#14

Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:03
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Sure you can.

By default a file is placed at /etc/cron.daily/00logwatch to make it run once a day.

I suspect that you'd get the earlier entries from a previous run duplicated though.

[ Parent | Reply to this comment ]

#12

Posted by Anonymous (85.76.xx.xx) on Tue 28 Feb 2006 at 21:00

Maybe. But if something is wrong, is it not better to know about it at once instead of next morning?

I have never seen it as a problem that the reports can arrive at any time during the day. As logcheck reports only anomalies in the logs I can be reasonably certain that everything is OK if I have no reports waiting in my INBOX.

Another good reason for using logcheck is that many Debian packages come with pre-configured conf-files for logcheck (so that it knows what not to report as an error).

[ Parent | Reply to this comment ]

#15

Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:04
[ Send Message | View Steve's Scratchpad | View Weblogs ]

Unless your mailer is broken and you just don't get mails sent ;)

Sure everything you say is valid, but for me with a whole load of internal only machines which are setup in a fairly secure manner running minimal external services and few local users it is better to have only a few mails to scan.

[ Parent | Reply to this comment ]

#19

Posted by Anonymous (195.76.xx.xx) on Wed 1 Mar 2006 at 08:43

Well I use logcheck running each 5 minutes!

Most of the times, it runs and founds nothing interesting (i.e.: all messages are known to logcheck and "normal" for the system). But when I have a problem, I get on it ASAP.

Surely there has a problem. When you're out for some days you'll end up with zillions of emails. ;)

But if you have a decent number of monitored servers you'll probably be in a company with more than one IT admin, so the logs could be (should be) redirected to a common account, so at any time there's someone watching at them.

[ Parent | Reply to this comment ]

#21

Posted by Anonymous (213.164.xx.xx) on Thu 2 Mar 2006 at 11:46

You could use Nagios for very "service up/failing" regular checks (every x minutes) as well as logwatch for more detailed information.

[ Parent | Reply to this comment ]

#22

Posted by impact24 (210.5.xx.xx) on Fri 3 Mar 2006 at 00:58
[ Send Message ]

I'd like to add that I rely on this approach as well. As others do, I like logwatch in the sense that it makes and sends "summaries" once a day so that you don't get overwhelmed. Nagios complements this by sending you immediate problems that are sensed by it's monitoring.

I have to admit though, I haven't set up Nagios to alert me for immediate security warnings. I know that's possible though, I'll just read on it when I have time I guess.

[ Parent | Reply to this comment ]

#13

Posted by jeld (64.90.xx.xx) on Tue 28 Feb 2006 at 21:02
[ Send Message ]

I would preferred logwatch, but it has an inherent flaw. It only notifies you about things it knows about, which means that there is always a chance it will miss something important. Logcheck on the other hand notifies you about anything it doesn't know about. And it is easy to make logcheck only email you once a day, all you have to do is change /etc/cron.d/logcheck.

You are off the edge of the map, mate. Here there be monsters!

[ Parent | Reply to this comment ]

#16

Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:06
[ Send Message | View Steve's Scratchpad | View Weblogs ]

This is definitely something to be aware of in high-risk environments, yes.

But I think that Logwatch will highlight unknown entries in at least /var/log/messages.

I'm happy enough with logwatch for my low-risk machines.

[ Parent | Reply to this comment ]

#17

Posted by jeld (64.90.xx.xx) on Tue 28 Feb 2006 at 21:17
[ Send Message ]

Well, this depends on your definition of low-risk. What are you monitoring your logs for? Break-in attempts? Hardware failure signs? Something else? For me a low risk system is one which is not providing public service on the internet and is not critical to be up 24/7. But even on such a system I would want to know if something out of the ordinary is happening. And logcheck does precisely that. I think that maybe, logwatch and logcheck should both be used, where logwatch would give you some stats on regular system goings and logcheck would warn you if something funny starts happening.

You are off the edge of the map, mate. Here there be monsters!

[ Parent | Reply to this comment ]

#18

Posted by summitwulf (72.130.xx.xx) on Wed 1 Mar 2006 at 05:55
[ Send Message | View Weblogs ]

I think I'll try logcheck. The webpage for that has somewhat decent documentation. The logwatch page, by comparison, doesn't seem to have intro-level documentation, and some of the documentation that is there is broken (at least one link). That doesn't look too good from a beginner standpoint...

Now I just need to find out how to configure exim4 to mail me log reports... that should probably be a separate question.

[ Parent | Reply to this comment ]

#3

Re: Setting up and managing logs?

Posted by oxtan (195.86.xx.xx) on Tue 28 Feb 2006 at 11:36
[ Send Message | View Weblogs ]

what we do at work, and it works great, is log to a mysql database with syslog-ng (well, in fact we log both to mysql and to logfiles).

a very useful link:
http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG

Apart from the beautiful interface, using a db gives you loads of flexibility. In fact you can decide whay you want to see. If not afraid of scripting, then this is the way to go.

[ Parent | Reply to this comment ]

#4

Re: Setting up and managing logs?

Posted by Anonymous (194.126.xx.xx) on Tue 28 Feb 2006 at 12:07

If its a small server i do this in /etc/syslog.conf:

#put EVERYTHING on 12th console, very nifty to press alt-F12 and see all that happens
*.* /dev/tty12

#put EVERYTHING except postfix log to one log file, so you only have to check one
*.*;local0.none /var/log/system.log

# postfix logs here
local0.* /var/log/postfix.log

# Emergencies are sent to everybody logged in.
*.emerg *

---
it think the default setup to log in 1233 gazillion files is quite unwieldy.

[ Parent | Reply to this comment ]

#5

Re: Setting up and managing logs?

Posted by Anonymous (194.126.xx.xx) on Tue 28 Feb 2006 at 12:08

oh, and in postfix main.conf:
syslog_facility = local0

[ Parent | Reply to this comment ]

#7

Re: Setting up and managing logs?

Posted by shufla (83.16.xx.xx) on Tue 28 Feb 2006 at 13:17
[ Send Message ]

Hello,

To have nice, colorized logs on 12th console install ccze package and put something like this to /etc/inittab:

C:12345:wait:/usr/bin/tail -n30 -f /var/log/messages | /usr/bin/ccze > /dev/tty12

Also, set up your logging system to send all logs to /var/log/messages. Then kill -HUP 1 to make init reread inittab.

Best Regards,
Luke

[ Parent | Reply to this comment ]

#20

Re: Setting up and managing logs?

Posted by lpenz (200.102.xx.xx) on Wed 1 Mar 2006 at 19:19
[ Send Message ]

You can also use root-tail to get the log written to the X background.

[ Parent | Reply to this comment ]

#23

Re: Setting up and managing logs?

Posted by ychaouche (81.52.xx.xx) on Tue 1 Feb 2011 at 08:59
[ Send Message ]

Wow, impressive !

[ Parent | Reply to this comment ]

#9

Re: Setting up and managing logs?

Posted by sno (62.254.xx.xx) on Tue 28 Feb 2006 at 18:09
[ Send Message | View Weblogs ]

hey there, i use logwatch, gives me output of common /var/log/* files on the system, output like:

sshd:
Authentication Failures:
sno (127.0.0.1): 1 Time(s)
Sessions Opened:
sno: 3 Time(s)
user: 1 Time(s)

[ Parent | Reply to this comment ]

Flattr

Articles and comments are the property of their respective posters.

Trademarks are the property of their respective owners.
Debian is a registered trademark of Software in the Public Interest, Inc.

This site is copyright © 2004-2011 Steve Kemp.
Site hosting provided by Bytemark Hosting.

Article Feeds in Atom, RSS, & RDF formats