Keeping an eye upon logfiles
Posted by Steve on Tue 28 Sep 2004 at 15:17
When you look after a group of machines it becomes increasingly difficult to watch the logfiles to see if anything suspicious is happening.
Enter logwatch, a simple Perl script which will keep an eye on all the common logfiles syslog produces and mail you a summary.
The summaries are simple enough to read and are sent by email once a day - they show things like available disk space, logins, rejected logins, commands run by users via sudo and more.
This is a much less intensive approach than installing logcheck and receiving numerous daily emails.
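To make the kind of daily digest described above concrete, here is a small logwatch-style summariser. This is an added illustration, not logwatch's own code: it parses a few constructed syslog lines (sample data, not real logs) and produces the same sort of sections the article mentions, accepted logins, rejected logins and commands run via sudo. The regexes assume the classic OpenSSH and sudo message formats.

```python
"""Minimal logwatch-style summariser (added example, not the logwatch script)."""
import re
from collections import Counter

# Constructed sample lines in syslog/auth.log format; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Sep 28 14:01:02 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51822 ssh2
Sep 28 14:03:10 host1 sshd[1210]: Failed password for root from 10.0.0.9 port 40011 ssh2
Sep 28 14:03:12 host1 sshd[1210]: Failed password for root from 10.0.0.9 port 40011 ssh2
Sep 28 14:05:44 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 28 14:07:01 host1 sshd[1222]: Invalid user admin from 10.0.0.9 port 40020
Sep 28 14:09:30 host1 sshd[1230]: Accepted password for bob from 192.168.1.20 port 50001 ssh2
Sep 28 14:10:00 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/adduser carol
Sep 28 14:12:00 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Message shapes assumed here: OpenSSH "Accepted <method> for <user> from <addr>",
# "Failed password for <user> from <addr>" / "Invalid user <user> from <addr>",
# and sudo's "<user> : ... USER=<target> ; COMMAND=<cmd>".
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def summarise(text):
    """Count logins and rejections per (user, source) and collect sudo invocations."""
    accepted = Counter()
    failed = Counter()
    sudo = []
    for line in text.splitlines():
        if m := ACCEPTED.search(line):
            accepted[(m.group(2), m.group(3))] += 1
        elif m := FAILED.search(line):
            failed[(m.group(1), m.group(2))] += 1
        elif m := SUDO.search(line):
            sudo.append((m.group(1), m.group(2), m.group(3)))
        # Anything else (cron, etc.) is simply not part of this digest.
    return {"accepted": accepted, "failed": failed, "sudo": sudo}


def render(summary):
    """Turn the counters into the text of a once-a-day mail."""
    lines = ["--- Logins (accepted) ---"]
    for (user, src), n in sorted(summary["accepted"].items()):
        lines.append(f"  {user} from {src}: {n} time(s)")
    lines.append("--- Rejected logins ---")
    for (user, src), n in sorted(summary["failed"].items()):
        lines.append(f"  {user} from {src}: {n} time(s)")
    lines.append("--- Commands run via sudo ---")
    for user, target, cmd in summary["sudo"]:
        lines.append(f"  {user} -> {target}: {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_LOG)))
```

Feeding it the whole of the previous day's auth.log (instead of the embedded sample) and piping the output to mail is all that is needed for a crude daily report; the point of the repeated-failure counter is that two "Failed password for root" lines from the same address collapse into one line with a count, which is what makes a summary readable on a busy host.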
If there are messages which are not ignored by logcheck that should be, you should submit bugs against logcheck-database and we'll ensure that they are ignored in the next release.
Don't knock something until you've tried it, properly.
-jamie
Once upon a time I used to be the package maintainer for the logcheck package, so I'm happy I know it...
It's not so much that it sends lots of mails, more that if you're using it on lots of machines one mail from each is too many. Yes it can be tweaked, but it's a trickyish job.
Steve
-- Steve.org.uk
If you filter out all the known messages that the maintainers don't have in their filtering, then you won't get email from machines that have their logs completely filtered.
It's pretty easy, though it did take me a couple of years of using the product before I finally got around to doing it on my machines, but since I've done it, I've found the already useful package more useful.
However, there is a program out there called lc_consolidator that I'd like to see become a Debian package. It takes logcheck messages from multiple machines and merges them into one email.
aaron
Through correctness comes ease
-Chiun
-The Destroyer series
mf
With this tool putting all your messages together, and logcheck's filters weeding out unnecessary lines, you can get it so that you only have one relatively small message.
http://freshmeat.net/projects/lc/
Through correctness comes ease
-Chiun
-The Destroyer series
Logwatch provides a summarized output of your log files on a, say, daily basis. This can be used to monitor activity and take preventive measures (e.g. when running low on disk space).
Logcheck is used for alarming purposes. You are only supposed to get output from it when there is something already wrong. It is used to notify the administrator as soon as possible if a fault or intrusion occurred.
Monitoring and alarming are two distinct tasks; both are part of a system administrator's toolkit, however.
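The alarm-style behaviour described in this comment, and the filtering-plus-consolidation workflow aaron describes above (logcheck ignore rules, then lc_consolidator merging several machines into one mail), can be shown in a few lines. What follows is an added example, not code from logcheck or lc_consolidator: each host's log is run through a list of anchored ignore regexes in the spirit of logcheck's ignore.d files, only the lines no rule matches survive, and the survivors from all hosts are merged into one message. A host whose lines are all filtered contributes nothing, and if every host is clean the result is None, i.e. no mail at all. The hostnames, addresses and log lines are constructed sample data.

```python
"""logcheck-style ignore filtering plus a consolidated multi-host report
(added example; not the logcheck or lc_consolidator code)."""
import re

# Constructed ignore rules, one anchored regex per entry as in logcheck's ignore.d files.
# "[ :\d]{11}" covers the day and time part of a syslog timestamp ("28 14:12:00").
IGNORE_RULES = [
    r"^\w{3} [ :\d]{11} \S+ cron\[\d+\]: \(\S+\) CMD \(",
    r"^\w{3} [ :\d]{11} \S+ sshd\[\d+\]: Accepted publickey for \S+ from \S+ port \d+ ssh2$",
    r"^\w{3} [ :\d]{11} \S+ sshd\[\d+\]: Received disconnect from \S+",
]
COMPILED = [re.compile(p) for p in IGNORE_RULES]

# Constructed per-host logs (made-up hosts and addresses), as lc_consolidator would receive
# them from several logcheck installations.
HOST_LOGS = {
    "host1": """\
Sep 28 14:12:00 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Sep 28 14:13:05 host1 sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 51830 ssh2
""",
    "host2": """\
Sep 28 14:12:00 host2 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
Sep 28 14:15:10 host2 sshd[2250]: Failed password for root from 10.0.0.9 port 40011 ssh2
Sep 28 14:16:00 host2 kernel: Out of memory: Killed process 2260 (mysqld)
""",
    "host3": """\
Sep 28 14:12:00 host3 cron[3300]: (root) CMD (run-parts /etc/cron.hourly)
""",
}


def unmatched(text, rules=COMPILED):
    """Lines that no ignore rule matches: the only thing an alarm-style checker reports."""
    return [line for line in text.splitlines()
            if line and not any(rule.search(line) for rule in rules)]


def consolidate(host_logs, rules=COMPILED):
    """Merge each host's leftover lines into one message.

    Returns None when every host is fully filtered, which is the 'no mail' case:
    silence means nothing needs attention.
    """
    sections = []
    for host in sorted(host_logs):
        lines = unmatched(host_logs[host], rules)
        if lines:
            header = f"=== {host}: {len(lines)} unfiltered line(s) ==="
            sections.append(header + "\n" + "\n".join(lines))
    return "\n\n".join(sections) if sections else None


if __name__ == "__main__":
    report = consolidate(HOST_LOGS)
    print(report if report is not None else "nothing to report, no mail sent")
```

The design point is the contrast with the summariser: this code never counts or aggregates, it only subtracts known-good lines, so its output is empty on a quiet day and every surviving line is something a person has not yet decided to ignore. Tuning it is exactly the job aaron describes: each new benign line becomes another anchored rule.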
Thanks, corrected now.
SW