
Setting up and managing logs?

Posted by summitwulf on Tue 28 Feb 2006 at 10:16

What good advice do you have for setting up and managing logging on a Debian box? I come from a Red Hat 9.0 environment, where there was a rather convenient integrated GUI that let you browse the various logfiles - very useful to see all the failed logins to your SSH account as people tried to break in, for example.

Is there something similar for managing all the logfiles generated by your programs in Debian? How about if you have a text-only environment?

Descriptions of your current logging setup would be great - along with things to definitely do, and to absolutely avoid... =)

Re: Setting up and managing logs?
Posted by Anonymous (80.28.xx.xx) on Tue 28 Feb 2006 at 11:31
I'm using moodss and pymoodss, an addon to manage multiple machines as one.


Logcheck
Posted by Anonymous (85.76.xx.xx) on Tue 28 Feb 2006 at 11:31
apt-get install logcheck
It's a script that will parse your logs and mail all the interesting bits for you to look at. It is also easy to customize. Cheers! -Mattias


Re: Logcheck
Posted by Steve (217.207.xx.xx) on Tue 28 Feb 2006 at 12:29

I admit I prefer 'logwatch'.

Steve


Re: Logcheck
Posted by GoodTimes (146.180.xx.xx) on Tue 28 Feb 2006 at 14:15
Why?

Through correctness comes ease
-Chiun
-The Destroyer series


Re: Logcheck
Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 18:45

One daily mail is easier to digest than several arriving at different times.

Steve


Re: Logcheck
Posted by GoodTimes (146.180.xx.xx) on Tue 28 Feb 2006 at 18:52
That's a good point.

Curious:

Can you have logwatch scan multiple times a day? The man2html is broken on the logwatch.org site.

aaron


Re: Logcheck
Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:03

Sure you can.

By default a file is placed at /etc/cron.daily/00logwatch to make it run once a day.

I suspect that you'd get the earlier entries from a previous run duplicated though.

Steve


Re: Logcheck
Posted by Anonymous (85.76.xx.xx) on Tue 28 Feb 2006 at 21:00
Maybe. But if something is wrong, is it not better to know about it at once instead of next morning?

I have never seen it as a problem that the reports can arrive at any time during the day. As logcheck reports only anomalies in the logs I can be reasonably certain that everything is OK if I have no reports waiting in my INBOX.

Another good reason for using logcheck is that many Debian packages come with pre-configured conf-files for logcheck (so that it knows what not to report as an error).


Re: Logcheck
Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:04

Unless your mailer is broken and you just don't get mails sent ;)

Sure everything you say is valid, but for me with a whole load of internal only machines which are setup in a fairly secure manner running minimal external services and few local users it is better to have only a few mails to scan.

Steve


Re: Logcheck
Posted by Anonymous (195.76.xx.xx) on Wed 1 Mar 2006 at 08:43
Well, I use logcheck running every 5 minutes!

Most of the time it runs and finds nothing interesting (i.e. all messages are known to logcheck and "normal" for the system). But when I have a problem, I get on it ASAP.

Surely there is a problem: when you're out for some days you'll end up with zillions of emails. ;)

But if you have a decent number of monitored servers you'll probably be in a company with more than one IT admin, so the logs could be (should be) redirected to a common account, so that at any time there's someone watching them.


Re: Logcheck
Posted by Anonymous (213.164.xx.xx) on Thu 2 Mar 2006 at 11:46
You could use Nagios for very "service up/failing" regular checks (every x minutes) as well as logwatch for more detailed information.


Re: Logcheck
Posted by impact24 (210.5.xx.xx) on Fri 3 Mar 2006 at 00:58
I'd like to add that I rely on this approach as well. As others do, I like logwatch in the sense that it makes and sends "summaries" once a day so that you don't get overwhelmed. Nagios complements this by sending you immediate problems that are sensed by its monitoring.

I have to admit though, I haven't set up Nagios to alert me for immediate security warnings. I know that's possible though, I'll just read on it when I have time I guess.


Re: Logcheck
Posted by jeld (64.90.xx.xx) on Tue 28 Feb 2006 at 21:02
I would prefer logwatch, but it has an inherent flaw. It only notifies you about things it knows about, which means that there is always a chance it will miss something important. Logcheck, on the other hand, notifies you about anything it doesn't know about. And it is easy to make logcheck only email you once a day; all you have to do is change /etc/cron.d/logcheck.

You are off the edge of the map, mate. Here there be monsters!


Re: Logcheck
Posted by Steve (82.41.xx.xx) on Tue 28 Feb 2006 at 21:06

This is definitely something to be aware of in high-risk environments, yes.

But I think that Logwatch will highlight unknown entries in at least /var/log/messages.

I'm happy enough with logwatch for my low-risk machines.

Steve


Re: Logcheck
Posted by jeld (64.90.xx.xx) on Tue 28 Feb 2006 at 21:17
Well, this depends on your definition of low-risk. What are you monitoring your logs for? Break-in attempts? Hardware failure signs? Something else? For me a low risk system is one which is not providing public service on the internet and is not critical to be up 24/7. But even on such a system I would want to know if something out of the ordinary is happening. And logcheck does precisely that. I think that maybe, logwatch and logcheck should both be used, where logwatch would give you some stats on regular system goings and logcheck would warn you if something funny starts happening.

You are off the edge of the map, mate. Here there be monsters!

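The two points argued above, reporting whatever is *unknown* rather than only what a tool already recognises (jeld's posts) and not re-mailing entries an earlier run already reported when the check runs several times a day (Steve's concern), in a small Python sketch. This is an added example, not code from the thread and not logcheck's own implementation; the rule layout is only modelled on logcheck's (attack patterns always reported, ignore patterns dropped, the rest reported as unknown), and the patterns and log lines are constructed.

```python
import re

# Constructed rule sets, modelled on logcheck's layout; these are NOT the
# rules shipped with the logcheck package.
ATTACK_PATTERNS = [  # always reported, even if an ignore rule would also match
    r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from \S+",
    r"su\[\d+\]: FAILED su",
]
IGNORE_PATTERNS = [  # routine noise a logwatch-style "known things" list would cover
    r"sshd\[\d+\]: Accepted publickey for \S+ from \S+",
    r"CRON\[\d+\]: \(root\) CMD \(",
    r"postfix/smtpd\[\d+\]: connect from ",
]

def classify(line, attack=ATTACK_PATTERNS, ignore=IGNORE_PATTERNS):
    """Return 'attack', 'ignore' or 'unknown' for one syslog line.
    Anything not explicitly known is reported; that is the logcheck stance."""
    if any(re.search(p, line) for p in attack):
        return "attack"
    if any(re.search(p, line) for p in ignore):
        return "ignore"
    return "unknown"

def check(lines, offset):
    """Process only the lines past `offset` (logtail-style bookmark) so that a
    run every few minutes does not repeat what an earlier run already mailed.
    Returns (report, new_offset); report is a list of (category, line)."""
    report = []
    for line in lines[offset:]:
        category = classify(line)
        if category != "ignore":
            report.append((category, line))
    return report, len(lines)

SAMPLE_LOG = [  # constructed syslog lines, not from any real host
    "Feb 28 10:01:01 host CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 28 10:02:14 host sshd[1310]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Feb 28 10:03:02 host sshd[1322]: Failed password for invalid user admin from 203.0.113.9 port 4001 ssh2",
    "Feb 28 10:04:40 host kernel: EXT3-fs error (device sda1): ext3_find_entry: reading directory #2",
]

if __name__ == "__main__":
    report, offset = check(SAMPLE_LOG, 0)
    for category, line in report:
        print(f"{category:8} {line}")
    # A second run over the same file with the saved offset reports nothing new.
    again, _ = check(SAMPLE_LOG, offset)
    print(f"second run: {len(again)} new entries")
```

The unknown EXT3 error is exactly the kind of entry a known-things-only summary would drop silently; here it is reported because no rule claims it.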

Re: Logcheck
Posted by summitwulf (72.130.xx.xx) on Wed 1 Mar 2006 at 05:55
I think I'll try logcheck. The webpage for that has somewhat decent documentation. The logwatch page, by comparison, doesn't seem to have intro-level documentation, and some of the documentation that is there is broken (at least one link). That doesn't look too good from a beginner standpoint...

Now I just need to find out how to configure exim4 to mail me log reports... that should probably be a separate question.


Re: Setting up and managing logs?
Posted by oxtan (195.86.xx.xx) on Tue 28 Feb 2006 at 11:36
What we do at work, and it works great, is log to a mysql database with syslog-ng (well, in fact we log both to mysql and to logfiles).

A very useful link:
http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG

Apart from the beautiful interface, using a db gives you loads of flexibility. In fact you can decide what you want to see. If you're not afraid of scripting, then this is the way to go.


Re: Setting up and managing logs?
Posted by Anonymous (194.126.xx.xx) on Tue 28 Feb 2006 at 12:07
If it's a small server I do this in /etc/syslog.conf:

#put EVERYTHING on 12th console, very nifty to press alt-F12 and see all that happens
*.* /dev/tty12

#put EVERYTHING except postfix log to one log file, so you only have to check one
*.*;local0.none /var/log/system.log

# postfix logs here
local0.* /var/log/postfix.log

# Emergencies are sent to everybody logged in.
*.emerg *

---
I think the default setup to log in 1233 gazillion files is quite unwieldy.


Re: Setting up and managing logs?
Posted by Anonymous (194.126.xx.xx) on Tue 28 Feb 2006 at 12:08
oh, and in postfix main.conf:
syslog_facility = local0


Re: Setting up and managing logs?
Posted by shufla (83.16.xx.xx) on Tue 28 Feb 2006 at 13:17
Hello,

To have nice, colorized logs on the 12th console, install the ccze package and put something like this in /etc/inittab:

# 'respawn' rather than 'wait': tail -f never exits, so a 'wait' entry would block init from starting the remaining entries (gettys etc.)
C:12345:respawn:/usr/bin/tail -n30 -f /var/log/messages | /usr/bin/ccze > /dev/tty12

Also, set up your logging system to send all logs to /var/log/messages. Then kill -HUP 1 to make init reread inittab.

Best Regards,
Luke


Re: Setting up and managing logs?
Posted by lpenz (200.102.xx.xx) on Wed 1 Mar 2006 at 19:19
You can also use root-tail to get the log written to the X background.


Re: Setting up and managing logs?
Posted by suspended user ychaouche (81.52.xx.xx) on Tue 1 Feb 2011 at 08:59
Wow, impressive !
