Keeping an eye upon logfiles

Posted by Steve on Tue 28 Sep 2004 at 15:17

When you look after a group of machines it becomes increasingly difficult to watch the logfiles to see if anything suspicious is happening.

Enter logwatch, a simple Perl script which keeps an eye on all the common logfiles syslog produces and mails you a summary.

The summaries are simple enough to read and are sent by email once a day. They show things like available disk space, logins, rejected logins, commands run by users via sudo and more.

This is a much less intensive approach than installing logcheck and receiving numerous daily emails.
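To show what a once-a-day summary of this kind is built from, here is an added example in Python. It is not logwatch's code and not part of the original article: it reads constructed syslog lines and produces the three sections the article mentions, accepted logins, rejected logins and sudo commands. The host names, users, addresses and log lines are made up for the example, and the regular expressions are my own rather than logwatch's parsers.

```python
"""Added example (not logwatch's own code): a tiny logwatch-style daily
summariser run over constructed syslog lines.  It reports accepted and
rejected SSH logins per user and source address, and the commands users
ran through sudo.  Everything in SAMPLE_AUTH_LOG is made up."""
import re
from collections import Counter, defaultdict

# Constructed sample of one day's auth log (not real traffic).
SAMPLE_AUTH_LOG = """\
Sep 28 06:01:12 host1 sshd[2311]: Accepted publickey for steve from 10.0.0.5 port 51422 ssh2
Sep 28 06:03:40 host1 sshd[2330]: Failed password for root from 192.0.2.44 port 40111 ssh2
Sep 28 06:03:44 host1 sshd[2330]: Failed password for root from 192.0.2.44 port 40111 ssh2
Sep 28 06:03:49 host1 sshd[2332]: Failed password for invalid user admin from 192.0.2.44 port 40113 ssh2
Sep 28 07:15:02 host1 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/usr/bin/apt-get update
Sep 28 07:15:30 host1 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 28 09:42:11 host1 sshd[2510]: Accepted password for alice from 10.0.0.9 port 53012 ssh2
Sep 28 11:00:00 host1 CRON[2600]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Patterns for the sshd and sudo message formats used above (my own,
# not logwatch's).  "invalid user" lines are folded into the failed count.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
FAILED = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def summarise(log_text):
    """Return counters in the spirit of a logwatch summary.

    accepted / failed: (user, source address) -> number of events
    sudo: invoking user -> list of (target user, command)
    Lines no pattern matches (cron here) are simply not counted.
    """
    accepted = Counter()
    failed = Counter()
    sudo_cmds = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            accepted[(m.group(2), m.group(3))] += 1
            continue
        m = FAILED.search(line)
        if m:
            failed[(m.group(2), m.group(3))] += 1
            continue
        m = SUDO.search(line)
        if m:
            sudo_cmds[m.group(1)].append((m.group(2), m.group(3).strip()))
    return {"accepted": accepted, "failed": failed, "sudo": dict(sudo_cmds)}


def render(summary):
    """Format the counters as the text block a daily mail would carry."""
    out = ["--- SSH logins ---"]
    for (user, src), n in sorted(summary["accepted"].items()):
        out.append(f"  {user} from {src}: {n} time(s)")
    out.append("--- Rejected SSH logins ---")
    for (user, src), n in sorted(summary["failed"].items()):
        out.append(f"  {user} from {src}: {n} time(s)")
    out.append("--- sudo ---")
    for user, cmds in sorted(summary["sudo"].items()):
        for target, cmd in cmds:
            out.append(f"  {user} -> {target}: {cmd}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_AUTH_LOG)))
```

The rejected-login section is the one worth reading carefully: the count per source address is what separates a typo from password guessing, and the sudo section shows exactly which commands ran as root. Remember that a summary mailed once a day is monitoring, not alerting; by the time you read it the day is over.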

Re: Keeping an eye upon logfiles
Posted by jlps (62.3.xx.xx) on Wed 4 May 2005 at 01:41
I've no idea what you mean by "numerous daily emails", if you use the proper level (workstation, server or paranoid) for your environment you shouldn't receive any messages from logcheck unless something unusual happens.

If there are messages which are not ignored by logcheck that should be, you should submit bugs against logcheck-database and we'll ensure that they are ignored in the next release.

Don't knock something until you've tried it, properly.

-jamie


Re: Keeping an eye upon logfiles
Posted by Steve (82.41.xx.xx) on Wed 4 May 2005 at 01:57
Once upon a time I used to be the package maintainer for the logcheck package, so I'm happy I know it...

It's not so much that it sends lots of mails, more that if you're using it on lots of machines one mail from each is too many. Yes it can be tweaked, but it's a trickyish job.

Steve
-- Steve.org.uk


Re: Keeping an eye upon logfiles
Posted by GoodTimes (65.247.xx.xx) on Mon 16 May 2005 at 17:25
That logcheck package is excellent though.

If you filter out all the known messages that the maintainers don't have in their filtering, then you won't get email from machines that have their logs completely filtered.

It's pretty easy, though it did take me a couple of years of using the product before I finally got around to doing it on my machines, but since I've done it, I've found the already useful package more useful.

However, there is a program out there called lc_consolidator that I'd like to see become a Debian package. It takes logcheck messages from multiple machines and merges them into one email.

aaron
Through correctness comes ease
-Chiun
-The Destroyer series

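The filtering aaron describes is done by writing ignore rules. The following is an added example, not logcheck's code and not from the thread: a constructed local ignore file in the style of the files under /etc/logcheck/ignore.d.server/, applied in Python to constructed log lines, returning the lines that would still be mailed. logcheck itself runs its rule files through egrep -v; Python's re module stands in for that here, so the rules use [A-Za-z0-9._-] where a real logcheck rule would write [[:alnum:]]. It also shows the check worth doing before adding a rule: a loose pattern such as OVERBROAD_RULE below silences failed root logins along with the noise, which is why logcheck's own rules are anchored at both ends and match the whole line.

```python
"""Added example (not logcheck's code): logcheck-style ignore rules applied
to constructed log lines.  Lines no rule matches are what would be mailed.
Rules, host names, addresses and log lines are all made up."""
import re

# Constructed rules in the style of /etc/logcheck/ignore.d.server/local-*.
# Each rule starts with the syslog timestamp and host and ends with $, so it
# cannot quietly swallow more than it was written for.
LOCAL_IGNORE_RULES = r"""
# Hourly cron run, only from root and only the stock run-parts invocation.
^\w{3} [ :0-9]{11} [A-Za-z0-9._-]+ CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$
# Key-based logins by our own admins from the management network.
^\w{3} [ :0-9]{11} [A-Za-z0-9._-]+ sshd\[[0-9]+\]: Accepted publickey for (steve|alice) from 10\.0\.0\.[0-9]+ port [0-9]+ ssh2$
"""

# The kind of rule that makes "no mail" mean "no visibility": it matches
# every sshd line, failed logins included.
OVERBROAD_RULE = r"^\w{3} [ :0-9]{11} [A-Za-z0-9._-]+ sshd\["

# Constructed log lines: two routine, three that an admin should see.
SAMPLE_LOG = [
    "Sep 28 11:00:01 host1 CRON[2600]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 28 06:01:12 host1 sshd[2311]: Accepted publickey for steve from 10.0.0.5 port 51422 ssh2",
    "Sep 28 06:03:40 host1 sshd[2330]: Failed password for root from 192.0.2.44 port 40111 ssh2",
    "Sep 28 06:05:00 host1 sshd[2340]: Accepted password for steve from 198.51.100.7 port 40222 ssh2",
    "Sep 28 11:00:02 host1 CRON[2601]: (www-data) CMD (run-parts /etc/cron.hourly)",
]


def load_rules(text):
    """Compile every non-empty, non-comment line of a rule file as a regex."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(re.compile(line))
    return rules


def report(lines, rules):
    """Return the lines no ignore rule matches: what logcheck would mail."""
    return [line for line in lines if not any(r.search(line) for r in rules)]


if __name__ == "__main__":
    good = load_rules(LOCAL_IGNORE_RULES)
    print("With anchored rules, still reported:")
    for line in report(SAMPLE_LOG, good):
        print("  " + line)
    bad = load_rules(LOCAL_IGNORE_RULES + "\n" + OVERBROAD_RULE)
    print("With the over-broad sshd rule added, still reported:")
    for line in report(SAMPLE_LOG, bad):
        print("  " + line)
```

With the anchored rules only the failed root login, the password login from an outside address and the cron job run as www-data survive, which is the right outcome. Add the over-broad rule and only the www-data line is left; the mailbox is quiet, but so is the intrusion signal. Run a candidate rule against a day of real logs and read what it removes before installing it.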

Re: Keeping an eye upon logfiles
Posted by Anonymous (193.179.xx.xx) on Sun 26 Jun 2005 at 13:20
Where can this "lc_consolidator" be found? Google can't find anything.

mf


Re: Keeping an eye upon logfiles
Posted by GoodTimes (65.247.xx.xx) on Mon 27 Jun 2005 at 14:07
Sorry, I spelled it the same way as the username I use. But here is a link to it on freshmeat where I found it.
With this tool putting all your messages together, and logcheck's filters weeding out unnecessary lines, you can get it so that you only have one relatively small message.


http://freshmeat.net/projects/lc/
Through correctness comes ease
-Chiun
-The Destroyer series


Re: Keeping an eye upon logfiles
Posted by chocoholic (203.23.xx.xx) on Wed 15 Jun 2005 at 02:59
While logwatch and logcheck are similar tools they have different roles.

Logwatch provides a summarized output of your log files on a, say, daily basis. This can be used to monitor activity and take preventive measures (eg when running low on disk space).

Logcheck is used for alarming purposes. You are only supposed to get output from it when there is something already wrong. It is used to notify the administrator as soon as possible if a fault or intrusion occurred.

Monitoring and alarming are two distinct tasks, both are part of a system administrator's toolkit however.


Re: Keeping an eye upon logfiles
Posted by Anonymous (81.179.xx.xx) on Wed 26 Oct 2005 at 22:30
Huh? logwatch sends you an email per machine per day, logcheck only emails you when something is wrong, so you may not get any emails for weeks.


Re: Keeping an eye upon logfiles
Posted by Anonymous (213.208.xx.xx) on Fri 11 Nov 2005 at 13:48
Summary, not summery - unless you wish to describe it as a season ;)


Re: Keeping an eye upon logfiles
Posted by Steve (82.41.xx.xx) on Fri 11 Nov 2005 at 13:53
Thanks, corrected now.

Steve


Re: Keeping an eye upon logfiles
Posted by summitwulf (72.130.xx.xx) on Mon 20 Feb 2006 at 03:04
Do you know of a good tutorial or explanation of how to set up this program? The official site doesn't have good documentation, and explanations on the web seem to be lacking.

SW
