The FreeBSD Diary
logcheck - who is checking your logs? 19 December 1999
This article describes how I installed and configured logcheck. logcheck is a program which helps with the processing of system logfiles. [Ed. note: it was originally produced by Psionic Software, which has since been acquired by Cisco.]

NOTE: Logcheck has changed. This article no longer describes it well. Use this post instead

NOTE: Logcheck has changed so very much. I recommend reading my more recent article.

NOTE: logcheck is now a port and can be found in security/logcheck.

Why bother?
Any system generates log files. And do you read them? You should. Often it is the only way you are going to detect a problem. logcheck helps with that process. As the website says:
Logcheck helps spot problems and security violations in your logfiles 
automatically and will send the results to you in e-mail.

You can set up logcheck to run at any given interval.  Every day.   Every hour.  Just put it in your crontab and you're set.

The key thing about logfiles is people forget to read them.  But logcheck will scan the logfiles frequently and report any problem immediately.  That's what I like about it.  You find out about a problem the next time you read your mail, not when you remember to check the logs.

The install - port
Remember, I have the entire ports tree installed.  So I did this:
cd /usr/ports/security/logcheck
make
make install
The install - non-port
This is not a port. So I did this:
cd /usr/local
mkdir psionic
cd psionic
fetch -P http://www.psionic.org/downloads/logsentry-1.1.1.tar.gz
tar xvfz logsentry-1.1.1.tar.gz
cd logcheck-1.1.1

The download was later renamed from logcheck to logsentry. If the archive you fetched has a different name, use that name in the tar command and cd into whatever directory it unpacks to.

Your first step should be to read the INSTALL file.  I already had syslogd configured to log what I needed.  So my first step was to configure Makefile.   The default location for the files is /usr/local/etc.  I changed that to /usr/local/psionic/logcheck.  Just my preference.

Then I typed:

make freebsd

Read the README and INSTALL files supplied with the application.

Running logcheck
I run logcheck every 15 minutes. You decide how often is right for you. Here is my entry from /etc/crontab. In my file the columns are separated by tabs; cron accepts either tabs or spaces between the fields.
0,15,30,45 * * * * root /bin/sh /usr/local/psionic/logcheck/logcheck.sh

Or, if you used the port, you'd want this:

0,15,30,45 * * * * root /bin/sh /usr/local/etc/logcheck.sh
Problems
The only problem I found was a conflict between LogCheck and newsyslog. I was getting this in my LogCheck output.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
File /var/log/messages cannot be read.

I think this occurs because newsyslog has been started at the same time as LogCheck. The way I chose to deal with it was to change the time at which LogCheck ran.

1,16,31,46 * * * * root ...etc

If you installed from the ports, you'll want /usr/local/etc/logcheck.sh in the line above.  If you didn't, the above will work fine, based on the changes made during the install.

This should make sure that newsyslog has finished turning the logs over by the time logcheck.sh runs.

NOTE: I think the above may cause some problems in missed log scans. If the logs are rolled over on the hour, then the logcheck at 1 minute after the hour will miss the last part of the log which was just rolled over. I'll talk to the author about this. Also, if you run logcheck 1 minute before newsyslog, you might miss messages, but only one minute in that case. Still not ideal.
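To make the two halves of this article concrete (what logcheck actually does with the new lines each cron run, and what goes wrong when newsyslog turns the log over between runs), here is an added example of my own, not logcheck's code and not the port's. It mimics logcheck.sh and its logtail helper: remember the byte offset from the last run, classify only the new lines against the hacking, violations and ignore pattern files, and print the three report sections with the =-=-= rulers. It adds one thing to handle the problem above: when the log has shrunk because newsyslog rotated it, the tail of the rotated file (messages.0) is read from the old offset before the new file is read, so the lines written between the last run and the rotation are reported instead of lost. The pattern-file layout (one grep -f pattern per line), the single ignore list (real logcheck also has a separate violations.ignore) and all the log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a minimal logcheck-style scanner
# with a rotation-aware logtail.  Pattern files hold one basic regex per
# line, as grep -f expects; one ignore list serves both sections (assumption).

# section TITLE BODY: print one report section, or nothing if BODY is empty.
section() {
    [ -n "$2" ] || return 0
    printf '%s\n=-=-=-=-=-=-=-=-=-=-=\n%s\n\n' "$1" "$2"
}

# read_new_lines LOGFILE STATEFILE [ROTATEDFILE]
# Print what was appended to LOGFILE since the byte offset stored in
# STATEFILE, then store the new offset.  The size is sampled before the
# read, so a line that lands mid-read is reported twice rather than dropped.
# If LOGFILE is now smaller than the saved offset, newsyslog has moved the
# old file aside: drain ROTATEDFILE from the old offset first, then start
# the new file from byte 0.  (A rotation that already grew the new file past
# the old offset is invisible here, just as it is to logtail.)
read_new_lines() {
    local log=$1 state=$2 rotated=${3:-} offset=0 size
    if [ ! -r "$log" ]; then
        echo "File $log cannot be read."    # the message quoted in the article
        return 1
    fi
    [ -r "$state" ] && offset=$(cat "$state")
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -lt "$offset" ]; then
        if [ -n "$rotated" ] && [ -r "$rotated" ]; then
            tail -c +$((offset + 1)) "$rotated"
        fi
        offset=0
    fi
    tail -c +$((offset + 1)) "$log"
    echo "$size" > "$state"
}

# scan_lines HACKING VIOLATIONS IGNORE: classify the lines on stdin the way
# logcheck.sh does.  Attack and violation lines also show up under "Unusual
# System Events" unless the ignore list drops them, as in logcheck.
scan_lines() {
    local hacking=$1 violations=$2 ignore=$3 input
    input=$(cat)
    [ -n "$input" ] || return 0
    section "Active System Attack Alerts" \
        "$(printf '%s\n' "$input" | grep -i -f "$hacking")"
    section "Security Violations" \
        "$(printf '%s\n' "$input" | grep -i -f "$violations" | grep -i -v -f "$ignore")"
    section "Unusual System Events" \
        "$(printf '%s\n' "$input" | grep -i -v -f "$ignore")"
}

# demo_rotation: build a throwaway log directory with constructed lines, run
# one scan, append a line, rotate the way newsyslog does, scan again and
# print the second report.  The inetd line lands after the first run and
# before the rotation; stock logtail would never see it.
demo_rotation() {
    local tmp log state lists
    tmp=$(mktemp -d) || return 1
    log=$tmp/messages; state=$tmp/messages.offset
    printf '%s\n' 'refused connection' 'LOGIN FAILURE' > "$tmp/logcheck.hacking"
    printf '%s\n' 'su:' 'denied' > "$tmp/logcheck.violations"
    printf '%s\n' 'Accepted publickey' 'sendmail.*rebuilt' > "$tmp/logcheck.ignore"
    cat > "$log" <<'EOF'
Dec 19 10:00:01 bast sshd[123]: Accepted publickey for dan from 10.0.0.5 port 4022
Dec 19 10:00:02 bast su: dan to root on /dev/ttyp0
Dec 19 10:00:03 bast sendmail[456]: alias database /etc/aliases rebuilt by root
EOF
    # First run (the su line is reported); the offset is now the end of the file.
    read_new_lines "$log" "$state" "$log.0" \
        | scan_lines "$tmp/logcheck.hacking" "$tmp/logcheck.violations" "$tmp/logcheck.ignore" > /dev/null
    # A line arrives, then newsyslog turns the log over before the next run.
    echo 'Dec 19 10:05:11 bast inetd[77]: refused connection from 203.0.113.9, service telnet (tcp)' >> "$log"
    mv "$log" "$log.0"
    echo 'Dec 19 11:00:00 bast newsyslog[500]: logfile turned over' > "$log"
    # Second run: the inetd line is recovered from messages.0 instead of lost.
    read_new_lines "$log" "$state" "$log.0" \
        | scan_lines "$tmp/logcheck.hacking" "$tmp/logcheck.violations" "$tmp/logcheck.ignore"
    rm -rf "$tmp"
}
```

Run demo_rotation and the second report shows the inetd line under "Active System Attack Alerts" and again under "Unusual System Events", with the newsyslog "logfile turned over" line beside it; the su line from the first run does not reappear. If newsyslog compresses the rotated file (the Z flag in newsyslog.conf), point the third argument at the .gz and replace the tail on the rotated file with zcat piped into tail. Mailing the report instead of printing it is a matter of piping the output into mail(1), which is all logcheck.sh does with it.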
