Things look quiet here. But I've been doing a lot of blogging at
dan.langille.org because I prefer WordPress now.
Not all my posts there are FreeBSD related.
I am in the midst of migrating The FreeBSD Diary over to WordPress
(and you can read about that here).
Once the migration is completed, I'll move the FreeBSD posts into the
new FreeBSD Diary website.
logcheck - who is checking your logs?19 December 1999
This article describes how I installed and configure logcheck. logcheck
is a program which helps the processing of system logfiles.
[Ed. note: it was originally produced by Psionic Software which has since
been acquired by Cisco.]
NOTE: Logcheck has changed. This article no longer describes it well.
Use this post instead
NOTE: Logcheck has changed so very much. I recommend reading my more recent article.
NOTE: logcheck is now a port
and can be found in security/logcheck.
Why bother?
Any system generates log files. And do you read them? You should.
Often it is the only want you are going to detect a problem. logcheck helps with
that process. As the website says:
Logcheck helps spot problems and security violations in your logfiles
automatically and will send the results to you in e-mail.
You can set up logcheck to run at any given interval. Every day.
Every hour. Just put it in your crontab and you're set.
The key thing about logfiles is people forget to read them. But logcheck
will scan the logfiles frequently and report any problem immediately. That's what I
like about it. You find out about a problem the next time you read your mail, not
when you remember to check the logs.
cd /usr/local
mkdir psionic
chdir psionic
fetch -P http://www.psionic.org/downloads/logsentry-1.1.1.tar.gz
tar xvfz logcheck-1.1.1.tar.gz
cd logcheck-1.1.1
Your first step should be to read the INSTALL file. I already had syslogd
configured to log what I needed. So my first step was to configure Makefile.
The default location for the files is /usr/local/etc. I changed that to /usr/local/psionic/logcheck.
Just my preference.
Then I typed:
make freebsd
Read the README and and INSTALL files supplied with the application.
Running logcheck
I run logcheck every 15 minutes. You decide how often is right for you.
Here is my entry from /etc/crontab. Note there are tabs between the columns
before and after each *, not spaces.
The only problem I found was conflicts between LogCheck and newsyslog.
I was getting this in my LogCheck output.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
File /var/log/messages cannot be read.
I think this occurs because newsyslog has been started at the same time as LogCheck.
The way I choose to deal with it was to change the time at which LogCheck ran.
1,16,31,46 * * * * root ...etc
If you installed from the ports, you'll want /usr/local/etc/logcheck.sh in
the line above. If you didn't, the above will work fine, based on the changes made
during the install.
This should make sure that syslogd is stopped by the time logcheck.sh
runs.
NOTE: I think the above may cause some problems in missed log scans. If the logs
are rolled over on the hour, then the logcheck at 1 minute after the hour will miss the
last part of the log which was just rolled over. I'll talk to the author about this.
Also, if you run logcheck 1 minute before newsyslog, you might miss messages, but
only only one minute in that case. Still not ideal.
