(Uninstall the logsentry package)
# emerge -C logsentry
(Remove leftover files)
# rm -rf /etc/logcheck
Now you can proceed with the installation of logcheck.
# emerge -av app-admin/logcheck
options {
owner(root);
(Make log files group-readable by logcheck)
group(logcheck);
perm(0640);
};
Now reload the configuration and make sure the changes work as expected.
# /etc/init.d/syslog-ng reload
(Make sure /var/log/messages has correct permissions)
# ls -l /var/log/messages
-rw-r----- 1 root logcheck 1694438 Feb 12 12:18 /var/log/messages
You should now adjust some basic
# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
(The workstation level includes server, and server includes paranoid. The paranoid level filters almost no messages)
REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"
(Make sure you can receive the logcheck e-mails. Testing is strongly recommended)
SENDMAILTO="root"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.
(If you get a lot of similar messages in the logs, you may want to install app-admin/syslog-summary and enable this setting)
SYSLOGSUMMARY=0
You also have to tell
(This is an example for syslog-ng)
/var/log/messages
Finally, enable the logcheck cron job.
(Edit the cron file and follow the instructions inside)
# nano -w /etc/cron.hourly/logcheck.cron
Congratulations! Now you will be regularly getting important log messages by email. An example message looks like this:
System Events
=-=-=-=-=-=-=
Feb 10 17:13:53 localhost kernel: [30233.238342] conftest[25838]: segfault at 40 ip 40061403 sp bfc443c4 error 4 in libc-2.10.1.so[4003e000+142000]
Feb 11 12:31:21 localhost postfix/pickup[18704]: fatal: could not find any active network interfaces
Feb 11 12:31:22 localhost postfix/master[3776]: warning: process //usr/lib/postfix/pickup pid 18704 exit status 1
Feb 11 12:31:22 localhost postfix/master[3776]: warning: //usr/lib/postfix/pickup: bad command startup -- throttling
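How the REPORTLEVEL layering and the report sections above fit together, as an added example that is not part of the original page or of logcheck itself: a small POSIX shell emulation of logcheck's rule matching, using a temporary directory in place of /etc/logcheck. All rules, log lines and function names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page or from logcheck itself: a
# simplified emulation of how logcheck builds the "Security Events" and "System
# Events" sections, using a temporary directory in place of /etc/logcheck.
RULES=$(mktemp -d); LOGS=$(mktemp)
trap 'rm -rf "$RULES" "$LOGS"' EXIT
for d in ignore.d.paranoid ignore.d.server ignore.d.workstation violations.d violations.ignore.d; do mkdir -p "$RULES/$d"; done
# Constructed rules, one POSIX extended regex per line as logcheck expects. TS is
# the usual timestamp/host prefix, written portably ([A-Z][a-z]{2} instead of \w{3}).
TS='^[A-Z][a-z]{2} [ :0-9]{11} [._[:alnum:]-]+ '
printf '%s\n' "${TS}syslog-ng\[[0-9]+\]: Configuration reload request received" > "$RULES/ignore.d.paranoid/syslog-ng"
printf '%s\n' "${TS}CRON\[[0-9]+\]: \(root\) CMD" > "$RULES/ignore.d.server/cron"
printf '%s\n' "${TS}kernel: \[[ .0-9]+\] usb [0-9.-]+: new " > "$RULES/ignore.d.workstation/kernel"
printf '%s\n' "${TS}su\[[0-9]+\]: " > "$RULES/violations.d/su"
printf '%s\n' "${TS}su\[[0-9]+\]: Successful su for [._[:alnum:]-]+ by root$" > "$RULES/violations.ignore.d/logcheck-su"
# Constructed log lines standing in for the new lines logtail2 hands to logcheck.
cat > "$LOGS" <<'EOF'
Feb 12 11:59:50 localhost syslog-ng[999]: Configuration reload request received, reloading configuration;
Feb 12 12:00:01 localhost CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Feb 12 12:00:05 localhost kernel: [123.4] usb 1-1: new high-speed USB device number 3
Feb 12 12:01:10 localhost su[2345]: Successful su for postgres by root
Feb 12 12:02:30 localhost su[2346]: FAILED SU (to root) alice on pts/0
Feb 12 12:03:00 localhost postfix/pickup[18704]: fatal: could not find any active network interfaces
EOF
# ignore_dirs LEVEL: the ignore.d.* directories a REPORTLEVEL consults
# (workstation includes server, server includes paranoid; unset/unknown means server).
ignore_dirs() {
  case "$1" in
    paranoid)    echo ignore.d.paranoid ;;
    workstation) echo ignore.d.paranoid ignore.d.server ignore.d.workstation ;;
    *)           echo ignore.d.paranoid ignore.d.server ;;
  esac
}
# system_events LEVEL: every new log line not matched by an ignore rule for LEVEL.
system_events() {
  pat=$(mktemp)
  for d in $(ignore_dirs "$1"); do cat "$RULES/$d"/* >> "$pat" 2>/dev/null || true; done
  grep -v -E -f "$pat" "$LOGS" || true
  rm -f "$pat"
}
# security_events: lines hit by violations.d/su, minus the violations.ignore.d exceptions.
security_events() {
  grep -E -f "$RULES/violations.d/su" "$LOGS" | grep -v -E -f "$RULES/violations.ignore.d/logcheck-su" || true
}
# report LEVEL: both sections in the layout of the example e-mail.
report() {
  printf 'Security Events for su\n=-=-=-=-=-=-=-=-=-=-=-\n'; security_events
  printf '\nSystem Events\n=-=-=-=-=-=-=\n'; system_events "$1"
}
report server
```

Run it with a different argument to `report` (or `system_events`) to see how many lines each level lets through: the same six constructed lines yield five, four and three System Events at paranoid, server and workstation respectively.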
You can use the logcheck's
# su -s /bin/bash -c '/usr/sbin/logcheck -d' logcheck
D: [1281318818] Turning debug mode on
D: [1281318818] Sourcing - /etc/logcheck/logcheck.conf
D: [1281318818] Finished getopts c:dhH:l:L:m:opr:RsS:tTuvw
D: [1281318818] Trying to get lockfile: /var/lock/logcheck/logcheck.lock
D: [1281318818] Running lockfile-touch /var/lock/logcheck/logcheck.lock
D: [1281318818] cleanrules: /etc/logcheck/cracking.d/kernel
...
D: [1281318818] cleanrules: /etc/logcheck/violations.d/su
D: [1281318818] cleanrules: /etc/logcheck/violations.d/sudo
...
D: [1281318825] logoutput called with file: /var/log/messages
D: [1281318825] Running /usr/sbin/logtail2 on /var/log/messages
D: [1281318825] Sorting logs
D: [1281318825] Setting the Intro
D: [1281318825] Checking for security alerts
D: [1281318825] greplogoutput: kernel
...
D: [1281318825] greplogoutput: returning 1
D: [1281318825] Checking for security events
...
D: [1281318825] greplogoutput: su
D: [1281318825] greplogoutput: Entries in checked
D: [1281318825] cleanchecked - file: /tmp/logcheck.uIFLqU/violations-ignore/logcheck-su
D: [1281318825] report: cat'ing - Security Events for su
...
D: [1281318835] report: cat'ing - System Events
D: [1281318835] Setting the footer text
D: [1281318835] Sending report: 'localhost 2010-08-09 03:53 Security Events' to root
D: [1281318835] cleanup: Killing lockfile-touch - 17979
D: [1281318835] cleanup: Removing lockfile: /var/lock/logcheck/logcheck.lock
D: [1281318835] cleanup: Removing - /tmp/logcheck.uIFLqU