logcheck – who is checking your logs?
This article describes how I installed and configured logcheck. logcheck
is a program which helps with the processing of system logfiles.
[Ed. note: it was originally produced by Psionic Software which has since
been acquired by Cisco.]
NOTE: Logcheck has changed. This article no longer describes it well.
Use this post instead
logcheck is now a port
and can be found in
Any system generates log files. And do you read them? You should.
Often it is the only way you are going to detect a problem. logcheck helps with
that process. As the website says:
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.
You can set up logcheck to run at any given interval. Every day.
Every hour. Just put it in your crontab and you’re set.
The key thing about logfiles is people forget to read them. But logcheck
will scan the logfiles frequently and report any problem immediately. That’s what I
like about it. You find out about a problem the next time you read your mail, not
when you remember to check the logs.
The install – port
Remember, I have the entire ports tree installed. So
I did this:
cd /usr/ports/security/logcheck
make
make install
The install – non-port
This is not a port. So I did this:
cd /usr/local
mkdir psionic
chdir psionic
fetch -P http://www.psionic.org/downloads/logsentry-1.1.1.tar.gz
tar xvfz logsentry-1.1.1.tar.gz
cd logcheck-1.1.1
Your first step should be to read the INSTALL file. I already had syslogd
configured to log what I needed. So my first step was to configure Makefile.
The default location for the files is /usr/local/etc. I changed that to /usr/local/psionic/logcheck.
Just my preference.
Then I typed:
Read the README and INSTALL files supplied with the application.
I run logcheck every 15 minutes. You decide how often is right for you.
Here is my entry from /etc/crontab. Note there are tabs between the columns
before and after each *, not spaces.
0,15,30,45 * * * * root /bin/sh /usr/local/psionic/logcheck/logcheck.sh
Or, if you used the port, you’d want this:
0,15,30,45 * * * * root /bin/sh /usr/local/etc/logcheck.sh
The only problem I found was conflicts between LogCheck and newsyslog.
I was getting this in my LogCheck output.
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
File /var/log/messages cannot be read.
I think this occurs because newsyslog has been started at the same time as LogCheck.
The way I chose to deal with it was to change the time at which LogCheck ran.
1,16,31,46 * * * * root ...etc
If you installed from the ports, you’ll want /usr/local/etc/logcheck.sh in
the line above. If you didn’t, the above will work fine, based on the changes made
during the install.
This should make sure that syslogd is stopped by the time logcheck.sh
NOTE: I think the above may cause some problems in missed log scans. If the logs
are rolled over on the hour, then the logcheck at 1 minute after the hour will miss the
last part of the log which was just rolled over. I’ll talk to the author about this.
Also, if you run logcheck 1 minute before newsyslog, you might miss messages, but
only one minute's worth in that case. Still not ideal.
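One way to close the gap described above, shown here as an added example rather than logcheck's own code: a small offset-tracking scanner in the spirit of logtail that notices a newsyslog rotation between two runs and finishes reading the rotated copy before starting on the fresh file. It assumes (my assumption, not from the article) that newsyslog rotates /var/log/messages to messages.0 without compression; the log lines in the scenario are constructed.

```python
import os
import tempfile

def scan_log(path, state):
    """Return the complete new lines since the previous scan; update state.

    state holds the inode and byte offset saved by the previous scan.  If
    newsyslog rotated the file in between (inode changed, or the file is now
    shorter than the saved offset), the unread tail of the rotated copy at
    path + ".0" is reported first, so lines written just before the rotation
    are not lost.  Assumption: rotation is uncompressed, to a plain path.0.
    """
    lines = []
    st = os.stat(path)
    prev_ino, off = state.get("inode"), state.get("offset", 0)
    if prev_ino is not None and (st.st_ino != prev_ino or st.st_size < off):
        rotated = path + ".0"
        if os.path.exists(rotated):
            with open(rotated, "rb") as f:
                f.seek(off)
                lines += [l.decode(errors="replace").rstrip("\n") for l in f]
        off = 0
    with open(path, "rb") as f:
        f.seek(off)
        data = f.read()
    # Only consume whole lines; a half-written final line waits for next scan.
    end = data.rfind(b"\n") + 1
    lines += [l.decode(errors="replace") for l in data[:end].splitlines()]
    state["inode"], state["offset"] = st.st_ino, off + end
    return lines

def simulate_newsyslog_rotation():
    """Constructed scenario: two 15-minute scans with a rotation in between.
    Returns the lines each scan reported."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "messages")
        state = {}
        with open(log, "w") as f:
            f.write("Jan  1 00:00:01 host sshd[100]: Accepted publickey for alice\n")
        first = scan_log(log, state)
        # Written after the first scan but before newsyslog ran: this is the
        # part of the log the article worries about missing.
        with open(log, "a") as f:
            f.write("Jan  1 00:14:59 host sshd[101]: Invalid user bob from 192.0.2.7\n")
        os.rename(log, log + ".0")          # newsyslog: messages -> messages.0
        with open(log, "w") as f:
            f.write("Jan  1 00:15:02 host newsyslog[200]: logfile turned over\n")
        second = scan_log(log, state)
    return first, second
```

Run from cron in place of the offset logic alone and the 1-minute shift in the crontab becomes unnecessary, since a rotation on the hour no longer hides the last messages of the old file.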