logcheck – who is checking your logs?

This article describes how I installed and configured logcheck. logcheck is a program that helps with the processing of system logfiles. [Ed. note: it was originally produced by Psionic Software, which has since been acquired by Cisco.]

NOTE: Logcheck has changed. This article no longer describes it well. Use this post instead.

NOTE: logcheck is now a port and can be found in
Why bother?

Any system generates log files. And do you read them? You should. Often it is the only way you are going to detect a problem. logcheck helps with that process. As the website says:
Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.
You can set up logcheck to run at any given interval. Every day. Every hour. Just put it in your crontab and you’re set.
The key thing about logfiles is people forget to read them. But logcheck will scan the logfiles frequently and report any problem immediately. That’s what I like about it. You find out about a problem the next time you read your mail, not when you remember to check the logs.
The install – port

Remember, I have the entire ports tree installed. So I did this:

cd /usr/ports/security/logcheck
make
make install
The install – non-port

This is not a port. So I did this:

cd /usr/local
mkdir psionic
cd psionic
fetch -P http://www.psionic.org/downloads/logsentry-1.1.1.tar.gz
tar xvfz logsentry-1.1.1.tar.gz
cd logcheck-1.1.1
Your first step should be to read the INSTALL file. I already had syslogd configured to log what I needed, so my first step was to edit the Makefile. The default location for the files is /usr/local/etc. I changed that to /usr/local/psionic/logcheck. Just my preference.
Then I typed:
Read the README and INSTALL files supplied with the application.
Running logcheck

I run logcheck every 15 minutes. You decide how often is right for you. Here is my entry from /etc/crontab. Note there are tabs between the columns before and after each *, not spaces.
0,15,30,45 * * * * root /bin/sh /usr/local/psionic/logcheck/logcheck.sh
Or, if you used the port, you’d want this:
0,15,30,45 * * * * root /bin/sh /usr/local/etc/logcheck.sh
Problems

The only problem I found was conflicts between LogCheck and newsyslog. I was getting this in my LogCheck output:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
File /var/log/messages cannot be read.
I think this occurs because newsyslog has been started at the same time as LogCheck. The way I chose to deal with it was to change the time at which LogCheck ran.
1,16,31,46 * * * * root ...etc
If you installed from the ports, you’ll want /usr/local/etc/logcheck.sh in the line above. If you didn’t, the above will work fine, based on the changes made during the install.
This should make sure that newsyslog has finished rotating the logs (and syslogd has been restarted) by the time logcheck.sh runs.
NOTE: I think the above may cause some problems in missed log scans. If the logs are rolled over on the hour, then the logcheck run at 1 minute after the hour will miss the last part of the log which was just rolled over. I’ll talk to the author about this. Also, if you run logcheck 1 minute before newsyslog, you might miss messages, but only one minute’s worth in that case. Still not ideal.
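The missed-lines problem above comes from how an offset-based scanner works: it remembers how far into /var/log/messages it read last time, and when newsyslog moves the file aside and starts a fresh one, that offset no longer points at anything useful, so whatever was appended between the last scan and the rotation is never reported. The following script is an added example, not logcheck’s own code or anything from its author: it reproduces that race with a constructed messages file, then shows the fix of reading the unread tail of the rotated copy (messages.0) before starting on the new file. The function names (scan_new_lines, run_scenario), the state file and the sample log lines are all made up for this illustration.

```sh
#!/bin/sh
# Added example: an offset-based log scanner (the idea behind logtail) and the
# gap it leaves when newsyslog rotates the file between two runs.
# WORKDIR, LOG, STATE and the log lines below are constructed for this demo.

WORKDIR=$(mktemp -d)
LOG="$WORKDIR/messages"          # stands in for /var/log/messages
STATE="$WORKDIR/messages.state"  # "<byte offset> <inode>" of the last scan

log()    { echo "$1" >> "$LOG"; }                  # syslogd appending a line
rotate() { mv "$LOG" "$LOG.0"; : > "$LOG"; }        # what newsyslog does (simplified)

# Print every line appended since the previous scan, then record where we stopped.
# $1 = 1: when a rotation is detected, first drain the unread tail of messages.0.
# $1 = 0: plain behaviour, just restart from the top of the new file (tail is lost).
scan_new_lines() {
    catchup=$1
    last=0; last_inode=""
    [ -f "$STATE" ] && read -r last last_inode < "$STATE"
    size=$(wc -c < "$LOG" | tr -d ' ')
    inode=$(ls -i "$LOG" | awk '{print $1}')
    # A new inode or a file smaller than our offset means the log was rotated.
    if { [ -n "$last_inode" ] && [ "$inode" != "$last_inode" ]; } || [ "$size" -lt "$last" ]; then
        if [ "$catchup" -eq 1 ] && [ -f "$LOG.0" ]; then
            tail -c +"$((last + 1))" "$LOG.0"   # finish the old file first
        fi
        last=0
    fi
    tail -c +"$((last + 1))" "$LOG"              # bytes after the saved offset
    echo "$size $inode" > "$STATE"
}

# Timeline from the article: scans at :46 and :01, newsyslog on the hour.
# Returns (prints) what the :01 scan reports.
run_scenario() {
    : > "$LOG"; rm -f "$LOG.0" "$STATE"
    log "Jan  1 00:46:00 host sshd[100]: Accepted publickey for alice"
    scan_new_lines "$1" > /dev/null                                   # the 00:46 run
    log "Jan  1 00:59:30 host sshd[101]: Failed password for root"    # written after it
    rotate                                                            # newsyslog at 01:00
    log "Jan  1 01:00:30 host cron[102]: (root) CMD (logcheck)"
    scan_new_lines "$1"                                               # the 01:01 run
}

echo "plain offset scan reports:";  run_scenario 0
echo "rotation-aware scan reports:"; run_scenario 1
```

Run it with sh and compare the two reports: the plain scan never shows the 00:59 failed login, because that line lives in messages.0 beyond any offset the new file has; the rotation-aware scan prints it, then the line from the new file. Checking the inode as well as the size matters, because a new file that has already grown past the old offset would otherwise look like a normal continuation and the rotation would go unnoticed.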