Analyzing Your Logs with logcheck

Once your applications are logging to specific files, and the logs are being rotated, you can then manage and view your system statistics daily. If you would like to automate analysis of your log files for major occurrences, logcheck is here for you.

logcheck scans through your log files and searches for telltale security and error messages and emails you its findings at predefined times through cron. The logcheck process uses a bookmark feature to send you only its findings since the last logcheck run so that you do not receive the same errors for the same log file time and again.

logcheck is not included in the SUSE distribution, so the authors have created an RPM for SUSE 9.1 at See Chapter 12 for more information on installing RPM packages. You can also find the logcheck RPM at the book's companion Web site at

Once installed, the logcheck RPM creates an entry in /etc/cron.hourly. Any executable scripts in /etc/cron.hourly will be run every hour. This is appropriate for most busy systems as one logcheck run per day would produce a very large email sent to the root user.

Once logcheck runs, it will email the root user to tell him or her of any problems it has come across. It is up to the administrator to act upon the email and either fix or investigate the logcheck reports.

The /etc/logcheck directory contains four files. Two of these files are used to search through log files in the file and identify specific types of log messages to report, while the other two are used as lists of messages to ignore in the log files specified in the file. If a line in an ignore file is found, its appearance will not be reported. If on the other hand a line contains an entry in the logcheck.hacking or logcheck.violations, its appearance is reported to the administrator.

logcheck does not actually use a configuration file, but is controlled by the script, located in /usr/sbin/ By default, the script will scan /var/log/ messages, /var/log/warn, and /var/log/mail. To add or remove entries in the file, open the script and find the $LOGTAIL entries in the middle of the file. Listing 7-9 shows an example.

Listing 7-9: Entry for logcheck Log File to Monitor

$LOGTAIL /var/log/messages > $TMPDIR/check.$$ $LOGTAIL /var/log/warn >> $TMPDIR/check.$$ $LOGTAIL /var/log/mail >> $TMPDIR/check.$$

These entries direct logcheck to append messages from various system log files to a temporary file for later analysis. It is important to realize that the first $LOGTAIL entry copies the log file since the last read and the last two concatenate /var/log/warn and /var/log/mail into the temporary file. The $LOGTAIL environment variable is used to call the logtail application, which will read in a text file and output only new data since it was last passed through logtail. This stops you from receiving old warnings about log activity.

When the temporary file has been created, the whole file is compared against the hacking and violation files we talked about before.

It is a relatively involved process to get logcheck customized, and we have done the hard work for you to get it working with the SUSE RPM we build in the Chapter 12. We recommend you use this RPM as opposed to using the source distribution available unless you know what you are doing.

Listing 7-10 displays an example of mail sent to the root user by the logcheck script. Take note that under the heading Security Violations are two entries referring to failed login attempts via SSH.

Listing 7-10: logcheck Example Mail

From [email protected] Thu May 27 23:23:41 2004

X-Original-To: root

Delivered-To: [email protected]

Date: Thu, 27 May 2004 23:23:39 +0100

To: [email protected]

Subject: bible 05/27/04:23.23 system check

User-Agent: nail 10.6 11/15/03

MIME-Version: 1.0

Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: [email protected] (root)

Security Violations

May 27 23:23:35 bible sshd[5019]: error: PAM: Authentication failure May 27 23:23:35 bible sshd[5019]: error: PAM: Authentication failure

Unusual System Events

May 27 23:23:35 bible sshd[5019]: error: PAM: Authentication failure

May 27 23:23:35 bible sshd[5019]: error: PAM: Authentication failure

May 27 23:23:10 bible postfix/pickup[3881]: E47F918D21: uid=0 from=<root>

May 27 23:23:10 bible postfix/cleanup[4941]: E47F918D21: message-

id=<[email protected]>

May 27 23:23:11 bible postfix/qmgr[3882]: E47F918D21:

from=<[email protected]>, size=1161, nrcpt=1 (queue active)

May 27 23:23:11 bible postfix/local[4944]: E47F918D21: to=<[email protected]>, orig_to=<root>, relay=local, delay=1, status=sent (delivered to mailbox)

May 27 23:23:11 bible postfix/qmgr[3882]: E47F918D21: removed

How often you set logcheck to run will depend on how much data you receive in the email. If you have an active system, we recommend that you increase the frequency of the logcheck runs. If you have a relatively small system, running logcheck once a day will produce a manageable email that can be handled when things are quiet.

Was this article helpful?

0 0

Post a comment