Logcheck
This installation is done based on the proposed setup in Syslog.
Install
apt-get install logcheck logcheck-database
In /etc/logcheck/logcheck.conf:
INTRO=0 REPORTLEVEL="paranoid" ADDTAG="yes"
In /etc/logcheck/logcheck.logfiles
/var/log/remote/MAIN/auth.log /var/log/remote/MAIN/syslog.log /var/log/remote/MAIN/kern.log /var/log/remote/mx/auth.log /var/log/remote/mx/syslog.log /var/log/remote/public/auth.log /var/log/remote/public/syslog.log /var/log/remote/private/auth.log /var/log/remote/private/syslog.log /var/log/remote/ns0/auth.log /var/log/remote/ns0/syslog.log /var/log/remote/sql/auth.log /var/log/remote/sql/syslog.log /var/log/remote/devel/auth.log /var/log/remote/devel/syslog.log #/var/log/remote/MAIN/NF/ethr_in.log /var/log/remote/MAIN/NF/ethr_out.log /var/log/remote/MAIN/NF/others.log
Because logrotate runs as cron.daily, e.g. 03:25 every day, we want logcheck to have run once just before (e.g. at xx:24) so I edit /etc/cron.d/logcheck:
24 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
Tuning logcheck filters
Solving the issue at the source
I have many such messages in the vserver:
pam_limits[863]: setrlimit limit #6 to soft=-1, hard=-1 failed: Operation not permitted; uid=0 euid=0
Not sure why, probably because vserver max limits are reduced.
To get rid of it, comment the line in /etc/pam.d/cron and /etc/pam.d/ssh:
#session required pam_limits.so
Writing and testing new rules
Add your rules into files prepend by "local-" to distinguish your own rules.
Be sure to tune ownership and rights of those new files so that user logcheck can read them.
e.g. rw-r----- root:logcheck
To test logcheck filtering rules:
sed -e 's/[[:space:]]*$//' <logfile> | egrep '<regexp>'
Then you can dry run logcheck on the command line:
su logcheck -s /bin/bash -c "/usr/sbin/logcheck -l <logfile> -o -t"
This is easier if you have sudo installed...
Examples of home-made rules
As I run in paranoid mode, I take some rules from server mode:
- /etc/logcheck/ignore.d.paranoid/local-sa-exim -> /etc/logcheck/ignore.d.server/sa-exim
- /etc/logcheck/ignore.d.paranoid/local-fetchmail -> /etc/logcheck/ignore.d.server/fetchmail
For imapd sessions:
/etc/logcheck/ignore.d.paranoid/local-imap: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: Connection, ip=\[[:.0-9a-f]+\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGIN, user=[a-z]+, ip=\[[:.0-9a-f]+\], protocol=IMAP$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: (TIMEOUT|LOGOUT), (user=[a-z]+, )?ip=\[[:.0-9a-f]+\], (headers=[0-9]+, body=[0-9]+, )?rcvd=[0-9]+, sent=[0-9]+(, time=[0-9]+)?(, starttls=1)?$
For imapproxy sessions:
Probably because of the templates in syslog-ng we have to change a bit the rules of ignore.d.server/imapproxy
/etc/logcheck/ignore.d.paranoid/local-imapproxy: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGOUT: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' from server sd \[[0-9]+\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: LOGIN: \\?'\\?"[_[:alnum:]-]+(@[-_.[:alnum:]]+)?\\?"\\?' \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+\) on (existing|new) sd \[[0-9]+\]$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ in.imapproxyd\[[0-9]+\]: Expiring server sd \[[0-9]+\]$
For ssh just an excerpt from the ignore.d.server/ssh:
/etc/logcheck/ignore.d.paranoid/local-ssh: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi(-with-mic)?|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+( (ssh|ssh2))?$