Monitoring logfiles with logsentry

I manage a fair number of servers, and use several tools to monitor the health of my systems. One such tool is logsentry (formerly known as logcheck), which is a shell script that can be used to monitor logfiles for anomalies. Logsentry consists of a single shell script and one or more violation files, and installing it is as simple as extracting the package and modifying the paths in the shell script. If you're using OpenBSD, you can use the pkg_add utility to add the logsentry package to your system:

$ export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/"

$ pkg_add logsentry

logsentry-1.1.1p2: complete

--- logsentry-1.1.1p2 -------------------
The logsentry configuration files have been installed at
/etc/logsentry.
Please view these files and change the configuration to meet your needs.

Currently logsentry will check the following files:

/var/log/messages
/var/log/maillog
/var/log/authlog
/var/log/secure
/var/log/daemon
/var/log/xferlog

Edit /etc/logsentry/logsentry.sh
if you want to add more files.

Be sure to configure your crontab as indicated by
/usr/local/share/doc/logsentry/INSTALL
so that logsentry is run regularly.

After logsentry is installed, you can add a cron job similar to the following to enable it:

$ echo "
# Check system logfiles
0 * * * * /bin/sh /etc/logsentry/logsentry.sh" >> /var/spool/cron/crontabs/root

Once logsentry is enabled, you will get email similar to the following each time an anomaly is detected:

from:     Charlie Root
to:       root
date:     Nov 25, 2006 1:00 PM
subject:  yappy 11/25/06:13.00 system check

Security Violations
=-=-=-=-=-=-=-=-=-=
Nov 25 16:25:57 yappy su: matty to root on /dev/ttyp0
Nov 26 05:18:40 yappy su: matty to root on /dev/ttyp0
Nov 26 05:22:10 yappy su: BAD SU matty to root on /dev/ttyp0
Nov 26 05:22:14 yappy su: matty to root on /dev/ttyp0

If logsentry emails you about an anomaly that you're not interested in, you can add a string that matches the message to logsentry.ignore (this is used to filter out messages from the Unusual system events section) or logsentry.violations.ignore (this is used to filter out events from the security section). Logsentry works pretty well, and once the ignore files are adjusted to match the personality of the server, it can be a life saver (I like the fact that logsentry will send an email notification when a hardware error is written to the system logfiles).
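To make the violations / violations.ignore interplay concrete, here is a small POSIX shell script that reproduces the two-stage matching described above. It is an added example, not logsentry's own code: the log lines, the pattern lists and the function names (`security_violations`, `report`) are all constructed here so the script runs offline, using the hostname and user name from the email shown in the post.

```shell
#!/bin/sh
# Added example of logsentry-style filtering (not the logsentry script itself).
# Stage 1: keep log lines matching any pattern in the "violations" list.
# Stage 2: drop those that also match any pattern in the "violations.ignore" list.
# Whatever survives is reported under a "Security Violations" banner.

# Constructed sample log lines, modelled on the post's email.
SAMPLE_LOG='Nov 25 16:25:57 yappy su: matty to root on /dev/ttyp0
Nov 26 05:18:40 yappy sshd[1234]: Accepted publickey for matty from 192.0.2.10 port 51022 ssh2
Nov 26 05:22:10 yappy su: BAD SU matty to root on /dev/ttyp0
Nov 26 05:22:14 yappy sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Nov 26 05:30:00 yappy cron[99]: (root) CMD (/usr/libexec/atrun)'

# Constructed pattern lists, one extended regex per line, playing the roles of
# logsentry.violations and logsentry.violations.ignore.
VIOLATION_PATTERNS='su:
BAD SU
Failed password
invalid user'

# Routine su by the single administrator is expected on this host, so it is
# ignored. The pattern is deliberately specific: a loose "su:" here would also
# silence "BAD SU", and a blank line in an ignore file matches every line and
# empties the report entirely, so keep these files free of empty lines.
VIOLATION_IGNORE_PATTERNS='su: matty to root on /dev/ttyp0$'

# security_violations LOGTEXT VIOLATIONS IGNORES
# Prints the lines of LOGTEXT that match a violation pattern and no ignore pattern.
security_violations() {
    log=$1 viol=$2 ign=$3
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$viol" > "$tmpdir/violations"
    printf '%s\n' "$ign"  > "$tmpdir/violations.ignore"
    # grep -f reads one pattern per line; -v inverts the ignore match.
    printf '%s\n' "$log" | grep -E -f "$tmpdir/violations" \
        | grep -E -v -f "$tmpdir/violations.ignore"
    rc=$?
    rm -rf "$tmpdir"
    # grep exits 1 when nothing is left to report; that is not an error here.
    [ "$rc" -le 1 ]
}

# report: prints the mail body in the layout shown in the post, or nothing at
# all when there is nothing to report (so no mail would be sent).
report() {
    hits=$(security_violations "$SAMPLE_LOG" "$VIOLATION_PATTERNS" "$VIOLATION_IGNORE_PATTERNS")
    [ -n "$hits" ] || return 0
    printf 'Security Violations\n=-=-=-=-=-=-=-=-=-=\n%s\n' "$hits"
}

report
```

Run as written, the report contains only the "BAD SU" line and the failed-password line: the ordinary su is filtered by the ignore pattern, and the publickey login and the cron entry never matched a violation pattern in the first place. The same shape (match list, then ignore list) applies to the Unusual system events section, with logsentry.ignore taking the place of the violations ignore file.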

2 thoughts on “Monitoring logfiles with logsentry”

  1. Thanks so much for the article – I was looking for a way to consolidate some of my log-watching on OpenBSD, and logsentry was the perfect solution.
