LinuxQuestions.org

Linux - Security: samhain reporting and rotated logs (https://www.linuxquestions.org/questions/linux-security-4/samhain-reporting-and-rotated-logs-4175607994/)

sneakyimp 06-15-2017 05:58 PM

samhain reporting and rotated logs
 
I'm getting too many notifications from samhain -- it's generating so much email. I'm hoping someone might help me solve two problems:

Problem 1 - mysql log notifications
I received a notification email today with these two entries:
Code:

<log sev="CRIT" tstamp="2017-06-15T08:17:19+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql/error.log" inode_old="12146" inode_new="2400"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:03+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql.log" inode_old="1004" inode_new="330"  />

The GrowingLogs policy seems like a logical place for these, but the logs do get rotated occasionally by the logrotate daemon -- as far as I can tell, it is this totally normal rotation of log files that is causing the notification. There is a note to this effect in the default samhainrc file:
Code:

[GrowingLogFiles]
##
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
dir = 99/var/log

I'm tempted to just change GrowingLogFiles to LogFiles, which, according to the samhain docs, is a valid "monitoring policy", but I'm pretty confused by the structure of the samhainrc document and don't want to break what looks like a pretty fundamental directive.

Seems fairly safe to me to just change /var/log to LogFiles instead of GrowingLogFiles. I hope that someone more experienced might help me do the right thing here.

Problem 2 - automated apt cron job notifications
I received some other notifications today too:
Code:

<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index/update-timestamp" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] C--I----TS" path="/var/lib/apt-xapian-index/cataloged_times.p" inode_old="964" inode_new="780" size_old="2314158" size_new="2316071" ctime_old="2017-06-14T06:37:10" ctime_new="2017-06-15T06:49:51" mtime_old="2017-06-14T06:37:10" mtime_new="2017-06-15T06:49:51" chksum_old="6E7218D37CC0849E4D6997779BF7B1C90B9F51E9A4E11EFE" chksum_new="08F83DF8C9316099BA9A182894331B8911668C58C6A4D339"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt-xapian-index" ctime_old="2017-06-14T06:37:11" ctime_new="2017-06-15T06:49:54" mtime_old="2017-06-14T06:37:11" mtime_new="2017-06-15T06:49:54"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-stamp" ctime_old="2017-06-14T06:36:54" ctime_new="2017-06-15T06:49:36" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-success-stamp" ctime_old="2017-06-14T06:36:50" ctime_new="2017-06-15T06:49:33" mtime_old="2017-06-14T06:36:50" mtime_new="2017-06-15T06:49:33"  />

I don't know what process affects these files or what this might mean. In this case, I don't think modifying the samhainrc file would do the trick. Seems like I should disable this cron job?

Thoughts? Any advice much appreciated.
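One way to triage a batch of these entries before touching samhainrc is to parse the `<log .../>` lines and see which attributes actually changed per policy. This is an added example, not samhain's own tooling; the sample input is copied from the entries quoted above, and the classification rules (inode/size-only under GrowingLogs = rotation, timestamp-only under ReadOnly = touch) are my own assumption.

```python
import re
from typing import Dict, List, Tuple

# Sample input constructed from the entries quoted in the post above.
SAMPLE = """
<log sev="CRIT" tstamp="2017-06-15T08:17:19+0000" msg="POLICY [GrowingLogs] ---I------" path="/var/log/mysql/error.log" inode_old="12146" inode_new="2400"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:02+0000" msg="POLICY [ReadOnly] C--I----TS" path="/var/lib/apt-xapian-index/cataloged_times.p" inode_old="964" inode_new="780" size_old="2314158" size_new="2316071" ctime_old="2017-06-14T06:37:10" ctime_new="2017-06-15T06:49:51" mtime_old="2017-06-14T06:37:10" mtime_new="2017-06-15T06:49:51" chksum_old="6E7218D37CC0849E4D6997779BF7B1C90B9F51E9A4E11EFE" chksum_new="08F83DF8C9316099BA9A182894331B8911668C58C6A4D339"  />
<log sev="CRIT" tstamp="2017-06-15T08:17:00+0000" msg="POLICY [ReadOnly] --------T-" path="/var/lib/apt/periodic/update-stamp" ctime_old="2017-06-14T06:36:54" ctime_new="2017-06-15T06:49:36" mtime_old="2017-06-14T06:36:54" mtime_new="2017-06-15T06:49:36"  />
"""

ATTR = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs inside the <log .../> tag
POLICY = re.compile(r"POLICY \[(\w+)\]")       # policy name inside the msg attribute


def parse_entry(line: str) -> Dict[str, str]:
    """Turn one <log .../> line into a dict of its attributes plus the policy name."""
    entry = dict(ATTR.findall(line))
    m = POLICY.search(entry.get("msg", ""))
    entry["policy"] = m.group(1) if m else "unknown"
    return entry


def changed_fields(entry: Dict[str, str]) -> List[str]:
    """Names of fields that carry both *_old and *_new attributes with differing values."""
    return sorted(k[:-4] for k in entry
                  if k.endswith("_old") and entry[k] != entry.get(k[:-4] + "_new"))


def classify(entry: Dict[str, str]) -> str:
    """Assumed triage rules; they only summarise what the entry itself records."""
    changed = set(changed_fields(entry))
    if entry["policy"] == "GrowingLogs" and changed <= {"inode", "size"}:
        return "likely log rotation"      # new inode / smaller size, no checksum change recorded
    if entry["policy"] == "ReadOnly" and changed <= {"ctime", "mtime"}:
        return "timestamp only"           # file was touched; content and inode unchanged
    if "chksum" in changed:
        return "content changed"          # checksum differs: worth a closer look
    return "other"


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(path, policy, verdict) for every entry in the notification text."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [(e["path"], e["policy"], classify(e)) for e in entries if e.get("path")]


if __name__ == "__main__":
    for path, policy, verdict in triage(SAMPLE):
        print(f"{verdict:22} {policy:12} {path}")
```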

