LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Reload this Page INFO: configuring logcheck
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 05-25-2003, 05:33 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
INFO: configuring logcheck

As a side note: this is just a thread part of my main thread which is destinated at securing debian!

Well I assume you have adjusted your syslog configuration. Now you will install and configure logcheck. Logcheck works on the principle of notifying you with EVERYTHING that you told it not to ignore. I like that idea:
Code:
----------------------------------------------------------------------
installed logcheck
----------------------------------------------------------------------
	security level:	paranoid
	email address: 	linux-admins@example.com
	Do NOT create logcheck.logfiles from /etc/syslog.conf

	rm /etc/logcheck/ignore.d
	rm /etc/logcheck/logcheck.ignore

	mkdir /etc/logcheck/ignore.d
	touch /etc/logcheck/logcheck.ignore

	mkdir /var/lib/logcheck
----------------------------------------------------------------------




----------------------------------------------------------------------
configured logcheck
----------------------------------------------------------------------
	adjusted /etc/cron.d/logcheck to do a check every 15 mins
	rather than every hour so that it's possible to quickly act
	on security and other happenings


	created /etc/logcheck/ignore.d/cron:

		CRON.*CMD
		cron.*CMD
		cron.*RELOAD
		cron.*STARTUP


	created /etc/logcheck/ignore.d/ntpdate:
		ntpdate\[.*\]: step time server .* offset .* sec


	created /etc/logcheck/ignore.d/postfix:

		postfix/pickup\[.*\]: .*: uid=.* from=
		postfix/cleanup\[.*\]: .*: .*message-id=
		postfix/qmgr\[.*\]: .*: from=
		postfix/smtp\[.*\]: .*: to=.*, relay=
		postfix/smtpd\[.*\]: connect from
		postfix/smtpd\[.*\]: .*: client=
		postfix/smtpd\[.*\]: disconnect from
		postfix/local\[.*\]: .*: to=.*, relay=
		postfix.*User Unknown
		postfix.*alias database.*rebuilt
		postfix.*aliases.*longest
		postfix.*from=
		postfix.*lost input channel
		postfix.*message-id=
		postfix.*putoutmsg
		postfix.*return to sender
		postfix.*status=
		postfix.*timeout waiting


	created /etc/logcheck/ignore.d/ssh:

		sshd.*: (log: )?.* from localhost
		sshd.*: (fatal: )?Connection closed by remote host\.
		sshd.*(log: )?Closing connecting to
		sshd.*: Accepted publickey for .* from .* port .*
		sshd.*: Did not receive identification string from \
			192.168.0.82
		sshd.*: PAM pam_putenv: delete non-existent entry;


	created /etc/logcheck/ignore.d/sysklogd:
		syslogd.*: restart\.


	created /etc/logcheck/ignore.d/uptimed:
		uptimed: moving up to position
		uptimed: milestone:


	inserted into /etc/logcheck/logcheck.ignore:

		authsrv.*AUTHENTICATE
		login.*: ROOT LOGIN .*
		mail.local
		PAM-.*: Access granted to .* for .*
		PAM_.*: .* session opened for user .*
		PAM_.*: .* session closed for user .*
		pam.*: default limits skipped for 'root'
		su.*: \+ .*-root
		-- MARK --
		last message repeated .* times


	replaced /etc/logcheck/logcheck.logfiles with:

		# these files will be checked by logcheck
		/var/log/news/news.crit
		/var/log/news/news.err
		/var/log/news/news.notice
		/var/log/auth.log
		/var/log/critical.log
		/var/log/cron.log
		/var/log/daemon.log
		/var/log/emergency.log
		/var/log/error.log
		/var/log/info.log
		/var/log/kern.log
		/var/log/lpr.log
		/var/log/mail.log
		/var/log/user.log
		/var/log/uucp.log
----------------------------------------------------------------------
Last edited by markus1982; 05-25-2003 at 05:45 AM.
 
Old 05-26-2003, 11:54 AM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 271Reputation: 271Reputation: 271
Moved: User Request to move to Software forum.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
logcheck does not read logfiles! cyberpunx Linux - Software 16 04-06-2015 02:18 AM
[logcheck] ignore.d and logcheck.ignore cyberpunx Linux - Software 0 09-18-2005 05:07 PM
swatch vs. logcheck - impact on system resources? Donboy Linux - Security 1 09-27-2003 06:58 AM
INFO: installing, configuring and adjusting AIDE for Debian markus1982 Linux - Software 4 05-26-2003 12:18 PM
INFO: configuring monit (process monitoring) markus1982 Linux - Software 0 05-25-2003 05:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 10:52 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration