
Logging

Log configuration, reports, etc. Note that as of version 5.0, Debian uses rsyslogd.

Configuration

/etc/sysctl.conf

Stop the kernel from writing lower-priority messages to the console.

sudo sed -i -e 's/kernel.printk.*$/kernel.printk = 4 4 1 7/' /etc/sysctl.conf

logrotate.conf

Edit /etc/logrotate.conf to change the rotate option for /var/log/wtmp from 1 to 49, and /var/log/btmp from 1 to 13.
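As an added example (not from the original page), the script below scopes the rotate change to the stanza of one log file, so the global rotate default and other stanzas are left alone; a blanket sed over the whole file would change them too. The configuration file it edits, its path and the get_rotate/set_rotate helpers are constructed for the demo and are not the site's own file or tooling.

```shell
#!/bin/sh
# Added example (not from the original page): change the "rotate" count for one
# logrotate stanza without touching the others. A plain sed over the whole file
# would also hit the global rotate setting and every other stanza, so the edit
# is scoped to the block that starts with the target path. The sample
# configuration below is constructed for the demo; it is not the site's file.

WORK=$(mktemp -d)
CONF="$WORK/logrotate.conf"   # stands in for /etc/logrotate.conf

cat > "$CONF" <<'EOF'
# global defaults
weekly
rotate 4
create

/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
EOF

# get_rotate CONF LOGFILE: print the rotate count found inside LOGFILE's stanza.
get_rotate() {
    awk -v target="$2" '
        $1 == target && $2 == "{" { inblock = 1 }
        inblock && $1 == "rotate" { print $2 }
        inblock && $1 == "}"      { inblock = 0 }
    ' "$1"
}

# set_rotate CONF LOGFILE COUNT: write CONF to stdout with the rotate line of
# LOGFILE's stanza replaced; every other line is passed through unchanged.
set_rotate() {
    awk -v target="$2" -v count="$3" '
        $1 == target && $2 == "{" { inblock = 1 }
        inblock && $1 == "rotate" { sub(/rotate[ \t]+[0-9]+/, "rotate " count) }
        inblock && $1 == "}"      { inblock = 0 }
        { print }
    ' "$1"
}

# Apply the values from the page: wtmp 1 -> 49 and btmp 1 -> 13, in two passes.
set_rotate "$CONF" /var/log/wtmp 49 > "$WORK/step1"
set_rotate "$WORK/step1" /var/log/btmp 13 > "$WORK/logrotate.conf.new"
echo "wtmp rotate: $(get_rotate "$WORK/logrotate.conf.new" /var/log/wtmp)"
echo "btmp rotate: $(get_rotate "$WORK/logrotate.conf.new" /var/log/btmp)"
```

On a real system, point CONF at /etc/logrotate.conf, write the result to a temporary file, and compare it with diff before moving it into place; the wtmp and btmp stanzas carry the login history that an incident investigation relies on, so it is worth confirming the larger retention actually took effect.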

Logcheck

We installed logcheck to monitor our log files, and report on any anomalous entries. The reports are emailed to root.

sudo apt-get install logcheck logcheck-database logtail

Processing runs from /etc/cron.d/logcheck, normally 2 minutes after the top of every hour. We've reduced that to every 4 hours instead of every hour:

sudo sed -e 's|^2 \*|2 */4|' -i /etc/cron.d/logcheck

The default filters are pretty good. They alert on critical events and ignore most "normal" events. However, we've added some filters to ignore a few more entry types:

sudo sh -c 'cat > /etc/logcheck/ignore.d.server/ntp-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change [0-9]+$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/shorewall-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Shorewall:net2fw:DROP:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? Shorewall:logflags:DROP:.*$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/fcheck-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fcheck: .INFO: Rebuild of the fcheck database.*$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/sudo-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: .* : \(command continued\) .*$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/ssh-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of user's groups are listed in AllowGroups$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because a group is listed in DenyGroups$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Timeout, client not responding\.$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/syslog-local' <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: imklog 3\.18\.6, log source = /proc/kmsg started\.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="3\.18\.6" x-pid="[[:alnum:]]+" x-info="http://www.rsyslog.com"\] restart$
EOF
sudo sh -c 'cat > /etc/logcheck/ignore.d.server/bind-local' <<'EOF'
^\w{3} [ :0-9]{11} [-._[:alnum:]]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: query \(cache\) '.*' denied$
^\w{3} [ :0-9]{11} [-._[:alnum:]]+ named\[[0-9]+\]: client [.:[:xdigit:]]+#[[:digit:]]+: bad zone transfer request: '.*': non-authoritative zone \(NOTAUTH\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: network unreachable resolving.*$
EOF
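Before a new local ignore file goes into /etc/logcheck/ignore.d.server/, it is worth checking what it silences and what still gets through. The script below is an added example (not from the original page or the logcheck package): it runs a small rule set against constructed log lines the same way logcheck does, as an egrep pattern file, and prints the lines that would still be reported. The file names, the two rules and the log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): dry-run a logcheck-style ignore
# rule set against constructed syslog lines before installing it under
# /etc/logcheck/ignore.d.server/. logcheck drops every line that matches any
# pattern in an ignore file (it feeds the file to egrep -f), so the lines
# printed by reported_lines are the ones that would still reach the report.
# The file names, rules and log lines below are all constructed for the demo.

WORK=$(mktemp -d)
FILTER="$WORK/ssh-local"      # stands in for /etc/logcheck/ignore.d.server/ssh-local
SAMPLE="$WORK/sample.log"     # constructed extract of /var/log/auth.log

# Two ignore rules in logcheck's anchored style. [[:alpha:]]{3} replaces the
# \w{3} used in the page's rules so the demo also runs on non-GNU grep.
cat > "$FILTER" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Timeout, client not responding\.$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: User [-_.[:alnum:]]+ from [-_.[:alnum:]]+ not allowed because none of user's groups are listed in AllowGroups$
EOF

# Constructed log lines: the first two should be silenced by the rules above;
# the last two must survive, because a login success and a failed root login
# are exactly what the report exists for.
cat > "$SAMPLE" <<'EOF'
Dec 10 22:41:01 host1 sshd[1234]: Timeout, client not responding.
Dec 10 22:41:02 host1 sshd[1235]: User bob from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
Dec 10 22:41:03 host1 sshd[1236]: Accepted publickey for alice from 192.0.2.11 port 55555 ssh2
Dec 10 22:41:04 host1 sshd[1237]: Failed password for root from 192.0.2.12 port 55556 ssh2
EOF

# reported_lines FILTER LOG: lines NOT matched by any rule, i.e. what logcheck
# would mail. grep exits 1 when nothing survives, which is not an error here.
reported_lines() {
    grep -E -v -f "$1" "$2" || [ $? -eq 1 ]
}

# ignored_count FILTER LOG: how many lines the rules silence. Compare it with
# the total; a rule that silences far more than expected is too broad.
ignored_count() {
    grep -E -c -f "$1" "$2" || [ $? -eq 1 ]
}

echo "silenced: $(ignored_count "$FILTER" "$SAMPLE") of $(wc -l < "$SAMPLE" | tr -d ' ')"
echo "still reported:"
reported_lines "$FILTER" "$SAMPLE"
```

To test one of the page's own ignore files on a GNU system, point FILTER at the real file and SAMPLE at a copy of the log it is meant to filter; the surviving lines are what the next logcheck run would report, and a count that is close to the total is a sign that a rule (for example one ending in a bare `.*$`) matches more than intended.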

TODO

It'd be better to run this as a post-processing hook on logrotate. But logrotate doesn't get run on /var/log/syslog or /var/log/auth.log; they're rotated with savelog (from /etc/cron.daily/sysklogd) instead of logrotate.

We should probably be monitoring some other log files, in addition to syslog and auth.log.

See if logwatch or some other tool might be a better alternative.

Bugs

We probably miss any log entries that are added between log rotation and the next run of logcheck.

All of the above local ignore filters should probably be suggested as defaults in the Debian or upstream packages.

TODO

Check for rootkits regularly, with Root Kit Hunter or chkrootkit.

Credits

build/logging.txt · Last modified: 2012/12/10 22:41 (external edit)