Topic: How do you monitor your logs?

[milaweb]

I have created a simple cron-daily-job that looks for errors,SSH attacks and raid-degraded-errors in messages.

What do you scan for in you logs?

Code: [Select]

#/bin/sh
DATE=`date -d yesterday +"%b %e"`
echo "Getting count"
countError=`grep "$DATE" /var/log/messages | grep -i 'error' | wc -l`
countSshd=`grep "$DATE" /var/log/messages | grep -i 'sshd:' | wc -l`
countRaid=`grep "$DATE" /var/log/messages | grep -i 'degraded' | wc -l`

echo "Errors: $countError for $DATE"
echo "Ssh refused: $countSshd for $DATE"

if [ $countError -ge 1 -o $countSshd -ge 1 ]; then
mail -s "There are $countError errors in Messages" mail@adress.dk <<EOF

Der er følgende fejl i Messages-loggen:
`grep "$DATE" /var/log/messages | grep -i 'error'`

Foelgende er afvist af sshd ($countSshd):
`grep "$DATE" /var/log/messages | grep -i 'sshd: '`

EOF
fi

if [ $countRaid -ge 1 ]; then
mail -s "RAID-ERRORs ON THE SERVER" mail@adress.dk <<EOF

Der er følgende RAID-errors i Messages-loggen:
`grep "$DATE" /var/log/messages | grep -i 'degraded'`
EOF
fi



[brianr]

SME8 has logwatch which scans the logs every night and summarises anything it "thinks" is worth noting, see here:

http://www2.logwatch.org:81/

I think there was a logwatch contrib at one time - anyone know if it is still extant?

[Teviot]

I guess this won't be available for SME Server v7.3

Teviot

[slords]

http://mirror.contribs.org/releases/7/smeos/i386/repodata/repoview/logwatch-0-7.3.2-3.el4.sme.html
http://mirror.contribs.org/releases/testing/8/smeos/i386/repodata/repoview/logwatch-0-7.3.2-3.el5.sme.html

[Teviot]

Is there any SME specific documentation available for version 7.3?

Thanks for you help too.

Regards
Teviot

[brianr]

just tried

yum install logwatch

on 7.3, seems to be installed and working fine, runs daily, try

/etc/cron.daily/0logwatch

for a test, results sent to admin email.

[milaweb]

Thanks...

I'll just install logwatch and give it a try.

[okepc]

Im using logcheck and logwatch.
Logcheck is an old utility but still working like a charm.
It wil send you a mail report every hour to the admin account.

ftp://ftp.funet.fi/pub/mirrors/archive.redhat.com/contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm
ftp://ftp.icm.edu.pl/vol/rzm1/linux-redhat-contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm

Regards

Dirk

[milaweb]

Code: [Select]

yum install logwatch
on 7.3, seems to be installed and working fine, runs daily, try
/etc/cron.daily/0logwatch
for a test, results sent to admin email.
It installs fine,but it doesn't send any mail if i run the /etc/cron.daily/0logwatch.
Did you setup anything after install?
My testserver is a VMware and i have had some problems with mails in that setup earlier. Maybe thats why....

[brianr]

It works out of the box for me.

[haymann]

Very nice! Worked for me as well w/ no other configuration needed.

[geoff]

All good and it works well, but floods me with emails.

Sorry to be a klutz, but how do I uninstal it, please?

[geoff]

Google is my Friend.

yum remove .......

[raem]

geoff

yum remove .......

That's OK if there are no other dependencies.

Until
yum remove packagename
is fixed, a safer removal method that only removes the specifc package is
rpm -e logwatch
and this is the currently recommended method to use.

[geoff]

Thank you, Ray, much appreciated. I'll do that in future.

In the meantime 'yum remove logwatch' did the trick.

Thanks for your help.

[raem]

geoff

People have inadvertantly removed a lot more than just one package using the yum remove package command, and left their server in a non functional state, that was quite difficult to fix.

[geoff]

Thanks, Ray.

I appreciate your concern and now understand the peril involved with 'Yum remove packagename'. Dumb luck this time as everything is OK but 'yum remove' is out of the vocabulary now, replaced by 'rpm -e'.

Thanks for your input, concern, and ongoing assistance, Ray.