Topic: How do you monitor your logs?

[milaweb]

I have created a simple cron-daily-job that looks for errors,SSH attacks and raid-degraded-errors in messages.

What do you scan for in you logs?

Code: [Select]

#/bin/sh
DATE=`date -d yesterday +"%b %e"`
echo "Getting count"
countError=`grep "$DATE" /var/log/messages | grep -i 'error' | wc -l`
countSshd=`grep "$DATE" /var/log/messages | grep -i 'sshd:' | wc -l`
countRaid=`grep "$DATE" /var/log/messages | grep -i 'degraded' | wc -l`

echo "Errors: $countError for $DATE"
echo "Ssh refused: $countSshd for $DATE"

if [ $countError -ge 1 -o $countSshd -ge 1 ]; then
mail -s "There are $countError errors in Messages" mail@adress.dk <<EOF

Der er følgende fejl i Messages-loggen:
`grep "$DATE" /var/log/messages | grep -i 'error'`

Foelgende er afvist af sshd ($countSshd):
`grep "$DATE" /var/log/messages | grep -i 'sshd: '`

EOF
fi

if [ $countRaid -ge 1 ]; then
mail -s "RAID-ERRORs ON THE SERVER" mail@adress.dk <<EOF

Der er følgende RAID-errors i Messages-loggen:
`grep "$DATE" /var/log/messages | grep -i 'degraded'`
EOF
fi



[brianr]

SME8 has logwatch which scans the logs every night and summarises anything it "thinks" is worth noting, see here:

http://www2.logwatch.org:81/

I think there was a logwatch contrib at one time - anyone know if it is still extant?

[Teviot]

I guess this won't be available for SME Server v7.3

Teviot

[slords]

http://mirror.contribs.org/releases/7/smeos/i386/repodata/repoview/logwatch-0-7.3.2-3.el4.sme.html
http://mirror.contribs.org/releases/testing/8/smeos/i386/repodata/repoview/logwatch-0-7.3.2-3.el5.sme.html

[Teviot]

Is there any SME specific documentation available for version 7.3?

Thanks for you help too.

Regards
Teviot

[brianr]

just tried

yum install logwatch

on 7.3, seems to be installed and working fine, runs daily, try

/etc/cron.daily/0logwatch

for a test, results sent to admin email.

[milaweb]

Thanks...

I'll just install logwatch and give it a try.

[okepc]

Im using logcheck and logwatch.
Logcheck is an old utility but still working like a charm.
It wil send you a mail report every hour to the admin account.

ftp://ftp.funet.fi/pub/mirrors/archive.redhat.com/contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm
ftp://ftp.icm.edu.pl/vol/rzm1/linux-redhat-contrib/libc6/i386/logcheck-1.1.1-1.i386.rpm

Regards

Dirk

[milaweb]

Code: [Select]

yum install logwatch
on 7.3, seems to be installed and working fine, runs daily, try
/etc/cron.daily/0logwatch
for a test, results sent to admin email.
It installs fine,but it doesn't send any mail if i run the /etc/cron.daily/0logwatch.
Did you setup anything after install?
My testserver is a VMware and i have had some problems with mails in that setup earlier. Maybe thats why....

[brianr]

It works out of the box for me.

[haymann]

Very nice! Worked for me as well w/ no other configuration needed.

[geoff]

All good and it works well, but floods me with emails.

Sorry to be a klutz, but how do I uninstal it, please?

[geoff]

Google is my Friend.

yum remove .......

[raem]

geoff

yum remove .......

That's OK if there are no other dependencies.

Until
yum remove packagename
is fixed, a safer removal method that only removes the specifc package is
rpm -e logwatch
and this is the currently recommended method to use.

[geoff]

Thank you, Ray, much appreciated. I'll do that in future.

In the meantime 'yum remove logwatch' did the trick.

Thanks for your help.