Archive:Log host

From TARDIS Project
This page is out of date and needs rewriting.
The content is likely to be incomplete or incorrect.

Most Tardis Linux machines are set to send log messages to the log host (currently piper) for easy consultation and to provide log summary emails. The summary emails are compiled by bacam's piperlog (previously they were produced by logcheck). These are sent to the sysmans-logs alias. Separate emails are provided for mail by a locally patched version of pflogsumm, which are sent to postfix-logs.

To make syslog send logs to the log host, put

*.*     @loghost

into /etc/syslog.conf.

To get syslog to accept remote logs, you need to edit /etc/init.d/sysklogd.

Some newer installs have rsyslogd rather than syslog. This causes problems when sending logs to an external syslog that doesn't handle the hostnames properly (see rsyslogd's README.Debian for details), so instead put

$template sysklogd,"<%PRI%>%TIMESTAMP% %syslogtag%%msg%"
*.* @loghost;sysklogd

To receive hourly log summaries by email, add yourself to the sysmans-logs and root aliases in /etc/aliases on mccoy, and remember to run 'newaliases' when you're done. The altlogs alias was introduced when the piperlog script was first tried out, but now receives the same logs as sysmans-logs.

Ignoring more or less messages

To adjust which messages make it into the log summaries, you can adjust the following files in /etc/piperlog on piper:

discard messages you want to see, but logcheck ignores
extra messages you want to ignore in addition to the patterns from logcheck
summarise patterns giving messages which should collapsed into a single message in the summary

In the summarise patterns the groups (the parts in parentheses) must match. For example, the pattern

^sshd\[[0-9]+\]: Illegal user .+ from (.+)$

in the summarise file makes piperlog report only one failed login attempt from each host regardless of how many usernames are tried because only the host name is in parentheses.

After changing the discard or extra files you should rebuild the ignore file by running the mkignore script. There is also a test script which gives the messages to date which will appear in the next summary email.

The number and timing of the email messages sent out can also be adjusted:

crontab -e -u piperlog

Firewall logging

The one exception to the above is the firewall, which generates its own log emails. Currently this uses bacam's piperlog for the syslog entries and fwlogwatch for firewall reports.