Re: Re: Log Monitoring Recommendation

On Tue, Jan 08, 2008, Ugo Bellavance wrote:
>Joseph L. Casale wrote:
>>Given my experience in Linux is limited currently, what do you guys use 
>>to monitor logs such as "messages" on your centos servers? I had a 
>>hardware failure that happened in between me manually looking (of 
>>course...). I would hope it might have some features to email critical 
>>issues etc?
>
>logwatch is a good start.
>
>Get the latest version from www.logwatch.org.  Runs automatically daily 
>and sends output to root.

Isn't logwatch standard in CentOS installations?

Swatch monitors one or more log files in real time, with options
to report events immediately, or after some number of repetitions
in a specified time period (e.g. report immediately if a network
interface goes into promiscuous mode, but only report something
else if there are ``n'' occurrences within a minute).

I've attached the swatchrc configuration file from this machine
which has several examples.

Bill
--
INTERNET:   bill@xxxxxxxxxxxxx  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Never blame a legislative body for not doing something.  When they do
nothing, that don't hurt anybody.  When they do something is when they
become dangerous. -- Will Rogers

perlcode 0 use Sys::Hostname::Long;
perlcode 0 my $host_long = hostname_long;
perlcode 0 my $email=qq(support\@$host_long);
perlcode 0 my $secmail = qq(security\@$host_long);
perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/);

watchfor /Your ClamAV installation is OUTDATED/
   mail addresses=$secmail, subject=[swatch] $host_long clamav update

watchfor /^(\S+) - (\S+) \[(.*?)\].*session_login/
   mail addresses=$secmail, subject=[swatch] $host_name usermin login $2 $1

watchfor /entered promiscuous mode/
   mail addresses=$secmail, subject=[swatch] $host_name promiscuous

watchfor /File name too long/
   mail addresses=$email, subject=[swatch] BufferOverflow_attempt

watchfor /DHCPREQUEST/
   mail addresses=postmaster, subject=[swatch] $host_name@message

watchfor /Failed password for.*from\s+(\S+)/
   threshold track_by=$1,type=limit,count=3,seconds=60
   mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /Accepted password for root.*from\s+(\S+)/
   mail addresses=$secmail, subject=[swatch] $host_name ssh password $1

watchfor /Accepted publickey for root.*from\s+(\S+)/
   mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1

watchfor /Invalid login as admin/
   mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /Invalid login as mainadmin/
   mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /Successful login as mainadmin/
   mail addresses=$secmail, subject=[swatch] $host_name@message

watchfor /DeliveryErrors/
   mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors

watchfor /file system full/
   mail addresses=$email, subject=[swatch] $host_name@message

watchfor /refused connect from\s+(\S+)/
   threshold track_by=$1,type=limit,count=3,seconds=60
   mail addresses=$secmail, subject=[swatch] $host_name@message
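The two behaviours Bill describes above (report a line immediately, or only control reporting by how often a tracked key repeats within a window) are what the `watchfor` / `threshold track_by=... ,type=...,count=...,seconds=...` stanzas in his swatchrc express. The following is an added Python example, not code from the message or from swatch itself, that re-implements that matching logic over a few constructed syslog-style lines so the effect of each threshold type can be seen. Assumptions: the semantics of `limit` (alert on the first `count` matches per key inside the window, then suppress), `threshold` (alert once `count` matches have been seen inside the window) and `both` (alert only on the `count`-th match) are as I recall them from the swatch manual, so check `man swatch` for your version; the window is a simple sliding window keyed on the line's own syslog timestamp (day roll-over ignored) rather than arrival time, which keeps the run deterministic; the sample lines, hostnames and addresses are made up.

```python
import re
from collections import defaultdict, deque

# Constructed syslog-style sample input (not taken from the original message).
SAMPLE_LOG = """\
Jan  8 10:00:01 web1 kernel: device eth0 entered promiscuous mode
Jan  8 10:00:05 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan  8 10:00:07 web1 sshd[2202]: Failed password for root from 203.0.113.7 port 4002 ssh2
Jan  8 10:00:09 web1 sshd[2203]: Failed password for admin from 203.0.113.7 port 4003 ssh2
Jan  8 10:00:11 web1 sshd[2204]: Failed password for admin from 203.0.113.7 port 4004 ssh2
Jan  8 10:00:12 web1 sshd[2205]: Failed password for root from 198.51.100.4 port 5001 ssh2
Jan  8 10:02:30 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 4005 ssh2
"""

TS_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)")


def parse_ts(line):
    """Seconds since midnight taken from the syslog timestamp (day roll-over ignored)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no syslog timestamp: %r" % line)
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def make_rules(threshold_type):
    """Two watchfor-style rules: one immediate, one rate-controlled per source address."""
    return [
        {"name": "promiscuous", "pattern": re.compile(r"entered promiscuous mode")},
        {"name": "ssh-failed",
         "pattern": re.compile(r"Failed password for.*from\s+(\S+)"),
         # equivalent of: threshold track_by=$1,type=<threshold_type>,count=3,seconds=60
         "threshold": {"track_by": 1, "type": threshold_type, "count": 3, "seconds": 60}},
    ]


class Watcher:
    def __init__(self, rules):
        self.rules = rules
        # (rule name, tracking key) -> timestamps of matches still inside the window
        self.windows = defaultdict(deque)

    def feed(self, line):
        """Return the alerts one log line raises, as (rule, key, timestamp) tuples."""
        ts = parse_ts(line)
        alerts = []
        for rule in self.rules:
            m = rule["pattern"].search(line)
            if not m:
                continue
            thr = rule.get("threshold")
            if thr is None:
                alerts.append((rule["name"], None, ts))  # no threshold: report at once
                continue
            key = m.group(thr["track_by"])               # the $1 swatch tracks by
            window = self.windows[(rule["name"], key)]
            while window and ts - window[0] >= thr["seconds"]:
                window.popleft()                         # drop matches older than the window
            window.append(ts)
            n = len(window)
            fire = (
                (thr["type"] == "limit" and n <= thr["count"])
                or (thr["type"] == "threshold" and n >= thr["count"])
                or (thr["type"] == "both" and n == thr["count"])
            )
            if fire:
                alerts.append((rule["name"], key, ts))
        return alerts


def run(rules, text):
    """Feed every line of text through a fresh Watcher and collect the alerts."""
    w = Watcher(rules)
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alerts.extend(w.feed(line))
    return alerts


if __name__ == "__main__":
    # In a real deployment each alert would become the mail action from the swatchrc.
    for kind in ("limit", "threshold", "both"):
        print("type=%s" % kind)
        for rule, key, ts in run(make_rules(kind), SAMPLE_LOG):
            print("  %-12s key=%-14s at %02d:%02d:%02d"
                  % (rule, key, ts // 3600, ts % 3600 // 60, ts % 60))
```

With `type=limit,count=3`, as in the attached swatchrc, the first three failures from 203.0.113.7 are each reported, the fourth inside the same minute is dropped, the single failure from 198.51.100.4 is reported on its own counter, and the failure at 10:02:30 is reported again because the earlier ones have aged out of the window. Switching the same rule to `threshold` reports nothing until the third failure and then every further one inside the window, which is the "only report after n occurrences" behaviour described in the reply; `both` reports exactly once per burst.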

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
