On Tue, Jan 08, 2008, Ugo Bellavance wrote:
>Joseph L. Casale wrote:
>>Given my experience in Linux is limited currently, what do you guys use
>>to monitor logs such as ?messages? on your centos servers? I had a
>>hardware failure that happened in between me manually looking (of
>>course?). I would hope it might have a some features to email critical
>>issues etc?
>
>logwatch is a good start.
>
>Get the latest version from www.logwatch.org. Runs automatically daily
>and sends output to root.
Isn't logwatch standard in CentOS installations?
Swatch monitors one or more log files in real time, with options
to report events immediately, or after some number of repeations
in a specified time period (e.g. report immediately if a network
interface goes into permiscuous mode, but only report something
else if there are ``n'' occurrences within a minute).
I've attached the swatchrc configuration file from this machine
which has several examples.
Bill
--
INTERNET: bill@xxxxxxxxxxxxx Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Never blame a legislative body for not doing something. When they do
nothing, that don't hurt anybody. When they do something is when they
become dangerous. -- Will Rogers
perlcode 0 use Sys::Hostname::Long;
perlcode 0 my $host_long = hostname_long;
perlcode 0 my $email=qq(support\@$host_long);
perlcode 0 my $secmail = qq(security\@$host_long);
perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/);
watchfor /Your ClamAV installation is OUTDATED/
mail addresses=$secmail, subject=[swatch] $host_long clamav update
watchfor /^(\S+) - (\S+) \[(.*?)\].*session_login/
mail addresses=$secmail, subject=[swatch] $host_name usermin login $2 $1
watchfor /entered promiscuous mode/
mail addresses=$secmail, subject=[swatch] $host_name promiscuous
watchfor /File name too long/
mail addresses=$email, subject=[swatch] BufferOverflow_attempt
watchfor /DHCPREQUEST/
mail addresses=postmaster, subject=[swatch] $host_name@message
watchfor /Failed password for.*from\s+(\S+)/
threshold track_by=$1,type=limit,count=3,seconds=60
mail addresses=$secmail, subject=[swatch] $host_name@message
watchfor /Accepted password for root.*from\s+(\S+)/
mail addresses=$secmail, subject=[swatch] $host_name ssh password $1
watchfor /Accepted publickey for root.*from\s+(\S+)/
mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1
watchfor /Invalid login as admin/
mail addresses=$secmail, subject=[swatch] $host_name@message
watchfor /Invalid login as mainadmin/
mail addresses=$secmail, subject=[swatch] $host_name@message
watchfor /Successful login as mainadmin/
mail addresses=$secmail, subject=[swatch] $host_name@message
watchfor /DeliveryErrors/
mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors
watchfor /file system full/
mail addresses=$email, subject=[swatch] $host_name@message
watchfor /refused connect from\s+(\S+)/
threshold track_by=$1,type=limit,count=3,seconds=60
mail addresses=$secmail, subject=[swatch] $host_name@message
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
