Logcheck explained

Intro

Logcheck is a program that helps you pick out the relevant messages from the various (system) log files on Unix systems. It sifts through them at regular intervals (run from crontab) and mails its findings to the system administrator. That mail contains the possibly important events, break-in attempts and other strange messages it found.

It was created by Psionic Software (now merged with Cisco) and is confirmed to run on many of the most popular Unix systems, including OpenBSD.

Download

Since www.psionic.com isn’t providing the package anymore (because of the merger with Cisco), you can download Logcheck from PureBSD.

You can also install the port (or package) called «logsentry». LogSentry and Logcheck are the same thing, but since Psionic's merger with Cisco it lives on under a different name.

The port is located in /usr/ports/security/logsentry. The binary package is named something like «logsentry-1.1.1p1.tgz» and can be found on any FTP site carrying OpenBSD.

Installation

By source:
cd /tmp
tar xvfz /location/of/logcheck-1.1.1.tar.gz
cd logcheck-1.1.1
make generic

By port:
cd /usr/ports/security/logsentry
make
make install

By binary package:
pkg_add logsentry-1.1.1p1.tgz

Configuration

Make sure that /usr/local/etc/logcheck.sh is set up the way you prefer.

If you do not want root to receive Logcheck's mail but another local or remote user, edit the SYSADMIN variable:

SYSADMIN=alexdehaas@puur.rookgordijn.nl

All «$LOGTAIL» lines should be commented out, except the ones for the OpenBSD log files. Note that only the first active line truncates the temporary file with «>»; every line after it must append with «>>», or the output of the earlier lines is overwritten:

# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$

# OpenBSD 3.4
$LOGTAIL /var/cron/log > $TMPDIR/check.$$
$LOGTAIL /var/log/authlog >> $TMPDIR/check.$$
$LOGTAIL /var/log/daemon >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
$LOGTAIL /var/log/messages >> $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/wlanlog >> $TMPDIR/check.$$

Running Logcheck

Edit root’s crontab:

crontab -e

And add the following two lines:

# Security: check the log files every 30 minutes
*/30 * * * * /usr/local/etc/logcheck.sh

Filtering log messages

If you do or do not wish to see certain log messages mailed to you, you can edit the logcheck.[hacking,ignore,violations,violations.ignore] files located in /usr/local/etc. All lines in those files are patterns in the regular expression format used by grep.

  • logcheck.hacking:
    This file contains lines which consist of patterns indicating an active system attack. You can add your own patterns to it when deemed necessary.
  • logcheck.violations:
    This file contains lines with patterns indicating some sort of negative system activity. You can add your own patterns to it when deemed necessary.
  • logcheck.violations.ignore:
    Lines of patterns in this file are used to filter out log messages that logcheck.violations picks up as negative system events. In other words: the more specific pattern lines in logcheck.violations.ignore override the more generic pattern lines in logcheck.violations. A message matched here only disappears from the violations section of the report; if you do not want to see it at all, it also needs a pattern in the catch-all logcheck.ignore.

    You can add your own exceptions to it. Examples:

    sendmail.*: .*: Authentication-Warning: .*: .* owned process doing -bs
    sm-mta.*: ruleset=check_relay, .* reject=.* .*

  • logcheck.ignore:
    This file contains lines with patterns indicating that a message should not be reported. By default every log message is reported as «unusual system activity», so you won't miss anything not accounted for in the other logcheck files: this is the catch-all file. Be careful not to leave an empty line in it, since grep treats an empty pattern as matching every line, which would silence the whole report.

    You can add your own exceptions to it. Examples:

    dhcpd: DHCPDISCOVER from .* via xl0
    dhcpd: DHCPREQUEST for 10.0.* from .* via xl0
    dhcpd: DHCPOFFER on 10.0.* to .* via xl0
    dhcpd: DHCPACK on 10.0.* to .* via xl0
    wlanmon: WLAN bridge connection is just fine\.
    syslogd: restart
    spamd.*: .*\..*\..*\..*: connected \(.*\)
    spamd.*: .*\..*\..*\..*: disconnected after .* seconds\.
    spamd.*: .*\..*\..*\..*: \<.*\> -\> \<.*\>
    spamd.*: .*\..*\..*\..*: From: .* To: .*
    ftp-proxy.*: accepted connection from 10.0.0.*:.* to .*
    cvs.*: connect from .*.intranet.atomicvoid.net

    Log messages matching any of the above patterns are now ignored by Logcheck.
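Before a new pattern goes into /usr/local/etc it pays to check what it actually matches. The script below is an added example, not part of Logcheck or of this page: it replays the three filtering stages over a few constructed log lines, using small constructed stand-ins for the pattern files (the two patterns taken from this page are used as given). It assumes that logcheck.sh classifies with «grep -i -f logcheck.hacking», then «grep -i -f logcheck.violations | grep -v -f logcheck.violations.ignore», then «grep -v -f logcheck.ignore», in that order; the paths, hostname and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example (not logcheck's own code): replay logcheck's filtering over
# constructed log lines to test a pattern before it is put into /usr/local/etc.
#
# Assumed pipeline (how logcheck.sh is understood to classify a batch):
#   attacks    = grep -i -f logcheck.hacking check
#   violations = grep -i -f logcheck.violations check | grep -v -f logcheck.violations.ignore
#   unusual    = grep -v -f logcheck.ignore check
# The pattern files written below are small constructed stand-ins for the
# real files; they are not the ones shipped with the package.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Constructed log lines (hostname, MAC and IP addresses are invented).
cat > "$WORK/check" <<'EOF'
Jan  5 10:00:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via xl0
Jan  5 10:00:02 gw dhcpd: DHCPOFFER on 10.0.0.20 to 00:11:22:33:44:55 via xl0
Jan  5 10:00:10 gw syslogd: restart
Jan  5 10:01:00 gw sshd[1234]: Failed password for root from 192.0.2.7 port 40000 ssh2
Jan  5 10:01:30 gw sm-mta[2222]: ruleset=check_relay, arg1=[198.51.100.9], relay=[198.51.100.9], reject=550 5.7.1 Relaying denied
Jan  5 10:02:00 gw su: alex to root on /dev/ttyp0
Jan  5 10:02:05 gw sshd[1250]: ROOT LOGIN REFUSED FROM 192.0.2.7
EOF

# Stand-in for logcheck.hacking: an active attack indicator.
cat > "$WORK/hacking" <<'EOF'
ROOT LOGIN REFUSED
EOF

# Stand-in for logcheck.violations: generic "something negative" keywords.
cat > "$WORK/violations" <<'EOF'
denied
failed
refused
EOF

# logcheck.violations.ignore: the sm-mta relay rejection pattern from this page.
cat > "$WORK/violations.ignore" <<'EOF'
sm-mta.*: ruleset=check_relay, .* reject=.* .*
EOF

# logcheck.ignore: the dhcpd and syslogd patterns from this page.
cat > "$WORK/ignore" <<'EOF'
dhcpd: DHCPDISCOVER from .* via xl0
dhcpd: DHCPOFFER on 10.0.* to .* via xl0
syslogd: restart
EOF

# The same ignore file with an accidental empty line appended: the empty
# pattern matches every line, so nothing at all would be reported as unusual.
{ cat "$WORK/ignore"; echo; } > "$WORK/ignore.broken"

count()      { wc -l | tr -d ' '; }
attacks()    { grep -i -f "$WORK/hacking" "$WORK/check"; }
violations() { grep -i -f "$WORK/violations" "$WORK/check" | grep -v -f "$WORK/violations.ignore"; }
# unusual takes an optional ignore file so the broken one can be tried.
unusual()    { grep -v -f "${1:-$WORK/ignore}" "$WORK/check"; }
# Number of empty or whitespace-only lines in a pattern file; should be 0.
blank_patterns() { grep -c '^[[:space:]]*$' "$1"; }

report() {
    echo "Active System Attack Alerts"; attacks
    echo; echo "Security Violations"; violations
    echo; echo "Unusual System Events"; unusual
}

report
echo
echo "empty lines in ignore.broken: $(blank_patterns "$WORK/ignore.broken")"
echo "unusual events with ignore.broken: $(unusual "$WORK/ignore.broken" | count)"
```

Two things the run makes visible: the sm-mta line dropped by logcheck.violations.ignore still shows up under unusual system events, because only logcheck.ignore affects that section; and a single empty line in the ignore file takes the unusual section from four lines to none, so checking pattern files for blank lines (the blank_patterns function) is worth doing whenever one is edited.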
