Author: Liu Zhiyong, Guo Conghui
On a busy Linux system with a large number of accounts, the log files grow extremely large, and the mass of routine entries buries the ones that deserve attention, which makes log analysis very inconvenient for the administrator. Some tools are dedicated to log analysis; logcheck and its companions are among them.
Logcheck analyzes a large log file, filters out the entries that indicate potential security risks or other abnormal conditions, and then notifies a specified user by email. It is developed by Psionic and can be downloaded from http://www.psionic.com/tools/logcheck-1.1.1.tar.gz; check http://www.psionic.com/abacus/logcheck/ to see whether a newer version is available.
Installation is straightforward. Unpack the archive and run make; follow the prompts to select your operating system type, and the program is compiled. The configuration files and the running script are installed under /usr/local/etc/ by default:
logcheck.sh
This is the logcheck shell script, which analyzes the log files and reports the result.
logcheck.hacking
This file holds the keywords that are matched against the log file; a line containing one of them indicates a potential security risk. You can tailor it to your own log files by adding or deleting keywords in logcheck.hacking.
logcheck.violations
This file holds the keywords that indicate abnormal conditions (security violations) encountered while the system is running.
logcheck.violations.ignore
If an abnormal entry also contains a keyword from this file, it is considered normal and is not written into logcheck's analysis report.
logcheck.ignore
If a log entry looks like an attack but contains a keyword from logcheck.ignore, logcheck considers it normal and leaves it out of the analysis report.
After logcheck is installed, you must adjust the parameters in logcheck.sh to suit your environment. Two settings are worth noting. The first is the recipient of the report:
# Person to send log activity to.
SYSADMIN=root
Logcheck sends the report to the root user by default. If you want it sent to a specific email address, change it here; to send the report to several users, define a mail alias. The second setting is the list of log files to be checked:
# Linux
$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
$LOGTAIL /var/log/messages >> $TMPDIR/check.$$
You can add further log files to be checked as needed (note that every line after the first must append with >> so that earlier output is not overwritten), for example:
$LOGTAIL /var/log/auth.log >> $TMPDIR/check.$$
$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$
$LOGTAIL /var/log/mail.log >> $TMPDIR/check.$$
Finally, use cron to schedule logcheck.sh so that the server runs it automatically at regular intervals.
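To show what logcheck.sh actually does with the files above, here is a small POSIX shell re-implementation of its pipeline (an added example, not the logcheck project's code): a logtail-style reader that only returns the lines appended since the last run, followed by the three keyword filters (hacking, violations minus violations.ignore, and everything not in ignore). The log lines, keyword files and the WORK temp directory are constructed for the example.

```shell
#!/bin/sh
# Constructed example: mimic logcheck's logtail + keyword filters on a temp copy.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/messages"            # stands in for /var/log/messages
OFFSET="$WORK/messages.offset"  # logtail remembers how far it has read

# Constructed sample log lines.
cat > "$LOG" <<'EOF'
Jan 10 03:12:01 host sshd[1201]: Accepted password for alice from 10.0.0.5
Jan 10 03:12:07 host sshd[1208]: Failed password for root from 10.0.0.9
Jan 10 03:13:00 host su: alice to root on /dev/pts/1
Jan 10 03:14:22 host portsentry[77]: attackalert: Connect from host 10.0.0.9
Jan 10 03:15:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Constructed keyword files modelled on logcheck.hacking / .violations / .violations.ignore / .ignore.
printf 'attackalert\n' > "$WORK/logcheck.hacking"
printf 'Failed password\nsu:\n' > "$WORK/logcheck.violations"
printf 'su: alice to root\n' > "$WORK/logcheck.violations.ignore"
printf 'cron\\[[0-9]*\\]: (root) CMD\nAccepted password\n' > "$WORK/logcheck.ignore"

# logtail: print only the bytes added since the last run and save the new offset.
logtail() {
    last=0; [ -f "$OFFSET" ] && last=$(cat "$OFFSET")
    size=$(wc -c < "$LOG" | tr -d ' ')
    [ "$size" -lt "$last" ] && last=0      # log was rotated or truncated: start over
    tail -c +$((last + 1)) "$LOG"
    echo "$size" > "$OFFSET"
}

# One logcheck run: collect new lines, then apply the three filters in order.
logcheck_run() {
    new="$WORK/check.$$"
    logtail > "$new"
    # Active system attack alerts: any line matching logcheck.hacking.
    grep -i -f "$WORK/logcheck.hacking" "$new" | sed 's/^/ATTACK: /'
    # Security violations: logcheck.violations hits not excused by logcheck.violations.ignore.
    grep -i -f "$WORK/logcheck.violations" "$new" \
        | grep -v -i -f "$WORK/logcheck.violations.ignore" | sed 's/^/VIOLATION: /'
    # Unusual system events: everything that logcheck.ignore does not whitelist.
    grep -v -i -f "$WORK/logcheck.ignore" "$new" | sed 's/^/UNUSUAL: /'
    rm -f "$new"
}
```

Running logcheck_run twice shows the logtail effect: the second run reports nothing until new lines are appended to the log.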