
Re: System log monitor



[I am crossposting this to -devel since other package maintainers might be
interested in this idea. If you are, please CC me in replies, I am currently not
subscribed to -devel.]

Steve wrote:
> 
> Thanks to everyone that replied.  I've installed logcheck and it works
> well after a couple of iterations of weeding out the false alarms.  I
> suppose it would be nice if packages could supply their own violations
> and ignore files to make this easier.  For example, postfix would
> supply a violations file containing
> 
>     postfix/(pickup|cleanup|qmgr|smtpd): .*(fatal|warn|error)
> 
> and an ignore file like
> 
>     postfix/pickup\[[0-9]+\]: [A-Z0-9]+: uid=[0-9]+ from=
>     postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=
>     postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: from=.*, size=[0-9]+
>     etc ...
> 
> And logcheck does a run-parts style include of all the files plus the
> defaults.  Does this seem like a plausible system, and does it fit
> with the debian policy.  Sorry if this is just idle speculation, I'm a
> bit of a newbie to the debian way of doing things.
> 
> That said, I'd be prepared to take on implementing this if it seems
> like a good idea.

That is a very good idea. Implementing it in logcheck.sh should be fairly easy
and I can do it for the next version of logcheck (I am the maintainer). But we
would have to define a way for the packages to plug in their files.

How about directories
/etc/logcheck/logcheck.ignore.d
/etc/logcheck/logcheck.violations.d
/etc/logcheck/logcheck.violations.ignore.d
/etc/logcheck/logcheck.hacking.d

logcheck.sh would then use the contents of the currently existing config files
and all files in those directories for its searches. Would that be ok?

That should enable other packages to come up with appropriate rules for
logcheck, but I have to remember that maintainers should be a bit paranoid when
writing those default rules, so that administrators do not miss important
messages unless they don't want to get notified. 

Does anybody have an idea how this could (with minimal overhead) be implemented
with the current workstation/server/paranoid scheme that logcheck is using now
for its default configuration? Maybe this could apply to other packages (which
supply logcheck rules) as well.

best greets,
Rene
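The drop-in scheme discussed in this thread, as an added example that is neither logcheck's code nor anything from the mail: a small POSIX shell model of the proposed /etc/logcheck/*.d layout that merges each default rule file with its drop-in directory run-parts style (skipping backup and dpkg leftover names) and then filters a constructed log with grep -E. It builds everything under a scratch directory rather than /etc; the directory names follow Rene's proposal, the ignore rules are Steve's, and the violations rule is Steve's with the syslog pid field added so it matches real "smtpd[126]:" tags. The log lines, the default rules and the violations.ignore rule are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not logcheck's own code: model of the proposed scheme where a
# package drops its rule files into /etc/logcheck/*.d and the checker merges
# them, run-parts style, with the existing default file. Built in a scratch
# directory; rule contents and log lines are constructed.

set -u
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
ETC="$SCRATCH/etc/logcheck"

# Merge the default file for one rule set with every regular file in its
# drop-in directory ($1.d). Backup and dpkg leftover names are skipped, as
# run-parts would skip them; the merged file's path is printed.
assemble_rules() {
    out="$SCRATCH/$1.merged"
    : > "$out"
    if [ -f "$ETC/$1" ]; then cat "$ETC/$1" >> "$out"; fi
    for f in "$ETC/$1.d"/*; do
        [ -f "$f" ] || continue
        case "$f" in *~|*.bak|*.dpkg-*) continue ;; esac
        cat "$f" >> "$out"
    done
    echo "$out"
}

# Lines matching a violations rule and not excused by violations.ignore.
violations() {
    grep -E -f "$(assemble_rules logcheck.violations)" "$1" \
        | grep -E -v -f "$(assemble_rules logcheck.violations.ignore)"
}

# Lines that no ignore rule accounts for (logcheck's "unusual events").
unusual() {
    grep -E -v -f "$(assemble_rules logcheck.ignore)" "$1"
}

count_violations() { violations "$1" | wc -l | tr -d ' '; }
count_unusual()    { unusual "$1"    | wc -l | tr -d ' '; }

# Sample tree: the administrator's existing defaults plus the drop-ins a
# postfix package might ship (all constructed).
setup_sample_tree() {
    mkdir -p "$ETC/logcheck.ignore.d" "$ETC/logcheck.violations.d" \
             "$ETC/logcheck.violations.ignore.d"
    printf '%s\n' 'cron\[[0-9]+\]: \(.*\) CMD' > "$ETC/logcheck.ignore"
    printf '%s\n' '(fatal|panic)' > "$ETC/logcheck.violations"
    : > "$ETC/logcheck.violations.ignore"
    # Steve's violations rule with the syslog pid field added (assumption)
    printf '%s\n' \
        'postfix/(pickup|cleanup|qmgr|smtpd)\[[0-9]+\]: .*(fatal|warn|error)' \
        > "$ETC/logcheck.violations.d/postfix"
    printf '%s\n' \
        'postfix/pickup\[[0-9]+\]: [A-Z0-9]+: uid=[0-9]+ from=' \
        'postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=' \
        'postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: from=.*, size=[0-9]+' \
        > "$ETC/logcheck.ignore.d/postfix"
    # A benign warning the package excuses from the violations report; the
    # failed-login warning deliberately gets no such rule (stay paranoid).
    printf '%s\n' \
        'postfix/smtpd\[[0-9]+\]: warning: database .* is older than source file' \
        > "$ETC/logcheck.violations.ignore.d/postfix"
    # An editor backup left behind: if it were read it would silence all of
    # postfix, which is why run-parts semantics skip such names.
    printf '%s\n' 'postfix' > "$ETC/logcheck.ignore.d/postfix~"
    cat > "$SCRATCH/messages" <<'EOF'
Jan  1 00:00:01 host postfix/pickup[123]: 7F3A1: uid=1000 from=<steve>
Jan  1 00:00:01 host postfix/cleanup[124]: 7F3A1: message-id=<1@host>
Jan  1 00:00:01 host postfix/qmgr[125]: 7F3A1: from=<steve@host>, size=345, nrcpt=1
Jan  1 00:00:02 host postfix/smtpd[126]: warning: unknown[10.0.0.5]: SASL LOGIN authentication failed
Jan  1 00:00:03 host postfix/smtpd[127]: warning: database /etc/aliases.db is older than source file /etc/aliases
Jan  1 00:00:04 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 00:00:05 host kernel: eth0: link up
Jan  1 00:00:06 host daemon[300]: fatal: cannot open configuration
EOF
}

setup_sample_tree
echo "== Security Violations =="; violations "$SCRATCH/messages"
echo "== Unusual System Events =="; unusual "$SCRATCH/messages"
```

Two things the run shows that the mail only describes: the merged violations file contains both the administrator's default `(fatal|panic)` rule and the package's rule, so a package can add checks without editing the default file, and the stale `postfix~` backup is left out, which matters because a single over-broad ignore line from a forgotten file would hide the failed-login warning along with everything else postfix logs.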


