

Logcheck Tweaks

RSyslogd

The following rsyslogd syslog entries will trip a default install of logcheck:

Sep 18 06:25:01 zcn1 kernel: imklog 3.18.6, log source = /proc/kmsg started.
Sep 18 06:25:01 zcn1 rsyslogd: [origin software="rsyslogd" swVersion="3.18.6" x-pid="2097" x-info="http://www.rsyslog.com"] restart

so it's best to add the following lines to /etc/logcheck/ignore.d.server/rsyslogd to ignore them:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$

SSHD

SSH logs information about connections, connection attempts and disconnects. The default SSHD rules don't account for disconnects properly (whether intentional or not, it gets on my nerves). So, to ignore log entries such as:

Sep 13 15:49:35 zmn1 sshd[6393]: Received disconnect from 81.13.159.17: 11: disconnected by user

add the following to /etc/logcheck/ignore.d.server/ssh (the dots in the address are escaped and the line is anchored, so the rule matches exactly that address and nothing else):

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from 81\.13\.159\.17: 11: disconnected by user$

Just make sure to change 81.13.159.17 to the address you normally use to access the machine. That way you are still informed of disconnects from any other address.

CRM/Corosync/Pacemaker/Heartbeat

To be honest, these log entries will drive you crazy if you aren't careful. So, to ignore log entries such as:

Oct  7 17:47:33 bps1 crmd: [456]: info: do_cib_control: CIB connection established
Oct  7 17:47:33 bps1 crmd: [456]: info: crm_cluster_connect: Connecting to OpenAIS

add the following to /etc/logcheck/ignore.d.server/corosync (note that the `info: .*` and `notice: .*` rules silence everything those daemons log at those levels, so anything from them you still want to see has to be logged at a higher priority or excluded from these rules):

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ attrd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cib: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crmd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crmd: \[[0-9]+\]: notice: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]: .* info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   \[TOTEM \].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   \[MAIN  \].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   \[SERV  \].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   \[pcmk  \].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ logd: \[[0-9]+\]: debug: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ logd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ lrmd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ lrmd: \[[0-9]+\]: WARN: G_SIG_dispatch: Dispatch function for SIGCHLD was delayed .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pengine: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pengine: \[[0-9]+\]: notice: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pingd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stonithd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stonithd: \[[0-9]+\]: notice: .*$
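As an added example (not part of the original page), the following Python harness applies ignore rules from the SSHD and corosync sections the way logcheck does (egrep -v -f: a line matching any rule is dropped) to constructed sample lines, translating the POSIX bracket classes to Python's re. It assumes the sshd rule with escaped dots and a trailing anchor and the corosync rule with `\[TOTEM \]` escaped, and contrasts that with the unescaped `[TOTEM ]` form, which is a character class and never matches the real line.

```python
import re

# logcheck rules use egrep syntax; Python's re lacks POSIX bracket classes, so map the ones used here.
POSIX_CLASSES = {"[:alnum:]": "a-zA-Z0-9", "[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:space:]": r"\s"}


def to_python_regex(rule):
    for posix, python in POSIX_CLASSES.items():
        rule = rule.replace(posix, python)
    return re.compile(rule)


def unmatched_lines(lines, rules):
    """Lines that no ignore rule matches: what logcheck still reports (egrep -v -f semantics)."""
    compiled = [to_python_regex(rule) for rule in rules]
    return [line for line in lines if not any(c.search(line) for c in compiled)]


# Rules from the page, with the IP dots escaped, the sshd line anchored and the corosync brackets escaped.
RULES = [
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from 81\.13\.159\.17: 11: disconnected by user$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crmd: \[[0-9]+\]: info: .*$",
    r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   \[TOTEM \].*$",
]

# The unescaped form: "[TOTEM ]" is a character class matching one of T, O, E, M or space, not the literal tag.
LOOSE_TOTEM_RULE = r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   [TOTEM ].*$"

# Constructed sample lines in the same format as the entries quoted on the page.
SAMPLE_LINES = [
    "Sep 13 15:49:35 zmn1 sshd[6393]: Received disconnect from 81.13.159.17: 11: disconnected by user",
    "Sep 13 16:02:10 zmn1 sshd[6410]: Received disconnect from 203.0.113.9: 11: disconnected by user",
    "Oct  7 17:47:33 bps1 crmd: [456]: info: do_cib_control: CIB connection established",
    "Oct  7 17:47:34 bps1 corosync[440]:   [TOTEM ] The network interface [10.0.0.1] is now up.",
]


def report_with_fixed_rules():
    """Expected: only the disconnect from the unlisted address is still reported."""
    return unmatched_lines(SAMPLE_LINES, RULES)


def report_with_loose_totem_rule():
    """Expected: the TOTEM line is reported too, because the unescaped rule never matches it."""
    return unmatched_lines(SAMPLE_LINES, RULES[:2] + [LOOSE_TOTEM_RULE])


if __name__ == "__main__":
    for line in report_with_fixed_rules():
        print("REPORTED:", line)
```

Run the same harness against your own ignore.d files and a day's worth of real log lines before deploying a rule, so you can see both what it silences and what it fails to silence.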
security/logcheck.txt · Last modified: 2020/02/24 11:16 (external edit)