Difference between revisions of "Logcheck (Wheezy)"

As with logging in general, this is pretty distribution-specific.

Main Configuration

• /etc/logcheck/logcheck.conf
  • We are a server.
  • SENDMAILTO=uniquemailfolderpermachine

• /etc/logcheck/logcheck.logfiles

/var/log/auth.log
/var/log/error.log
/var/log/warning.log
/var/log/mail.warn
/var/log/hackers.log
/var/log/hackers6.log

Extra files

You will probably want to view the raw version of this page. Wiki formatting messes a few things up here.

/etc/logcheck/ignore.d.server/postfix-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address [^[:space:]]+( Name or service not known)?$

Yes, Postfix, this happens. It is either an idiot or a spammer. Just tell them to go away and shut up about it.

/etc/logcheck/ignore.d.server/dovecot-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL: where=0xdigit:+, ret=-?1: before/accept initialization [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL( failed)?: where=0xdigit:+(, ret=)?-?1?: SSLv3 (read|write)( client| server| key)* (certificate|change cipher spec|done|exchange|finished|hello|session ticket)( verify)? A \[[.:a-f[:digit:]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL: where=0xdigit:+, ret=-?1: SSLv3 flush data [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL: where=0xdigit:+, ret=-?1: SSL negotiation finished successfully [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL: where=0xdigit:+, ret=-?1: unknown state [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Warning: SSL alert: where=0xdigit:+, ret=256: warning close notify [^[:space:]]+$

Dovecot is noisy enough as is without its SSL insanity.

/etc/logcheck/ignore.d.server/freshclam-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: getfile: [^[:space:]]+ not found on remote server \(IP: [.:[:digit:]a-f]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: getfile: Error while reading database from [^[:space:]]+ \(IP: [^[:space:]]+ Operation now in progress$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: getfile: Unknown response from remote server \(IP: [.:[:digit:]a-f]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (getpatch: )?Can't download [^[:space:]]+ from [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Your ClamAV installation is OUTDATED!$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: Local version: [^[:space:]]+ Recommended version: [^[:space:]]+$

You may want to remove the last two if you are intent on keeping your installation more up to date, for whatever reason.

/etc/logcheck/ignore.d.server/clamav-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ clamav-milter\[[[:digit:]]+\]: Can't resolve LocalNet hostname unknown$

The poor documentation for the LocalNet variable, combined with the fact that it doesn't get autoconfigured, and because we're not talking to it on outgoing connections anyway makes this rather silly. I would rather have it error out than ignore something.

/etc/logcheck/ignore.d.server/sshd-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: subsystem request for sftp by user [^[:space:]]+$

This is only going to be relevant if you are going to be doing backup exchanges or something similar. If not, you may wish to skip this.

/etc/logcheck/ignore.d.server/general-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *digit:+\.digit:+\])? audit_printk_skb: digit:+ callbacks suppressed$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *digit:+\.digit:+\])? show_signal_msg: digit:+ callbacks suppressed$

"Alright, let's try out this AppArmor business..."

Yikes.