lgcheckd

Package: WA2L/edrc 1.5.57
Section: Maintenance Commands (1m)
Updated: 17 February 2025

 

NAME

lgcheckd - daemon to check, classify and report logfile content

 

SYNOPSIS

edrc/bin/lgcheckd [ -h | -V ]

lgcheckd -a ( start | stop | status )

lgcheckd -a ( defined | monitored )

lgcheckd -a ( [no]collect | [no]ifstart )

lgcheckd -a ( refresh | reset )

lgcheckd -a report

cat logfile | lgcpattern [ -s ] patternfile

cat logfile | lgcpattern -p

 

AVAILABILITY

WA2L/edrc

 

DESCRIPTION

NOTE: The lgcheckd daemon is a more efficient and leaner version of the logcheckd(1m) command. It is recommended to use lgcheckd for new setups.

---

With lgcheckd logfiles can be analyzed and the content can be classified to different levels of importance.

During analysis the timestamp when a certain log entry has been discovered is added to the collected analysis output.

The levels used to classify the logfile content can be defined in pattern files which are related to one or more logfiles to be analyzed.

Files listed in the LOGFILE OPTIONS section of the configuration file do not have to exist when lgcheckd is started. As soon as such a file appears, it is monitored.

The generated HTML 'Log File Check' report allows easy navigation in the report and provides a view of all matched log file entries per level of importance for a reporting period.
Only existing files or files that once existed during a reporting period will be listed in the report.

The HTML report is also suited for viewing with the lynx(1) browser.

lgcheckd is able to communicate to other commands for each matched logfile entry via the INTERFACES mechanism, which can be configured in the lgcheckd.cfg configuration file. Using interfaces, it is therefore possible to forward discovered matches to a monitoring system that might not have a very sophisticated logfile analysis functionality.

lgcheckd will not fill up the file system where the log data is collected. If free space runs short during log file analysis, the collection of log file match data is suspended until sufficient disk space is available again, and then resumes automatically.
The suspension starts as soon as the free space drops below 20 times the current size of the state.db; this factor can be changed in the config file using the SUSPENDTRIGGER=number setting.
During the suspension the log files are still analysed, the matches are counted and the interfaces are started.

 

OPTIONS

-h
usage message.

-V
print daemon version.

-a
action:

start
start the log check daemon lgcheckd in the background. It is possible to start one daemon per system.

stop
stop a running lgcheckd daemon.

report
create a 'Log File Check' report for the period since the last report generation.

When invoking the report action, the current log collection run is ended, the log match data is deleted (depending on the CLEAN_COLLECT setting in the configuration file) and a new collection run is started.

All log files ever monitored are listed in the report.

However, if a log file has no matches in the current log collection run, '<no pattern matches>' is shown in the Logfiles section of the report.

When log files have matches but the log file match collection was suspended while they occurred, the related match counts are shown in the Overview section of the report. In that case '<no data available>' is shown in the Logfiles section, as long as no other matches were recorded during the whole collect run.

The produced report file name is printed plain to stdout to allow easy capturing and further processing (as mailing the report using mail_file(1)).

reset
initialize the lgcheckd daemon. All state information, collected logfile content match data, all counters and trend information will be cleared.

status
check whether an lgcheckd daemon is running (EXIT STATUS: 14), not running (EXIT STATUS: 15) or shutting down (EXIT STATUS: 18) on the system.

defined
list the logfiles defined in the lgcheckd.cfg (respectively logcheckd.cfg) config file.

monitored
list the currently monitored logfiles including additional information of the current- and past collection runs.

When lgcheckd experiences heavy load due to many log entries that have to be analysed, it switches temporarily from SINGLE to BURST write mode. Whereas in SINGLE mode match counts and log matches are immediately written to the database, in BURST mode the daemon delays writing to the database and then writes the information in larger chunks. This increases performance.

Therefore the information shown by -a monitored is not up to date while the daemon is in BURST mode.

nocollect
disable collecting of matched logfile data. The matches are nevertheless counted when the collection is disabled.

collect
enable collecting of matched logfile data.

noifstart
disable the start of interfaces on related log file data match.

ifstart
enable the start of interfaces on related log file data match.

refresh
force the resolution of log files to monitor.

New log files that match the definitions in the configuration file are looked for every 5 minutes.

lgcpattern patternfile
utility that helps to define, verify and optimize a logcheckd.pattern(4) file. It replaces the similar functionality 'logcheckd -a verify patternfile check_levels' provided by logcheckd(1m).

See lgcpattern(3) for more information.

 

ENVIRONMENT

-

 

EXIT STATUS

0
no error.

1
neither configfile etc/lgcheckd.cfg nor etc/logcheckd.cfg exists.

4
usage listed.

5
program version printed.

14
daemon running.

15
daemon not running.

18
daemon is shutting down.

 

FILES

etc/lgcheckd.cfg
configuration file of lgcheckd, see lgcheckd.cfg(4), logcheckd.pattern(4) and logcheckd.interface(3) for more information.

The GENERAL OPTIONS are loaded on daemon start; the LOGFILE OPTIONS are loaded on daemon start and re-evaluated every 300 seconds or when the lgcheckd -a refresh command is invoked.

The provided template file var/samples/templates/lgcheck.cfg contains only the settings evaluated by lgcheckd and should be used as the starting point for configuring new setups where the legacy log checking daemon logcheckd was not used before.

(etc/logcheckd.cfg)
configuration file of logcheckd.

If the file etc/lgcheckd.cfg does not exist, lgcheckd reads this file instead, without disadvantages. However, lgcheckd only evaluates the leaner set of options documented in lgcheckd.cfg(4).

lib/logcheckd/
This directory contains additional files used by lgcheckd.

lib/logcheckd/database/state.ddl
SQL data definition language (DDL) file to create the state.db.

lib/logcheckd/interface/
This directory contains the interfaces which allow lgcheckd to communicate to other tools.

lib/logcheckd/interface/<interfacefile>
Interface that communicates with other software.

See logcheckd.interface(3) for more information.

var/cache/logcheckd/
cache data for lgcheckd.

var/log/lgcheckd.log
logfile of lgcheckd.

var/logcheckd/pattern/
Location of the pattern files used for logfile analysis.

var/logcheckd/pattern/<patternfile>
Pattern file that can be used on multiple operating systems for logfile analysis.

The needed pattern files are loaded on daemon start and, if changed, re-loaded every 300 seconds or when the lgcheckd -a refresh command is invoked.

See logcheckd.pattern(4) for more information.

var/logcheckd/pattern/<patternfile>.<OSID>
Pattern file for a specific operating system.

In the config file etc/lgcheckd.cfg the pattern file is specified *without* the <OSID> part. lgcheckd first checks whether an operating-system-specific pattern file exists and otherwise uses the operating-system-independent pattern file. This simplifies configuration and allows identical configuration files across different operating systems.

See logcheckd.pattern(4) for more information.

var/logcheckd/pattern/lgcheckd
Pattern file to alert lgcheckd own events.

var/logcheckd/iconfig/
Location of the configuration files for the interfaces.

var/logcheckd/iconfig/<interfacefile>.cfg
Configuration file of the interfaces located in the lib/logcheckd/interface/ directory.

See logcheckd.interface(3) for more information.

var/logcheckd/iconfig/lgcheckd.cfg
Configuration file of the lgcheckd interface used to send alert mails on events in the logfile var/log/lgcheckd.log of the lgcheckd only.

var/logcheckd/state/
Persistent state information of the lgcheckd daemon. All information herein is maintained by the lgcheckd command, do not edit it by hand.

var/logcheckd/state/state.db
database that contains all state information and collection data of the lgcheckd. The state.db is a SQLite (see: sqlite(1)) database.

var/logcheckd/report/
Default report output directory.

var/logcheckd/report/logcheck.<hostname>.<timestamp>.html
Report file generated invoking the lgcheckd -a report command.

The report is also suited for viewing with the lynx(1) browser.

var/samples/templates/lgcheck.cfg
Template configuration file for lgcheckd.

 

EXAMPLES

1) an example pattern file

In this example the logfile of the su(1) command, which allows switching to another user, is checked. su logs successful user switches as:

        SU 06/05 11:03 + ta barney-root

Unsuccessful attempts are logged as:

        SU 06/05 11:03 - ta barney-root

The Log Check report in this example should exclude all successful switches from the root user to any user, because we trust the root user:

        [EXCLUDE]

        .* + .* root-.*$

Unsuccessful attempts to switch to the root user are classified into the HIGH section:

        [HIGH]

        .* - .*-root$

Successful switches to root are classified as MEDIUM because the user doing the switch knows the password, and the assumption here is that the user was given this password on purpose:

        [MEDIUM]

        .* + .*-root$

Unsuccessful switches to users other than root are also classified as MEDIUM, because the abuse of a non-root user has less impact than the abuse of the root user, but it might also be a brute force attack to gain access to a user login:

        .* -

All remaining entries are classified into the VERIFY section:

        [VERIFY]

        .*

The complete pattern file:

        [ /root ]
        [ root@acme001 ][-sh]: cat -n /opt/edrc/var/logcheckd/pattern/su

        01  #
        02  # logcheckd/pattern/su - logfile analysis pattern file for: su
        03  #
        04  # [00] 25.04.2008 CWa   Initial Version
        05  #
        06   
        07  [EXCLUDE]
        08
        09  .* + .* root-.*$
        10   
        11  [HIGH]
        12   
        13  .* - .*-root$
        14   
        15  [MEDIUM]
        16   
        17  .* + .*-root$
        18  .* -
        19   
        20  [LOW]
        21   
        22   
        23   
        24  [VERIFY]
        25   
        26  .*
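As an added illustration (not part of this manual page or of the WA2L/edrc code), a small Python classifier that reads a pattern file in the layout of the su example above and assigns each log line the level of the first section with a matching pattern. It assumes top-down section evaluation, and it writes the plus sign as `\+` because Python's re module treats a bare `+` as a quantifier, so its pattern text is not a byte-for-byte copy of the page's file.

```python
import re
# Constructed pattern file mirroring the su example above. The "+" is written
# "\+" because this example evaluates patterns with Python's re module, where a
# bare "+" is a quantifier; lgcheckd's own syntax is in logcheckd.pattern(4).
SU_PATTERN_FILE = r"""
[EXCLUDE]
.* \+ .* root-.*$
[HIGH]
.* - .*-root$
[MEDIUM]
.* \+ .*-root$
.* -
[LOW]
[VERIFY]
.*
"""

def parse_pattern_file(text):
    """[(level, [compiled regexes])] in file order; '#' lines are comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*([A-Z]+)\s*\]", line)
        if header:
            sections.append((header.group(1), []))
        elif sections:  # a pattern before the first [LEVEL] header is ignored
            sections[-1][1].append(re.compile(line))
    return sections

def classify(line, sections):
    """First section (file order) with a matching pattern wins. Assumption: sections
    are evaluated top-down, as the su example relies on; the empty [LOW] never hits."""
    for level, patterns in sections:
        if any(p.search(line) for p in patterns):
            return level
    return "UNMATCHED"

SAMPLE_LOG = [  # constructed su log lines in the format shown above
    "SU 06/05 11:03 + ta root-barney",  # root -> barney, trusted: EXCLUDE
    "SU 06/05 11:03 - ta barney-root",  # failed switch to root: HIGH
    "SU 06/05 11:03 + ta barney-root",  # successful switch to root: MEDIUM
    "SU 06/05 11:04 - ta barney-fred",  # failed switch to fred: MEDIUM
    "SU 06/05 11:05 + ta barney-fred",  # successful switch to fred: VERIFY
]

def classify_samples():
    sections = parse_pattern_file(SU_PATTERN_FILE)
    return [classify(entry, sections) for entry in SAMPLE_LOG]
```

For a real pattern file, lgcpattern(3) is the tool the page provides to verify which level each log line lands in.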

2) start the lgcheckd daemon

[ /root ]
[ root@acme001 ][-sh]: lgcheckd -a start

lgcheckd - a log file checking and reporting daemon, by Chr. Walther

lgcheckd-INFO: start daemon.

3) check lgcheckd status

[ /root ]
[ root@acme001 ][-sh]: lgcheckd -a status

lgcheckd - a log file checking and reporting daemon, by Chr. Walther

lgcheckd-INFO: daemon is not running, collection is 'enabled', interfacestart is 'enabled'.

4) create a 'Log File Check' report

[ /root ]
[ root@acme001 ][-sh]: lgcheckd -a report

lgcheckd - a log file checking and reporting daemon, by Chr. Walther

lgcheckd-INFO: create report for collect run '13'.
lgcheckd-INFO: report file is '/opt/edrc/var/logcheckd/report/logcheck.acme001.20240817121518.html'.
lgcheckd-INFO: collection match data for collect run '13' deleted.
lgcheckd-INFO: active collect run is now '14'.
done.

5) stop lgcheckd

[ /root ]
[ root@acme001 ][-sh]: lgcheckd -a stop

lgcheckd - a log file checking and reporting daemon, by Chr. Walther

lgcheckd-INFO: daemon not running.

6) reset lgcheckd

[ /root ]
[ root@acme001 ][-sh]: lgcheckd -a reset

lgcheckd - a log file checking and reporting daemon, by Chr. Walther

lgcheckd-INFO: daemon database initialized.

 

SEE ALSO

edrcintro(1), osid(3), crontab(1), ecrontab(1), edrcinit(1m), egrep(1), jobstart(1), lgcheckd.cfg(4), lgcheckd.state.db(4), lgcpattern(3), logcheckd.interface(3), logcheckd.pattern(4), logtail(1), lynx(1), sqlite(1), tpl(1)

 

NOTES

The lgcheckd daemon is a more efficient and leaner version of the logcheckd(1m) command. It is recommended to use lgcheckd for new setups.

The lgcheckd can be started using edrcinit(1m), for which the service handler WA2Ledrc.lgcheckd is available.

 

BUGS

-

 

AUTHOR

lgcheckd was developed by Christian Walther. Send suggestions and bug reports to wa2l@users.sourceforge.net .

 

COPYRIGHT

Copyright © 2024 Christian Walther

This is free software; see edrc/doc/COPYING for copying conditions. There is ABSOLUTELY NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


 

This document was created by man2html using the manual pages.
Time: 23:21:55 GMT, March 01, 2025