logcheckd

NAME

SYNOPSIS

logcheckd -a ( start | stop | report | reset | status | defined | monitored )

cat logfile | logcheckd -a verify patternfile check_levels

AVAILABILITY

DESCRIPTION

---

With logcheckd logfiles can be analyzed and the content can be classified to different levels of importance.

During analysis the timestamp when a certain log entry has been discovered is added to the collected analysis output.

The levels used to classify the logfile content can be defined in pattern files which are related to one or more logfiles to be analyzed.

The generated HTML report allows easy navigation in the report and provides an index of the number of selected rows (=hits) per level of importance in an overview section of the report.

To allow judgement of the number of hits the absolute number of hits are also normalized to 'hits per day' (hits/day) which then are less dependent of the reporting period and can be compared to the hits/day of the last analysis period and a calculated hits trend.

The trend is calculated as:

        trend_new = ( 0.75 * trend_last ) + ( 0.25 * hits_last )

The generated report can be kept on the file system, but the main purpose is to send it per mail to system administration personnel which will get a good overview of the log situation on the system.
For compliance the report contains a random compliance code that is used to prove that the report has been viewed. To help the administrative personnel and to enable a consistent compliance procedure the generated report provides a 'send report view confirmation mail' hyperlink that prepares a compliance mail when clicking on it having the compliance code in the the subject line. So in the mailbox it is easy to see which reports have been viewed by sorting it by subject.

logcheckd will not fill up the file system where the log data is collected and reported. If file space will be short during log file analysis the analysis is suspended until sufficient disk space is available again and will then resume automatically. A report will also only be generated if sufficient free space is available. The following suspension criteria applies:

        {1.5 * lsize}  >  {available - (available + used)/100 * MIN_FREESPACE}

logcheckd is also able to communicate to other commands for each matched logfile entry via the INTERFACES mechanism, which can be configured in the logcheckd.cfg configuration file. Using interfaces, it is therefore possible to forward discovered matches to a monitoring system that might not have a very sophisticated logfile analysis functionality.

REPORT STRUCTURE

General

General information about the report. This section contains the following information:

Customer

Name of the Customer.

Environment

Name and description of the environment of which the host is part of.

Hostname

Hostname where the report has been generated.

Report

Name of the report.

Report ID

Unique ID of the report.

Report Period

Period (date and time from, date and time to) that is covered by the report. To allow easy calculations the duration in seconds is provided, too.

Date

Date when the report has been generated.

Generated by

Path and name of the command and user that generated (and mailed) the report.

Confirmation Code

Random confirmation code for compliance usage.

Compliance

Hyperlink providing an email with a structured subject and content that can be mailed to a compliance recipient.

Overview

Overview of all logfiles that existed during the 'Report Period'. This section contains the following information:

Current (hits absolute)

Absolute number of hits per defined level and absolute number of ignored logfile rows during the 'Reporting Period'.

Current (hits/day)

Number of hits per defined level and number of ignored logfile rows during the 'Reporting Period' converted into hits per day.

Last (hits/day)

Number of hits per defined level and number of ignored logfile rows during the last 'Reporting Period' converted into hits per day.

Trend (hits/day)

Trend of hits per defined level and number of ignored logfile rows calculated based on all past reports.

Logfile

Name and size of the logfile.

Logfiles

All captured logfile rows sorted by logfile and defined level.

Footline

Information about the logcheckd version used to generate the report.

OPTIONS

-h

usage message.

-a

action:

start

start the log check daemon logcheckd in the background. It is possible to start one daemon per system.

stop

stop a running logcheckd daemon.

report

create a LogCheck report for the period since the last report generation. If an email address is defined in the REPORT_MAIL_TO setting in the config file etc/logcheckd.cfg the report will be mailed to the recipient(s) defined in REPORT_MAIL_TO, REPORT_MAIL_CC and REPORT_MAIL_BCC.

reset

initialize the logcheckd daemon. All state information, collected logfile content hits, all counters and trend information will be cleared. If you configured to keep the logfile collection hits ( CLEAN_COLLECT=False ) all collect runs are removed. If you configured to keep the generated reports after mailing them ( CLEAN_REPORT=False ) the reports will be moved to the REPORTDIR/.$TODAY directory.

status

check if a logcheckd is running (EXIT STATUS: 14) or not running (EXIT STATUS: 15) on the system.

defined

list the logfiles defined in the logcheckd.cfg config file.

monitored

list the currently monitored logfiles including some additional information.

verify patternfile check_levels

verify the check_levels of the patternfile for the logfile piped into logcheckd. This option can be used to check if the settings made in a pattern file lead into the expected results. check_levels is a comma separated list of levels to be checked. This is equal to the CHECK_LEVELS setting in the logcheckd.cfg configuration file. When verifying a patternfile no timing information is added to the output.

ENVIRONMENT

SIGNALS

TERM

kill the process without an argument ( kill PID ). Issuing this signal, the daemon will end.

EXIT STATUS

0

no error.

1

configfile etc/logcheckd.cfg does not exist.

2

operating system is not supported. See osid(3) if you get this error.

3

pattern file does not exist. This exit status is returned only when calling logcheckd with the -a verify option.

4

usage listed.

5

logcheckd has been aborted issuing <Ctrl>+<C>. This applies only when using the options -a stop, -a reset or -a report.

6

cannot write to REPORTDIR.

7

cannot write to COLLECTDIR.

8

cannot write to the logcheckd logfile.

9

cannot write to LOCKDIR.

10

directory PATTERNDIR does not exist.

11

a temporary directory could not be claimed or created in /var/tmp. Check the system temporary directory /var/tmp if you get this error, it is an indicator of system intrusion.

12

ambiguous pattern file name. This error only occures if logcheckd is called with the -a verify option. During daemon operation logfile specifications containing ambiguous pattern file names are ignored and the daemon does not exit.

13

report creation failed.

14

daemon running.

15

daemon not running.

16

directory INTERFACECONFIGDIR does not exist.

17

not all interfaces, as specified in INTERFACES in the logcheckd.cfg config file, can be accessed. An interface has to be executable for the root user.

FILES

etc/logcheckd.cfg

configuration file of logcheckd, see logcheckd.cfg(4), logcheckd.pattern(4) and logcheckd.style(4) for more information. The logfile options are reloaded in the interval defined in CHECK_INTERVAL, therefore logfiles can be added, modified and removed from the list without restarting the logcheckd daemon. When a logfile is removed, it will not be checked from that moment an, but it will be included in the first report generated afterwards.

lib/logcheckd/

This directory contains additional files used by logcheckd.

lib/logcheckd/style/

This directory contains the stylesheets used by the logcheckd when a HTML report is generated.

lib/logcheckd/style/WA2L.css

Default style sheet when generating the report.

lib/logcheckd/interface/

This directory contains the interfaces which allow logcheckd to communicate to other tools.

lib/logcheckd/interface/<interfacefile>

Interface that communicates with other software. See logcheckd.interface(3) for more information.

var/log/logcheckd.log

logfile of logcheckd. The location of the logfile can be configured in the etc/logcheckd.cfg config file.

var/logcheckd/pattern/

Location of the pattern files used for logfile analysis.

var/logcheckd/pattern/<patternfile>

Pattern file that can be used on multiple operating systems for logfile analysis.

var/logcheckd/pattern/<patternfile>.<OSID>

Pattern file for a specific operating system.

In the config file etc/logcheckd.cfg the pattern file is specified *without* the <OSID> part. logcheckd first checks if a operating system dependent pattern file exists and then uses the non-operating system dependent pattern file. This eases up configuration and enables to have identical configuration files across different operating systems.

var/logcheckd/iconfig/

Location of the configuration files for the interfaces.

var/logcheckd/iconfig/<interfacefile>.cfg

Configuration file of the interfaces located in the lib/logcheckd/interface/ directory. See logcheckd.interface(3) for more information.

var/logcheckd/collect/

Default collect directory.

var/logcheckd/collect/<collect_run>/

This directory contains the collected logfile entries (hits) of all checked logfiles for a certain collect run.

var/logcheckd/collect/<collect_run>/<logfile_number>.excluded

Number of excluded ([EXCLUDE] section) rows of a checked logfile.

var/logcheckd/collect/<collect_run>/<logfile_number>.ignored

Number of ignored rows of a checked logfile.

var/logcheckd/collect/<collect_run>/<logfile_number>.<LEVEL>

Selected rows of a logfile for a certain LEVEL as configured in the pattern file. See also logcheckd.pattern(4) for more information about pattern files.

var/logcheckd/collect/<collect_run>/ts.begin

Begin timestamp of a logfile analysis / reporting period.

var/logcheckd/collect/<collect_run>/ts.end

End timestamp of a logfile reporting period..

var/logcheckd/state/

Persistent state information of the logcheckd daemon. All information herein is maintained by the logcheckd command, do not edit it by hand.

var/logcheckd/state/index

Index of all configured logfiles that have been found on the system.

var/logcheckd/state/collect.seq

Counter of collect runs.

var/logcheckd/state/report.seq

Counter of generated reports.

var/logcheckd/state/files/

File properties that have to be saved across collect runs.

var/logcheckd/state/files/<logfile_number>.inode

Inode number of a checked logfile.

var/logcheckd/state/files/<logfile_number>.rows

Number of rows of a checked logfile.

var/logcheckd/state/files/<logfile_number>.size

Size in kBytes (1 kByte = 1024 Bytes) of a checked logfile.

var/logcheckd/state/files/<logfile_number>.<LEVEL>.hits.last

Number of hits per day of a logfile for a certain LEVEL.

var/logcheckd/state/files/<logfile_number>.<LEVEL>.hits.trend

Trend of hits per day of a logfile for a certain LEVEL.

var/logcheckd/state/files/<logfile_number>.ignored.last

Number of ignored logfile rows per day of the last reporting period.

var/logcheckd/state/files/<logfile_number>.ignored.trend

Trend of number of ignored rows per day.

var/logcheckd/state/files/<logfile_number>.excluded.last

Number of excluded logfile rows per day of the last reporting period.

var/logcheckd/state/files/<logfile_number>.excluded.trend

Trend of number of excluded rows per day.

var/logcheckd/report/

Default report output directory.

<REPORTDIR>/<customer>_<report>_<environment_name>_<report_id>.html

Report file if it is saved.

var/samples/templates/logcheck.cfg

Template configuration file for logcheckd.

EXAMPLES

1) verify a pattern file

In this example the logfile of su(1) command which allows to switch the user is checked. su writes successful user switches in the logfile as:

        SU 06/05 11:03 + ta barney-root

unsuccessful attempts are logged as:

        SU 06/05 11:03 - ta barney-root

The LogCheck report in this example should exclude all successful switches of the root user to any user, due to the fact that we trust the root user:

        [EXCLUDE]

        .* + .* root-.*$

Non-successful tries to switch to the root user are classified to the HIGH section:

        [HIGH]

        .* - .*-root$

Successful switches to root are classified as MEDIUM because the user doing the switch knows the password and the assumption here is, that the user knows this password by purpose:

        [MEDIUM]

        .* + .*-root$

Non-successful switches to other users as root are also classified as MEDIUM due to the fact that the abuse of a non-root user has less impact as the abuse of the root user, but it also might be a brute force attack to get access to a user login:

        .* -

All remaining entries are classified to the VERIFY section:

        [VERIFY]

        .*

Later when running logcheckd as daemon the VERIFY and EXCLUDE sections will only be collected/reported when they are listed in the CHECK_LEVELS setting (e.g: CHECK_LEVELS=HIGH,MEDIUM,LOW,VERIFY,EXCLUDE ) in the config file logcheckd.cfg(4).

        [ /root ]
        [ root@acme001 ][-sh]: cat -n /opt/edrc/var/logcheckd/pattern/su

        01  #
        02  # logcheckd/pattern/su - logfile analysis pattern file for: su
        03  #
        04  # [00] 25.04.2008 CWa   Initial Version
        05  #
        06   
        07  [EXCLUDE]
        08
        09  .* + .* root-.*$
        10   
        11  [HIGH]
        12   
        13  .* - .*-root$
        14   
        15  [MEDIUM]
        16   
        17  .* + .*-root$
        18  .* -
        19   
        20  [LOW]
        21   
        22   
        23   
        24  [VERIFY]
        25   
        26  .*

        [ /root ]
        [ root@acme001 ][-sh]: tail -16 /var/adm/sulog | \
           ~edrc/bin/logcheckd -a verify su EXCLUDE,HIGH,MEDIUM,LOW,VERIFY

        logcheckd - a log file checking and reporting daemon, by Chr. Walther
         
        verify patternfile '/opt/edrc/var/logcheckd/pattern/su' ...
                [EXCLUDE]
                        009| SU 06/05 11:00 + tty?? root-oracle
                        009| SU 06/05 11:01 + tty?? root-edrc
                        009| SU 06/05 11:01 + tty?? root-edrc
                        009| SU 06/05 12:00 + tty?? root-oracle
                        009| SU 06/05 12:00 + tty?? root-oracle
                        009| SU 06/05 12:00 + tty?? root-oracle
                        009| SU 06/05 12:00 + tty?? root-oracle
                        009| SU 06/05 12:02 + tty?? root-edrc
                        009| SU 06/05 12:02 + tty?? root-edrc
                        009| SU 06/05 12:02 + tty?? root-edrc
                        (10)
                [HIGH]
                        013| SU 06/05 11:03 - ta barney-root
                        (1)
                [MEDIUM]
                        018| SU 06/05 11:02 - ta barney-fred
                        017| SU 06/05 11:03 + ta barney-root
                        017| SU 06/05 11:32 + tc barney-root
                        017| SU 06/05 11:33 + 2 fred-root
                        (4)
                [LOW]
                        (0)
                [VERIFY]
                        026| SU 06/05 11:40 + ta barney-fred
                        (1)
                ignored
                        (0)
        done.

2) start logcheckd

[ /root ]
[ root@acme001 ][-sh]: logcheckd -a start

logcheckd - a log file checking and reporting daemon, by Chr. Walther

start logcheckd daemon ...(PID=23757)... done.

3) check logcheckd status

[ /root ]
[ root@acme001 ][-sh]: logcheckd -a status

logcheckd - a log file checking and reporting daemon, by Chr. Walther

logcheckd daemon status ...(running,PID=23757,revision=33,collectrun=5)... done.

4) create a LogCheck report

[ /root ]
[ root@acme001 ][-sh]: logcheckd -a report

logcheckd - a log file checking and reporting daemon, by Chr. Walther

create report ...
        report information ...
                Customer ....... : WA2L
                Report ID ...... : acme001_10000
                Report Period .. : 2008-06-25 15:20:00 - 2008-06-29 00:39:48 (292788 seconds)
                Send to ........ : admin@acme.ch
                Collect Run .... : 5
        done.
        write report ...
                header section ... done.
                general section ... done.
                overview section ... done.
                logfile section ... done.
                foot section ... done.
        done.
        send report ... done.
        clear collect directory ... done.
        clear report ... done.
done.

5) stop logcheckd

[ /root ]
[ root@acme001 ][-sh]: logcheckd -a stop

logcheckd - a log file checking and reporting daemon, by Chr. Walther

stop logcheckd daemon ...
        send logcheckd daemon the stop signal ... done.
        wait for daemon to stop .... done.
done.

6) reset logcheckd

[ /root ]
[ root@acme001 ][-sh]: logcheckd -a reset

logcheckd - a log file checking and reporting daemon, by Chr. Walther

initialize logcheckd daemon ...
    clear state information ...... done.
    clear collect data ...... done.
    clear saved reports ...... done.
done.

SEE ALSO

NOTES

BUGS

AUTHOR

COPYRIGHT

This is free software; see edrc/doc/COPYING for copying conditions. There is ABSOLUTELY NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.