
Fedora core LogWatch

Receiving Logcheck results by e-mail (30 August 2004)

My main FreeBSD server already mails me its Logcheck results on a regular basis...
For the Fedora sub-machine, I'm going to install the LogWatch software instead.
 
Install logwatch with yum (*^^)v (the latest version is Logwatch 5.2.2, I believe)

# yum install logwatch
Gathering header information file(s) from server(s)
Server: Fedora Core 1 - i386 - Base
Server: Fedora Core 1 - i386 - Released Updates
Finding updated packages
Downloading needed headers
Resolving dependencies
Dependencies resolved
I will do the following:
[install: logwatch 4.3.2-2.1.noarch]
Is this ok [y/N]: y
Getting logwatch-4.3.2-2.1.noarch.rpm
logwatch-4.3.2-2.1.noarch 100% |=========================| 70 kB 00:00
Running test transaction:
Test transaction complete, Success!
logwatch 100 % done 1/1
Installed: logwatch 4.3.2-2.1.noarch
Transaction(s) Complete

Once the install has finished... edit /etc/log.d/conf/logwatch.conf (^^)/
   ↓
logwatch.conf

########################################################
# This was written and is maintained by:
# Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
#
########################################################

# NOTE:
# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.

# You can put comments anywhere you want to. They are effective for the
# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.

# Yes = True = On = 1
# No = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log   ← directory of the logs to check

# You can override the default temp directory (/tmp) here
TmpDir = /tmp

# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = hoge  ← address the report is mailed to

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No ← print the report to standard output instead?

# Leave this to 'Yes' if you have the mktemp program and it supports
# the '-d' option. Some older version of mktemp on pre-RH7.X did not
# support this option, so set this to no in that case and Logwatch will
# use internal temp directory creation that is (hopefully) just as secure
UseMkTemp = Yes

# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch

# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# Archives = Yes
# Range = All

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low  ← detail level of the report


# The 'Service' option expects either the name of a filter
# (in /etc/log.d/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All  ← specifies which services to check
The filter file for each service lives under /etc/log.d/scripts/services/.
# You can also disable certain services (when specifying all)
#Service = -zz-fortune
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...

#
# some systems have different locations for mailers
#
mailer = /bin/mail  ← path of the program used to send the mail

#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes

Let's give it a test run ( ̄ー ̄)

#/usr/sbin/logwatch

 
The report should arrive at the address specified above...

The report as received by e-mail ↓

################### LogWatch 4.3.2 (02/18/03) #################### 
Processing Initiated: Mon Aug 30 14:16:20 2004
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: server2
################################################################ 

--------------------- pam_unix Begin ------------------------ 

su:
Sessions Opened:
hoge(uid=500) -> root: 4 Time(s)

sshd:
Authentication Failures:
hoge(note.yumidon.com ): 3 Time(s)
hoge(pc3.yumidon.com ): 1 Time(s)


---------------------- pam_unix End ------------------------- 


--------------------- SSHD Begin ------------------------ 


Failed logins from these:
hoge/password from 192.168.1.8: 1 Time(s)

Users logging in through sshd:
hoge logged in from note.yumidon.com (192.168.1.8) using password: 3 Time(s)
hoge logged in from pc3.yumidon.com (192.168.1.6) using password: 1 Time(s)

---------------------- SSHD End ------------------------- 


------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda2 37G 3.2G 32G 10% /
/dev/hda1 99M 18M 76M 20% /boot
none 251M 0 251M 0% /dev/shm


###################### LogWatch End ######################### 
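To keep an eye on the part of this report that matters most (the su sessions and the sshd failures), here is a small parser for the LogWatch 4.x section format shown above. It is an added example, not part of the original post or of Logwatch; the report text inside it is constructed to mirror the layout above, with example.com hostnames in place of the real ones.

```python
import re

# Constructed sample modelled on the report format shown above (not the page's text).
SAMPLE_REPORT = """\
--------------------- pam_unix Begin ------------------------
su:
Sessions Opened:
hoge(uid=500) -> root: 4 Time(s)
sshd:
Authentication Failures:
hoge(note.example.com ): 3 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from these:
hoge/password from 192.168.1.8: 1 Time(s)
---------------------- SSHD End -------------------------
"""

SECTION_RE = re.compile(r"^-+\s+(.+?)\s+(Begin|End)\s+-+$")
COUNT_RE = re.compile(r"^(.+?):\s+(\d+)\s+Time\(s\)$")

def parse_report(text):
    """Return {section: {"sub/heading": {entry: count}}} from a LogWatch report."""
    result, section, sub, heading = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                                   # "--- X Begin ---" / "--- X End ---"
            section = m.group(1) if m.group(2) == "Begin" else None
            sub = heading = None
            if section:
                result[section] = {}
            continue
        if section is None or not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                   # "<entry>: N Time(s)"
            key = f"{sub}/{heading}" if sub else heading
            result[section].setdefault(key, {})[m.group(1)] = int(m.group(2))
        elif line.endswith(":"):
            if " " in line:                     # "Sessions Opened:" style heading
                heading = line[:-1]
            else:                               # "su:" / "sshd:" service sub-block
                sub, heading = line[:-1], None
    return result

def ssh_failures(parsed, threshold=1):
    """(entry, count) pairs for failed sshd logins at or above threshold."""
    failed = parsed.get("SSHD", {}).get("Failed logins from these", {})
    return sorted((k, v) for k, v in failed.items() if v >= threshold)
```

Feed it the mail body saved from a real run, raise the threshold to suit the host, and you have a one-line daily check instead of reading the whole report.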

It looks like the install registers it with cron automatically...
I had a look inside /etc/cron.daily/.
l00-logwatch -> ../log.d/scripts/logwatch.pl   (*^^)v

I had a look at /etc/crontab too.
 # run-parts
 01 * * * * root run-parts /etc/cron.hourly
 02 4 * * * root run-parts /etc/cron.daily
 22 4 * * 0 root run-parts /etc/cron.weekly
 42 4 1 * * root run-parts /etc/cron.monthly

So the script runs every morning at 4:02 and the report arrives by e-mail (*^^)v