On Tue, Jan 08, 2008, Ugo Bellavance wrote: >Joseph L. Casale wrote: >>Given my experience in Linux is limited currently, what do you guys use >>to monitor logs such as ?messages? on your centos servers? I had a >>hardware failure that happened in between me manually looking (of >>course?). I would hope it might have a some features to email critical >>issues etc? > >logwatch is a good start. > >Get the latest version from www.logwatch.org. Runs automatically daily >and sends output to root. Isn't logwatch standard in CentOS installations? Swatch monitors one or more log files in real time, with options to report events immediately, or after some number of repeations in a specified time period (e.g. report immediately if a network interface goes into permiscuous mode, but only report something else if there are ``n'' occurrences within a minute). I've attached the swatchrc configuration file from this machine which has several examples. Bill -- INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 Never blame a legislative body for not doing something. When they do nothing, that don't hurt anybody. When they do something is when they become dangerous. -- Will Rogers -------------- next part -------------- perlcode 0 use Sys::Hostname::Long; perlcode 0 my $host_long = hostname_long; perlcode 0 my $email=qq(support\@$host_long); perlcode 0 my $secmail = qq(security\@$host_long); perlcode my ($month, $day, $time, $host_name, @message) = split(/\s+/); watchfor /Your ClamAV installation is OUTDATED/ mail addresses=$secmail, subject=[swatch] $host_long clamav update watchfor /^(\S+) - (\S+) \[(.*?)\].*session_login/ mail addresses=$secmail, subject=[swatch] $host_name usermin login $2 $1 watchfor /entered promiscuous mode/ mail addresses=$secmail, subject=[swatch] $host_name promiscuous watchfor /File name too long/ mail addresses=$email, subject=[swatch] BufferOverflow_attempt watchfor /DHCPREQUEST/ mail addresses=postmaster, subject=[swatch] $host_name at message watchfor /Failed password for.*from\s+(\S+)/ threshold track_by=$1,type=limit,count=3,seconds=60 mail addresses=$secmail, subject=[swatch] $host_name at message watchfor /Accepted password for root.*from\s+(\S+)/ mail addresses=$secmail, subject=[swatch] $host_name ssh password $1 watchfor /Accepted publickey for root.*from\s+(\S+)/ mail addresses=$secmail, subject=[swatch] $host_name ssh publickey $1 watchfor /Invalid login as admin/ mail addresses=$secmail, subject=[swatch] $host_name at message watchfor /Invalid login as mainadmin/ mail addresses=$secmail, subject=[swatch] $host_name at message watchfor /Successful login as mainadmin/ mail addresses=$secmail, subject=[swatch] $host_name at message watchfor /DeliveryErrors/ mail addresses=postmaster, subject=[swatch] Postfix_Delivery_Errors watchfor /file system full/ mail addresses=$email, subject=[swatch] $host_name at message watchfor /refused connect from\s+(\S+)/ threshold track_by=$1,type=limit,count=3,seconds=60 mail addresses=$secmail, subject=[swatch] $host_name at message