logcheck

aptitude install logcheck logcheck-database
/etc/logcheck/logcheck.conf
[...]

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="paranoid"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"

SENDMAILTO="you@example.com"

[...]

Tune your filters and remember: it is very important to verify that your rules contain no superfluous spaces or CR/LF characters. A rule with a trailing space or a CR at the end never matches anything, so the lines it was meant to suppress come back in the report. Also make sure a message really is noise before you ignore it: the SYN-flooding and "no matching mac found" lines below are also the only trace you would get of a flood or of a client probing for weak MAC algorithms.

/etc/logcheck/ignore.d.paranoid/local-rules
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? possible SYN flooding on port 80\. Sending cookies\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[[:digit:]]+\]: [[:alnum:]]+: removed$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Set /proc/self/oom_adj to 0$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Set /proc/self/oom_score_adj to 0$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Postponed publickey for .* ssh2 \[preauth\]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: fatal: no matching mac found: client .*$
# to get rid of the noisy postfix logs, reuse the rules of the server level:
cd /etc/logcheck/ignore.d.paranoid
ln -s ../ignore.d.server/postfix postfix-server
 
# ssh rules from server are what we want, too
ln -s ../ignore.d.server/ssh ssh-server

Some testing:

# test your rules: every line printed here matches one of them
grep -E -f /etc/logcheck/ignore.d.paranoid/local-rules /var/log/auth.log | less

# these lines will be suppressed by logcheck and NOT be mailed to you
# don't wait for cron, run logcheck right now as the logcheck user
# (it will send you an email if anything passes the filters)
su -s /bin/bash -c "/usr/sbin/logcheck" logcheck
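Added example, not from the original page: a shell dry-run of an ignore-rules file against constructed sample log lines. The egrep -f test above only shows what gets suppressed; logcheck mails every line that matches no rule, so the check you also want is the inverse (grep -v -f), plus a lint for the trailing whitespace/CR problem warned about earlier. The temp-file handling, the sample log lines (hostnames and addresses are made up) and the helper function names are this example's own; the rules are two of the sshd rules from local-rules above, with [[:alpha:]] in place of GNU grep's \w so they also work with a non-GNU grep.

```shell
#!/bin/sh
# Added example (not part of the original page): lint a logcheck ignore-rules
# file and dry-run it against constructed log lines the way logcheck does.
# logcheck REPORTS every line that matches NO ignore rule, so the interesting
# command is grep -v -f, the inverse of the grep -f test above.

RULES=$(mktemp); BAD_RULES=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$RULES" "$BAD_RULES" "$LOG"' EXIT

# Constructed rules: two sshd rules from local-rules, \w{3} written as [[:alpha:]]{3}.
cat > "$RULES" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Set /proc/self/oom_score_adj to 0$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Postponed publickey for .* ssh2 \[preauth\]$
EOF

# The same first rule with ONE trailing space: the mistake the page warns about.
printf '%s \n' '^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Set /proc/self/oom_score_adj to 0$' > "$BAD_RULES"

# Constructed sample syslog lines (hostname and addresses are made up).
cat > "$LOG" <<'EOF'
Jan  5 10:12:01 host1 sshd[1234]: Set /proc/self/oom_score_adj to 0
Jan  5 10:12:02 host1 sshd[1234]: Postponed publickey for alice from 192.0.2.10 port 51234 ssh2 [preauth]
Jan  5 10:12:03 host1 sshd[1235]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan  5 10:12:04 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
EOF

# lint_rules FILE: print rule lines that end in whitespace (space, tab, CR)
# or are empty; return 1 if any were found. A pattern ending in "$ " can
# never match, and an empty pattern matches every line, so both are fatal
# in an ignore file.
lint_rules() {
    if grep -n -E '[[:space:]]$|^$' "$1"; then
        return 1
    fi
    return 0
}

# suppressed_lines RULES LOG: what the grep -f test above shows, i.e. the
# lines logcheck will silently drop.
suppressed_lines() {
    grep -E -f "$1" "$2"
}

# reported_lines RULES LOG: what would actually end up in the logcheck mail.
reported_lines() {
    grep -E -v -f "$1" "$2"
}

# count_reported RULES LOG: number of lines that would be mailed.
count_reported() {
    reported_lines "$1" "$2" | wc -l | tr -d ' '
}

echo "== lint of good rules (expect no output) =="; lint_rules "$RULES" && echo ok
echo "== lint of bad rules =="; lint_rules "$BAD_RULES" || echo "trailing whitespace found"
echo "== would be mailed with good rules (2 lines) =="; reported_lines "$RULES" "$LOG"
echo "== would be mailed with bad rules (all 4 lines) =="; reported_lines "$BAD_RULES" "$LOG"
```

With the good rules only the failed root login and the accepted key are reported; with the single trailing space every line comes back, which is exactly the sudden flood of "known" messages that tells you a rule file was damaged. Once the rules are in place you can let logcheck itself do the dry run: logcheck -t runs in testing mode without updating the offset files and -o prints the report to stdout instead of mailing it (see logcheck -h); run it as the logcheck user as in the su command above.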
linux/logcheck.txt · Last modified: 2017-01 by tb