--- docs/README.logcheck-database.orig 2017-01-25 21:08:04 UTC
+++ docs/README.logcheck-database
@@ -15,7 +15,7 @@ normal egrep pattern-matches, applied in
1. the "SECURITY ALERTS" layer, designed to detect the traces of active
intrusion attempts.

- Patterns raising the alarm go in "/etc/logcheck/cracking.d"; any
+ Patterns raising the alarm go in "%%ETCDIR%%/cracking.d"; any
event that matches one of these patterns turns the report
into an urgent "Security Alerts" report, with the relevant
event moved to a special section. The cracking.d standard
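Review bot: the `%%ETCDIR%%` placeholder introduced in the `-`/`+` pair is only meaningful if the port's build actually substitutes it in docs/README.logcheck-database (for example through the port's SUB_FILES/SUB_LIST handling or a REINPLACE_CMD step in post-patch); otherwise the installed README shows the literal token where users expect a directory. Please confirm that step exists, and grep the file for any `/etc/logcheck` occurrence this patch does not cover, since the same replacement recurs in every hunk below and a missed one would leave the documentation inconsistent.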
@@ -26,7 +26,7 @@ normal egrep pattern-matches, applied in
the default logcheck configuration, but if the local
administrator enables this layer of filtering in
logcheck.conf, then the rules go in the directory
- "/etc/logcheck/cracking.ignore.d". Matches with
+ "%%ETCDIR%%/cracking.ignore.d". Matches with
cracking.ignore rules will then reclassify the alert as a
false alarm (compare violations.ignore below). Note that
this means they are totally ignored - log messages handled
@@ -35,12 +35,12 @@ normal egrep pattern-matches, applied in
2. the "SECURITY EVENTS" layer, designed to detect less critical
events still considered worthy of special attention.

- Patterns raising the alarm go in "/etc/logcheck/violations.d";
+ Patterns raising the alarm go in "%%ETCDIR%%/violations.d";
matches with these result in a "Security Events" alert,
with the relevant event moved to a special section.

Patterns cancelling such alarms go in the standard directory
- "/etc/logcheck/violations.ignore.d"; apparent "Security
+ "%%ETCDIR%%/violations.ignore.d"; apparent "Security
Events" that match with violations.ignore patterns are
discarded as false alarms.

@@ -51,7 +51,7 @@ normal egrep pattern-matches, applied in
from the logfiles are considered for inclusion in the main
"System Events" section.

- Patterns in the three "/etc/logcheck/ignore.d.*" directories
+ Patterns in the three "%%ETCDIR%%/ignore.d.*" directories
again function to overrule alerts; the log messages that
match them are excluded from the report as trivial. The
specific directories consulted depend on the prevailing
@@ -78,13 +78,13 @@ underscore, and hyphen.
Contains filters relevant to only one Debian package - for example
if "fooserver" logs suspicious events like this:
"$DATE $HOSTNAME fooserver[$PID]: $USER is up to no good"
-then a line in "/etc/logcheck/violations.d/fooserver" with an
+then a line in "%%ETCDIR%%/violations.d/fooserver" with an
appropriate pattern will promote it from a mere "System Event"
to a full "Security Event" in a subsection of the mailing headed
"fooserver". Or then again if that kind of log message is more
trivial than it looks (maybe "foo" is a networked game of
spy-and-counterspy) then a line in
-"/etc/logcheck/ignore.d.server/fooserver" will turn it into a
+"%%ETCDIR%%/ignore.d.server/fooserver" will turn it into a
nonevent for all but the most assiduous of administrators.

Sometimes a package will have not only special alarm calls which
@@ -107,7 +107,7 @@ that need to be processed.

Standard "generic" rules go in each directory's "./logcheck" file;
thus for instance any log message at all matching "ATTACK"
-(listed in "/etc/logcheck/cracking.d/logcheck") _always_ triggers
+(listed in "%%ETCDIR%%/cracking.d/logcheck") _always_ triggers
a "Security Alert", unless you deliberately tamper with
"cracking.ignore.d" rules.

@@ -122,12 +122,12 @@ non-package-specific "flagging" patterns
"fooserver" outputs syslog messages like this:
"$DATE $HOSTNAME fooserver[$PID]: 3 attempts 0 rejected"
then the standard keyword "reject" listed in the generic
-"/etc/logcheck/violations.d/logcheck" file will trigger frequent
+"%%ETCDIR%%/violations.d/logcheck" file will trigger frequent
"Security Events" reports. Putting a filtering pattern in
-"/etc/logcheck/violations.ignore.d/fooserver" won't help here!
+"%%ETCDIR%%/violations.ignore.d/fooserver" won't help here!
The solution is to use a file named in the specially-privileged
./logcheck-<packagename> format:
-"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
+"%%ETCDIR%%/violations.ignore.d/logcheck-fooserver".
This can contain patterns provided by that particular package
which nonetheless need to take precedence over the generic rules.

@@ -137,8 +137,8 @@ Sysadmins can use the "local-*" filename
additions to the "logcheck-*" pattern lists. If you have "ippl"
logging network connections verbosely into syslog then you can put
custom "Security Events" keywords in
-"/etc/logcheck/violations.d/local-ippl" and exceptions in
-"/etc/logcheck/violations.ignore.d/local-ippl".
+"%%ETCDIR%%/violations.d/local-ippl" and exceptions in
+"%%ETCDIR%%/violations.ignore.d/local-ippl".


WRITING RULES
@@ -181,7 +181,7 @@ logcheck-test(1)).
Alternatively you can manually grep your log file, and remove trailing
space with something like this:

- sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep \
+ sed -e 's/[[:space:]]*$//' /var/log/messages | egrep \
'^\w{3} [ :0-9]{11} oempc wwwoffled\[[0-9]+\]: WWWOFFLE (On|Off)line\.$'

If the log line is displayed, then your regex works.
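Review bot: the `/var/log/syslog` to `/var/log/messages` change in the `-`/`+` pair is the only edit in this patch that is not a `%%ETCDIR%%` substitution, and nothing in the hunk says why; a one-line remark in the patch header or commit message that `/var/log/messages` is the default syslog destination on the target system, and that a hardcoded system path (rather than a placeholder) is intentional because `/var/log` is not under the port's prefix, would keep the next maintainer from reverting it as a stray edit.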