logcheck and syslog-summary
Logcheck
This program periodically (default: every hour) searches through the logs in /var/log (generated by syslog or syslog-ng) to find unusual or "suspicious" entries. Each time it is run, it mails a report to the root user (or the user you defined in the configuration file). You can modify the /etc/logcheck/logcheck.ignore file so it doesn't send you too much useless information.
To install: apt-get install logcheck
syslog-summary
This program summarizes the contents of a log file written by syslog, by displaying each unique (except for the time) line once, and also the number of times such a line occurs in the input. The lines are displayed in the order they occur in the input.
To install: apt-get install syslog-summary
To configure logcheck to use syslog-summary, edit /etc/logcheck/logcheck.conf and set
SYSLOGSUMMARY=1
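The two steps above (drop lines that match ignore patterns, then condense what is left) can be shown on a handful of log lines. The script below is an added example, not part of the original page and not logcheck's or syslog-summary's own code: the log excerpt and the ignore patterns are constructed for the demonstration, the patterns follow the shape used in logcheck's ignore files (one extended regular expression per line, applied with grep -E -v -f), and the summary step reproduces syslog-summary's behaviour of showing each line once, without its timestamp, with a count, in order of first occurrence.

```shell
#!/bin/sh
# Added example: a miniature logcheck ignore filter followed by a
# syslog-summary style count. Everything here is constructed sample data.

# Constructed log excerpt in classic syslog format ("Mon dd hh:mm:ss host ...")
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 host1 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Mar  3 10:01:40 host1 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:05 host1 sshd[2215]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 10:02:09 host1 sshd[2215]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 10:02:14 host1 sshd[2215]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar  3 11:01:40 host1 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 11:03:30 host1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
EOF
}

# Constructed ignore patterns in the style of a logcheck ignore file:
# one extended regex per line, anchored at both ends so a pattern cannot
# accidentally swallow a line it was not written for.
ignore_patterns() {
    cat <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [a-z]+ from [.0-9]+ port [0-9]+ ssh2$
EOF
}

# Drop every line that matches an ignore pattern; what survives is what
# logcheck would put in the mail to root.
filter_ignored() {
    pat=$(mktemp) || return 1
    ignore_patterns > "$pat"
    grep -E -v -f "$pat"
    rc=$?
    rm -f "$pat"
    return $rc
}

# Summarise like syslog-summary: strip the 15-character timestamp, count
# identical lines, print each once in the order it first appeared.
summarize() {
    awk '{
        line = substr($0, 17)
        if (!(line in count)) order[++n] = line
        count[line]++
    }
    END { for (i = 1; i <= n; i++) printf "%5d %s\n", count[order[i]], order[i] }'
}

# Helpers that return the interesting numbers for checking.
reported_line_count() { sample_log | filter_ignored | awk 'END { print NR }'; }
summary_line_count()  { sample_log | filter_ignored | summarize | awk 'END { print NR }'; }
top_count()           { sample_log | filter_ignored | summarize | head -n 1 | awk '{ print $1 }'; }

# Stand-alone run: show the filtered report and then its summary.
sample_log | filter_ignored
echo "--- summary ---"
sample_log | filter_ignored | summarize
```

Seven input lines shrink to four after the ignore step (the three failed root logins and the sudo command) and to two summary lines, the first of which carries the count 3. The same idea applies when you tune logcheck.ignore: a pattern should match exactly the benign line it is meant to silence, which is why the examples above pin the timestamp width and the process name rather than using a loose substring.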
Logwatch
Logwatch
This program monitors the logfiles syslog or syslog-ng produce and mails you a summary on a daily basis. This is a much less intensive approach than installing logcheck and receiving numerous daily emails. The summaries are simple enough to read and are sent by email once a day - they show things like available disk space, logins, rejected logins, commands run by users via sudo and more.
Comparison of logcheck and logwatch
Logcheck parses the log files related to security (e.g. auth.log) and sends an email containing the access-denied entries. Logcheck presents the information in the same format as the log files themselves.
Logwatch provides relevant information not only about security issues but also about all the services running on the server. The information is well summarized and presented in a way that makes it easy to get both a general and a detailed view of the server's status and operation.
To install: apt-get install logwatch
syslogd, syslog-ng and socklog:
syslogd
This is the standard Unix program which is in charge of handling the different log and notice messages and sending them to a file where they may be examined. The files produced vary from system to system but tend to include /var/log/auth.log, /var/log/syslog, /var/log/kern.log, etc. These files are controlled by the settings in /etc/syslog.conf, which defines which messages should be logged to which file. The disadvantage of syslog is that, when you look after a group of machines, it takes too much effort to log in to multiple machines and watch the logfiles.
syslog-ng ([9])
This is a flexible, scalable and centralized system logging application. It allows all the log messages to be sent to a single machine, where you can view all the logfiles in one place. On the log server, you configure syslog-ng to listen on the network (port 514) so that it can receive messages, and tell it where to put them. On each log client, you configure syslog-ng to send its logs to the central server in addition to logging locally.
To install: apt-get install syslog-ng
By default, installing syslog-ng removes sysklogd and the klog (kernel logger).
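The server and client roles described above each come down to a short syslog-ng configuration fragment. The script below is an added example, not from the original page and not the syslog-ng project's own code: it emits the two fragments so you can inspect them or write them into a directory. The log server address 192.0.2.10, the /var/log/remote spool directory and the fragment file names are constructed; the source name s_src is assumed to be the local source already defined in Debian's stock syslog-ng.conf, so check your own file for the name it uses.

```shell
#!/bin/sh
# Added example: generate the syslog-ng fragments for central logging.
# Addresses, paths and file names below are placeholders for this demo.

# Server side: accept syslog over UDP 514 and file messages by sending host
# and facility, so one compromised client cannot rewrite another's history
# and nobody on a client can erase what already reached the server.
server_conf() {
    cat <<'EOF'
# Central log server: accept syslog messages from the network
source s_net {
    udp(ip("0.0.0.0") port(514));
};
# One directory per client host, one file per facility
destination d_remote {
    file("/var/log/remote/$HOST/$FACILITY.log" create_dirs(yes));
};
log { source(s_net); destination(d_remote); };
EOF
}

# Client side: keep the local destinations untouched and add one more
# destination that forwards a copy of everything to the log server.
# $1 is the server address (placeholder default 192.0.2.10).
client_conf() {
    loghost="${1:-192.0.2.10}"
    cat <<EOF
# Log client: forward every message to the central server as well
destination d_loghost {
    udp("$loghost" port(514));
};
# s_src: the local source (/dev/log, kernel) assumed to exist in syslog-ng.conf
log { source(s_src); destination(d_loghost); };
EOF
}

# Write both fragments into a directory: $1 = target directory, $2 = server.
write_fragments() {
    dir="$1"
    host="${2:-192.0.2.10}"
    mkdir -p "$dir" || return 1
    server_conf > "$dir/central-server.conf"
    client_conf "$host" > "$dir/central-client.conf"
}

# Stand-alone run: print both fragments for review.
echo "### server fragment"
server_conf
echo "### client fragment"
client_conf 192.0.2.10
```

Append the relevant fragment to /etc/syslog-ng/syslog-ng.conf (or drop it into /etc/syslog-ng/conf.d/ on releases whose main file includes that directory) and run syslog-ng -s to check the syntax before restarting. Plain UDP syslog carries no authentication, so on the server restrict port 514 with firewall rules to the addresses of your own clients; otherwise anyone who can reach the port can inject lines into the central logs.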
Here is a link about the difference between syslogd and syslog-ng ([10])
socklog ([11])
This is another network logging solution. socklog, in cooperation with the runit package, is a small and secure replacement for syslogd. There are three main features syslogd provides:
- receiving syslog messages from a Unix domain socket ("/dev/log") and writing them to various files on disk depending on facility and priority.
- receiving syslog messages from a UDP socket ("0.0.0.0:514") and writing them to various files on disk depending on facility and priority.
- writing received syslog messages to a UDP socket ("a.b.c.d:514")
socklog provides these features with the help of runit's runsvdir, runsv, and svlogd, offers a different network logging concept, and additionally does log event notification.
svlogd has built-in log file rotation based on file size, so there is no need for cron jobs or similar to rotate the logs, and log partitions can be sized properly.
To install: apt-get install socklog
php-syslog-ng
Php-Syslog-ng is a GUI frontend for viewing syslog-ng messages logged to MySQL in real time. It features customized searches based on device, priority, date, time, and message.
Here is the link to the demo version and install instructions: [12]
ccze
ccze is a nice small package that colorizes the output of log files, making them much easier to read and search.