Updated: 2011-06-17 16:25:11

Extracting and editing Linux system log content by configuration and notifying the administrator by email

Author: benijake-T

Editor: airiiiii

Views: 1065

Introduction

System log content is extracted and edited according to the configuration, and the administrator is notified by email.
Logwatch is run periodically by cron.
Content is extracted according to predefined patterns.

STEP1 Configuring logwatch

For the logwatch 7.3 series the default configuration file is /usr/share/logwatch/default.conf/logwatch.conf.
It lets you set the location of the log files, the mail destination, the time range of logs to check, and so on.
Normally there is no need to change the default settings.

STEP2 Setting conditions per log file and per service

Extraction conditions can be set per service and per log file.

Per-service settings are under

/usr/share/logwatch/default.conf/services/

and per-log-file settings are under

/usr/share/logwatch/default.conf/logfiles/

Configuration example

When Postfix is run with the default settings, logwatch picks up log lines such as "statistics: max connection rate 1/60s".
These lines are purely informational and do not indicate a Postfix problem, so here we configure logwatch not to pick up lines containing "statistics".

* Edit /usr/share/logwatch/default.conf/services/postfix.conf
This is the Postfix service configuration file; add the following line to it:

*Remove = statistics

*Remove means that lines matching the given string are excluded from checking (case-insensitive).

* Checking the result
Entering the following command prints the logwatch result to the terminal:

/usr/share/logwatch/scripts/logwatch.pl --print

From the next day on, the same content as the output above is sent by email.
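What the *Remove line does, as an added example that is not part of the original guide: it emulates logwatch's case-insensitive *Remove filter with grep on a few constructed Postfix log lines, so you can see which lines still reach the postfix filter. Note that the pattern is matched against the whole line, so any Postfix line containing "statistics" is dropped, not only the anvil rate lines.

```shell
#!/bin/sh
# Added example: emulate "*Remove = statistics" from services/postfix.conf.
# logwatch drops every line matching the pattern case-insensitively before
# the postfix filter sees it; grep -iv does the same on the sample below.

# Constructed sample log lines (not real data); 192.0.2.x / 198.51.100.x
# are documentation addresses.
SAMPLE_LOG='Jun 16 10:00:01 mx postfix/anvil[1234]: statistics: max connection rate 1/60s for (smtp:192.0.2.10) at Jun 16 09:56:41
Jun 16 10:00:01 mx postfix/anvil[1234]: Statistics: max connection count 1 for (smtp:192.0.2.10) at Jun 16 09:56:41
Jun 16 10:02:17 mx postfix/smtpd[2345]: warning: hostname example.invalid does not resolve to address 198.51.100.7
Jun 16 10:03:05 mx postfix/smtpd[2346]: connect from unknown[198.51.100.7]'

# apply_remove PATTERN: read log lines on stdin and print only the lines
# that do NOT match PATTERN, ignoring case (the *Remove semantics).
apply_remove() {
    grep -iv -- "$1"
}

# count_lines: number of lines on stdin, without wc's leading padding.
count_lines() {
    wc -l | tr -d ' '
}

# Lines the postfix filter would see without and with the *Remove line.
kept_without_filter() {
    printf '%s\n' "$SAMPLE_LOG" | count_lines
}
kept_with_filter() {
    printf '%s\n' "$SAMPLE_LOG" | apply_remove statistics | count_lines
}

echo "lines before *Remove:              $(kept_without_filter)"
echo "lines after  *Remove = statistics: $(kept_with_filter)"
echo "remaining lines:"
printf '%s\n' "$SAMPLE_LOG" | apply_remove statistics
```

The warning and connect lines survive while both the lower- and upper-case "statistics" lines are dropped, which is exactly the set of lines that still reaches the postfix filter after the edit above.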

Contents of the configuration file

########################################################
# This was written and is maintained by:
# Kirk Bauer
#
# Please send all comments, suggestions, bug reports,
# etc, to kirk@kaybee.org.
#
########################################################

# NOTE:

# All these options are the defaults if you run logwatch with no
# command-line arguments. You can override all of these on the
# command-line.

# You can put comments anywhere you want to. They are effective for the
# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning
# and end of the lines is removed. Whitespace before and after the = sign
# is removed. Everything is case *insensitive*.

# Yes = True = On = 1
# No = False = Off = 0

# Default Log Directory
# All log-files are assumed to be given relative to this directory.
LogDir = /var/log ← directory of the logs to check

# You can override the default temp directory (/tmp) here
TmpDir = /var/cache/logwatch

# Default person to mail reports to. Can be a local account or a
# complete email address.
MailTo = root ← destination of the report mail

# Default person to mail reports from. Can be a local account or a
# complete email address.
MailFrom = Logwatch ← sender account of the mail

# If set to 'Yes', the report will be sent to stdout instead of being
# mailed to above person.
Print = No ← print the result to standard output

# if set, the results will be saved in <filename> instead of mailed
# or displayed.
#Save = /tmp/logwatch

# Use archives? If set to 'Yes', the archives of logfiles
# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will
# be searched in addition to the /var/log/messages file.
# This usually will not do much if your range is set to just
# 'Yesterday' or 'Today'... it is probably best used with
# By default this is now set to Yes. To turn off Archives uncomment this.
#Archives = No
# Range = All

# The default time range for the report...
# The current choices are All, Today, Yesterday
Range = yesterday

# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low ← detail level of the report

# The 'Service' option expects either the name of a filter
# (in /usr/share/logwatch/scripts/services/*) or 'All'.
# The default service(s) to report on. This should be left as All for
# most people.
Service = All ← specifies the services to check; each service's files are under /etc/log.d/scripts/services/.
# You can also disable certain services (when specifying all)
Service = "-zz-network" # Prevents execution of zz-network service, which
# prints useful network configuration info.
Service = "-zz-sys" # Prevents execution of zz-sys service, which
# prints useful system configuration info.
Service = "-eximstats" # Prevents execution of eximstats service, which
# is a wrapper for the eximstats program.
# If you only cared about FTP messages, you could use these 2 lines
# instead of the above:
#Service = ftpd-messages # Processes ftpd messages in /var/log/messages
#Service = ftpd-xferlog # Processes ftpd messages in /var/log/xferlog
# Maybe you only wanted reports on PAM messages, then you would use:
#Service = pam_pwdb # PAM_pwdb messages - usually quite a bit
#Service = pam # General PAM messages... usually not many

# You can also choose to use the 'LogFile' option. This will cause
# logwatch to only analyze that one logfile.. for example:
#LogFile = messages
# will process /var/log/messages. This will run all the filters that
# process that logfile. This option is probably not too useful to
# most people. Setting 'Service' to 'All' above analyizes all LogFiles
# anyways...

#
# By default we assume that all Unix systems have sendmail or a sendmail-like system.
# The mailer code Prints a header with To: From: and Subject:.
# At this point you can change the mailer to any thing else that can handle that output
# stream. TODO test variables in the mailer string to see if the To/From/Subject can be set
# From here with out breaking anything. This would allow mail/mailx/nail etc..... -mgt
mailer = "sendmail -t" ← path of the program used to send mail

#
# With this option set to 'Yes', only log entries for this particular host
# (as returned by 'hostname' command) will be processed. The hostname
# can also be overridden on the commandline (with --hostname option). This
# can allow a log host to process only its own logs, or Logwatch can be
# run once per host included in the logfiles.
#
# The default is to report on all log entries, regardless of its source host.
# Note that some logfiles do not include host information and will not be
# influenced by this setting.
#
#HostLimit = Yes

# vi: shiftwidth=3 tabstop=3 et