#!/bin/bash
#
#	logcheck.sh: Log file checker
#	Written by Matthew Schumacher <matt.s@aptalaska.net>
#       Idea stolen from Craig Rowland, but mostly rewritten.
#
#	This file needs bash and retail to run.
#
#	Logcheck uses the retail program to tail selected log files
#	then parses the logs looking for interesting things before
#	mailing the results to a notify address.
#
#       Use the following cron syntax to make it run every 5 minutes:
#	*/5 * * * * /usr/sbin/logcheck.sh
#
#	Version Information
#
#	1.0 	07/15/2005  -- Initial Release
 
#========================================================================
# CONFIGURATION SECTION

# Restrict command lookup to the standard system directories.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin

# Full path to the retail program, which this script requires.
# If you do not have it, get it at http://xjack.org/retail/
RETAIL=/usr/bin/retail

# Full path to a SECURED (not publicly writable) scratch directory.
# Using a private directory avoids race conditions and symlink attacks;
# do NOT make it publicly writable or readable, and consider pointing all
# of your system/cron scripts at the same scratch area.
TMPDIR=/tmp/logcheck

# The grep implementation to use; it MUST understand the -i, -v and -f flags.
GREP=egrep

# Mail transport used to deliver the reports.  Change it if you prefer another.
SENDMAIL=/usr/sbin/sendmail

# Host name and timestamp that appear in each report's subject line.
HOSTNAME=$(hostname)
DATE=$(date +%m/%d/%y:%H.%M)

# log parsing config.
# SEARCHNAME is the name of search.
# SEARCHFILE is a location to a file containing things you want to search for.
# OMITFILE is a location to a file containing things you want omitted from the search.
# SEARCHLOGS is a list of log files to search, separated by spaces.
# NOTIFYADDR is the address to send the notification to.
# 
# example:
# --------------------------
# SEARCHNAME[0]="Warning"
# SEARCHFILE[0]="/etc/search.warning.logcheck"
# OMITFILE[0]="/etc/omit.warning.logcheck"
# SEARCHLOGS[0]="/var/log/messages /var/log/maillog"
# NOTIFYADDR[0]="matt.s@aptalaska.net"

# Search 0.  Add further searches with index 1, 2, ... as shown above.
SEARCHNAME=("Warning")
SEARCHFILE=("/etc/search.warning.logcheck")
OMITFILE=("/etc/omit.warning.logcheck")
SEARCHLOGS=("/var/log/messages /var/log/maillog")
NOTIFYADDR=("sysadmin@domain.com")

# END CONFIGURATION SECTION
#========================================================================

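# Scratch files hold log excerpts, so they must not be readable by other
# users.  This should never be changed.
umask 177

# The scratch directory must exist and must be a real directory.  A symlink
# there would let whoever planted it redirect the scratch files, which is
# exactly the problem the "secured" directory is meant to prevent.
# Diagnostics go to stderr so cron mails them instead of mixing them into
# the report stream.
if [ ! -d "$TMPDIR" ]; then
  printf "Can't find the temp dir: %s\n" "$TMPDIR" >&2
  exit 1
fi
if [ -L "$TMPDIR" ]; then
  printf "Temp dir %s is a symlink; refusing to use it\n" "$TMPDIR" >&2
  exit 1
fi
# Ownership by the invoking user is what makes the directory "secured".
# Only warn, so an existing root-owned setup run by another user keeps
# working while the misconfiguration still shows up in the cron output.
if [ ! -O "$TMPDIR" ]; then
  printf "Warning: temp dir %s is not owned by the user running logcheck\n" "$TMPDIR" >&2
fi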

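# Print a message on stderr and abort; cron then mails the message to the
# operator instead of it being lost in the report stream.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Scratch files of the search currently running.  Tracked in variables so
# the EXIT trap can remove them on every exit path, including die().
collected=
matched=

# Remove whichever scratch files exist; harmless when none were created yet.
cleanup() {
  local f
  for f in "$collected" "$matched"; do
    if [ -n "$f" ]; then
      rm -f -- "$f"
    fi
  done
}
trap cleanup EXIT

# Write one report to stdout: the mail Subject header, a blank line (which
# ends the header block, so log content can never be read as a mail header),
# a title line and then the matched log lines.
# Arguments: $1 - search name, $2 - file holding the matched log lines
# Globals:   HOSTNAME, DATE (read)
build_report() {
  printf 'Subject: %s %s %s Report\n\n' "$HOSTNAME" "$DATE" "$1"
  printf '%s Report\n=-=-=-=-=-=-=-=-=-=-=-=-=-=\n' "$1"
  cat -- "$2"
}

# Run every configured search in turn.
for (( i = 0 ; i < ${#SEARCHNAME[@]} ; i++ )); do

  # without a search file there is nothing to look for
  [ -f "${SEARCHFILE[$i]}" ] || die "Can't find search file: ${SEARCHFILE[$i]}"

  # a missing omit file is created empty, so the -v grep below omits nothing
  if [ ! -f "${OMITFILE[$i]}" ]; then
    printf "Can't find omit file: %s, creating file.\n" "${OMITFILE[$i]}" >&2
    touch -- "${OMITFILE[$i]}"
    [ -f "${OMITFILE[$i]}" ] || die "Can't create omit file: ${OMITFILE[$i]}"
  fi

  # unpredictable scratch names inside the secured directory; with umask 177
  # they are created readable by this user only
  collected=$(mktemp "$TMPDIR/logcheck.XXXXXX") || die "Can't create scratch file in $TMPDIR"
  matched=$(mktemp "$TMPDIR/logcheckoutput.XXXXXX") || die "Can't create scratch file in $TMPDIR"

  # SEARCHLOGS holds a space-separated list by design (see the configuration
  # comments), so the word splitting here is intentional.
  # shellcheck disable=SC2086
  for LOGFILE in ${SEARCHLOGS[$i]}; do
    [ -f "$LOGFILE" ] || die "Can't find log file: $LOGFILE"
    # retail tails the log; a failure here would silently leave lines out of
    # the report, so it is fatal rather than ignored
    "$RETAIL" "$LOGFILE" >> "$collected" || die "retail failed on $LOGFILE"
  done

  # keep the lines matching the search patterns (case-insensitive), drop the
  # ones matching the omit patterns; the pipeline succeeds only when at
  # least one line survives, and only then is a report mailed
  if "$GREP" -i -f "${SEARCHFILE[$i]}" "$collected" | "$GREP" -v -f "${OMITFILE[$i]}" > "$matched"; then
    build_report "${SEARCHNAME[$i]}" "$matched" | "$SENDMAIL" "${NOTIFYADDR[$i]}" \
      || printf 'sendmail failed for %s\n' "${NOTIFYADDR[$i]}" >&2
  fi

  # clean up this search's scratch files before the next one starts
  rm -f -- "$collected" "$matched"
  collected=
  matched=

done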


