Managing your Logs with Chklogs

An introduction to a program written by Mr. Grimaldo to manage system logs.
Setting Up the Environment

Once you have created your first configuration file, you need to have Chklogs initialize its internal database (not to be confused with the configuration), whose location is specified either by the configuration variable ResrcFile (for historic reasons) or by the Personal Resource File's ChklogsDb variable. Remember, initialization overwrites any previous history, so it should be done only after the first installation (not every time you change the configuration to add or remove logs or groups). Use the following administrative command:

chklogsadm init

Then, issue the administrative command:

chklogsadm initrepos

to initialize all the alternate repositories. Unlike init, you must execute this command each time you create a new group or change the location of your alternate repository (the global parameter). All of these steps are explained in detail in the documentation provided with the package.

Finally, the sync option of chklogsadm is needed whenever you make a modification to the configuration file (chklogs.conf). This is not done automatically because it is not very effective if several modifications are made to the file consecutively. This operation is as simple as typing:

chklogsadm sync

The Plug-out Interface

Chklogs comes with several plug-outs. I use them to generate statistics on my UUCP logs, listserver log, etc. You can build your own plug-outs, and in fact I would like to hear about any log scanners or filters you have. Available plug-outs are stored in the /plug-out and /contrib directories.

A plug-out is any external program executed by Chklogs in the Pre/Post group directives or the execute actions. This program must not generate any output on stdout/stderr, as that output would clutter the report; and if you, like most users, run Chklogs from a cron job, such behavior is undesirable. So, do you have a nice scanner that does write to stdout/stderr and don't want to hack it up? Or don't know a thing about programming? Simply use the cdkwrap wrapper provided in the distribution, and it will capture all the output and mail it to you.

Also, the plugged-out child inherits certain environment variables that provide useful information:

  • CDKLOG: The fully-qualified log name

  • CDKROOT: The archive repository

  • CDKMAILTO: The e-mail address for mailing the report
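The following script is an added example of a minimal plug-out, not code from the Chklogs distribution. It reads the log Chklogs hands it through CDKLOG, counts lines matching a pattern, and appends a one-line summary to a file under CDKROOT, writing nothing to stdout or stderr while running under Chklogs. The "authentication failure" pattern and the plugout-summary.txt file name are assumptions chosen for illustration; when CDKLOG and CDKROOT are not set, the script runs against a constructed sample log instead.

```shell
#!/bin/sh
# Example Chklogs plug-out (added illustration, not part of the Chklogs package).
# Contract: no output on stdout/stderr when invoked by Chklogs; results go to a file.
# The search pattern and the summary file name below are assumptions for this example.

# count_auth_failures LOGFILE -> prints the number of lines matching the pattern.
# A missing or unreadable file counts as 0 (grep's error is discarded, not shown).
count_auth_failures() {
    n=$(grep -c 'authentication failure' "$1" 2>/dev/null) || n=0
    printf '%s\n' "${n:-0}"
}

# write_summary LOGFILE REPORTDIR -> appends "<log>: N authentication failures"
# to REPORTDIR/plugout-summary.txt. Nothing reaches the terminal.
write_summary() {
    log="$1"
    dir="$2"
    n=$(count_auth_failures "$log")
    printf '%s: %s authentication failures\n' "$log" "$n" >> "$dir/plugout-summary.txt"
}

if [ -n "${CDKLOG:-}" ] && [ -n "${CDKROOT:-}" ]; then
    # Invoked by Chklogs: stay silent and just update the summary file.
    write_summary "$CDKLOG" "$CDKROOT"
else
    # Stand-alone demonstration on a constructed sample log (not a real system log).
    demo=$(mktemp -d)
    printf '%s\n' \
        'Jan 10 sshd[101]: authentication failure; user=root' \
        'Jan 10 sshd[102]: session opened for user alice' \
        'Jan 10 login[103]: authentication failure; user=bob' \
        > "$demo/auth.log"
    write_summary "$demo/auth.log" "$demo"
    # Printing is acceptable only outside Chklogs, where no report is being built.
    cat "$demo/plugout-summary.txt"
fi
```

Under Chklogs the script would be named in a Post directive or an execute action; the mailing address in CDKMAILTO is available if you prefer to send the summary instead of writing it under the repository.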

Running Chklogs from the Command-Line

Now, we have finished our setup; we have a configuration file, a resource file and initialized repositories. The administrative tasks are done for now (you can make changes later, if needed), and we are ready to get down to the action. Chklogs has several command-line options, some of which can be combined to achieve a particular effect. I won't cover all of them, or even all of the possibilities, but I will discuss enough of them to enable you to begin, and to acquaint you with a few of its capabilities. Note that we will now be using the chklogs program, not the administrative program, chklogsadm.

Basically, there are four major actions you can perform:

  1. Check the configuration file.

  2. Get an overview of all the logs that are archived.

  3. Obtain a report of actions to be taken when you execute the program.

  4. Perform the actions as directed on the configuration file.

To check the correctness of the configuration file (although the check is not very thorough) use the following command:

chklogs -w

For a quick overview of which logs are archived into the repositories, there is the -l command line option:

chklogs -l

This gives you an indication of how many logs you need to scan or filter, and it provides the information you will need if something suspicious happens on your system.

To get the usual log report indicating whether a log is still within its threshold, and if not, what action would be performed, use the -w option:

chklogs -w [-m]

Alternatively, you can also specify the -m (mail) option to mail the report. You cannot put them on the same switch (-wm).

Finally, when you want Chklogs to actually process your logs as specified in the configuration file, simply use it without any of the above options:

chklogs [-m]

A report is produced on standard output unless you use the mail (-m) option. Mail is the most frequently used option.

Most users make an entry into the /etc/crontab file so that Chklogs runs every day at a particular time and mails the report. A typical crontab entry looks like this:

# System Cron Tab
45 23 * * * root /usr/local/sbin/chklogs -m