Liu logchecker
Examples
Below are some pruned configuration excerpts from the distribution. They show how to set up logchecker to send reports for zoot.example.com to root-zoot@example.com and some.administrator@example.com, and to flag successful ssh logins in those reports as level two, except for logins by authorised administrators from a limited range of IP addresses.
zoot.example.com.conf
    M root-zoot@example.com
    M some.administrator@example.com
    I debian.incl
    # Machine administrators:
    T ssh-ok-for.tmpl user=qha
    # The log server fetches some logs that aren't sysloged:
    T ssh-ok-for,from.tmpl user=logstaff net=192[.]168[.]1[.]51
debian.incl
    # Site administrators:
    T ssh-ok-for.tmpl user=magus
    # Please keep the section below in sync with the corresponding
    # part of ssh-ok-for,from.tmpl:
    2 sshd[]0-9[]*: Accepted \(publickey\|password\) for
    2 sshd[]0-9[]*: (pam_unix) session opened for user
    2 sshd[]0-9[]*: (pam_unix) session closed for user
ssh-ok-for.tmpl
    # needs label for: user
    # The contents of net below should cover workstations and servers
    # that typical administrators will ssh from:
    T ssh-ok-for,from.tmpl user=$user net=192[.]168[.]230[.][0-9]*
    T ssh-ok-for,from.tmpl user=$user net=192[.]168[.][123][.][0-9]*
ssh-ok-for,from.tmpl
    # needs labels for: user, net
    # Successful ssh is flagged as level 2 in the os include file. That
    # means this template needs to remove messages prior to that, i. e.
    # at level 2-
    # Please keep this section in sync with the ssh part of debian.incl:
    2- sshd[]0-9[]*: Accepted publickey for $user from $net
    2- sshd[]0-9[]*: Accepted password for $user from $net
    2- sshd[]0-9[]*: (pam_unix) session opened for user $user by (uid=0)
    2- sshd[]0-9[]*: (pam_unix) session closed for user $user
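To see how the excerpts fit together, here is an added Python example (not part of logchecker) that fills the template labels, translates the grep-style patterns, including the unescaped sshd[]0-9[]*: idiom, into Python regexes and classifies a few constructed syslog lines. That a matching 2- line suppresses a message before the level-2 line flags it is an assumed model taken from the comment in ssh-ok-for,from.tmpl, not logchecker's actual code.

```python
import re
from string import Template
# Added example, not logchecker's code. Rules copied from the page: level-2 lines of
# debian.incl, 2- lines of ssh-ok-for,from.tmpl (grep BRE: \( \| \) operators, ( ) literal).
OS_LEVEL2 = [
    r"sshd[]0-9[]*: Accepted \(publickey\|password\) for",
    r"sshd[]0-9[]*: (pam_unix) session opened for user",
    r"sshd[]0-9[]*: (pam_unix) session closed for user",
]
EXEMPT_TMPL = [
    r"sshd[]0-9[]*: Accepted publickey for $user from $net",
    r"sshd[]0-9[]*: Accepted password for $user from $net",
    r"sshd[]0-9[]*: (pam_unix) session opened for user $user by (uid=0)",
    r"sshd[]0-9[]*: (pam_unix) session closed for user $user",
]
# (user, net) labels that zoot.example.com.conf and ssh-ok-for.tmpl pass down.
LABELS = [("qha", r"192[.]168[.]230[.][0-9]*"), ("qha", r"192[.]168[.][123][.][0-9]*"),
          ("logstaff", r"192[.]168[.]1[.]51")]

def bre_to_python(pattern):
    # \( \) \| become operators; bare ( ) | + ? { } become literals. The
    # sshd[]0-9[]*: idiom is left alone: ']' is literal when it opens a bracket
    # expression in both dialects, so it matches sshd[4242]: with no escaping.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "()|":
            out.append(pattern[i + 1]); i += 2
        elif c in "()|+?{}":
            out.append("\\" + c); i += 1
        else:
            out.append(c); i += 1
    return "".join(out)

def expand(user, net):
    # Fill the template labels; substitute() raises KeyError if one is missing.
    return [Template(p).substitute(user=user, net=net) for p in EXEMPT_TMPL]

EXEMPT = [re.compile(bre_to_python(p)) for u, n in LABELS for p in expand(u, n)]
FLAG2 = [re.compile(bre_to_python(p)) for p in OS_LEVEL2]

def classify(line):
    # Assumed model of the report: a matching 2- line suppresses the message,
    # otherwise a matching level-2 line flags it, otherwise None (unclassified).
    if any(r.search(line) for r in EXEMPT):
        return "suppressed"
    if any(r.search(line) for r in FLAG2):
        return 2
    return None
```

Note that the patterns are unanchored and the net patterns end in [0-9]*, so 192[.]168[.]1[.]51 also matches an address such as 192.168.1.510; anchor or tighten the net label if that matters at your site.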
Download
Eventually I might make a proper release of logchecker, but for now you'll have to get it with git. See instructions on the download page.