zeldor.biz

Linux, programming and more

Remove logs older than X days

July 12, 2011 by Igor Drobot

The simplest way to remove files older than a given number of days:

Dry run (nothing is deleted; you only get a list of the files under the current directory that are older than 100 days):

find . -mtime +100 | less

Another dry run, showing what would be deleted (-print0 together with xargs -0 keeps file names containing spaces or newlines intact):

find . -mtime +600 -type f -print0 | xargs -0 echo rm
rm /var/log/squid3/access.log.0
rm /var/log/squid3/access.log.2

Finally, once you have decided to remove the files, the command that actually deletes them:

find . -mtime +600 -type f -print0 | xargs -0 rm

Filed Under: Bash, Linux Tagged With: bash, find, Logs, rm, xargs

Configure logcheck

August 2, 2010 by Igor Drobot

Logcheck automatically scans your log files for problems and security violations and mails the results to you.

Installation

apt-get install logcheck

E-mail recipients are configured in “/etc/aliases”.

The logcheck configuration is in “/etc/logcheck/logcheck.conf”; the relevant settings are:

INTRO=1
REPORTLEVEL="server"
SENDMAILTO="logcheck"
ADDTAG="yes"

The rules are read from the following directories under /etc/logcheck/:

/etc/logcheck/*
cracking.d
cracking.ignore.d
ignore.d
ignore.d.paranoid
ignore.d.server
ignore.d.workstation
violations.d
violations.ignore.d

Define your ignore rules

If you use the server reporting level, put your local rules file at “/etc/logcheck/ignore.d.server/local-rules”.

Sample content of “/etc/logcheck/ignore.d.server/local-rules”:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: connection refused resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT

To test your rules you can use:

egrep -f /etc/logcheck/ignore.d.server/local-rules /var/log/syslog

This prints only the messages that match an ignore rule, i.e. the ones that will be suppressed and NOT mailed to you.
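As an added example (not code from the original post), the script below runs two rules in the same format as the local-rules file above, plus a deliberately over-broad one, over constructed syslog lines and separates what the egrep test would show as suppressed from what would still be mailed. It assumes GNU grep (for \w and POSIX bracket classes); the log lines and rule text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: run a set of logcheck ignore
# rules over constructed syslog lines and separate what is suppressed from what
# would still be reported. Assumes GNU grep (for \w and POSIX bracket classes).

# Constructed rules, in the same form as the post's local-rules file.
RULES='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving'

# A deliberately over-broad rule for comparison: no anchor, no timestamp, no
# process-name prefix, so it also hides unrelated named messages.
BROAD_RULES='named'

# Constructed sample log lines (traditional syslog timestamp; a single-digit day
# is space padded, which is why the rules use [ :0-9]{11}).
LOG='Jul 12 10:15:01 mail ntpd[1234]: kernel time sync status change 2001
Jul  5 10:15:02 mail named[2345]: success resolving example.org/A after reducing the advertised EDNS UDP packet size to 512 octets
Jul 12 10:15:03 mail sshd[3456]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jul 12 10:15:04 mail named[2345]: client 192.0.2.20#53 (example.org): query denied'

# run_rules MODE RULESET
#   MODE "suppressed": lines an ignore rule matches (what the post's
#        "egrep -f local-rules /var/log/syslog" prints); never mailed.
#   MODE "reported":   every other line; these reach the logcheck report.
run_rules() {
    f=$(mktemp)
    printf '%s\n' "$2" > "$f"
    if [ "$1" = suppressed ]; then
        printf '%s\n' "$LOG" | grep -E -f "$f"
    else
        printf '%s\n' "$LOG" | grep -E -v -f "$f"
    fi
    rm -f "$f"
}

echo '== suppressed by local-rules =='
run_rules suppressed "$RULES"
echo '== still reported with local-rules =='
run_rules reported "$RULES"
echo '== reported with the over-broad rule: the denied query disappears =='
run_rules reported "$BROAD_RULES"
```

The last section is the check worth keeping in mind when writing rules: a pattern without the anchored timestamp and process prefix silently drops lines you wanted to see.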

A logcheck run can also be started manually, so you don't have to wait for the next cron run:

su -s /bin/bash -c "/usr/sbin/logcheck" logcheck

Filed Under: Linux Tagged With: Logcheck, Logs