Ignoring snoopy logs with logcheck

snoppy is an awesome tool available on the debian archives. It allows you to see what commands your users have run (by default logs to /var/log/auth.log). It acts like a beefed up .bash_history that users cannot disable/delete/etc.

logcheck scans your logs for weird things, and emails them to you.

By default, these two programs do not get along. snoopy entries show up in logcheck’s emails (which can get very, very big). This sort of defeats the purpose of logcheck, since you get sent massive emails with the important stuff hidden between giant blocks of snoopy logs.

To disable this

echo ‘^w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*’ > /etc/logcheck/violations.ignore.d/snoopy

chmod 644  /etc/logcheck/violations.ignore.d/snoopy

ln -s /etc/logcheck/violations.ignore.d/snoopy /etc/logcheck/ignore.d.server/snoopy

Now test it

sudo -u logcheck logcheck

To make more logcheck ignore rules, test your file(s) by:

egrep -f logcheck-file /var/log/auth.log

It will display only what will be ignored.

Make sure the file(s) are 644 (rw r r) or logcheck won’t be able to ignore what’s in the file.

2 thoughts on “Ignoring snoopy logs with logcheck”

  1. Yo,

    well your rule is a little bit too general for me. Because I’d like to see certain events from Snoopy, otherwise the installation of snoopy is quite pointless, don’t you think?

    Greetz,
    s1mmel

  2. 99% of the things snoopy will generate are useless, and will just cause you to have countless logcheck emails filled with too much to read.

    snoopy is not useful to check for in logcheck, in my opinion, because if there is an issue you should be trying to have logcheck notify you of the issue (and you can use the issues timestamp to narrow down with snoopy where the issue originated from)

    You will probably not find a good logcheck rule for snoopy, if only because there are not many regular expressions that can tell between mundane and malicious commands.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.