automon

/var/log/messages monitoring tool

This tool monitors the /var/log/messages file and sends alerts via Telegram if it detects any anomalies.

Installation

  • cd /opt
  • git clone https://github.com/makhomed/automon.git automon

Upgrade

  • cd /opt/automon
  • git pull

Configuration

  • vim /opt/automon/automon.conf
  • write something like this to the config:
host localhost
host example.com one-line description of this host

The configuration file allows comments, from the # symbol to the end of the line.

The configuration file has only four directives: host, log, alert and delay.

The host directive has the syntax: host <hostname>[:port] [description]. The <hostname> part is required; it may be a domain name or an IP address. The port is optional; by default port 22 is used. The description is also optional. If the hostname is localhost or 127.0.0.1, the log files are accessed directly; otherwise the log files are accessed via ssh.

The log directive has the syntax log </path/to/logfile>. The default value of the log directive is /var/log/messages. It can be redefined to any other value, for example, /var/log/syslog. The value of the log directive is used for all host declarations below it. For example:

host centos1
host centos2

log /var/log/syslog

host debian1
host debian2

The alert directive defines the path to the alert program; the default value is /opt/automon/bin/alert-via-telegram. The program /opt/automon/bin/alert-via-telegram is included in automon and sends alerts to Telegram via the https://pypi.python.org/pypi/telegram-send script. The alert program receives one argument: the full name of the file with the generated alert text. See the source of the /opt/automon/bin/alert-via-telegram program for details. Using /opt/automon/bin/alert-via-telegram as an example, you can write your own alert program for sending alerts via email, SMS or any other way.

The delay directive defines the delay between two automon scans in daemon mode. By default the delay is 600 seconds.
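The four directives described above, as a small parser. This is an added example, not automon's own code: the Host class, parse_config and the sample text are hypothetical, and rejecting a relative log path or a non-numeric port is a choice of this example.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    port: int
    description: str
    log: str     # log file in effect where this host was declared
    local: bool  # True: read the file directly; False: fetch it over ssh

def parse_config(text):
    """Parse automon-style configuration text into (hosts, alert, delay)."""
    log = "/var/log/messages"                      # documented defaults
    alert = "/opt/automon/bin/alert-via-telegram"
    delay = 600
    hosts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        directive, value = (line.split(None, 1) + [""])[:2]
        if not value:
            raise ValueError(f"line {lineno}: {directive} needs a value")
        if directive == "host":
            target, description = (value.split(None, 1) + [""])[:2]
            name, sep, port = target.partition(":")
            if not name or (sep and not port.isdigit()):
                raise ValueError(f"line {lineno}: bad host {target!r}")
            hosts.append(Host(name, int(port) if sep else 22, description,
                              log, name in ("localhost", "127.0.0.1")))
        elif directive == "log":
            if not value.startswith("/"):          # assumption: absolute paths only
                raise ValueError(f"line {lineno}: log path must be absolute")
            log = value                            # applies to hosts declared below
        elif directive == "alert":
            alert = value
        elif directive == "delay":
            delay = int(value)
        else:
            raise ValueError(f"line {lineno}: unknown directive {directive!r}")
    return hosts, alert, delay

# Constructed sample configuration (not taken from a real deployment)
SAMPLE = """\
host localhost
host example.com:2222 one-line description of this host  # comment
log /var/log/syslog
host debian1
delay 300
"""
```

Because each host records the log path in effect at its declaration, a misplaced or mistyped log line shows up as a wrong path on every host after it.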

Global ignore patterns are defined in files in the directory /opt/automon/ignore.d. This directory is included in the automon repository. Local ignore patterns should be defined in files in the directory /opt/automon/local-ignore.d. This directory is not included in the automon repository and should be created manually. Host-specific ignore patterns should be defined in files in subdirectories named as the host name + ".d". For example, for host localhost ignore patterns should be defined in files located inside the directory /opt/automon/local-ignore.d/localhost.d, and for host example.com ignore patterns should be defined in the directory /opt/automon/local-ignore.d/example.com.d.

Each line in an ignore file should be a Python regular expression; the symbols ^ at the start and $ at the end are added automatically. If the first non-whitespace symbol of a line is #, the line is considered a comment and is ignored in pattern matching.
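How the automatic ^ and $ anchoring affects what gets reported, as an added example that is not automon's own code: compile_ignore, anomalies and both sample lists are hypothetical and constructed here. Skipping blank lines and wrapping each expression in a non-capturing group are assumptions of this example.

```python
import re

def compile_ignore(lines):
    """Compile ignore-file lines into whole-line regexes, skipping comments."""
    patterns = []
    for lineno, raw in enumerate(lines, 1):
        text = raw.rstrip("\n")
        if not text.strip() or text.lstrip().startswith("#"):
            continue                      # comment (blank lines: assumption)
        try:
            # The group keeps '^' and '$' bound to the whole expression even
            # if it contains a top-level '|' (a choice made in this example).
            patterns.append(re.compile("^(?:" + text + ")$"))
        except re.error as exc:
            raise ValueError(f"ignore line {lineno}: {exc}") from exc
    return patterns

def anomalies(log_lines, patterns):
    """Return the log lines that no ignore pattern matches in full."""
    return [line for line in log_lines
            if not any(p.match(line) for p in patterns)]

# Constructed ignore file: the last pattern omits the timestamp and host
# prefix, so once anchored it can never match a complete log line.
SAMPLE_IGNORE = [
    "# routine cron noise",
    r".* CROND\[\d+\]: \(root\) CMD \(.*\)",
    r"sshd\[\d+\]: Accepted publickey for .*",
]

# Constructed log lines in /var/log/messages style
SAMPLE_LOG = [
    "Jan  5 10:00:01 web1 CROND[2211]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
    "Jan  5 10:03:17 web1 sshd[2290]: Accepted publickey for root from 192.0.2.10 port 51122 ssh2",
    "Jan  5 10:04:02 web1 kernel: Out of memory: Kill process 1873 (mysqld)",
]

if __name__ == "__main__":
    for line in anomalies(SAMPLE_LOG, compile_ignore(SAMPLE_IGNORE)):
        print(line)
```

A pattern that does not cover the full line fails towards more alerts rather than fewer; the opposite risk is a pattern that is mostly `.*`, which silently suppresses every line it happens to cover.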

Command line arguments

automon [-c /path/to/configuration/file.conf] [mode]

automon has an optional command line argument -c </path/to/configuration/file.conf>. If the -c argument is not given, the config /opt/automon/automon.conf is used by default.

automon also has one optional positional argument, mode. Allowed values are daemon, once and debug. daemon mode is useful for running automon as a systemd service. In this mode automon runs forever, with a delay of delay seconds between two scans of the hosts defined in the configuration. once mode is useful for running automon from cron. In once mode automon runs once and exits. debug mode is useful for debugging; in this mode no alerts are sent and no logscan state is read or saved. In debug mode the alert is printed to stdout and automon exits. In daemon and once modes alerts are sent to the system administrator via the alert program.

Before first run

Before the first run you need to create a Telegram bot and configure the telegram-send script. See the https://pypi.python.org/pypi/telegram-send documentation for details.

Secure Shell

To work, you need to generate a private ssh key on the automon server with the command ssh-keygen -t rsa and copy the public key from /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the monitored servers. You also need to check the connection to each monitored server with the command ssh example.com and answer yes to the ssh question:

# ssh example.com
The authenticity of host 'example.com' can't be established.
ECDSA key fingerprint is SHA256:/cYI0bJzEX+CF3DhGEUQ+ZeGFmMzEJYAt3C15450zKs.
ECDSA key fingerprint is MD5:44:20:bd:f5:aa:a7:52:ac:c5:19:e5:e0:28:2b:90:49.
Are you sure you want to continue connecting (yes/no)? yes

Automation via cron

Create the configuration file /opt/automon/cron.conf and define the hosts to check inside it. Then configure a cron job, for example, in the file /etc/cron.d/automon:

0 * * * * root /opt/automon/automon -c /opt/automon/cron.conf once

Automation via systemd service

Create the configuration file /opt/automon/automon-daemon.conf and define the hosts to check inside it. Then create a systemd service, for example, in the file /etc/systemd/system/automon.service:

[Unit]
Description=automon
After=network-online.target

[Service]
ExecStart=/opt/automon/automon -c /opt/automon/automon-daemon.conf daemon
Restart=always
StartLimitInterval=0

[Install]
WantedBy=multi-user.target

Note: in new versions of systemd, StartLimitInterval was renamed to StartLimitIntervalSec and moved from the [Service] section to the [Unit] section. See details at https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html

After this you need to start the service:

  • systemctl daemon-reload
  • systemctl enable automon
  • systemctl start automon
  • systemctl status automon

If all is OK, you will see that the service is enabled and running.

Automation via multiple systemd services

Create multiple configuration files /opt/automon/service1.conf, /opt/automon/service2.conf, ... and define the hosts to check inside them. Then create a systemd service, for example, in the file /etc/systemd/system/automon@.service:

[Unit]
Description=automon %I
After=network-online.target

[Service]
ExecStart=/opt/automon/automon -c /opt/automon/%i.conf daemon
Restart=always
StartLimitInterval=0

[Install]
WantedBy=multi-user.target

Note: in new versions of systemd, StartLimitInterval was renamed to StartLimitIntervalSec and moved from the [Service] section to the [Unit] section. See details at https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html

After this you need to start the services:

  • systemctl daemon-reload
  • systemctl enable automon@service1
  • systemctl enable automon@service2
  • ...
  • systemctl start automon@service1
  • systemctl start automon@service2
  • ...
  • systemctl status automon@service1
  • systemctl status automon@service2
  • ...

If all is OK, you will see that the automon services are enabled and running.
