I wanted to write a brief posting on some basic ways to help remotely administer Ubuntu/Debian boxes. Over the past few months I’ve been tinkering with various methods of handling this, and what I’ve come up with seems to work fairly well. It basically consists of two applications: apticron, which monitors repositories for package updates, and logcheck, which monitors logs for any security or other noteworthy entries.
Apticron is very easy to set up: it’s in the repositories and requires basically no configuration. It will drop a script in /etc/cron.daily and that is about it, emailing any reports to root. Of course this destination can be changed through a .forward or an entry in /etc/aliases.
Logcheck is fairly simple to set up as well – it is also in the repositories. Once installed, edit the /etc/logcheck/logcheck.conf file to configure it. The first thing you will want to set is the REPORTLEVEL setting; the options are “workstation”, “server” (the default value), or “paranoid”. I use server on mine, which gives a good amount of detail. I would advise against using paranoid unless the server is extremely locked down and users do not typically log in. Workstation is good for a desktop environment. The only other variable I edited was SENDMAILTO. Logcheck works by basically comparing each log entry against a set of regular expressions and generating a report of the entries that do not match any of them. I had to modify one or two regexes slightly to fix false positives; if you want my changes just ask and I’ll send them over.
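To make that matching model concrete, here is a stripped-down logcheck-style filter as an added example (this is not logcheck’s own code). The log lines and ignore rules are constructed; the second pattern file shows why a rule that is not anchored can hide exactly the entries you wanted reported.

```bash
#!/bin/sh
# Minimal logcheck-style filter (added illustration, not logcheck's code).
# Every log line that matches an ignore pattern is dropped; whatever
# survives is the report. Sample data below is constructed.

WORK=$(mktemp -d)

# Constructed syslog excerpt: routine cron noise, one good login,
# and two failed logins that should end up in the report.
cat > "$WORK/auth.log" <<'EOF'
Jan  5 03:12:01 host CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  5 03:12:01 host CRON[1234]: pam_unix(cron:session): session closed for user root
Jan  5 03:14:22 host sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jan  5 03:15:40 host sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan  5 03:16:02 host sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
EOF

# Constructed ignore rules in logcheck's style: one anchored extended
# regex per line, matching the whole entry from timestamp to end.
cat > "$WORK/ignore.d.server" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_unix\(cron:session\): session (opened|closed) for user [[:alnum:]_-]+( by \(uid=[0-9]+\))?$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [[:alnum:]_-]+ from [0-9.]+ port [0-9]+ ssh2$
EOF

# An over-broad rule someone might add to silence a noisy sshd line.
# Unanchored, it swallows the failed logins as well.
printf 'sshd\n' > "$WORK/ignore.too-broad"

# The report: lines matching none of the patterns in the ignore file.
# grep exits 1 when nothing survives, which is not an error here.
logcheck_report() {
    grep -E -v -f "$2" "$1" || true
}

# Number of lines that would be mailed out.
report_count() {
    logcheck_report "$1" "$2" | grep -c ''
}

echo "--- report with anchored rules (expect the two failed logins) ---"
logcheck_report "$WORK/auth.log" "$WORK/ignore.d.server"
echo "--- report with the unanchored rule (failed logins are gone) ---"
logcheck_report "$WORK/auth.log" "$WORK/ignore.too-broad"
```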
One other small gem I want to mention: gkrellm. I use this on both my desktop and server; it is invaluable for providing real-time system performance metrics. Sure, it does not have any logging capabilities and is thus unsuitable in a large-scale environment, but for keeping an eye on one or two boxes it fits the bill quite nicely.
Tags: linux, monitoring, reporting, security, server, sysadmin