I am using sensu to track log file alerts. I need to track auth.log. I have used the following in my config.json.
"command": "sudo /etc/sensu/plugins/check-log.rb -f /var/log/auth.log -q 'fatal' -c 1"
I am hoping to track hack attempts made to this server, but the sensu command itself gets into the auth.log, making it a chicken-egg issue.
In the auth.log
sudo: sensu : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/etc/sensu/plugins/check-log.rb -f /var/log/auth.log -q fatal -c 1
How do I run sensu commands and avoid the command being tracked in auth.log. Or can I redirect sensu auth trackings to a different file ?
EDIT
To solve this, I added sensu user to adm group. And removed the entreies from sudo visudo for the sensu user. Now, I am still not able to get sensu to report. Wierd, error message I get
Check failed to run: Permission denied @ rb_sysopen - /var/cache/check-log/default/var/log/auth.log, ["/etc/sensu/plugins/check-log.rb:208:in
initialize'", "/etc/sensu/plugins/check-log.rb:208:inopen'", "/etc/sensu/plugins/check-log.rb:208:insearch_log'", "/etc/sensu/plugins/check-log.rb:134:inblock in run'", "/etc/sensu/plugins/check-log.rb:128:ineach'", "/etc/sensu/plugins/check-log.rb:128:inrun'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.0/lib/sensu-plugin/cli.rb:58:in `block in '"]
Notice that I am trying to check-log for /var/log/auth.log, and the client is trying /var/cache/check-log/default/var/log/auth.log
You should not need to run
check-log.rbwith root permissions. Actually, I would highly recommend you don't do any checks which require root permissions at all.Make sure that /etc/sensu/plugins/check-log.rb has execute permissions for all users:
And that the file /var/log/auth.log is readable to all:
Change your check to:
Don't forget to restart the server (and possibly also the client) for the change to take effect.
This way you don't need to add the
sensuuser to any group,