Ubuntu check-log plugin pointing to /var/cache/check-log/default/var/log/auth.log instead of /var/log/auth.log


I am using sensu to track log file alerts. I need to track auth.log. I have used the following in my config.json.

"command": "sudo /etc/sensu/plugins/check-log.rb -f /var/log/auth.log -q 'fatal' -c 1"

I am hoping to track hack attempts made to this server, but the sensu command itself gets into the auth.log, making it a chicken-egg issue.

In the auth.log

sudo:    sensu : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/etc/sensu/plugins/check-log.rb -f /var/log/auth.log -q fatal -c 1

How do I run sensu commands and avoid the command being tracked in auth.log? Or can I redirect sensu auth trackings to a different file?

EDIT

To solve this, I added the sensu user to the adm group, and removed the entries from sudo visudo for the sensu user. Now, I am still not able to get sensu to report. Weird error message I get:

Check failed to run: Permission denied @ rb_sysopen - /var/cache/check-log/default/var/log/auth.log, ["/etc/sensu/plugins/check-log.rb:208:in `initialize'", "/etc/sensu/plugins/check-log.rb:208:in `open'", "/etc/sensu/plugins/check-log.rb:208:in `search_log'", "/etc/sensu/plugins/check-log.rb:134:in `block in run'", "/etc/sensu/plugins/check-log.rb:128:in `each'", "/etc/sensu/plugins/check-log.rb:128:in `run'", "/opt/sensu/embedded/lib/ruby/gems/2.3.0/gems/sensu-plugin-1.4.0/lib/sensu-plugin/cli.rb:58:in `block in '"]

Notice that I am trying to check-log for /var/log/auth.log, and the client is trying /var/cache/check-log/default/var/log/auth.log


#1

You should not need to run check-log.rb with root permissions. Actually, I would highly recommend you don't do any checks which require root permissions at all.

Make sure that /etc/sensu/plugins/check-log.rb has execute permissions for all users:

sudo chmod a+x /etc/sensu/plugins/check-log.rb

And that the file /var/log/auth.log is readable to all:

sudo chmod a+r /var/log/auth.log

Change your check to:

"command": "/etc/sensu/plugins/check-log.rb -f /var/log/auth.log -q 'fatal' -c 1"

Don't forget to restart the server (and possibly also the client) for the change to take effect.

This way you don't need to add the sensu user to any group,
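
Added example, not part of the question or the answer above: a shell check that tests the two paths from the error message for the account the check runs under. It assumes the plugin's state file is the state directory joined with the log's absolute path, as /var/cache/check-log/default/var/log/auth.log suggests; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: diagnose check-log file access for the current user.
# Run it as the account the check runs under (for this page, sensu).
# Assumption: state file = <state dir>/<absolute log path>, inferred
# from the path shown in the "Permission denied" error.

# Print the state file path for a log file ($1) and state dir ($2).
state_file_for() {
    printf '%s/%s\n' "${2%/}" "${1#/}"
}

# Return codes:
#   0 = log readable and state file usable
#   1 = log file cannot be read
#   2 = state file exists but cannot be written (e.g. left by a root run)
#   3 = state file missing and nearest existing directory not writable
check_log_access() {
    log=$1
    state_dir=${2:-/var/cache/check-log/default}
    state=$(state_file_for "$log" "$state_dir")

    [ -r "$log" ] || { echo "cannot read $log"; return 1; }

    if [ -e "$state" ]; then
        [ -w "$state" ] || { echo "cannot write $state"; ls -l "$state"; return 2; }
    else
        # Walk up to the nearest existing ancestor; it must be writable
        # so the missing directories and the state file can be created.
        dir=$(dirname "$state")
        while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done
        [ -w "$dir" ] || { echo "cannot create state under $dir"; return 3; }
    fi

    echo "ok: $log readable, $state usable"
    return 0
}
```

A return code of 2 shows the state file's owner and mode, which is where a file created during an earlier run as root would show up.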