Introduction to Logmuncher

Logmuncher is a simple program designed to help system administrators monitor log files for security violations. It is primarily inspired by logcheck, which was originally created by Psionic Software (later purchased by Cisco). Logmuncher features simple yet powerful configuration and efficient log-monitoring capabilities.

Why Logmuncher?

When I decided to do a better job of securing my systems, I investigated a number of security tools, including intrusion-detection systems. Since most programs report their findings into a log file, I needed to find a program that would allow me to monitor the results. Like any properly lazy sysadmin, I first searched the net and found a number of useful and powerful tools. However, each had characteristics that made them inappropriate for me. Eventually I wrote my own tool, using the one that came closest to my needs as a model.

Other Log-Monitoring Tools

Because logmuncher may not be (is not) appropriate for every installation, here is a summary of the tools that I discovered in my search. I hope that this summary will help others to find the best tool for their systems with relatively little work.

  • Logcheck, originally from Psionic Software (now owned by Cisco), is a very simple shell script that searches log files for unusual events. Advantages: comes with configuration files for various systems, making it relatively easy to set up. Works on many systems. Disadvantages: inflexible. Combines all log files into one, making it hard to handle situations where a string is a problem in one log file but not in another. Default configuration can report many false positives, requiring some tuning to get to a state where only true incursions produce reports. Can be very slow in some configurations. Must be invoked periodically from cron, leaving a window for crackers to clean up the logs. Limited to e-mailing reports to a system administrator. Requires that you modify log-aging scripts to destroy "offset" files used to track what parts of logs have already been seen.
  • logwatch, from Kirk Bauer, is a pluggable and configurable Perl script to scan log files. Advantages: extremely flexible. Scanning is done by Perl programs, so complex and multi-line conditions can be detected. Can take actions other than e-mail based on what it discovers. Has specialized rules for each log file. Comes with sample rules appropriate for many systems. Disadvantages: might be slow (I haven't tested it). Requires significant Perl programming skills to modify. Modification of rules is difficult and error-prone. Default rules will probably require changes for your own system. Must be invoked periodically from cron, leaving a window for crackers to clean up the logs.
  • swatch, from E. Todd Atkins, is a Perl script that monitors a single log file. Advantages: Easy to configure. Has a "follow" mode that allows only a 1-second window for a cracker to clean up. Probably reasonably fast (I haven't tried). Has a "throttle" feature to keep from overwhelming you with messages. Can restrict rules to a certain time of the day. Disadvantages: Doesn't come with significant samples. Requires one copy of the daemon for each log file monitored.
  • Logsurfer, by Wolfgang Ley and Uwe Ellermann, is a C program that monitors a single log file, inspired by swatch. Advantages: Extremely flexible. Has a "follow" mode that allows only a 1-second window for a cracker to clean up. Can recognize multiple-line patterns, even when they are intermingled with other log file information. Disadvantages: extremely difficult to configure. Might be slow for large numbers of rules (I haven't tried). Doesn't come with significant samples. Requires one copy of the daemon for each log file monitored.
  • Logmuncher, by Geoff Kuenning, is a shell script that searches log files for unusual events. Advantages: Fast and flexible. Easy to configure. Can monitor multiple files with separate rules for each. Can use configuration files from logcheck. Disadvantages: Can only detect single-line patterns. Must be invoked periodically from cron, leaving a window for crackers to clean up the logs. May require that you modify log-aging scripts to destroy "offset" files used to track what parts of logs have already been seen.
Downloads

Logmuncher is distributed only as a gzipped tar file. If you want to read more about it first, the manual pages for the program, the configuration file, and logtail are available separately.
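The two mechanisms that the tool comparison above keeps returning to are the "offset" file that records how much of a log a cron-driven scanner has already seen, and per-log-file rule sets that let a string be a problem in one log but not in another. The following shell script is an added example of both, written for this page; it is not code from logmuncher, logtail or logcheck, and the file names, patterns and log lines in it are constructed. Unlike the tools described above, which need the log-aging script to delete the offset file, it assumes that a log shorter than its saved offset has been rotated and restarts from the beginning; that is my own choice for the example, not behaviour the page documents.

```shell
#!/bin/sh
# Added example, not code from logmuncher or logtail.  It shows the two
# mechanisms the tool comparison relies on: an "offset" file per log that
# records how far the previous run read, so each run from cron reports only
# new lines; and a separate alert/ignore pattern list per log file, so a
# string that matters in one log can be ignored in another.  All file
# names, patterns and log lines here are constructed for the example.

WORK=${WORK:-$(mktemp -d)}   # where offset files and sample data live

# Print the bytes of log $1 beyond the offset saved in $2, then record the
# new end of file.  A log shorter than its saved offset is assumed to have
# been rotated, so reading restarts from byte 0 instead of skipping it all
# (the tools above instead rely on the log-aging script deleting the offset file).
tail_since_offset() {
    _log=$1; _off=$2; _start=0
    if [ -f "$_off" ]; then _start=$(($(cat "$_off"))); fi
    _size=$(($(wc -c < "$_log")))
    if [ "$_size" -lt "$_start" ]; then _start=0; fi
    tail -c +$((_start + 1)) "$_log"
    echo "$_size" > "$_off"
}

# Report the new lines of log $1 that match some extended regexp in the
# alert file $2 and none in the ignore file $3 (one pattern per line, in
# the spirit of logcheck's configuration files).  Always exits 0 so a run
# with nothing to report is not treated as an error.
scan_log() {
    _log=$1; _alerts=$2; _ignores=$3
    _offfile="$WORK/$(basename "$_log").offset"
    tail_since_offset "$_log" "$_offfile" \
        | grep -E -f "$_alerts" | grep -E -v -f "$_ignores" || true
}

# One pass over every configured log, as cron would invoke it.
run_once() {
    scan_log "$WORK/auth.log" "$WORK/etc/auth.alerts" "$WORK/etc/auth.ignores"
    scan_log "$WORK/www.log"  "$WORK/etc/www.alerts"  "$WORK/etc/www.ignores"
}

# Constructed sample data: two logs, each with its own rule set.
mkdir -p "$WORK/etc"
cat > "$WORK/auth.log" <<'EOF'
Jan  1 00:01:02 host sshd[101]: Accepted publickey for alice from 10.0.0.5 port 5001 ssh2
Jan  1 00:01:09 host sshd[102]: Failed password for root from 192.0.2.9 port 5002 ssh2
Jan  1 00:01:10 host sshd[102]: Failed password for root from 192.0.2.9 port 5002 ssh2
Jan  1 00:02:00 host su: pam_unix(su:session): session opened for user root by alice(uid=1000)
EOF
cat > "$WORK/etc/auth.alerts" <<'EOF'
Failed password
session opened for user root
EOF
cat > "$WORK/etc/auth.ignores" <<'EOF'
session opened for user root by alice
EOF
cat > "$WORK/www.log" <<'EOF'
10.0.0.7 - - [01/Jan/2024:00:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:00:03:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:00:03:02 +0000] "GET /admin/ HTTP/1.1" 403 0
EOF
cat > "$WORK/etc/www.alerts" <<'EOF'
 40[34] 
EOF
cat > "$WORK/etc/www.ignores" <<'EOF'
favicon\.ico
EOF

# First pass reports the two failed root logins and the 403 on /admin/;
# the su by alice and the favicon 404 are filtered by the per-file ignores.
run_once
```

Running the script a second time prints nothing, because each log's offset file now equals its size; appending to one log and running again reports only the appended lines, which is the whole point of the offset mechanism. The per-file ignore lists are what keep the ssh-specific pattern from ever being applied to the web log.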


This page maintained by Geoff Kuenning.