LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-10-2011, 02:23 AM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
need help with samhain -- unexpected logkey alert


A couple of months back I was involved in a lengthy process to move my site from a compromised server to a new server. Part of this process was setting up samhain. Samhain has been behaving predictably and made me feel much reassured about the security of my server. However, it sent me an ALRT email just a few minutes ago with msg=LOGKEY.

I'm not entirely sure what all the samhain messages mean but seem to recall that ALRT messages are the most serious type and that logkeys are only generated when a log is started. I want to know what this means and whether I should be concerned about my system. Can anyone tell me more about this?
 
Old 10-10-2011, 09:18 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Logkeys are used in Samhain to allow you to verify the integrity of the logs. From what I remember, when the logging is restarted, a log key is generated. In this case, it sounds like you received some form of alert message and the logkey was provided to allow you to verify the authenticity of the alert. It would be prudent to investigate the alert and determine the source. More than likely, it is indicating that something uncommon happened, which could be a form of scan attempt or any number of things and I wouldn't take this to mean that you have been compromised. See this link for some more information on the log key feature.

As an example of what I mean, this morning, I was reviewing the output of logwatch and noticed an entry for connect from in.comsat on 127.0.0.1 in the secure log. As I keep the SSH port closed off to all but a few known IP addresses on the public interface, this really caught my attention. Doing some digging showed that the time was at the same point that the ClamAV update process ran. Further digging showed that this is a daemon process involving mail and that it was an email being sent to the root@localhost user. It was a benign alert, but it caught my attention because it was out of the ordinary.
 
Old 10-10-2011, 12:27 PM   #3
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Thanks again, Noway2.

Yes, this alert was quite uncommon. I usually only get alerts when I change something. I went digging around and it would appear that logrotate finally decided to rotate the samhain log. The timing of the new logkey appears to coincide more or less precisely with the dates on the log files. If I'm not mistaken, it would appear that logrotate signalled the samhain process and rotated the logs. I'm just not sure if this is how samhain behaves or not.

I used the new log key to verify the current log file and it gives a PASS for every line:
Code:
samhain -L /var/log/samhain/samhain.log
I guess I'm just wondering if that's how samhain would behave when a log gets rotated.
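Added illustration of what the log-key verification discussed in this thread is checking: a simplified keyed-chain model written for this page, not samhain's own signing scheme or code. The `sig=` line format, the key-rolling rule and the sample log entries are all constructed assumptions; it shows why a fresh key appears when a new log file starts, and how a per-line PASS/FAIL check reacts to an edited line, a deleted line, and a rotated file checked against the old key.

```python
import hashlib
import hmac
import os

# Constructed sample entries in the spirit of a file-integrity log (not real samhain output).
SAMPLE_MESSAGES = [
    "START: samhain started",
    "CRIT: POLICY [ReadOnly] C--------- /etc/passwd",
    "INFO: check completed",
]


def new_logkey():
    """A fresh random key starts a new chain; samhain reports that event as msg=LOGKEY."""
    return os.urandom(16).hex()


def _next_key(key):
    # Roll the key forward after every entry so the chain has a fixed order (assumed rule).
    return hashlib.sha256(key.encode()).hexdigest()


def _sign(key, message):
    return hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_log(messages, logkey):
    """Return log lines of the form '<message> sig=<hex>' chained from logkey."""
    key, lines = logkey, []
    for message in messages:
        lines.append(f"{message} sig={_sign(key, message)}")
        key = _next_key(key)
    return lines


def verify(lines, logkey):
    """Recompute every signature from the log key; returns [(message, 'PASS'|'FAIL'), ...]."""
    key, results = logkey, []
    for entry in lines:
        message, sep, sig = entry.rpartition(" sig=")
        if not sep:
            results.append((entry, "FAIL"))  # no signature field at all
        else:
            ok = hmac.compare_digest(sig, _sign(key, message))
            results.append((message, "PASS" if ok else "FAIL"))
        key = _next_key(key)
    return results


if __name__ == "__main__":
    key = new_logkey()  # the key you would have been mailed when the log was started
    for message, result in verify(build_log(SAMPLE_MESSAGES, key), key):
        print(result, message)
```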
 
  