zeldor.biz

Linux, programming and more


Configure logcheck

August 2, 2010 by Igor Drobot Leave a Comment

Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.

Installation

apt-get install logcheck

E-mail recipients are configured in “/etc/aliases”; the SENDMAILTO setting below names the local alias that the report is sent to.

The logcheck configuration lives in “/etc/logcheck/logcheck.conf”; the settings that matter here are:

INTRO=1
REPORTLEVEL="server"
SENDMAILTO="logcheck"
ADDTAG="yes"

Rules are read from the following directories under /etc/logcheck (which set of ignore.d.* directories applies depends on REPORTLEVEL):

/etc/logcheck/*
cracking.d
cracking.ignore.d
ignore.d
ignore.d.paranoid
ignore.d.server
ignore.d.workstation
violations.d
violations.ignore.d

Define your ignore rules
When you use the server reporting level, put your local rules file in “/etc/logcheck/ignore.d.server/local-rules”.

Sample content of “/etc/logcheck/ignore.d.server/local-rules”:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: connection refused resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT

To test your rules you can use:

egrep -f /etc/logcheck/ignore.d.server/local-rules /var/log/syslog

That shows only the messages matched by your rules, i.e. the ones that will be suppressed and will NOT be mailed to you. Check that nothing you still want to see turns up in that output; add -v to see the complement, the lines that would still be reported.
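The following script is an added example, not code from the original post or from the logcheck project. It writes the ignore rules shown above to a scratch copy of the local-rules file, builds a constructed syslog excerpt (three routine lines plus two that should still be reported), and runs both the suppression check from the post and its inverse. The paths under $TMPDIR and the sample log lines are assumptions; on a real system the rules file is /etc/logcheck/ignore.d.server/local-rules and the log is /var/log/syslog.

```shell
#!/bin/sh
# Added example: dry-run logcheck ignore rules against a constructed syslog
# excerpt. Scratch paths below are assumptions, not the real logcheck files.

WORK="${TMPDIR:-/tmp}/logcheck-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/local-rules"
LOG="$WORK/syslog"

# The ignore patterns from the post, one extended regex per line.
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: connection refused resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT
EOF

# Constructed syslog excerpt (documentation IPs): three routine lines the
# rules should swallow, two that no rule matches and that must be reported.
cat > "$LOG" <<'EOF'
Aug  2 10:15:01 web01 ntpd[1234]: kernel time sync status change 2001
Aug  2 10:15:02 web01 named[555]: success resolving 'example.com/A' after reducing the advertised EDNS UDP packet size to 512 octets
Aug  2 10:15:03 web01 sshd[777]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Aug  2 10:15:04 web01 imapd: LOGOUT, user=alice, ip=[192.0.2.10]
Aug 12 10:15:05 web01 kernel: Out of memory: Kill process 999 (java) score 812
EOF

# Lines matched by an ignore rule: suppressed, never mailed. This is exactly
# what the post's "egrep -f" check prints (grep -E is the same thing).
suppressed_lines() {
    grep -E -f "$RULES" "$LOG"
}

# The complement: lines no ignore rule matches, i.e. what still reaches your
# mailbox. This is the view to review when tuning, so you notice when a new
# rule is too broad and starts hiding something important.
reported_lines() {
    grep -E -v -f "$RULES" "$LOG"
}

# Quick counts for a sanity check after editing the rules file.
count_suppressed() { suppressed_lines | wc -l | tr -d ' '; }
count_reported()   { reported_lines   | wc -l | tr -d ' '; }

echo "== suppressed (would NOT be mailed) =="
suppressed_lines
echo "== reported (would be mailed) =="
reported_lines
```

With the constructed input, the ntpd, named and imapd lines land in the suppressed list and the sshd and kernel lines stay in the reported list. Point RULES and LOG at the real files to run the same check against your own syslog.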

A logcheck run can also be started manually, so you do not have to wait for the next cron run:

su -s /bin/bash -c "/usr/sbin/logcheck" logcheck

Filed Under: Linux Tagged With: Logcheck, Logs
