Logcheck automatically scans your logfiles for problems and security violations and sends the results to you by e-mail.
Installation
```
apt-get install logcheck
```
The e-mail recipients are configured in “/etc/aliases” (the address given by SENDMAILTO below is resolved there).
Logcheck's own configuration is in “/etc/logcheck/logcheck.conf”; the relevant settings are:
```
INTRO=1
REPORTLEVEL="server"
SENDMAILTO="logcheck"
ADDTAG="yes"
```
Rules are read from the following directories below “/etc/logcheck” (the ignore.d.* directories hold patterns for lines to suppress, cracking.d and violations.d hold patterns for lines to report):
```
/etc/logcheck/
  cracking.d
  cracking.ignore.d
  ignore.d
  ignore.d.paranoid
  ignore.d.server
  ignore.d.workstation
  violations.d
  violations.ignore.d
```
Define your ignore rules
When using the server reporting level (REPORTLEVEL="server" above), put your local rules file in “/etc/logcheck/ignore.d.server/local-rules”.
Sample content of “/etc/logcheck/ignore.d.server/local-rules”:
```
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: connection refused resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: DISCONNECTED
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: TIMEOUT
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT
```
To test your rules, you can use:
```
egrep -f /etc/logcheck/ignore.d.server/local-rules /var/log/syslog
```
That shows only the messages that match your rules, i.e. the ones that will be suppressed and NOT mailed to you.
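As an added example that is not part of the original post, the following script simulates the ignore stage of logcheck on constructed data: it writes three of the rules above into a temporary stand-in for local-rules, applies them to a made-up syslog excerpt, and prints both halves of the split (the suppressed lines, as the egrep command above shows them, and the lines that would actually be reported) plus a per-rule hit count. File names, hostnames, PIDs and log lines are all constructed.

```shell
#!/bin/sh
# Added example (not from the original post): simulate logcheck's ignore stage
# on constructed data. Paths and log lines below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/logcheck/ignore.d.server/local-rules,
# using three of the rules shown above verbatim.
cat > "$WORK/local-rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync status change
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ named\[[0-9]+\]: success resolving
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imapd: LOGOUT
EOF

# Constructed syslog excerpt: three routine lines the rules should swallow and
# two that should reach the report (a failed login, an unmatched named error).
cat > "$WORK/syslog" <<'EOF'
Mar  3 10:15:01 mail ntpd[812]: kernel time sync status change 2001
Mar  3 10:15:07 mail named[455]: success resolving 'example.org/A' after reducing the advertised EDNS UDP packet size to 512 octets
Mar  3 10:16:42 mail sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 52311 ssh2
Mar  3 10:17:00 mail imapd: LOGOUT, user=alice, ip=[198.51.100.7]
Mar  3 10:17:05 mail named[455]: zone example.org/IN: refresh: failure trying master 203.0.113.5#53
EOF

# What "egrep -f local-rules syslog" shows: lines that will be suppressed.
suppressed_lines() { grep -E -f "$1" "$2"; }

# The complement (grep -v): what logcheck would actually put in the mail.
reported_lines() { grep -E -v -f "$1" "$2"; }

# Per-rule hit count: a rule that swallows far more lines than you expected
# is too broad and may be hiding something you wanted to see.
rule_hits() {
    while IFS= read -r rule; do
        printf '%s\t%s\n' "$(grep -E -c -- "$rule" "$2" || true)" "$rule"
    done < "$1"
}

echo "== would be suppressed =="; suppressed_lines "$WORK/local-rules" "$WORK/syslog"
echo "== would be reported =="; reported_lines "$WORK/local-rules" "$WORK/syslog"
echo "== hits per rule =="; rule_hits "$WORK/local-rules" "$WORK/syslog"
```

Point it at the real files (`/etc/logcheck/ignore.d.server/local-rules` and `/var/log/syslog`) to see which of your own rules fire and how often.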
A logcheck run can also be started manually, so you do not have to wait for the next cron run:
```
su -s /bin/bash -c "/usr/sbin/logcheck" logcheck
```