NAME
logcheck — program to scan system logs for interesting lines

DESCRIPTION
The logcheck program helps spot problems and security violations in your
logfiles automatically and will send the results to you periodically in an
e-mail. By default logcheck runs as an hourly cronjob just off the hour and
after every reboot.
logcheck supports three levels of filtering: "paranoid" is for
high-security machines running as few services as possible. Don't use it if
you can't handle its verbose messages. "server" is the default and
contains rules for many different daemons. "workstation" is for
sheltered machines and filters most of the messages. The ignore rules work in
an additive manner: the "paranoid" rules are also included at level
"server", and the "workstation" level includes both the
"paranoid" and the "server" rules.

The messages reported are sorted into three layers: system events, security
events and attack alerts. The verbosity of system events is controlled by
which level you choose (paranoid, server or workstation). Security
events and attack alerts are not affected by the chosen level.
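The following is an added example, not logcheck's own code: a POSIX shell model of the additive ignore levels described above, run against constructed log lines. The rule-directory layout, rule file names and regexes are placeholders constructed for the example, and matching with grep -E -v -f is the assumed model of how a level's ignore rules are applied.

```shell
#!/bin/sh
# Added example, not logcheck's own code. Models the additive ignore levels
# with constructed rule files and constructed log lines; the directory layout
# is a placeholder, not the real /etc/logcheck layout.
set -eu

RULES="$(mktemp -d)"
LOGS="$(mktemp -d)"
trap 'rm -rf "$RULES" "$LOGS"' EXIT

# Constructed ignore rules, one extended regex per line, one file per level.
mkdir -p "$RULES/paranoid" "$RULES/server" "$RULES/workstation"
printf '%s\n' 'cron\[[0-9]+\]: \(root\) CMD' > "$RULES/paranoid/cron"
printf '%s\n' 'sshd\[[0-9]+\]: Accepted publickey for' > "$RULES/server/sshd"
printf '%s\n' 'CRON\[[0-9]+\]: pam_unix\(cron:session\): session (opened|closed)' \
    > "$RULES/workstation/cron"

# Constructed sample log; the last line is the kind no ignore rule should hide.
cat > "$LOGS/syslog" <<'EOF'
Jan 10 06:25:01 host cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 06:26:11 host sshd[2345]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 10 06:27:00 host CRON[2346]: pam_unix(cron:session): session opened for user root
Jan 10 06:28:42 host sshd[2400]: Failed password for invalid user admin from 10.0.0.9 port 4022 ssh2
EOF

# report LEVEL LOGFILE: print the lines that survive the ignore rules in
# force at LEVEL. Levels are additive, as the man page describes: server
# applies paranoid's rules too, workstation applies all three sets.
report() {
    level="$1"; logfile="$2"
    case "$level" in
        paranoid)    dirs="paranoid" ;;
        server)      dirs="paranoid server" ;;
        workstation) dirs="paranoid server workstation" ;;
        *) echo "unknown level: $level" >&2; return 2 ;;
    esac
    patterns="$(mktemp)"
    for d in $dirs; do cat "$RULES/$d"/* >> "$patterns"; done
    # grep -v -f keeps only the lines that match none of the patterns.
    grep -E -v -f "$patterns" "$logfile" || true
    rm -f "$patterns"
}

# count_reported LEVEL: how many lines would be reported at LEVEL.
count_reported() { report "$1" "$LOGS/syslog" | wc -l | tr -d ' '; }
for lvl in paranoid server workstation; do
    echo "$lvl: $(count_reported "$lvl") line(s) reported"
done
```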
logcheck can be invoked directly via su(8) or sudo(8), which change
the user ID. The following example checks the logfiles without updating the
offset (-t) and outputs everything to STDOUT instead of sending mail (-o):

    sudo -u logcheck logcheck -o -t
OPTIONS
A summary of options is included below.

-c CFG  Overrule default configuration file.
-d      Debug mode.
-h      Show usage information.
-H      Use this hostname string in the subject of the logcheck mail.
-l LOG  Run logfile through logcheck.
-L CFG  Overrule default logfiles list.
-D DIR  Overrule default logfiles lists directory.
-m      Mail report to recipient.
-o      STDOUT mode, not sending mail.
-p      Set the report level to "paranoid".
-r DIR  Overrule default rules directory.
-R      Adds "Reboot:" to the email subject line.
-s      Set the report level to "server".
-S DIR  Overrule default state directory.
-t      Testing mode, does not update offset.
-T      Do not remove the TMPDIR.
-u      Enable syslog-summary.
-v      Print current version.
-w      Set the report level to "workstation".
FILES
/etc/logcheck/logcheck.conf is the main configuration file.
/etc/logcheck/logcheck.logfiles is the list of files to monitor.
/etc/logcheck/logcheck.logfiles.d is the directory of lists of files to monitor.

SEE ALSO
/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to
write, test and maintain rules.

EXIT STATUS
0 upon success; 1 upon failure.

AUTHOR
logcheck is developed by the Debian logcheck Team at alioth:

This manual page was written by Jon Middleton.