logcheck — program to scan system logs for interesting lines
The logcheck program helps spot problems and security violations in
your logfiles automatically and will send the results to you
periodically in an e-mail. By default logcheck runs as an hourly
cronjob just off the hour and after every reboot.
logcheck supports three level of filtering: "paranoid" is for high-
security machines running as few services as possible. Don’t use it if
you can’t handle its verbose messages. "server" is the default and
contains rules for many different daemons. "workstation" is for
sheltered machines and filters most of the messages. The ignore rules
work in additive manner. "paranoid" rules are also included at level
"server". "workstation" level includes both "paranoid" and "server"
The messages reported are sorted into three layers, system events,
security events and attack alerts. The verbosity of system events is
controlled by which level you choose, paranoid, server or workstation.
However, security events and attack alerts are not affected by this.
logcheck can be invoked directly thanks to su(8) or sudo(8), which
change the user ID. The following example checks the logfiles without
updating the offset and outputs everything to STDOUT.
sudo -u logcheck logcheck -o -t
A summary of options is included below.
-c CFG Overrule default configuration file.
-d Debug mode.
-h Show usage information.
-H Use this hostname string in the subject of logcheck mail.
-l LOG Run logfile through logcheck.
-L CFG Overrule default logfiles list.
-m Mail report to recipient.
-o STDOUT mode, not sending mail.
-p Set the report level to "paranoid".
-r DIR Overrule default rules directory.
-R Adds "Reboot:" to the email subject line.
-s Set the report level to "server".
-S DIR Overrule default state directory.
-t Testing mode does not update offset.
-T Do not remove the TMPDIR.
-u Enable syslog-summary.
-v Print current version.
-w Set the report level to "workstation".
/etc/logcheck/logcheck.conf is the main configuration file.
/etc/logcheck/logcheck.logfiles is the list of files to monitor.
/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints
on how to write, test and maintain rules.
0 upon success; 1 upon failure
logcheck is developed by Debian logcheck Team at alioth:
This manual page was written by Jon Middleton.