NAME
       logcheck — program to scan system logs for interesting lines


SYNOPSIS
       logcheck [OPTIONS]


DESCRIPTION
       The logcheck program helps spot problems and security violations in
       your logfiles automatically and sends the results to you periodically
       in an e-mail. By default logcheck runs as an hourly cronjob just off
       the hour and after every reboot.

       logcheck supports three levels of filtering: "paranoid" is for high-
       security machines running as few services as possible; don't use it
       if you can't handle its verbose messages. "server" is the default and
       contains rules for many different daemons. "workstation" is for
       sheltered machines and filters most of the messages. The ignore rules
       work in an additive manner: "paranoid" rules are also included at
       level "server", and the "workstation" level includes both the
       "paranoid" and the "server" rules.

       The messages reported are sorted into three layers: system events,
       security events and attack alerts. The verbosity of system events is
       controlled by which level you choose (paranoid, server or
       workstation); security events and attack alerts are not affected by
       this.
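       The following script is an added example and is not code from this
       manual page or from the logcheck project. It is a miniature
       logcheck-style report that shows the two points above in action: the
       ignore rules accumulate from "paranoid" through "server" to
       "workstation", so the system-events layer shrinks as the level
       relaxes, while the attack-alert and security-event layers are matched
       positively and reported at every level. Filtering is done with
       grep -E -v -f, as logcheck itself does. The directory names under
       $RULES follow logcheck's naming but are assumed here, and the log
       lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the logcheck man page or the logcheck project:
# a miniature logcheck-style report demonstrating additive ignore levels
# (paranoid < server < workstation) and the level-independent attack-alert
# and security-event layers. Rule directory names are assumed; log lines are
# constructed for the demo.

RULES="$(mktemp -d)"
LOGFILE="$RULES/sample.log"

# Constructed sample log: routine noise plus two genuinely interesting events.
cat > "$LOGFILE" <<'EOF'
Jan  1 00:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 00:00:02 host sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jan  1 00:00:03 host sshd[2346]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan  1 00:00:04 host kernel: [  12.345678] usb 1-1: new high-speed USB device number 2
Jan  1 00:00:05 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Jan  1 00:00:06 host systemd[1]: Started Daily apt download activities.
EOF

# Ignore rules (extended regexes, one per line), split by level.
for d in ignore.d.paranoid ignore.d.server ignore.d.workstation cracking.d violations.d; do
    mkdir -p "$RULES/$d"
done
printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$' > "$RULES/ignore.d.paranoid/cron"
printf '%s\n' 'sshd\[[0-9]+\]: Accepted publickey for [[:alnum:]_-]+ from [0-9.]+ port [0-9]+ ssh2$' > "$RULES/ignore.d.server/ssh"
printf '%s\n' 'systemd\[1\]: Started Daily apt download activities\.$' > "$RULES/ignore.d.workstation/systemd"
printf '%s\n' 'kernel: .* usb [0-9-]+: new .* USB device' > "$RULES/ignore.d.workstation/usb"
# Positive-match rules for the two layers that the level does not affect.
printf '%s\n' 'Failed password for invalid user' > "$RULES/cracking.d/ssh"
printf '%s\n' 'sudo: .* COMMAND=' > "$RULES/violations.d/sudo"

# Concatenate the ignore rules that apply at LEVEL. Each level includes the
# rules of the stricter levels below it, which is what "additive" means here.
ignore_patterns() {
    case "$1" in
        paranoid)    dirs="ignore.d.paranoid" ;;
        server)      dirs="ignore.d.paranoid ignore.d.server" ;;
        workstation) dirs="ignore.d.paranoid ignore.d.server ignore.d.workstation" ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
    : > "$RULES/ignore.all"
    for d in $dirs; do cat "$RULES/$d"/* >> "$RULES/ignore.all"; done
    echo "$RULES/ignore.all"
}

# System events: the lines that survive the level's ignore patterns.
system_events() {
    grep -E -v -f "$(ignore_patterns "$1")" "$LOGFILE" || true
}

# Attack alerts (cracking.d) or security events (violations.d): matched
# positively, so they are reported whatever level is in force.
layer_events() {
    cat "$RULES/$1.d"/* > "$RULES/$1.all"
    grep -E -f "$RULES/$1.all" "$LOGFILE" || true
}

count_system_events() { system_events "$1" | wc -l | tr -d ' '; }
count_layer_events()  { layer_events "$1" | wc -l | tr -d ' '; }

# Stand-alone demo: only the system-events layer shrinks as the level relaxes.
for level in paranoid server workstation; do
    printf '== %s: %s system event(s)\n' "$level" "$(count_system_events "$level")"
done
printf '== attack alerts: %s, security events: %s\n' \
    "$(count_layer_events cracking)" "$(count_layer_events violations)"
```

       With the constructed input, "paranoid" leaves five system events,
       "server" four and "workstation" two, while the one failed-login line
       and the one sudo line are reported at every level. The same
       structure is why a rule file that is too broad is a security
       problem: anything an ignore pattern swallows never reaches the
       report, so ignore rules should be anchored and as specific as the
       ones above.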


       logcheck can be invoked directly via su(8) or sudo(8), which change
       the user ID. The following example checks the logfiles without
       updating the offset and outputs everything to STDOUT.

       sudo -u logcheck logcheck -o -t


OPTIONS
       A summary of options is included below.

       -c CFG    Override the default configuration file.

       -d        Debug mode.

       -h        Show usage information.

       -H        Use this hostname string in the subject of logcheck mail.

       -l LOG    Run the given logfile through logcheck.

       -L CFG    Override the default logfiles list.

       -m        Mail the report to the given recipient.

       -o        STDOUT mode; do not send mail.

       -p        Set the report level to "paranoid".

       -r DIR    Override the default rules directory.

       -R        Add "Reboot:" to the e-mail subject line.

       -s        Set the report level to "server".

       -S DIR    Override the default state directory.

       -t        Testing mode; does not update the offset.

       -T        Do not remove the TMPDIR.

       -u        Enable syslog-summary.

       -v        Print the current version.

       -w        Set the report level to "workstation".


FILES
       /etc/logcheck/logcheck.conf is the main configuration file.

       /etc/logcheck/logcheck.logfiles is the list of files to monitor.

       /usr/share/doc/logcheck-database/README.logcheck-database.gz contains
       hints on how to write, test and maintain rules.


EXIT STATUS
       0 upon success; 1 upon failure




AUTHOR
       logcheck is developed by the Debian logcheck Team at alioth:

       This manual page was written by Jon Middleton.