Most of the content comes from an article by Diego Stamigni, first published on his site.
If you have a server, you probably want to be kept continually up to date on what the system logs record; a very useful tool I discovered for this is Logcheck. It works very well, and I am very grateful to its developers.
I use it to receive periodic emails about the logs covering a time range such as 3 hours.
Since I use Gentoo on all of my PCs, I installed it with emerge:
There are also a lot of useful USE flags to enable; to get a short description of them, simply run:
quse -D USE_TO_DESCRIBE
Next, the configuration file is in /etc/logcheck and is named “logcheck.conf” (great imagination, I think). In this file you set the email address that Logcheck sends the report of the checked logs to.
Another *very* important configuration file is /etc/logcheck/logcheck.logfiles, which must contain the full paths of the log files you want Logcheck to check; the syntax is one path per line:
/var/log/syslog
/var/log/auth.log
/var/log/sulog
By default logcheck is run 2 minutes past every hour. I changed this to run at 7:02, which is done by editing the file
changing the line to:
2 7 * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
Now it’s time to check whether this works. Running logcheck directly won’t work, so run it as the logcheck user:
su -c "/bin/bash logcheck -SdRuto" logcheck
Please read the logcheck man page to understand the flags; in summary, we launched it in debug, verbose, no-mail-sent/to-stdout mode.
And that’s all for a really basic setup. From here you can start, and if you like it, change your rules to match more (or fewer) things in your logs, be safer, and in general stop worrying about all your servers’ logs.
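To show how the two configuration points above behave in practice, here is an added shell example that is not part of Diego Stamigni’s article. The first helper validates a logcheck.logfiles-style list (one path per line) by reporting entries that are missing or unreadable, and the second applies ignore rules to a log the way Logcheck filters: every line that matches an extended regular expression in the rule file is dropped and the rest is reported. The log lines, the rule patterns and the file names under the temporary directory are constructed for this illustration; the syslog-prefix part of the rules mirrors the style of the rules shipped in Logcheck’s ignore.d directories but is not copied from them.

```shell
#!/bin/sh
# Added example, not from the original article. Two helpers for a Logcheck
# setup: check_logfiles validates a logcheck.logfiles-style list, and
# report_unfiltered applies ignore rules to a log. All sample data below is
# constructed for illustration.

# check_logfiles LISTFILE
# Reads one log path per line (blank lines and '#' comments skipped) and
# prints every path that is missing or not readable by the current user.
# Returns 1 if any entry failed, 0 otherwise. Run it as the logcheck user,
# because that is the user the cron job runs Logcheck as.
check_logfiles() {
    bad=0
    while IFS= read -r path; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -r "$path" ]; then
            echo "not readable: $path"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# report_unfiltered LOGFILE RULEFILE
# Prints the lines of LOGFILE that match none of the extended regexes in
# RULEFILE; this is the core of what Logcheck does with its ignore rules.
# grep exits 1 when every line was filtered, which is not an error here.
report_unfiltered() {
    grep -E -v -f "$2" "$1" || true
}

# Constructed syslog-style sample lines (hostname and addresses are made up).
SAMPLE_LOG='Jan  1 07:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 07:00:05 host sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan  1 07:00:09 host sshd[2346]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan  1 07:00:12 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'

# Constructed ignore rules, one extended regex per line. The leading part
# matches the syslog timestamp and hostname in the style of Logcheck's own
# rules; the rest is anchored to the full message so that only the exact
# event is ignored. Routine cron runs and successful key logins are ignored;
# failed logins and sudo use are not, so they end up in the report.
IGNORE_RULES='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^[:space:]]+ from [[:digit:].]+ port [[:digit:]]+ ssh2$'

# demo_report
# Writes the sample log and rules into a temporary directory, prints the
# lines that survive the ignore rules, and cleans up.
demo_report() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$dir/sample.log"
    printf '%s\n' "$IGNORE_RULES" > "$dir/ignore.rules"
    report_unfiltered "$dir/sample.log" "$dir/ignore.rules"
    rm -rf "$dir"
}

demo_report
```

Running the script prints the two lines no rule matched (the failed login and the sudo command). Against a real setup, point check_logfiles at /etc/logcheck/logcheck.logfiles and run it as the logcheck user (via su, as above), and feed report_unfiltered a real log together with one of your own rule files to see exactly what a rule change adds to or removes from the report before the cron job mails it.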