Oct 142011
 

Most of the content come from the article by Diego Stamigni, first published on his site

If you have a server, you probably would like to continually be updated on what the system logs records; a very useful tool that I discover is Logcheck: it works very well, and I’m very greatful with the developers.

I use it to have various email about the logs between a range of time like [3 hours].



Since I use gentoo on all of my PC I’ve, I installed it with emerge:

emerge logcheck

there are also a lots of USE useful to activate, to have a small description of these, simply do:

quse -D USE_TO_DESCRIBE

Next, the configuration file is in /etc/logcheck, names “logcheck.conf“, great fantasy I think. So, in the conf you can set se MAIL address to allow Logcheck to send you the report of the checked logs.

Another *very* important configuration file is /etc/logcheck/logcheck.logfiles that must contains the path with the name of the logs that you want to check with logcheck; the syntax is the following:

/var/log/syslog
/var/log/auth.log
/var/log/sulog

By default logcheck is run 2 minutes past every hour. I changed this to run 7:02, which is done by editing the file

/etc/cron.d/logcheck

Changing the line into:

2 7 * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi

Now it’s time to check if this works. Running logcheck won’t work, so run:

su -c "/bin/bash logcheck -SdRuto" logcheck

Please, read the man of logcheck to understand the FLAGS; summary, we launched it in debug-verbose-nomailsent/tostout mode.

And that’s all for a really basic setup, from here you can start and if you like it change your rules to match more (or less) things in your logs, be safer and in general don’t be worried by all your servers logs.


Popular Posts:

flattr this!

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>