Debianhelp.co.uk

Logcheck Configuration in Debian

What is Logcheck?

Logcheck parses system logs and generates email reports based on anomalies. Anomalies are defined by rules files (the 'violations' files) that users can extend. It differentiates between 'Active System Attacks', 'Security Violations', and 'Unusual Activity', and is smart enough to remember where in the log it stopped processing to improve efficiency. It can also warn when log files shrink, and does not report errors when they are rotated.

 Logcheck Installation in Debian

#apt-get install logcheck

At installation time it prints a message telling you where the configuration file and the documentation are located.

That's it, installation done. Now you need to configure logcheck.

The main configuration file for logcheck is /etc/logcheck/logcheck.conf

The default logcheck configuration file is shown below; change its options to suit your needs.

# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale
#DATE="$(date +'%Y-%m-%d %H:%M')"

# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"
SENDMAILTO="root"

# Should the hostname of the generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting
#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support
#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path
#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:
#ATTACKSUBJECT="Attack Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines
#ADDTAG="no"
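The comments above single out three settings that are easy to get wrong: REPORTLEVEL must be exactly one of the three level names, SENDMAILTO has no default and should point offsite, and RULEDIR must be absolute. The script below is an added example (not from this page or from the logcheck project) that audits a logcheck.conf for those three points. It reads the file with sed rather than sourcing it, so a config file edited by an intruder cannot execute commands under the account doing the audit. Both configuration files it runs on are constructed for the example, and the offsite address in the corrected one is an assumed, example-only domain.

```shell
#!/bin/sh
# Added example, not from the page or the logcheck project: a checker for the
# settings that the logcheck.conf comments call out (REPORTLEVEL must be one
# of the three levels, SENDMAILTO has no default and should be offsite,
# RULEDIR must be absolute). It reads the file with sed instead of sourcing
# it, so a tampered config cannot run commands as the auditing user.
# Both configuration files below are constructed for this example.

# conf_value FILE VAR: print the active value of VAR (double quotes stripped).
# Commented-out defaults such as '#RULEDIR="/etc/logcheck"' do not count;
# the last assignment wins, as it would when the shell sources the file.
conf_value() {
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_logcheck_conf FILE: print one finding per line; the return value is
# the number of findings, so 0 means the file passes every check.
check_logcheck_conf() {
    conf=$1; findings=0
    level=$(conf_value "$conf" REPORTLEVEL)
    case ${level:-server} in                  # unset means "server"
        workstation|server|paranoid) ;;
        *) echo "REPORTLEVEL=\"$level\" is not workstation, server or paranoid"
           findings=$((findings + 1)) ;;
    esac
    mailto=$(conf_value "$conf" SENDMAILTO)
    if [ -z "$mailto" ]; then
        echo "SENDMAILTO is unset and logcheck supplies no default"
        findings=$((findings + 1))
    else
        case $mailto in
            *@*) ;;
            *) echo "SENDMAILTO=\"$mailto\" has no domain part; reports stay on the monitored host"
               findings=$((findings + 1)) ;;
        esac
    fi
    ruledir=$(conf_value "$conf" RULEDIR)
    case ${ruledir:-/etc/logcheck} in         # unset means the default
        /*) ;;
        *) echo "RULEDIR=\"$ruledir\" is not an absolute path"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Two constructed configs: the page's default with typical slips added, and
# a corrected one. The soc.example.net address is an assumed example domain.
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
WEAK=$CONF_DIR/weak.conf
GOOD=$CONF_DIR/good.conf
cat > "$WEAK" <<'EOF'
REPORTLEVEL="Server"
SENDMAILTO="root"
FQDN=1
RULEDIR="etc/logcheck"
EOF
cat > "$GOOD" <<'EOF'
REPORTLEVEL="server"
# offsite address (assumed, example-only domain)
SENDMAILTO="logcheck-reports@soc.example.net"
FQDN=1
#RULEDIR="/etc/logcheck"
EOF

for f in "$WEAK" "$GOOD"; do
    echo "== $f =="
    check_logcheck_conf "$f" || echo "$? finding(s)"
done
```

Run it against the real file with `check_logcheck_conf /etc/logcheck/logcheck.conf` after sourcing the functions. The checker only recognises double-quoted or unquoted values, which is all the stock file uses; the point of an offsite SENDMAILTO is that an attacker who gains root on the monitored host can otherwise simply delete the local mail spool along with the logs.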

For more details about the logcheck configuration file, see the logcheck man page, reproduced below.

logcheck manpage

NAME
       logcheck -- program to scan system logs for interesting lines

SYNOPSIS
       logcheck [OPTIONS]

DESCRIPTION
       This manual page documents briefly the logcheck command.

       logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail.

OPTIONS
       These programs follow the usual GNU command line syntax. A summary of options is included below.

       -c CFG    Overrule default configuration file.
       -d        Debug mode.
       -h        Show usage information.
       -H        Use this hostname string in the logcheck mail.
       -l LOG    Run logfile through logcheck.
       -L CFG    Overrule default logfiles list.
       -m        Mail report to recipient.
       -o        STDOUT mode, not sending mail.
       -p        Set the report level to "paranoid".
       -r DIR    Overrule default rules directory.
       -R        Adds "Reboot:" to the email subject line.
       -s        Set the report level to "server".
       -S DIR    Overrule default state directory.
       -t        Testing mode does not update offset.
       -T        Do not remove the TMPDIR.
       -u        Enable syslog-summary.
       -v        Print current version.
       -w        Set the report level to "workstation".

FILES
       /etc/logcheck/logcheck.conf is the main configuration file.
       /etc/logcheck/logcheck.logfiles is the list of files to monitor.

SEE ALSO
       logtail(8)

       For hints on how to maintain rules, see README.logcheck-database.gz
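Maintaining rules is easier once you can see how REPORTLEVEL and the rules directories under RULEDIR interact. The script below is an added example, not code from this page or from the logcheck project: a scaled-down model of the pipeline logcheck applies to each batch of new log lines, run over sample lines and rules that are constructed for the example. Like logcheck it treats every rules file as a list of extended regular expressions for grep -E; cracking.d and violations.d select lines to report, the *.ignore.d directories remove lines, and the ignore.d.* directories are cumulative (paranoid applies only ignore.d.paranoid, server adds ignore.d.server, workstation adds ignore.d.workstation). The date/host prefix in the constructed rules has the same shape as the prefix used by logcheck's packaged rules, so a pattern cannot be matched by message text alone.

```shell
#!/bin/sh
# Added example, not from the page or the logcheck project: a model of the
# rule pipeline logcheck runs over each batch of new log lines, using
# constructed rules and constructed sample lines. Every rules file is a
# list of 'grep -E' patterns; *.ignore.d files are applied with 'grep -E -v'.

RULES=$(mktemp -d)          # stands in for RULEDIR=/etc/logcheck
trap 'rm -rf "$RULES"' EXIT
for d in cracking.d violations.d violations.ignore.d \
         ignore.d.paranoid ignore.d.server ignore.d.workstation; do
    mkdir -p "$RULES/$d"
done

# Constructed rules. T is the date/host prefix template; anchoring on it
# keeps a rule from matching the same words inside some other message.
T='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+'
printf '%s\n' "$T sshd\[[[:digit:]]+\]: Failed password for root from" > "$RULES/cracking.d/local"
printf '%s\n' '(attack|denied|refused|reject|[Ff]ailed|FAILED)' > "$RULES/violations.d/local"
printf '%s\n' "$T postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: .* blocked using" \
    > "$RULES/violations.ignore.d/local"
printf '%s\n' "$T sshd\[[[:digit:]]+\]: Received disconnect from" > "$RULES/ignore.d.paranoid/local"
printf '%s\n' "$T CRON\[[[:digit:]]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)" \
              "$T postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject: .* blocked using" \
    > "$RULES/ignore.d.server/local"
printf '%s\n' "$T sshd\[[[:digit:]]+\]: Accepted publickey for" \
              "$T kernel: .*usb [[:digit:]-]+: new .* USB device" \
    > "$RULES/ignore.d.workstation/local"

# Constructed sample lines in traditional syslog format.
LOG=$RULES/sample.log
cat > "$LOG" <<'EOF'
Jan  5 10:00:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan  5 10:00:02 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Jan  5 10:00:03 host sshd[1236]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jan  5 10:00:04 host CRON[2000]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 10:00:05 host su[2100]: FAILED SU (to root) bob on /dev/pts/0
Jan  5 10:00:06 host kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 2 using xhci_hcd
Jan  5 10:00:07 host sshd[1234]: Received disconnect from 192.0.2.10 port 50000:11: disconnected by user
Jan  5 10:00:08 host postfix/smtpd[3000]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; client [203.0.113.5] blocked using zen.spamhaus.org
EOF

# collect DIR...: concatenate the rules files in the given directories into
# one pattern list, dropping blank and comment lines (a simplification).
collect() {
    for d in "$@"; do
        [ -d "$d" ] && cat "$d"/* 2>/dev/null
    done | grep -E -v '^[[:space:]]*(#|$)' || true
}

# logcheck_report LEVEL LOGFILE: print each line that would be reported at
# REPORTLEVEL=LEVEL, tagged with its section. The sections are independent
# greps over the same input, so one line can land in several of them; only
# the [EVENT] section is thinned by the ignore.d.* directories.
logcheck_report() {
    level=$1; log=$2
    dirs="$RULES/ignore.d.paranoid"           # applied at every level
    case $level in
        paranoid) ;;
        server) dirs="$dirs $RULES/ignore.d.server" ;;
        workstation) dirs="$dirs $RULES/ignore.d.server $RULES/ignore.d.workstation" ;;
        *) echo "unknown REPORTLEVEL: $level" >&2; return 1 ;;
    esac
    tmp=$(mktemp -d)
    collect "$RULES/cracking.d"          > "$tmp/cracking"
    collect "$RULES/violations.d"        > "$tmp/violations"
    collect "$RULES/violations.ignore.d" > "$tmp/violations.ignore"
    collect $dirs                        > "$tmp/ignore"   # unquoted: a list
    grep -E -f "$tmp/cracking" "$log" | sed 's/^/[ATTACK] /' || true
    grep -E -f "$tmp/violations" "$log" | grep -E -v -f "$tmp/violations.ignore" \
        | sed 's/^/[SECURITY] /' || true
    grep -E -v -f "$tmp/ignore" "$log" | sed 's/^/[EVENT] /' || true
    rm -rf "$tmp"
}

# count_section LEVEL TAG LOGFILE: number of lines landing in one section.
count_section() {
    logcheck_report "$1" "$3" | grep -c "^\[$2\]" || true
}

echo "== what REPORTLEVEL=server would mail =="
logcheck_report server "$LOG"
```

On the constructed input the server level reports 1 attack line, 3 security lines and 5 system events, paranoid adds the cron and postfix noise back (7 events), and workstation also hides the successful login and the USB message (3 events). The postfix line shows the two ignore mechanisms side by side: violations.ignore.d keeps a harmless "reject" out of Security Events, while ignore.d.server keeps it out of System Events. To try a real rule against a live log without touching the saved offset, use the man page's testing options as the logcheck user, for example `logcheck -o -t -l /var/log/auth.log`, adding `-p`, `-s` or `-w` to compare levels.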