1Logcheck(8) Logcheck(8)
2
3
4
6 logcheck - program to scan system logs for interesting lines
7
9 logcheck [ OPTIONS ]
10
12 The logcheck program helps spot problems and security violations in
13 your logfiles automatically and will send the results to you periodi‐
14 cally in an e-mail. By default logcheck runs as an hourly cronjob just
15 off the hour and after every reboot.
16
17 logcheck supports three level of filtering: "paranoid" is for high-
18 security machines running as few services as possible. Don't use it if
19 you can't handle its verbose messages. "server" is the default and
20 contains rules for many different daemons. "workstation" is for shel‐
21 tered machines and filters most of the messages. The ignore rules work
22 in additive manner. "paranoid" rules are also included at level
23 "server". "workstation" level includes both "paranoid" and "server"
24 rules.
25
26 The messages reported are sorted into three layers, system events,
27 security events and attack alerts. The verbosity of system events is
28 controlled by which level you choose, paranoid, server or workstation.
29 However, security events and attack alerts are not affected by this.
30
32 logcheck can be invoked directly thanks to su(8) or sudo(8), which
33 change the user ID. The following example checks the logfiles without
34 updating the offset and outputs everything to STDOUT.
35
36 sudo -u logcheck logcheck -o -t
37
39 A summary of options is included below.
40
41 -c CFG Overrule default configuration file.
42
43 -d Debug mode.
44
45 -h Show usage information.
46
47 -H Use this hostname string in the subject of logcheck mail.
48
49 -l LOG Run logfile through logcheck.
50
51 -L CFG Overrule default logfiles list.
52
53 -D DIR Overrule default logfiles lists directory
54
55 -m Mail report to recipient.
56
57 -o STDOUT mode, not sending mail.
58
59 -p Set the report level to "paranoid".
60
61 -r DIR Overrule default rules directory.
62
63 -R Adds "Reboot:" to the email subject line.
64
65 -s Set the report level to "server".
66
67 -S DIR Overrule default state directory.
68
69 -t Testing mode does not update offset.
70
71 -T Do not remove the TMPDIR.
72
73 -u Enable syslog-summary.
74
75 -v Print current version.
76
77 -w Set the report level to "workstation".
78
80 /etc/logcheck/logcheck.conf is the main configuration file.
81
82 /etc/logcheck/logcheck.logfiles is the list of files to monitor.
83
84 /etc/logcheck/logcheck.logfiles.d is the directory of lists of files to
85 monitor.
86
87 /usr/share/doc/logcheck-database/README.logcheck-database.gz for hints
88 on how to write, test and maintain rules.
89
91 0 upon success; 1 upon failure
92
94 logtail(8)
95
97 logcheck is developed by Debian logcheck Team at alioth:
98 http://alioth.debian.org/projects/logcheck/.
99
100 This manual page was written by Jon Middleton.
101
102
103
104 May 3, 2005 Logcheck(8)