The logcheck program helps spot problems and security violations in your logfiles automatically and will send the results to you periodically in an e-mail. By default logcheck runs as an hourly cronjob just off the hour and after every reboot.
logcheck supports three level of filtering: "paranoid" is for high-security machines running as few services as possible. Don't use it if you can't handle its verbose messages. "server" is the default and contains rules for many different daemons. "workstation" is for sheltered machines and filters most of the messages. The ignore rules work in additive manner. "paranoid" rules are also included at level "server". "workstation" level includes both "paranoid" and "server" rules.
The messages reported are sorted into three layers, system events, security events and attack alerts. The verbosity of system events is controlled by which level you choose, paranoid, server or workstation. However, security events and attack alerts are not affected by this.
logcheck can be invoked directly thanks to su(8) or sudo(8), which change the user ID. The following example checks the logfiles without updating the offset and outputs everything to STDOUT.
sudo -u logcheck logcheck -o -t
A summary of options is included below.
/etc/logcheck/logcheck.conf is the main configuration file.
/etc/logcheck/logcheck.logfiles is the list of files to monitor.
/usr/share/doc/logcheck-database/README.logcheck-database.gz for hints on how to write, test and maintain rules.
0 upon success; 1 upon failure
logcheck is developed by Debian logcheck Team at alioth: http://alioth.debian.org/projects/logcheck/.
This manual page was written by Jon Middleton.