LOGCHECK - Documentation

From IT-Arts.net

Command Usage

`logcheck` (the Debian package, which is what most hosts run) is a shell script that accepts single-letter options only; there are no long `--` forms. The basic syntax is:

logcheck [options]

`logcheck -h` prints the complete list for the installed version. The options a practitioner reaches for most often:

  • -c <file>: Use this configuration file instead of /etc/logcheck/logcheck.conf.
  • -L <file>: Use this list of log files instead of /etc/logcheck/logcheck.logfiles.
  • -l <file>: Examine this single log file instead of the configured list (handy for a one-off check).
  • -r <dir>: Read the rule directories (cracking.d, violations.d, ignore.d.*) from this directory instead of /etc/logcheck.
  • -S <dir>: Keep the logtail offset files in this state directory instead of /var/lib/logcheck.
  • -m <address>: Mail the report to this address instead of the SENDMAILTO value from the configuration file.
  • -o: Print the report on standard output instead of mailing it.
  • -p, -s, -w: Run at the paranoid, server or workstation report level, overriding REPORTLEVEL (`-s` selects the server level; it has nothing to do with sending mail).
  • -t: Testing mode: the offset files are not advanced, so the same lines are examined again on the next run. Mail is still sent unless -o is given as well.
  • -d: Debug mode, tracing what the script does.
  • -R: Prefix the mail subject with "Reboot:" (used by the @reboot cron entry).
  • -h: Print a usage message and exit.

There is no option that names a filter or an ignore list: what gets reported is decided entirely by the rule files described under "Filtering Logs".

Configuration File

The main configuration file for `logcheck` is `/etc/logcheck/logcheck.conf`. It is a shell fragment sourced by the script, so settings are plain KEY="value" assignments. It controls reporting and delivery, not the filtering itself: the files to read are listed in `/etc/logcheck/logcheck.logfiles` (one path per line), and the patterns live in the rule directories under `/etc/logcheck` (see "Filtering Logs"); regular expressions never go in logcheck.conf. Key options in this file include:

  • **REPORTLEVEL**: One of `paranoid`, `server` (the default) or `workstation`. Selects which ignore rule directories are applied; the higher the level, the more known noise is suppressed.
  • **SENDMAILTO**: The address or local user the report is mailed to. The default is the local `logcheck` user, so on a real host set it to a mailbox somebody reads.
  • **MAILASATTACH**: Set to 1 to send the report as an attachment rather than in the message body.
  • **FQDN**: Set to 1 to put the fully qualified hostname in the subject line, which matters when one mailbox receives reports from many hosts.
  • **ATTACKSUBJECT**, **SECURITYSUBJECT**, **EVENTSSUBJECT**: The headings of the three report sections ("Security Alerts", "Security Events" and "System Events" by default).

An example of a basic configuration entry in `/etc/logcheck/logcheck.conf`:

# Report level: paranoid, server or workstation
REPORTLEVEL="server"

# Recipient of the logcheck report
SENDMAILTO="admin@example.com"

# Use the fully qualified hostname in the mail subject
FQDN=1

Filtering Logs

`logcheck` uses regular expressions (regex) to filter through log files. The tool has predefined filters (e.g., for security, system, and authentication logs) but can also be customized with user-defined filters. Some common filters include:

  • **Security**: Focuses on logs related to potential security breaches.
  • **System**: Filters standard system events and errors.
  • **Applications**: Targets logs from applications such as Apache or MySQL.

You can specify a custom filter by using the `-f` option when running `logcheck`.

Example:

logcheck -f security

This command checks the logs against the security filter.
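
The pipeline described above, as an added example that is not logcheck's own code: a small POSIX sh re-implementation of the three-stage classification, run over constructed log lines and constructed rule files so the interaction of the rule directories can be observed. It assumes one extended regular expression per line matched case-sensitively with grep -E, removes a line from further processing once it has been reported so each line appears in one section, and lets a line excepted by a *.ignore.d file fall through to the next stage. Every path, pattern and log line in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a minimal re-implementation of the
# classification pipeline, run over constructed log lines and constructed rule
# files. Assumptions: one extended regular expression per line, matched
# case-sensitively with grep -E; every path, pattern and log line is made up.
set -u

# Build a scratch tree that mirrors the rule directories under /etc/logcheck.
setup_demo() {
    DEMO=$(mktemp -d)
    trap 'rm -rf "$DEMO"' EXIT
    for d in cracking.d cracking.ignore.d violations.d violations.ignore.d ignore.d.server; do
        mkdir -p "$DEMO/$d"
    done
    # Constructed sample log lines (not from a real host).
    cat >"$DEMO/auth.log" <<'EOF'
Mar  3 10:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:05 host sshd[2222]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
Mar  3 10:00:09 host sshd[2223]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:00:12 host sshd[2224]: Failed password for root from 198.51.100.7 port 40023 ssh2
Mar  3 10:01:00 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar  3 10:02:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
EOF
    # cracking.d: a matching line is a Security Alert.
    echo 'sshd\[[0-9]+\]: Failed password for (invalid user )?root from' >"$DEMO/cracking.d/local"
    # violations.d: Security Events, minus the exceptions in violations.ignore.d.
    printf '%s\n' 'Failed password' 'sudo:' >"$DEMO/violations.d/local"
    echo 'sudo: +alice : .* COMMAND=/bin/bash$' >"$DEMO/violations.ignore.d/local"
    # ignore.d.server: known-good noise, anchored to the whole line in the
    # "^<date> <host> <daemon>[...]" style the Debian rule files use.
    printf '%s\n' \
        '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$' \
        '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [[:alnum:]]+ from [.0-9]+ port [0-9]+ ssh2$' \
        >"$DEMO/ignore.d.server/local"
}

# classify LOG RULEDIR LEVEL: print "SECTION: line" for every input line, where
# SECTION is ALERT, EVENT, SYSTEM or IGNORED (IGNORED lines would not be mailed).
classify() {
    log=$1; rules=$2; level=$3
    tmp=$(mktemp -d)
    cp "$log" "$tmp/remaining"
    : >"$tmp/report"
    # Stages 1 and 2: positive patterns minus their *.ignore.d exceptions.
    # A reported line is removed from "remaining" so it is reported only once;
    # an excepted line stays in "remaining" and falls through to stage 3.
    for stage in 'ALERT cracking.d cracking.ignore.d' 'EVENT violations.d violations.ignore.d'; do
        set -- $stage
        cat "$rules/$2"/* >"$tmp/match" 2>/dev/null || :
        cat "$rules/$3"/* >"$tmp/except" 2>/dev/null || :
        grep -E -f "$tmp/match" "$tmp/remaining" >"$tmp/hits" || :
        if [ -s "$tmp/except" ]; then
            grep -E -v -f "$tmp/except" "$tmp/hits" >"$tmp/hits2" || :
            mv "$tmp/hits2" "$tmp/hits"
        fi
        if [ -s "$tmp/hits" ]; then
            awk -v s="$1" '{print s ": " $0}' "$tmp/hits" >>"$tmp/report"
            grep -F -v -x -f "$tmp/hits" "$tmp/remaining" >"$tmp/rest" || :
            mv "$tmp/rest" "$tmp/remaining"
        fi
    done
    # Stage 3: the ignore levels are cumulative; whatever no ignore pattern
    # covers is a System Event.
    case $level in
        paranoid)    dirs='ignore.d.paranoid' ;;
        server)      dirs='ignore.d.paranoid ignore.d.server' ;;
        workstation) dirs='ignore.d.paranoid ignore.d.server ignore.d.workstation' ;;
        *) echo "unknown level $level" >&2; rm -rf "$tmp"; return 1 ;;
    esac
    for d in $dirs; do cat "$rules/$d"/* 2>/dev/null || :; done >"$tmp/ignore"
    if [ -s "$tmp/ignore" ]; then
        grep -E -f "$tmp/ignore" "$tmp/remaining" | awk '{print "IGNORED: " $0}' >>"$tmp/report" || :
        grep -E -v -f "$tmp/ignore" "$tmp/remaining" >"$tmp/hits" || :
    else
        cp "$tmp/remaining" "$tmp/hits"
    fi
    awk '{print "SYSTEM: " $0}' "$tmp/hits" >>"$tmp/report"
    cat "$tmp/report"
    rm -rf "$tmp"
}

# summary LOG RULEDIR LEVEL: count the lines per section.
summary() {
    classify "$1" "$2" "$3" | awk -F': ' '{n[$1]++}
        END {printf "ALERT=%d EVENT=%d SYSTEM=%d IGNORED=%d\n", n["ALERT"], n["EVENT"], n["SYSTEM"], n["IGNORED"]}'
}

# Run "$@" with the over-broad pattern "sshd" temporarily added to
# cracking.ignore.d: the kind of exception that silences the alert it was
# never meant to touch.
with_overbroad_exception() {
    echo 'sshd' >"$DEMO/cracking.ignore.d/oops"
    "$@"
    rm -f "$DEMO/cracking.ignore.d/oops"
}

setup_demo
echo '== report at server level =='
classify "$DEMO/auth.log" "$DEMO" server
echo '== section counts per report level =='
for lvl in paranoid server workstation; do
    printf '%s: %s\n' "$lvl" "$(summary "$DEMO/auth.log" "$DEMO" "$lvl")"
done
echo '== same log with "sshd" in cracking.ignore.d =='
with_overbroad_exception summary "$DEMO/auth.log" "$DEMO" server
```

Run it with sh. At server level the root password failure is the only Security Alert, the other failed login is a Security Event, the sudo line is excepted from Security Events but, because no ignore.d rule covers it, resurfaces under System Events next to the kernel message, and the cron and accepted-login lines are dropped. At paranoid level nothing is dropped. The last summary shows the cost of the over-broad exception: the alert count falls to zero and the brute-force attempt is demoted to one Security Event among the other failed logins.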

Running Logcheck Automatically

The Debian package installs its own schedule in /etc/cron.d/logcheck, so normally nothing has to be added by hand. It runs `logcheck` once an hour, two minutes past the hour, as the unprivileged `logcheck` user, plus once after every boot with -R so the subject line marks that run as post-reboot:

@reboot         logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
2 * * * *       logcheck    if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi

To change the cadence, edit the time fields of that entry (for example `0 0 * * *` for a single daily report) rather than adding a second crontab: two schedules would each advance the offset files and split the report between them. Keep the `logcheck` user as well: the script refuses to run as root, and the user only needs read access to the log files (on Debian, membership in the adm group) plus write access to its state directory. If the entry is moved into the logcheck user's own crontab instead of /etc/cron.d, drop the user column. Each run mails its report to the configured address; runs that find nothing to report send no mail.

Example: Basic Logcheck Execution

A manual run that prints the report instead of mailing it and leaves the offset files untouched, so the next cron run still sees the same lines:

sudo -u logcheck logcheck -o -t

Run it as the `logcheck` user, exactly as cron does: as root the script refuses to start, and running as some other user would leave behind offset files that user owns. Without -t the run advances the offsets and the lines shown are never reported again; without -o the output goes by mail even in testing mode.

Example: Running Logcheck with Custom Rules

Site-specific patterns go in your own file inside the appropriate rule directory, for example an ignore rule for a local daemon in /etc/logcheck/ignore.d.server/local. To try a complete alternative rule tree without touching /etc/logcheck, point `logcheck` at it with -r:

sudo -u logcheck logcheck -o -t -r /path/to/rules

The directory given to -r must contain the same subdirectories as /etc/logcheck (cracking.d, cracking.ignore.d, violations.d, violations.ignore.d and the ignore.d.* directories). `logcheck` reads its rules from there instead of the default tree, so the output of a candidate rule set can be compared with that of the installed one on the same log lines before anything is copied into place.

Logs and Output

On each run `logcheck` reads the files listed in /etc/logcheck/logcheck.logfiles (on Debian, /var/log/syslog and /var/log/auth.log by default) through logtail, which records an offset and inode per file under /var/lib/logcheck so that only lines appended since the previous run are examined; a rotated file is recognised by its changed inode and read from the start. Lines that survive the rule pipeline are collected into one report, which is mailed to the SENDMAILTO address (or printed with -o). If no line survives, no mail is sent.

The report is divided into three sections, in this order:

  • **Security Alerts**: Lines matching cracking.d patterns, i.e. recognised attack signatures. These warrant immediate investigation.
  • **Security Events**: Lines matching violations.d patterns: failed logins, denied access, sudo use and similar security-relevant activity.
  • **System Events**: Every remaining line that no ignore rule covered. This is where new noise appears; the goal of tuning the ignore rules is to keep this section short enough that the report is actually read.