Getting Started With logcheck
logcheck is an updated version of logsentry (from the
sentrytools package), which is a tool to analyze the system logs.
Additionally, logcheck comes with a built-in database of common,
not-interesting log messages to filter out the noise. The general idea of the
tool is that all messages are interesting, except the ones explicitly marked as
noise. logcheck periodically sends you an e-mail with a summary of
It is strongly recommended to remove logsentry if you have it installed on
your system. Additionally, you should remove /etc/logcheck to avoid permission
and file collision problem.
Code Listing 1.1: Removing logsentry
# emerge -C logsentry
# rm -rf /etc/logcheck
Now you can proceed with the installation of logcheck.
Code Listing 1.2: Installing logcheck
# emerge -av app-admin/logcheck
logcheck creates a separate user "logcheck" to avoid running as root.
Actually, it will refuse to run as root. To allow it to analyze the logs,
you need to make sure they are readable by logcheck. Here is an example
Code Listing 1.3: /etc/syslog-ng/syslog-ng.conf snippet
Now reload the configuration and make sure the changes work as expected.
Code Listing 1.4: Reload syslog-ng configuration
# /etc/init.d/syslog-ng reload
# ls -l /var/log/messages
-rw-r----- 1 root logcheck 1694438 Feb 12 12:18 /var/log/messages
You should now adjust some basic logcheck settings in
Code Listing 1.5: Basic /etc/logcheck/logcheck.conf setup
# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "firstname.lastname@example.org"
# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.
You also have to tell logcheck which log files to scan
Code Listing 1.6: Basic /etc/logcheck/logcheck.logfiles setup
Finally, enable the logcheck cron job.
Code Listing 1.7: Enable logcheck cron job
# nano -w /etc/cron.hourly/logcheck.cron
For more information about cron read the Cron
Congratulations! Now you will be regularly getting important log messages by
email. An example message looks like this:
Code Listing 1.8: Example logcheck message
Feb 10 17:13:53 localhost kernel: [30233.238342] conftest: segfault at 40 ip 40061403 sp bfc443c4 error 4
Feb 11 12:31:21 localhost postfix/pickup: fatal: could not find any active network interfaces
Feb 11 12:31:22 localhost postfix/master: warning: process //usr/lib/postfix/pickup pid 18704 exit status 1
Feb 11 12:31:22 localhost postfix/master: warning: //usr/lib/postfix/pickup: bad command startup -- throttling
You can use the logcheck's -d switch to display more debugging
Code Listing 2.1: Debugging logcheck
# su -s /bin/bash -c '/usr/sbin/logcheck -d' logcheck
D:  Turning debug mode on
D:  Sourcing - /etc/logcheck/logcheck.conf
D:  Finished getopts c:dhH:l:L:m:opr:RsS:tTuvw
D:  Trying to get lockfile: /var/lock/logcheck/logcheck.lock
D:  Running lockfile-touch /var/lock/logcheck/logcheck.lock
D:  cleanrules: /etc/logcheck/cracking.d/kernel
D:  cleanrules: /etc/logcheck/violations.d/su
D:  cleanrules: /etc/logcheck/violations.d/sudo
D:  logoutput called with file: /var/log/messages
D:  Running /usr/sbin/logtail2 on /var/log/messages
D:  Sorting logs
D:  Setting the Intro
D:  Checking for security alerts
D:  greplogoutput: kernel
D:  greplogoutput: returning 1
D:  Checking for security events
D:  greplogoutput: su
D:  greplogoutput: Entries in checked
D:  cleanchecked - file: /tmp/logcheck.uIFLqU/violations-ignore/logcheck-su
D:  report: cat'ing - Security Events for su
D:  report: cat'ing - System Events
D:  Setting the footer text
D:  Sending report: 'localhost 2010-08-09 03:53 Security Events' to root
D:  cleanup: Killing lockfile-touch - 17979
D:  cleanup: Removing lockfile: /var/lock/logcheck/logcheck.lock
D:  cleanup: Removing - /tmp/logcheck.uIFLqU
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.