Revised logcheck man page
Here is my revised version of the logcheck man page. The package
author has neither reviewed nor approved it, but I think it is
accurate. I couldn't figure out how logcheck worked, so I read the
code and then documented it.
Note that the subject headings for email messages given in the man
page below are not the current ones, but reflect other patches I made.
The current headings are
ATTACKSUBJECT="Security Alerts"
VIOLATIONSSUBJECT="Security Violations"
EVENTSSUBJECT="System Events"
There is also evidence that earlier versions of logcheck handled the
server/workstation/paranoid issue differently than the current one.
The behavior described is for logcheck 1.2.15.
For additional information see bug 215640. Direct comments,
corrections, and, ideally, patches, to there as appropriate. Since
that bug is in the distribution list of this message, please remove
the bug from your reply list otherwise.
By the way, my statement below that it removes duplicates seems to
have been a bit optimistic.
logcheck(8) logcheck(8)
NAME
logcheck -- program to scan system logs for interesting lines
SYNOPSIS
logcheck [OPTIONS]
DESCRIPTION
logcheck is a program that scans system logs and reports if it finds
anything suspicious. By default, it mails the report to root.
The default setup considers all messages in /var/log/syslog and
/var/log/auth.log since the last run. It attempts to follow the files
even if they have been rotated. It classifies these messages as, in
order of decreasing severity, attacks, violations, events, or of no
interest. A message will only appear in a single category, and
duplicate log messages are discarded.
Running the program at the paranoid level will produce the most output,
workstation the least, and server an intermediate level of output.
Configure this through the command line or the configuration file
logcheck.conf.
Ordinarily, logcheck runs as an hourly cron job.
logcheck identifies suspicious messages by matching them against
regular expressions in files in its configuration directories. It ignores
initially suspicious lines that also match patterns in its ignore
directories. The files should contain only patterns, comment lines
starting with # in the first column, and blank lines. Matching uses
patterns in the egrep(1) style.
Log messages that match regular expressions in files under
/etc/logcheck/cracking.d/ are considered possible "attacks." If the
optional parameter SUPPORT_CRACKING_IGNORE is set to 1 in
/etc/logcheck/logcheck.conf (it is not by default) then it discards
lines matching patterns in the files of
/etc/logcheck/cracking.ignore.d/. If any lines remain, the message
subject line will be "Security: Possible Attacks" (controlled by
ATTACKSUBJECT in logcheck.conf).
Log messages matching expressions in files under
/etc/logcheck/violations.d/, but not in cracking.d/, are possible
security "violations."
Exactly which ignore directories are considered depends on the report
level selected. logcheck always uses ignore patterns from files in
ignore.d/ and ignore.d.paranoid/. Additionally, if the check runs at
the server level, the ignore files include those in ignore.d.server/ as
well. Checks at workstation level use all those exclusions as well as
those in ignore.d.workstation/. If files with the same name appear in
several directories all of them are checked. If any log lines match
after all the ignores are processed, they are reported with "Security:
Possible Violations" (VIOLATIONSSUBJECT in logcheck.conf).
Finally, if any log lines are neither ignored nor reported as a
violation or an attack, they appear as "Security: System Events"
(EVENTSSUBJECT).
The exact rules for processing the ignore files are somewhat involved.
o If a log line matches a pattern in foo (e.g.,
/etc/logcheck/cracking.d/foo or /etc/logcheck/violations.d/foo) it is
ignored if it also matches a pattern in a file named foo in one of the
relevant ignore.d directories.
o For security patterns from the file named logcheck only, any ignore
patterns from files named logcheck-* apply as well.
o All log lines matching patterns in ignore files named local or
local-* are ignored, whatever security file they matched.
o Files named logcheck-* in cracking.d/ and violations.d/ are
ignored, i.e., their patterns are not used to determine suspicious
entries. Such files should only go in the ignore.d directories.
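To make the level-dependent ignore directories and the four ignore-file rules above concrete, here is an added Python model of the classification the man page describes. It is not logcheck's own code (which is a shell script around egrep); the rule directories, file names, patterns and log lines are constructed for the example, and attacks are never discarded because SUPPORT_CRACKING_IGNORE is assumed to be at its default of off.

```python
import re
# Constructed rule files modelling the layout the man page describes, {dir: {file: [patterns]}}.
# Illustrative patterns only; these are not logcheck's shipped rule files.
RULES = {
    "cracking.d":           {"sshd": [r"sshd\[\d+\]: Illegal user"]},
    "violations.d":         {"logcheck": [r"su\[\d+\]: FAILED SU"],
                             "sshd": [r"sshd\[\d+\]: Failed password"],
                             "logcheck-foo": [r"."]},      # rule 4: skipped as a rule file
    "ignore.d":             {"local-ops": [r"Failed password for \w+ from 10\.0\.0\.5 "]},
    "ignore.d.paranoid":    {"logcheck-su": [r"FAILED SU \(to root\) monitor on"],
                             "logcheck-sshd": [r"Failed password for monitor"]},
    "ignore.d.server":      {"sshd": [r"Failed password for invalid user"]},
    "ignore.d.workstation": {"cron": [r"CRON\[\d+\]: .*session opened"]},
}
# Ignore directories active at each report level; paranoid ignores the least.
LEVEL_DIRS = {"paranoid": ["ignore.d", "ignore.d.paranoid"]}
LEVEL_DIRS["server"] = LEVEL_DIRS["paranoid"] + ["ignore.d.server"]
LEVEL_DIRS["workstation"] = LEVEL_DIRS["server"] + ["ignore.d.workstation"]
def _matches(line, patterns):
    return any(re.search(p, line) for p in patterns)

def _ignore_files(level):
    """(file name, patterns) pairs from every ignore directory active at this level."""
    for d in LEVEL_DIRS[level]:
        yield from RULES.get(d, {}).items()

def _security_hit(line, rule_dir):
    """Name of the first file in rule_dir that matches, skipping logcheck-* files (rule 4)."""
    for name, pats in RULES[rule_dir].items():
        if not name.startswith("logcheck-") and _matches(line, pats):
            return name
    return None

def _ignored(line, rule_file, level):
    """Rules 1-3: only a same-named file, logcheck-* (for rule file 'logcheck') or local* apply."""
    for name, pats in _ignore_files(level):
        applies = (name == rule_file or name == "local" or name.startswith("local-")
                   or (rule_file == "logcheck" and name.startswith("logcheck-")))
        if applies and _matches(line, pats):
            return True
    return False

def classify(line, level="server"):
    """Return 'attack', 'violation', 'event', or None when the line is dropped."""
    if _security_hit(line, "cracking.d"):
        return "attack"   # SUPPORT_CRACKING_IGNORE is off by default, so nothing discards attacks
    hit = _security_hit(line, "violations.d")
    if hit:
        return None if _ignored(line, hit, level) else "violation"
    return None if any(_matches(line, p) for _, p in _ignore_files(level)) else "event"
```

Note that a line flagged by violations.d/sshd is not suppressed by an ignore file named logcheck-sshd: the logcheck-* pairing only applies to the security file named logcheck, so per-package ignore files must carry the package's own name.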
OPTIONS
This program follows the usual GNU command line syntax. A summary of
options is included below.
-c CFG Overrule the default configuration file.
-d Debug mode.
-h Show usage information.
-l LOG Overrule the default logfile.
-o STDOUT mode: write the report to standard output instead of sending mail.
-p Set the report level to "paranoid".
-r DIR Overrule the default rules directory.
-R Add "Reboot:" to the email subject line.
-s Set the report level to "server".
-S DIR Overrule the default state directory.
-t Do not remove the TMPDIR.
-w Set the report level to "workstation".
FILES
/etc/logcheck/ location of all configuration files.
/etc/logcheck/logcheck.conf main configuration file; set options here.
/etc/logcheck/logcheck.logfiles list of paths of files with log
information to inspect.
/etc/logcheck/cracking.d/ Lines in the logfiles that match regular
expressions in files in this directory indicate possible serious
security violations ("attacks").
/etc/logcheck/cracking.ignore.d/ If /etc/logcheck/logcheck.conf has
SUPPORT_CRACKING_IGNORE=1 (which it does not by default) these patterns
exclude entries in cracking.d/.
/etc/logcheck/violations.d/ Logfile lines matching these patterns are
potential security violations.
/etc/logcheck/violations.ignore.d/ and /etc/logcheck/ignore.d.level/,
where level is one of paranoid, server, or workstation, hold patterns
of violations to ignore.
/etc/logcheck/header.txt, /etc/logcheck/footer.txt optional material
for start and end of emailed notices.
Modifying these files
Package foo can add files named foo to the appropriate directories. If
it wishes to cause some items from logcheck's output to be ignored, it
should create logcheck-foo in an appropriate directory.
Administrators should put their changes in files named local or local-*
to preserve them across package upgrades.
SEE ALSO
egrep(1)
AUTHORS
This manual page was written by Jon Middleton and Ross Boylan.