These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Configuring Logcheck


One of the unfortunate things about this whole Psionic upheaval is that there is no set standard place for configuring Logcheck.

Often, people will recommend simply editing the Logcheck script (which is a shell script) by hand and tweaking the settings there. More sensible Logcheck installations (such as those you will find in Red Hat, Debian, and FreeBSD) instead use system-wide configuration files in /etc/logcheck. This is the way we will configure Logcheck.

/etc/logcheck/logcheck.conf

If you are using a "sensible" Logcheck installation, then you will find a logcheck.conf file for configuration. This file is a shell script as well, but is sourced by Logcheck when it runs. Let's now look at a typical logcheck.conf file:
 # The following variable settings are the initial default values,
 # which can be uncommented and modified to alter logcheck's
 # behaviour

 # Controls the format of date-/time-stamps in subject lines:
 # Alternatively, set the format to suit your locale
 #DATE="$(date +'%Y/%m/%d %H:%M')"

 # Controls the presence of boilerplate at the top of each message:
 # Alternatively, set to "0" to disable the introduction.
 #
 # If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
 # are present their contents will be read and used as the header and
 # footer of any generated mails.
 #
 #INTRO=1

 # Controls the level of filtering: 
 # Can be Set to "workstation", "server" or "paranoid" for different
 # levels of filtering. Defaults to paranoid if not set.
 REPORTLEVEL="server"

 # Controls the address mail goes to:
 # *NOTE* the script does not set a default value for this variable!
 # May be set to "emailaddress@some.domain.tld"
 SENDMAILTO="root"

 # Controls whether "sort -u" is used on log entries (which will
 # eliminate duplicates but destroy the original ordering); the
 # default is to use "sort -k 1,3 -s":
 # Alternatively, set to "1" to enable unique sorting
 #SORTUNIQ=0

 # Controls whether /etc/logcheck/cracking.ignore.d is scanned for
 # exceptions to the rules in /etc/logcheck/cracking.d:
 # Alternatively, set to "1" to enable cracking.ignore support
 #SUPPORT_CRACKING_IGNORE=0

 # Controls the base directory for rules file location
 # This must be an absolute path
 #RULEDIR="/etc/logcheck"

 # Controls if syslog-summary is run over each section.
 # Alternatively, set to "1" to enable extra summary.
 #SYSLOGSUMMARY=0

 # Controls Subject: lines on logcheck reports:
 #ATTACKSUBJECT="Attack Alerts"
 #VIOLATIONSSUBJECT="Security Violations"
 #EVENTSSUBJECT="System Events"

/etc/logcheck/logcheck.logfiles

This file tells Logcheck which files to monitor. You simply list the files, one per line. An example follows:
 # these files will be checked by logcheck
 # This has been tuned towards a default syslog install
 /var/log/syslog
 /var/log/auth.log
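Neither file is checked for mistakes until Logcheck runs, at which point a bad REPORTLEVEL, an unset SENDMAILTO or a log file that is not readable means reports quietly go missing. The following self-check is an added example, not part of Logcheck or of these notes; it writes constructed sample files to a scratch directory and assumes the variable names shown in the logcheck.conf above.

```shell
#!/bin/sh
# Self-check for a logcheck.conf / logcheck.logfiles pair. Added example,
# not Logcheck's own code; uses the variable names from the logcheck.conf above.

check_logcheck_conf() {
    # Source the file in a subshell so its assignments stay contained, starting
    # from the script's defaults: RULEDIR has one, SENDMAILTO deliberately does not.
    (
        REPORTLEVEL=""; SENDMAILTO=""; RULEDIR="/etc/logcheck"
        . "$1" || exit 1
        rc=0
        case "$REPORTLEVEL" in
            ""|workstation|server|paranoid) ;;   # empty means the paranoid default
            *) echo "bad REPORTLEVEL: $REPORTLEVEL" >&2; rc=1 ;;
        esac
        # With no default for SENDMAILTO, an empty value means reports go nowhere
        [ -n "$SENDMAILTO" ] || { echo "SENDMAILTO is not set" >&2; rc=1; }
        case "$RULEDIR" in
            /*) [ -d "$RULEDIR" ] || { echo "RULEDIR missing: $RULEDIR" >&2; rc=1; } ;;
            *)  echo "RULEDIR must be absolute: $RULEDIR" >&2; rc=1 ;;
        esac
        exit "$rc"
    )
}

check_logcheck_logfiles() {
    missing=0
    # One path per line; comment and blank lines are skipped as in the example above
    while read -r f; do
        case "$f" in ''|\#*) continue ;; esac
        [ -r "$f" ] || { echo "not readable: $f" >&2; missing=$((missing + 1)); }
    done < "$1"
    [ "$missing" -eq 0 ]
}

# Constructed sample files in a scratch directory, so the checks run offline
tmp=$(mktemp -d); mkdir -p "$tmp/logs"; : > "$tmp/logs/syslog"
printf 'REPORTLEVEL="server"\nSENDMAILTO="root"\nRULEDIR="%s"\n' "$tmp" > "$tmp/good.conf"
printf 'REPORTLEVEL="verbose"\n#SENDMAILTO="root"\nRULEDIR="etc/logcheck"\n' > "$tmp/bad.conf"
printf '# tuned for a default syslog install\n%s\n%s\n' \
    "$tmp/logs/syslog" "$tmp/logs/auth.log" > "$tmp/logcheck.logfiles"

check_logcheck_conf "$tmp/good.conf" && echo "good.conf: ok"
check_logcheck_conf "$tmp/bad.conf" || echo "bad.conf: rejected"
check_logcheck_logfiles "$tmp/logcheck.logfiles" || echo "logfiles: an entry is unreadable"
```

Point the two functions at the real /etc/logcheck files to check a live installation; the scratch directory under $tmp can be removed afterwards.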



Last edited June 28, 2003 3:22 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.