These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Introduction To Logcheck


Logcheck is the answer to the nightmare of reading system logs by hand. From a Logcheck HOWTO:
Logcheck was created to help in processing system logfiles generated by system daemons, TCP wrappers, log daemons, etc.

Logcheck helps spot problems and security violations in your logfiles automatically as specified by entries in the rules files that logcheck consults.

Logcheck utilizes a program called logtail that remembers the last position it read from in a log file and uses this position on subsequent runs to process new information. Then a shell script proceeds to analyze the extracted entries from the log files, and generates a report that gets sent out as an e-mail.

Think of Logcheck as your little secretary who does the tedious task of going through your mountains of paperwork and telling you which items actually need your attention.
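To make the logtail-plus-rules mechanism described above concrete, here is a minimal pass written for these notes in POSIX sh. It is an added example, not code from the Logcheck or LogSentry project: the log lines, the rule patterns, the file names under $WORK and the two report headings are all constructed for this demonstration. It keeps a logtail-style byte offset so each run sees only new lines, reports any line matching a positive "violations" pattern, and drops the remainder that match an ignore pattern, which is exactly the filtering the HOWTO summarises.

```shell
#!/bin/sh
# Added example, not code from the Logcheck/LogSentry project: a minimal
# logtail-plus-rules pass in POSIX sh. The log lines, rule patterns, paths
# and section headings below are constructed for this demonstration.

WORK="${TMPDIR:-/tmp}/logcheck-demo.$$"

# Write a small constructed log and the two rule files the pass consults.
make_sample_data() {
    mkdir -p "$WORK"
    cat > "$WORK/messages" <<'EOF'
Jun 27 18:02:03 rygel postfix/local[2426]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jun 27 18:03:08 rygel inetd[265]: sunrpc/tcp: bind: Address already in use
Jun 27 18:05:41 rygel sshd[3120]: Failed password for root from 10.0.0.5 port 40112 ssh2
Jun 27 18:06:02 rygel cron[3201]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    # Positive patterns: any new line matching one is reported as a violation.
    cat > "$WORK/violations.rules" <<'EOF'
Failed password
EOF
    # Ignore patterns: one extended regex per line, applied to everything else.
    cat > "$WORK/ignore.rules" <<'EOF'
postfix/local\[[0-9]+\]: warning: dict_nis_init:
inetd\[[0-9]+\]: sunrpc/tcp: bind: Address already in use
EOF
    : > "$WORK/messages.offset"   # logtail-style offset file: nothing read yet
}

# logtail equivalent: print only the bytes appended since the saved offset,
# then record the new end of file. A file smaller than the saved offset has
# been rotated or truncated, so reading restarts from the beginning.
tail_new() {
    log="$1"; off="$2"
    last=$(cat "$off" 2>/dev/null); last=${last:-0}
    size=$(($(wc -c < "$log")))
    [ "$size" -lt "$last" ] && last=0
    tail -c +$((last + 1)) "$log"
    printf '%s\n' "$size" > "$off"
}

# grep wrapper: exit status 1 means "no line selected", which is a normal
# outcome here, not an error; a real error (status 2, missing file) still fails.
quiet_grep() {
    grep "$@" || [ $? -eq 1 ]
}

# One pass over the new lines. Prints only the report sections that have
# content; an empty result means there was nothing new worth reporting.
run_pass() {
    new="$WORK/new.$$"
    tail_new "$WORK/messages" "$WORK/messages.offset" > "$new"
    viol=$(quiet_grep -E -f "$WORK/violations.rules" "$new")
    events=$(quiet_grep -E -v -f "$WORK/violations.rules" "$new" |
             quiet_grep -E -v -f "$WORK/ignore.rules")
    rm -f "$new"
    if [ -n "$viol" ]; then
        printf 'Security Violations\n=-=-=-=-=-=-=-=-=-=\n%s\n\n' "$viol"
    fi
    if [ -n "$events" ]; then
        printf 'Unusual System Events\n=-=-=-=-=-=-=-=-=-=-=\n%s\n' "$events"
    fi
}

# Stand-alone demonstration: first pass reports, second pass is quiet,
# a newly appended line shows up on the third.
if [ "${DEMO:-1}" = 1 ] && [ -z "$SOURCED" ]; then
    make_sample_data
    echo '--- pass 1'; run_pass
    echo '--- pass 2'; run_pass
    echo 'Jun 27 18:07:00 rygel sshd[3122]: Accepted publickey for alice from 10.0.0.7 port 40113 ssh2' >> "$WORK/messages"
    echo '--- pass 3'; run_pass
    rm -rf "$WORK"
fi
```

The order of the two filters is the point to notice: the violations list is matched first and positively, so an ignore rule that is too broad cannot silence a failed-login line; only lines that match no positive pattern are run through the ignore list. The real logcheck script layers a little more on this (a separate hacking-keyword list and an ignore list for known-benign violation matches), but every stage is a grep over the lines logtail handed it, and a missing or over-broad ignore pattern is the usual reason a report is either noisy or silent.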

Logcheck is an IDS, but unlike the IDSes we have looked at so far it does not operate in real time. Logcheck runs at some fixed interval (normally from cron), so it cannot detect an attack until the first run after the attack has fired, and nothing happens until someone reads the report. In other words, if you have Logcheck running hourly, a cracker has on average 30 minutes to do damage before the entry is even reported under the best of circumstances, and an entire weekend before anyone reads the mail under the worst. It also reads the same local log files that an intruder who has gained root can edit, which is one more reason to send syslog to a separate loghost as well.

When Logcheck finds something askew in the logs, it sends an e-mail to the administrator (whoever has been configured as the recipient). This e-mail will contain entries such as these:

 System Events
 =-=-=-=-=-=-=
 Jun 27 18:02:03 rygel postfix/local[2426]: warning:
    database /etc/aliases.db is older than source file /etc/aliases
 Jun 27 18:02:03 rygel postfix/local[2426]: warning:
    dict_nis_init: NIS domain name not set - NIS lookups disabled
 Jun 27 18:03:08 rygel inetd[265]: sunrpc/tcp: bind:
    Address already in use
 Jun 27 18:13:08 rygel inetd[265]: sunrpc/tcp: bind:
    Address already in use

Logcheck has undergone quite a bit of upheaval since this book was written, and is now pretty tricky to track down. Originally, Logcheck was produced by [Psionic]. It was relicensed under the GNU GPL, and then its name was changed to LogSentry. Psionic was then purchased by Cisco, and while Psionic's tools became part of Cisco's product line, the free (as in no-cost) LogSentry was buried in their site and is now very difficult to find.

Luckily for us, Logcheck is included in most Linux distributions. Under Debian you can apt-get it, Red Hat usually includes it enabled by default, and most others at least have it on one of their supplemental CDs. While it may technically be called LogSentry on whatever distribution you are using, the executable is still called logcheck, and so that is the name we will continue to use.



Last edited June 28, 2003 3:12 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.