Logcheck: Difference between revisions
(Created page with "[https://logcheck.org Logcheck] is a simple tool which scans logfiles and emails reports out of unrecognized entries. == Installing == {{Cmd|apk add logcheck grep perl-mime-construct run-parts}} At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies. Additionally, while technically not required, perl-mime-construct is needed for email reports. == Configuration == Default configurat...") |
Prabuanand (talk | contribs) (added category category:System Administration) |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
[https://logcheck.org Logcheck] is a simple tool which scans | [https://logcheck.org Logcheck] is a simple tool which scans log files and emails reports out of unrecognized entries. | ||
== Installing == | == Installing == | ||
{{Cmd|apk add logcheck grep | {{Cmd|apk add logcheck grep run-parts}} | ||
At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies. | At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies. | ||
Additionally | Additionally, perl-mime-construct if you want to let logcheck to email reports. | ||
{{Cmd|apk add perl-mime-construct}} | |||
User "logcheck" should be added to group adm so that it can read log files: | |||
{{Cmd|adduser logcheck adm}} | |||
== Configuration == | == Configuration == | ||
Default configuration in /etc/logcheck/logcheck.conf is quite good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination). | Default configuration in /etc/logcheck/logcheck.conf is quite a good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination or just let cron to send mails instead). | ||
If you do not want logcheck to send mails to you you can let cron do it by just adding MAILOUT=1 to logcheck.conf. | |||
{{Cat|/etc/logcheck/logcheck.conf|<nowiki>... | |||
# Output the results to stdout instead of mail | |||
MAILOUT=1 | |||
...</nowiki>}} | |||
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You | === Log files === | ||
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd: | |||
{{Cat|/etc/logcheck/logcheck.logfiles.d/journal.logfiles|#journal}} | {{Cat|/etc/logcheck/logcheck.logfiles.d/journal.logfiles|#journal}} | ||
Additionally you want to add /var/log/messages and any other missing log file to syslog.logfiles and comment out log files not used by your particular syslog daemon i.e. for busybox syslog: | |||
{{Cat|/etc/logcheck/logcheck.logfiles.d/syslog.logfiles|#/var/log/syslog | {{Cat|/etc/logcheck/logcheck.logfiles.d/syslog.logfiles|#/var/log/syslog | ||
| Line 23: | Line 38: | ||
}} | }} | ||
== Scheduling == | |||
Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job: | |||
{{Cat|/etc/periodic/hourly/logcheck|#!/bin/sh | |||
if [ ! -d /run/lock/logcheck ]; then | |||
mkdir -p /run/lock/logcheck | |||
chown logcheck:logcheck /run/lock/logcheck | |||
fi | |||
su -s /bin/bash -c "nice -n10 /usr/sbin/logcheck" logcheck | |||
}} | |||
And make it executable: | |||
{{Cmd|chmod +x /etc/periodic/hourly/logcheck}} | |||
== Busybox syslog == | |||
Busybox syslog is run using a group wheel which means logcheck cannot read log files created by it. It would be possible to add logcheck user to group wheel, but as group wheel is semantically meant for allowing users to elevate access to root (even though it would not work in practice as logcheck user should not have password set), it is not an optimal solution. | |||
Instead busybox syslog could be made to run as adm instead: | |||
{{Cat|/etc/init.d/syslog|<nowiki>#!/sbin/openrc-run | |||
description="Message logging system" | |||
== | name="busybox syslog" | ||
command="/sbin/syslogd" | |||
command_args="${SYSLOGD_OPTS} -n" | |||
pidfile="/run/syslogd.pid" | |||
command_background=true | |||
#start_stop_daemon_args="-g wheel -k 027" | |||
start_stop_daemon_args="-g adm -k 027" | |||
depend() { | |||
need clock hostname localmount | |||
provide logger | |||
}</nowiki> | |||
}} | |||
This is how rsyslog and syslog-ng works without any changes anyways. | |||
[[category:System Administration]] | |||
Latest revision as of 04:26, 5 February 2025
Logcheck is a simple tool which scans log files and emails reports out of unrecognized entries.
Installing
apk add logcheck grep run-parts
At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies.
Additionally, perl-mime-construct if you want to let logcheck to email reports.
apk add perl-mime-construct
User "logcheck" should be added to group adm so that it can read log files:
adduser logcheck adm
Configuration
Default configuration in /etc/logcheck/logcheck.conf is quite a good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination or just let cron to send mails instead).
If you do not want logcheck to send mails to you you can let cron do it by just adding MAILOUT=1 to logcheck.conf.
Contents of /etc/logcheck/logcheck.conf
Log files
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd:
Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles
Additionally you want to add /var/log/messages and any other missing log file to syslog.logfiles and comment out log files not used by your particular syslog daemon i.e. for busybox syslog:
Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Scheduling
Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job:
Contents of /etc/periodic/hourly/logcheck
And make it executable:
chmod +x /etc/periodic/hourly/logcheck
Busybox syslog
Busybox syslog is run using a group wheel which means logcheck cannot read log files created by it. It would be possible to add logcheck user to group wheel, but as group wheel is semantically meant for allowing users to elevate access to root (even though it would not work in practice as logcheck user should not have password set), it is not an optimal solution.
Instead busybox syslog could be made to run as adm instead:
Contents of /etc/init.d/syslog
This is how rsyslog and syslog-ng works without any changes anyways.