Logcheck: Difference between revisions
(Created page with "[https://logcheck.org Logcheck] is a simple tool which scans logfiles and emails reports out of unrecognized entries. == Installing == {{Cmd|apk add logcheck grep perl-mime-construct run-parts}} At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies. Additionally, while technically not required, perl-mime-construct is needed for email reports. == Configuration == Default configurat...") |
mNo edit summary |
||
Line 13: | Line 13: | ||
Default configuration in /etc/logcheck/logcheck.conf is quite good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination). | Default configuration in /etc/logcheck/logcheck.conf is quite good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination). | ||
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You | Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd: | ||
{{Cat|/etc/logcheck/logcheck.logfiles.d/journal.logfiles|#journal}} | {{Cat|/etc/logcheck/logcheck.logfiles.d/journal.logfiles|#journal}} | ||
Additionally, if you use busybox syslog, then you want to add /var/log/messages to syslog.logfiles: | |||
{{Cat|/etc/logcheck/logcheck.logfiles.d/syslog.logfiles|#/var/log/syslog | {{Cat|/etc/logcheck/logcheck.logfiles.d/syslog.logfiles|#/var/log/syslog | ||
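Review bot: The added busybox syslog sentence tells the reader to add /var/log/messages to syslog.logfiles but does not say whether the logcheck user, which the cron job in the Scheduling section runs as, can read that file. Add a line stating the permission or group membership it needs, so a reader can confirm the file is actually scanned.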
Line 23: | Line 24: | ||
}} | }} | ||
== Scheduling == | |||
Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job: | |||
{{Cat|/etc/periodic/hourly/logcheck|#!/bin/sh | |||
if [ ! -d /run/lock/logcheck ]; then | |||
mkdir -p /run/lock/logcheck | |||
chown logcheck:logcheck /run/lock/logcheck | |||
fi | |||
su -s /bin/bash -c "nice -n10 /usr/sbin/logcheck" logcheck | |||
}} | |||
And make it executable: | |||
{{Cmd|chmod +x /etc/periodic/hourly/logcheck}} |
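Review bot: The cron script calls `su -s /bin/bash`, but bash is not in the `apk add` line under Installing. Say where bash comes from (a dependency of the logcheck package, or an extra package to install), since the job cannot start without that shell. The script also creates /run/lock/logcheck with `mkdir -p` and no explicit mode; consider setting one next to the `chown`. Wording in the new section: "should be ran" should read "should be run", and "a hourly" should read "an hourly".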
Revision as of 19:09, 1 February 2025
Logcheck is a simple tool which scans logfiles and emails reports of unrecognized entries.
Installing
apk add logcheck grep perl-mime-construct run-parts
At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies.
Additionally, while technically not required, perl-mime-construct is needed for email reports.
Configuration
The default configuration in /etc/logcheck/logcheck.conf is quite a good starting point. It is meant for servers and will email reports to "logcheck" (this should be changed if your mail configuration won't deliver such emails to the desired destination).
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You will want to comment out "journal" in journal.logfiles, as we are not using systemd:
Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles
Additionally, if you use busybox syslog, then you want to add /var/log/messages to syslog.logfiles:
Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Scheduling
Logcheck does not run as a daemon; instead, it should be run periodically. Create an hourly cron job:
Contents of /etc/periodic/hourly/logcheck
And make it executable:
chmod +x /etc/periodic/hourly/logcheck
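A preflight check for the setup described above, as an added example that is not part of the wiki page or the logcheck project. It lists the active entries in logcheck.logfiles.d and warns when "journal" is still enabled, when a listed log is unreadable, or when the hourly job is not executable. The function names and the `--run` switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example: preflight check for the logcheck setup on this page.
# Defaults are the paths the page uses; the function names are hypothetical.
LOGFILES_DIR="${LOGFILES_DIR:-/etc/logcheck/logcheck.logfiles.d}"
CRON_JOB="${CRON_JOB:-/etc/periodic/hourly/logcheck}"

# Print every active (non-comment, non-blank) line of the *.logfiles in $1.
active_entries() {
    for f in "$1"/*.logfiles; do
        [ -f "$f" ] || continue
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f"
    done
}

# Warn about settings that leave logs unscanned; return the number of problems.
preflight() {
    dir="$1"; job="$2"; problems=0
    entries=$(active_entries "$dir")
    if [ -z "$entries" ]; then
        echo "WARN: no active log files configured in $dir"
        problems=$((problems + 1))
    fi
    while IFS= read -r e; do
        case "$e" in
            journal)
                echo "WARN: 'journal' is active, but there is no systemd journal"
                problems=$((problems + 1)) ;;
            /*)
                if [ ! -r "$e" ]; then
                    echo "WARN: $e is missing or not readable by $(id -un)"
                    problems=$((problems + 1))
                fi ;;
        esac
    done <<EOF
$entries
EOF
    if [ ! -x "$job" ]; then
        echo "WARN: $job is missing or not executable"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the check only when asked, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight "$LOGFILES_DIR" "$CRON_JOB"
fi
```

Run it as the logcheck user so the readability test reflects the account that actually reads the logs.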