Logcheck

Logcheck is a simple tool which scans logfiles and emails reports out of unrecognized entries.

Installing

apk add logcheck grep perl-mime-construct run-parts

At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies.

Additionally, while technically not required, perl-mime-construct is needed for email reports.

Configuration

Default configuration in /etc/logcheck/logcheck.conf is quite good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination).

Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd:

Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles

#journal

Additionally, if you use busybox syslog, then you want to add /var/log/messages to syslog.logfiles:

Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

#/var/log/syslog
#/var/log/auth.log
/var/log/messages

Scheduling

Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job:

Contents of /etc/periodic/hourly/logcheck

#!/bin/sh
if [ ! -d /run/lock/logcheck ]; then
    mkdir -p /run/lock/logcheck
    chown logcheck:logcheck /run/lock/logcheck
fi
su -s /bin/bash -c "nice -n10 /usr/sbin/logcheck" logcheck

And make it executable:

chmod +x /etc/periodic/hourly/logcheck