Logcheck
Logcheck is a simple tool which scans log files and emails reports of the entries it does not recognize.
Installing
apk add logcheck grep perl-mime-construct run-parts
At the moment grep and run-parts must be installed manually, otherwise logcheck won't work; work is being done to remove these dependencies. Additionally, perl-mime-construct is technically not required, but it is needed for email reports.
The user "logcheck" should be added to group adm so that it can read the log files:
adduser logcheck adm
Configuration
The default configuration in /etc/logcheck/logcheck.conf is a good starting point. It is meant for servers and emails reports to the local user "logcheck"; change this if your mail configuration won't deliver such mail to the desired destination.
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. Comment out "journal" in journal.logfiles, since systemd is not used here:
Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles
Additionally, add /var/log/messages and any other missing log file to syslog.logfiles, and comment out the log files your particular syslog daemon does not write, e.g. for busybox syslog:
Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Scheduling
Logcheck does not run as a daemon; instead it should be run periodically. Create an hourly cron job:
Contents of /etc/periodic/hourly/logcheck
And make it executable:
chmod +x /etc/periodic/hourly/logcheck
Busybox syslog
Busybox syslog runs with group wheel, which means logcheck cannot read the log files it creates. It would be possible to add the logcheck user to group wheel, but as group wheel is semantically meant for allowing users to elevate access to root (even though that would not work in practice, as the logcheck user should not have a password set), it is not an optimal solution.
Instead, busybox syslog can be made to run with group adm:
Contents of /etc/init.d/syslog
This is how rsyslog and syslog-ng already work without any changes.
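To make the mechanism described above concrete (a logfiles list in which commented-out entries are skipped, log files that must be readable by the scanning user, and ignore rules that decide which entries are "unrecognized"), here is a minimal logcheck-style pass in POSIX sh. It is an added example, not code from the Alpine wiki page or from the logcheck project: the log lines, the logfiles list, the ignore patterns and all paths are constructed in a temporary directory, and the pattern style only imitates the regular expressions logcheck ships in its ignore.d directories.

```shell
#!/bin/sh
# Added example (not from the wiki page or the logcheck project): a minimal
# logcheck-style scan. It reads the log files listed in a *.logfiles file,
# drops every line matching an extended regex from an ignore file, and prints
# what is left, i.e. the entries logcheck would put into its email report.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log, imitating busybox syslog lines in /var/log/messages.
cat > "$WORK/messages" <<'EOF'
Jan  1 10:00:01 host crond[123]: USER root pid 456 cmd run-parts /etc/periodic/hourly
Jan  1 10:00:05 host sshd[789]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan  1 10:01:12 host sshd[790]: Failed password for invalid user admin from 198.51.100.7 port 4444 ssh2
Jan  1 10:02:30 host kernel: [  300.123456] usb 1-1: new high-speed USB device number 3
EOF

# Constructed logfiles list, one path per line, like syslog.logfiles.
# A commented-out entry (as the page suggests for "journal") is ignored.
printf '%s\n' "#/var/log/journal-does-not-exist" "$WORK/messages" > "$WORK/syslog.logfiles"

# Constructed ignore rules: routine cron runs and successful logins are noise.
cat > "$WORK/ignore.d" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ crond\[[[:digit:]]+\]: USER [[:alnum:]]+ pid [[:digit:]]+ cmd run-parts /etc/periodic/[[:alpha:]]+$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [[:alnum:]]+ from [.[:digit:]]+ port [[:digit:]]+ ssh2$
EOF

# report_unrecognized LOGFILES IGNOREFILE
# Prints every log line that matches none of the ignore patterns.
report_unrecognized() {
    logfiles=$1; ignore=$2
    while IFS= read -r f; do
        # Skip blank and commented-out entries in the logfiles list.
        case $f in ''|'#'*) continue ;; esac
        # A file the scanning user cannot read (the busybox syslog group
        # problem from the page) is reported rather than silently skipped.
        [ -r "$f" ] || { echo "cannot read $f" >&2; continue; }
        grep -v -E -f "$ignore" "$f" || true
    done < "$logfiles"
}

# count_unrecognized LOGFILES IGNOREFILE -> number of reported lines
count_unrecognized() {
    report_unrecognized "$1" "$2" | wc -l | tr -d ' '
}

report_unrecognized "$WORK/syslog.logfiles" "$WORK/ignore.d"
```

Running the script prints the failed-password and the kernel USB line and nothing else; the two ignore rules swallow the cron run and the successful login. The real logcheck additionally remembers how far it has read each file between runs and splits the report into attack, security-event and system-event sections, but the filtering principle is the same, which is why a new ignore rule should be as specific as the ones above rather than a bare substring.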