Logcheck

From Alpine Linux

Logcheck is a simple tool which scans log files and emails reports out of unrecognized entries.

Installing

apk add logcheck grep run-parts

At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies.

Additionally, perl-mime-construct if you want to let logcheck to email reports.

apk add perl-mime-construct

User "logcheck" should be added to group adm so that it can read log files:

adduser logcheck adm

Configuration

Default configuration in /etc/logcheck/logcheck.conf is quite a good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination or just let cron to send mails instead).

If you do not want logcheck to send mails to you you can let cron do it by just adding MAILOUT=1 to logcheck.conf.

Contents of /etc/logcheck/logcheck.conf

... # Output the results to stdout instead of mail MAILOUT=1 ...

Log files

Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd:

Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles

#journal

Additionally you want to add /var/log/messages and any other missing log file to syslog.logfiles and comment out log files not used by your particular syslog daemon i.e. for busybox syslog:

Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

#/var/log/syslog #/var/log/auth.log /var/log/messages

Scheduling

Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job:

Contents of /etc/periodic/hourly/logcheck

#!/bin/sh if [ ! -d /run/lock/logcheck ]; then mkdir -p /run/lock/logcheck chown logcheck:logcheck /run/lock/logcheck fi su -s /bin/bash -c "nice -n10 /usr/sbin/logcheck" logcheck

And make it executable:

chmod +x /etc/periodic/hourly/logcheck

Busybox syslog

Busybox syslog is run using a group wheel which means logcheck cannot read log files created by it. It would be possible to add logcheck user to group wheel, but as group wheel is semantically meant for allowing users to elevate access to root (even though it would not work in practice as logcheck user should not have password set), it is not an optimal solution.

Instead busybox syslog could be made to run as adm instead:

Contents of /etc/init.d/syslog

#!/sbin/openrc-run description="Message logging system" name="busybox syslog" command="/sbin/syslogd" command_args="${SYSLOGD_OPTS} -n" pidfile="/run/syslogd.pid" command_background=true #start_stop_daemon_args="-g wheel -k 027" start_stop_daemon_args="-g adm -k 027" depend() { need clock hostname localmount provide logger }

This is how rsyslog and syslog-ng works without any changes anyways.