Logcheck
Logcheck is a simple tool which scans log files and emails reports out of unrecognized entries.
Installing
apk add logcheck grep run-parts
At the moment grep and run-parts must be manually installed, otherwise logcheck won't work. Work is being done to remove these dependencies.
Additionally, perl-mime-construct if you want to let logcheck to email reports.
apk add perl-mime-construct
User "logcheck" should be added to group adm so that it can read log files:
adduser logcheck adm
Configuration
Default configuration in /etc/logcheck/logcheck.conf is quite a good starting point. It is meant for servers and will email reports to "logcheck" (should be changed if your mail configuration won't deliver such emails to desired destination or just let cron to send mails instead).
If you do not want logcheck to send mails to you you can let cron do it by just adding MAILOUT=1 to logcheck.conf.
Contents of /etc/logcheck/logcheck.conf
Log files
Log files to be scanned are configured in /etc/logcheck/logcheck.logfiles.d. You want to comment out "journal" from journal.logfiles as we are not using systemd:
Contents of /etc/logcheck/logcheck.logfiles.d/journal.logfiles
Additionally you want to add /var/log/messages and any other missing log file to syslog.logfiles and comment out log files not used by your particular syslog daemon i.e. for busybox syslog:
Contents of /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Scheduling
Logcheck does not run as a daemon, instead it should be ran periodically. Create a hourly cron job:
Contents of /etc/periodic/hourly/logcheck
And make it executable:
chmod +x /etc/periodic/hourly/logcheck
Busybox syslog
Busybox syslog is run using a group wheel which means logcheck cannot read log files created by it. It would be possible to add logcheck user to group wheel, but as group wheel is semantically meant for allowing users to elevate access to root (even though it would not work in practice as logcheck user should not have password set), it is not an optimal solution.
Instead busybox syslog could be made to run as adm instead:
Contents of /etc/init.d/syslog
This is how rsyslog and syslog-ng works without any changes anyways.