logcheck

logcheck has a script, logcheck.sh, that is run on a regular basis (once per hour) to collect information from the log files. The data collected is the result of running grep against the log files based on information is a set of files that contain words and phrases that typically indicate potential problems. For example, the word refused in /var/log/messages or /var/log/secure can indicate a problem, especially if it becomes successful the next time the same IP appears.

To install logcheck, expand the tar file archive somewhere and the enter:

If you don't care for the default locations for files (/usr/local/etc for the configuration files) change them in Makefile first.

The author recommends that all logging be forced to a single file by adding an entry of the form:

*.info /var/log/messages

to /etc/syslog.conf. This definitely makes the work of logcheck easier, but more difficult if you try to do any manual checking, so decide for yourself. The ownership on this file should be root.wheel, and the permissions should be 600.

Now that the files are installed, you need to configure logcheck for your use.

logcheck.sh

Following the documentation in the file itself, make any adjustments that you want to make in the script.

Set the SYSADMIN variable for the user you want.
Set the paths for logcheck and for the temporary files.
Set the configuration file paths if necessary.
Provide a complete list of log files to be checked.

crontab

Make a crontab entry for logcheck.sh of the form:

00 * * * * /usr/local/etc/logcheck.sh

logcheck.ignore

Add any words or phrases you want to ignore. The most likely scenario is that after using logcheck for a while you will add things to this file. However, anything not in this file gets reported, so anything that shows up that you don't want in the future, put it in here. Examples are:

cron.*CMD
ftp.*stored

logcheck.hacking

Words and phrases here are indications of an actual problem. Don't put too many things in here as they generate the highest response. Examples are:

ATTACK
LOGIN root REFUSED

logcheck.violations

Words and phrases here are indications of a potential problem, but not a certain intrusion. Put anything in here that would attract your interest if you saw it in a log file. Examples are:

LOGIN REFUSED
unauthorized host

logcheck.violations.ignore

All violations are scanned for things in this file and if there is a match, they are dropped. So it can help reduce the amount of information collected, but you don't want to miss anything important, so be cautious. Examples are:

stat=Sent

Reports

All logcheck reports come through email, so you may get quite a few. It might be handy to set up a special mail account if the number is onerous, but don't forget to check the mail often.