# HOWTO: Use security/logcheck to keep tabs on your system



## junovitch@ (May 23, 2015)

security/logcheck is a useful tool to help keep tabs on your system logs.  Per the port's pkg-descr:


> Logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.



Logcheck is fairly easy to initially set up but can take some time to trim down the list of what you consider "normal" to reduce the amount of noise produced.  The purpose of this little guide will be to cover that initial setup, provide a few examples of configuration, and hopefully be a small stash of good examples from others.


Install security/logcheck
`pkg install logcheck`


Monitoring /var/log/auth.log makes sense as a best practice. Modify newsyslog.conf(5) to allow the logcheck group access to /var/log/auth.log and then fix permissions on the current file.

```
perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
chown root:logcheck /var/log/auth.log
chmod 640  /var/log/auth.log
```

Finally, copy the default file for crontab(1) from the installed example and fix permissions.

```
cp /usr/local/share/examples/logcheck/crontab.in /var/cron/tabs/logcheck
chmod 600 /var/cron/tabs/logcheck
```

At this point, Logcheck is fully set up and will email you every hour.


Don't like the default interval? Change it.
`crontab -u logcheck -e`


Don't like all the emails accumulating for the logcheck user?  Add an entry to /etc/mail/aliases.

```
logcheck:  jason
```

Not enough noise? Enable logging to /var/log/all.log to get even more detail.

```
# uncomment the all.log line in syslog.conf and let the logcheck group read the rotated file
perl -pwi -e 'if (/all\.log/)  {s/#\*\.\*/\*\.\*/;}' /etc/syslog.conf
perl -pwi -e 'if (/all\.log/)  {s/all\.log\t\t/all.log\troot:logcheck/;   s/600/640/; }' /etc/newsyslog.conf
# create the current file with the same ownership and mode newsyslog will use
touch /var/log/all.log
chown root:logcheck /var/log/all.log
chmod 640 /var/log/all.log
service syslogd restart
```

Now set Logcheck to check /var/log/all.log instead of /var/log/messages.

```
cat > /usr/local/etc/logcheck/logcheck.logfiles << 'EOF'
/var/log/all.log
/var/log/auth.log
EOF
```


----------



## junovitch@ (May 23, 2015)

Examples of pattern matches for ignoring services.  This assumes monitoring all the details in /var/log/all.log.

Please feel free to post up any of yours.

For sysutils/smartmontools:
/usr/local/etc/logcheck/ignore.d.server/local-smartd

```
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], starting scheduled (Short|Long) Self-Test\.
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], self-test in progress, [0-9]+% remaining
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], previous self-test completed without error
```

For cron(8):
/usr/local/etc/logcheck/ignore.d.server/local-cron

```
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ crontab\[[0-9]+\]: \(root\) LIST \(root\)
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(operator\) CMD \(/usr/libexec/save-entropy\)
```

For sysutils/puppet:
/usr/local/etc/logcheck/ignore.d.server/local-puppet

```
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Compiled catalog for [._[:alnum:]-]+ in environment production
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-master\[[0-9]+\]: Starting Puppet master version
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-agent\[[0-9]+\]: Finished catalog run
```

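Before dropping a new rule into ignore.d.server/, it helps to dry-run it the way logcheck does, by filtering sample log lines through the rule file with `grep -E -v -f`. The script below is an added example, not from the original post; the rule file and the all.log lines in it are constructed, and the host name bsdbox and PIDs are made up.

```shell
#!/bin/sh
# Dry-run a logcheck-style ignore file against sample log lines with the same
# "egrep -v -f" filtering logcheck applies, so a rule can be checked before it
# goes into /usr/local/etc/logcheck/ignore.d.server/. Rules and log lines below
# are constructed for this example.

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/local-test"
LOG="$WORK/all.log"

# Constructed ignore rules, in the same form as the local-smartd/local-cron files.
cat > "$RULES" << 'EOF'
^\w{3} [ :0-9]{11} <daemon\.info> [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/ada[0-9], starting scheduled (Short|Long) Self-Test\.
^\w{3} [ :0-9]{11} <cron\.info> [._[:alnum:]-]+ /usr/sbin/cron\[[0-9]+\]: \(root\) CMD
^\w{3} [ :0-9]{11} <daemon\.notice> [._[:alnum:]-]+ puppet-agent\[[0-9]+\]: Finished catalog run
EOF

# Constructed sample of /var/log/all.log (syslogd writing <facility.level> tags).
cat > "$LOG" << 'EOF'
May 23 03:00:01 <daemon.info> bsdbox smartd[812]: Device: /dev/ada0, starting scheduled Short Self-Test.
May 23 03:05:00 <cron.info> bsdbox /usr/sbin/cron[903]: (root) CMD (/usr/libexec/atrun)
May 23 03:07:12 <auth.info> bsdbox sshd[944]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
May 23 03:08:00 <daemon.info> bsdbox smartd[812]: Device: /dev/ada0, 5 Currently unreadable (pending) sectors
EOF

# Lines that survive the ignore file: this is what logcheck would mail.
filter_log() {
    grep -E -v -f "$1" "$2"
}

# Number of lines that would be reported.
unmatched_count() {
    filter_log "$1" "$2" | wc -l | tr -d ' '
}

# Rules that match nothing in the sample: either a typo in the pattern, or noise
# that no longer appears and can be pruned from the ignore file.
dead_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        grep -E -q -- "$rule" "$2" || printf '%s\n' "$rule"
    done < "$1"
}

echo "Would be reported ($(unmatched_count "$RULES" "$LOG") lines):"
filter_log "$RULES" "$LOG"
echo "Rules matching no sample line:"
dead_rules "$RULES" "$LOG"
```

The smartd self-test and cron CMD lines are swallowed by the rules, while the sshd failure and the pending-sector warning still reach the report, which is the balance an ignore file should strike.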

----------

