logcheck – who is checking your logs?

logcheck – who is checking your logs?

This article describes how I installed and configure logchecklogcheck
is a program which helps the processing of system logfiles.
[Ed. note: it was originally produced by Psionic Software which has since
been acquired by Cisco.]

NOTE: Logcheck has changed. This article no longer describes it well.
Use this post instead

NOTE: logcheck is now a port
and can be found in security/logcheck.

Why bother?

Any system generates log files.  And do you read them?  You should.  
Often it is the only want you are going to detect a problem.  logcheck helps with
that process.  As the website says:

Logcheck helps spot problems and security violations in your logfiles 
automatically and will send the results to you in e-mail.

You can set up logcheck to run at any given interval.  Every day.  
Every hour.  Just put it in your crontab and you’re set.

The key thing about logfiles is people forget to read them.  But logcheck
will scan the logfiles frequently and report any problem immediately.  That’s what I
like about it.  You find out about a problem the next time you read your mail, not
when you remember to check the logs.

The install – port

Remember, I have the entire ports tree installed.  So
I did this:

cd /usr/ports/security/logcheck
make install

The install – non-port

This is not a port.  So I did this:

cd /usr/local
mkdir psionic
chdir psionic
fetch -P http://www.psionic.org/downloads/logsentry-1.1.1.tar.gz
tar xvfz logcheck-1.1.1.tar.gz
cd logcheck-1.1.1

Your first step should be to read the INSTALL file.  I already had syslogd
configured to log what I needed.  So my first step was to configure Makefile.  
The default location for the files is /usr/local/etc.  I changed that to /usr/local/psionic/logcheck
Just my preference.

Then I typed:

make freebsd

Read the README and and INSTALL files supplied with the application.

Running logcheck

I run logcheck every 15 minutes.  You decide how often is right for you.
  Here is my entry from /etc/crontab.  Note there are tabs between the columns
before and after each *, not spaces.

0,15,30,45 * * * * root /bin/sh /usr/local/psionic/logcheck/logcheck.sh

Or, if you used the port, you’d want this:

0,15,30,45 * * * * root /bin/sh /usr/local/etc/logcheck.sh


The only problem I found was conflicts between LogCheck and newsyslog
I was getting this in my LogCheck output.

Unusual System Events
File /var/log/messages cannot be read.

I think this occurs because newsyslog has been started at the same time as LogCheck.
  The way I choose to deal with it was to change the time at which LogCheck ran.

1,16,31,46 * * * * root ...etc

If you installed from the ports, you’ll want /usr/local/etc/logcheck.sh in
the line above.  If you didn’t, the above will work fine, based on the changes made
during the install.

This should make sure that syslogd is stopped by the time logcheck.sh

NOTE: I think the above may cause some problems in missed log scans.  If the logs
are rolled over on the hour, then the logcheck at 1 minute after the hour will miss the
last part of the log which was just rolled over.  I’ll talk to the author about this.
  Also, if you run logcheck 1 minute before newsyslog, you might miss messages, but
only only one minute in that case.  Still not ideal.

Leave a Comment

Scroll to Top