
The logcheck program helps spot problems and security violations in your logfiles automatically and will send the results to you periodically in an e-mail. By default logcheck runs as an hourly cronjob just off the hour and after every reboot.

logcheck supports three levels of filtering. "paranoid" is for high-security machines running as few services as possible; don't use it if you can't handle its verbose messages. "server" is the default and contains rules for many different daemons. "workstation" is for sheltered machines and filters most of the messages. The ignore rules work in an additive manner: "paranoid" rules are also included at level "server", and the "workstation" level includes both "paranoid" and "server" rules.

The messages reported are sorted into three layers: system events, security events and attack alerts. The verbosity of system events is controlled by the level you choose (paranoid, server or workstation). Security events and attack alerts, however, are not affected by this.


To ignore lines like these:

Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012/10/03-14:02:03 CONNECT TCP Peer: "" Local: ""#012
Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012.10.03-14:02:03#011VBoxAdm::SMTP::Proxy::SA::process_request#011INFO#011Ooops, looks like the SQL server went away. Trying to reconnect ...
Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012.10.03-14:02:03#011VBoxAdm::SMTP::Proxy::SA::is_spam#011INFO#011clean message <20121003120203.6AD3912007C@xxx.de> (-0.00/6.31) from <logcheck@xxx.de> for yyy@xxx.de in 0.29 s, 1341 bytes. rules hit: NO_RELAYS
Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012.10.03-14:02:03#011VBoxAdm::SMTP::Proxy::SA::process_request#011INFO#011message-accepted - queued as 80F7D12007B; from=<logcheck@xxx.de>; to=yyy@xxx.de; client=[UNKNOWN]; helo=[UNKNOWN]; proto=[UNKNOWN]; source=LOCAL;


add an ignore rule such as:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ vboxadm-sa\[[0-9]+\]: (.*)011INFO(.*)$
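
A dry run of the rule above against sample lines before installing it, as an added example that is not part of the original page. It assumes logcheck matches its rules as extended regular expressions, so `grep -E` stands in for it; the first two sample lines are copied from the page and the third is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run an ignore rule with
# grep -E (assumption: logcheck matches rules as extended regexes).
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ vboxadm-sa\[[0-9]+\]: (.*)011INFO(.*)$'

# Lines 1-2 are copied from the page; line 3 is constructed for this test.
sample_lines() {
cat <<'EOF'
Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012/10/03-14:02:03 CONNECT TCP Peer: "" Local: ""#012
Oct  3 14:02:03 mail vboxadm-sa[9900]: 2012.10.03-14:02:03#011VBoxAdm::SMTP::Proxy::SA::process_request#011INFO#011Ooops, looks like the SQL server went away. Trying to reconnect ...
Oct  3 14:02:04 mail vboxadm-sa[9900]: 2012.10.03-14:02:04#011VBoxAdm::SMTP::Proxy::SA::process_request#011ERROR#011constructed failure message
EOF
}

# Lines the rule would drop from the report.
ignored()  { sample_lines | grep -E -e "$RULE"; }
# Lines that would still be mailed to the administrator.
reported() { sample_lines | grep -E -v -e "$RULE"; }
count_ignored()  { sample_lines | grep -E -c -e "$RULE"; }
count_reported() { sample_lines | grep -E -v -c -e "$RULE"; }

echo "suppressed by the rule: $(count_ignored)"
echo "still reported: $(count_reported)"
reported
```

On these samples the rule suppresses only the line containing `011INFO`; the `CONNECT TCP Peer` line from the page is still reported and would need a rule of its own.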