[Logcheck-devel] logcheck reference in Debian's harden-doc
maks attems
debian at sternwelten.at
Mon Jul 12 10:24:17 UTC 2004
hello everyone,
the description of logcheck in the latest harden-doc is outdated
compared to the logcheck version in sarge/sid.
please take a look at the diff and comment.
I plan to send Javier the patch in 2-3 days.
thanks maks
--- after-install.sgml.orig 2004-07-12 12:00:06.000000000 +0200
+++ after-install.sgml 2004-07-12 12:16:18.000000000 +0200
@@ -1208,12 +1208,13 @@
<sect1 id="custom-logcheck">Using and customising <prgn>logcheck</prgn>
-<p>The <prgn>logcheck</prgn> package in Debian is divided into two
-packages <package>logcheck</package> (the main program) and
+<p>The <prgn>logcheck</prgn> package in Debian is divided into three
+packages <package>logcheck</package> (the main program),
<package>logcheck-database</package> (a database of regular
-expressions for the program). The Debian default (in
+expressions for the program) and <package>logtail</package> (prints
+loglines that have not yet been read). The Debian default (in
<file>/etc/cron.d/logcheck</file>) is that <prgn>logcheck</prgn> is run
-daily at 2 AM and once after each reboot.
+every hour just off the hour and once after each reboot.
<p>This tool can be quite useful if properly customised to alert the
administrator to unusual events in the system. <prgn>Logcheck</prgn>
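Review bot: "every hour just off the hour" is too vague for a hardening guide; state the actual minute offset used in the shipped <file>/etc/cron.d/logcheck</file> so an administrator can tell which log window a given report covers. The new <package>logtail</package> sentence could also say why it matters here: it is what lets each hourly run report only lines that appeared since the previous run, so a report that arrives late or not at all is itself worth investigating. Otherwise the three-package split reads correctly.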
@@ -1225,7 +1226,7 @@
<file>/etc/logcheck/logcheck.conf</file>, sourced by the program, that
defines which user the checks are sent to. It also provides a way for
packages that provide services to implement new policies in the
-directories: <file>/etc/logcheck/hacking.d/_packagename_</file>,
+directories: <file>/etc/logcheck/cracking.d/_packagename_</file>,
<file>/etc/logcheck/violations.d/_packagename_</file>,
<file>/etc/logcheck/violations.ignore.d/_packagename_</file>,
<file>/etc/logcheck/ignore.d.paranoid/_packagename_</file>,
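Review bot: only the <file>/etc/logcheck/hacking.d/_packagename_</file> occurrence is renamed to <file>cracking.d</file> here; grep the rest of after-install.sgml for any other <file>hacking.d</file> references and update them in the same patch, since a reader who follows a stale path will drop rules into a directory the documented version does not consult. The remaining entries in this list (violations.d, violations.ignore.d, ignore.d.paranoid) are unchanged and consistent with the renamed one.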
@@ -1236,29 +1237,31 @@
appropriate package (as a <em>wishlist</em> bug). For more information read
<file>/usr/share/doc/logcheck/README.Debian</file>
-<p>The best way to configure <prgn>logcheck</prgn> is to install it
-(it will ask for the user to which reports should be mailed and generate
-<file>/etc/logcheck/logcheck.logfiles</file> from syslog entries). If
-you wish to add new log files just add them to
-<file>/etc/logcheck/logcheck.logfiles</file>. The
-package dependency will also force the installation of
-<package>logcheck-database</package>; during installation it will ask which
-security level is desired: workstation, server or paranoid. This will
-make <file>/etc/logcheck/ignore.d</file> point to the appropriate
-directories (through symbolic links). To change this run
-<tt>dpkg-reconfigure -plow logcheck-database</tt>. Then create the
-<file>/etc/ignore.d/local</file>, this file will hold all the rules to
-exclude messages that should not be reported. Leave it empty for the
-moment (a simple <tt>cp /dev/null /etc/ignore.d/local</tt> will
-work).
+<p>The best way to configure <prgn>logcheck</prgn> is to edit its
+main configuration file <file>/etc/logcheck/logcheck.conf</file>
+after installation. Change the default user (root) whom reports
+should be mailed. You should set there the reportlevel.
+<package>logcheck-database</package> has three report levels of
+increasing verbosity: workstation, server, paranoid.
+"server" beeing the default level, paranoid is only recommended
+for high-security machines running as few services as possible
+and workstation for relatively sheltered machines.
+If you wish to add new log files just add them to
+<file>/etc/logcheck/logcheck.logfiles</file>. It is tuned for a
+default syslog install.
<p>Once this is done you might want to check the mails that are sent, for the
first few days/weeks/months. If you find you are sent messages you do not wish
-to receive, just add the regular expressions (see
-<manref name="regex" section="7">) that correspond to these messages to the
-<file>/etc/ignore.d/local</file>. It's an ongoing tuning process; once the
-messages that are sent are always relevant you can consider the tuning
-finished. Note that if <prgn>logcheck</prgn> does not find anything relevant
+to receive, just add the regular expressions (see
+<manref name="regex" section="7"> and <manref name="egrep" section="1">) that
+correspond to these messages to the
+<file>/etc/logcheck/ignore.d.{reportlevel}/local</file>. Try to match the
+hole logline. Details on howto write rules are explained in
+<file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file>
+It's an ongoing tuning process; once the messages that are sent are always
+relevant you can consider the tuning finished. Please file bugs on
+<package>logcheck-database</package> whith the repeated logline and your rule.
+Note that if <prgn>logcheck</prgn> does not find anything relevant
in your system it will not mail you even if it does run (so you might get a
mail only once a week, if you are lucky).
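Review bot: "Try to match the hole logline" should say how and why: anchor the rule to the start and end of the line (the <manref name="regex" section="7"> and <manref name="egrep" section="1"> references just added cover the syntax), because an unanchored fragment added to <file>/etc/logcheck/ignore.d.{reportlevel}/local</file> can silently suppress unrelated messages, including ones the violations.d rules exist to surface. The old text's step of creating the local file (the <tt>cp /dev/null</tt> line) was dropped; the new paragraph should still tell the reader that <file>ignore.d.{reportlevel}/local</file> has to be created by the administrator. "You should set there the reportlevel" would be clearer if it named the variable in <file>/etc/logcheck/logcheck.conf</file> that holds it. Spelling and wording in the added lines: "beeing" to "being", "hole logline" to "whole logline", "whith" to "with", "howto" to "how to", "the default user (root) whom reports should be mailed" to "the default user (root) to whom reports should be mailed", and a full stop is missing after <file>README.logcheck-database.gz</file>.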