[Logcheck-devel] logcheck reference in Debian's harden-doc

maks attems debian at sternwelten.at
Mon Jul 12 10:24:17 UTC 2004


hello everyone,

The description of logcheck in the latest harden-doc is outdated
compared to the logcheck version in sarge/sid.

Please take a look at the diff and comment.
I plan to send Javier the patch in 2-3 days.

thanks maks


--- after-install.sgml.orig	2004-07-12 12:00:06.000000000 +0200
+++ after-install.sgml	2004-07-12 12:16:18.000000000 +0200
@@ -1208,12 +1208,13 @@
 
 <sect1 id="custom-logcheck">Using and customising <prgn>logcheck</prgn>
 
-<p>The <prgn>logcheck</prgn> package in Debian is divided into two
-packages <package>logcheck</package> (the main program) and
+<p>The <prgn>logcheck</prgn> package in Debian is divided into three
+packages <package>logcheck</package> (the main program), 
 <package>logcheck-database</package> (a database of regular
-expressions for the program). The Debian default (in
+expressions for the program) and <package>logtail</package> (prints
+loglines that have not yet been read). The Debian default (in
 <file>/etc/cron.d/logcheck</file>) is that <prgn>logcheck</prgn> is run
-daily at 2 AM and once after each reboot.
+every hour just off the hour and once after each reboot.
 
 <p>This tool can be quite useful if properly customised to alert the
 administrator to unusual events in the system. <prgn>Logcheck</prgn>
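Review bot: the new `+packages <package>logcheck</package> (the main program), ` line carries trailing whitespace, and "loglines" on the `+loglines that have not yet been read` line should be "log lines". Since the hunk also changes the cron schedule from "daily at 2 AM" to "every hour just off the hour", it would help readers if the `/etc/cron.d/logcheck` sentence mentioned that the schedule can be changed there, as that file is already named in the unchanged context.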
@@ -1225,7 +1226,7 @@
 <file>/etc/logcheck/logcheck.conf</file>, sourced by the program, that
 defines which user the checks are sent to. It also provides a way for
 packages that provide services to implement new policies in the
-directories: <file>/etc/logcheck/hacking.d/_packagename_</file>,
+directories: <file>/etc/logcheck/cracking.d/_packagename_</file>,
 <file>/etc/logcheck/violations.d/_packagename_</file>,
 <file>/etc/logcheck/violations.ignore.d/_packagename_</file>,
 <file>/etc/logcheck/ignore.d.paranoid/_packagename_</file>,
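Review bot: renaming `hacking.d` to `cracking.d` here silently drops the old directory name; a reader who still has local rules under `/etc/logcheck/hacking.d/` gets no hint that they need to be moved. Consider one sentence noting that `hacking.d` was the former name of `cracking.d` so existing installs know to migrate.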
@@ -1236,29 +1237,31 @@
 appropriate package (as a <em>wishlist</em> bug). For more information read
 <file>/usr/share/doc/logcheck/README.Debian</file>
 
-<p>The best way to configure <prgn>logcheck</prgn> is to install it
-(it will ask for the user to which reports should be mailed and generate
-<file>/etc/logcheck/logcheck.logfiles</file> from syslog entries). If
-you wish to add new log files just add them to
-<file>/etc/logcheck/logcheck.logfiles</file>. The
-package dependency will also force the installation of 
-<package>logcheck-database</package>; during installation it will ask which
-security level is desired: workstation, server or paranoid. This will
-make <file>/etc/logcheck/ignore.d</file> point to the appropriate
-directories (through symbolic links). To change this run
-<tt>dpkg-reconfigure -plow logcheck-database</tt>.  Then create the
-<file>/etc/ignore.d/local</file>, this file will hold all the rules to
-exclude messages that should not be reported. Leave it empty for the
-moment (a simple <tt>cp /dev/null /etc/ignore.d/local</tt> will
-work). 
+<p>The best way to configure <prgn>logcheck</prgn> is to edit its
+main configuration file <file>/etc/logcheck/logcheck.conf</file> 
+after installation. Change the default user (root) whom reports
+should be mailed. You should set there the reportlevel.
+<package>logcheck-database</package> has three report levels of 
+increasing verbosity: workstation, server, paranoid.
+"server" beeing the default level, paranoid is only recommended 
+for high-security machines running as few services as possible 
+and workstation for relatively sheltered machines.
+If you wish to add new log files just add them to
+<file>/etc/logcheck/logcheck.logfiles</file>. It is tuned for a
+default syslog install.
 
 <p>Once this is done you might want to check the mails that are sent, for the
 first few days/weeks/months. If you find you are sent messages you do not wish 
-to receive, just add the regular expressions (see 
-<manref name="regex" section="7">) that correspond to these messages to the
-<file>/etc/ignore.d/local</file>. It's an ongoing tuning process; once the 
-messages that are sent are always relevant you can consider the tuning 
-finished. Note that if <prgn>logcheck</prgn> does not find anything relevant 
+to receive, just add the regular expressions (see
+<manref name="regex" section="7"> and <manref name="egrep" section="1">) that
+correspond to these messages to the
+<file>/etc/logcheck/ignore.d.{reportlevel}/local</file>. Try to match the
+hole logline. Details on howto write rules are explained in
+<file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file>
+It's an ongoing tuning process; once the messages that are sent are always
+relevant you can consider the tuning finished. Please file bugs on
+<package>logcheck-database</package> whith the repeated logline and your rule.
+Note that if <prgn>logcheck</prgn> does not find anything relevant
 in your system it will not mail you even if it does run (so you might get a 
 mail only once a week, if you are lucky).
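Review bot: the removed paragraph told the reader to create the `local` rules file (`cp /dev/null /etc/ignore.d/local`), but the replacement only says to "add the regular expressions ... to `/etc/logcheck/ignore.d.{reportlevel}/local`" without saying the file has to be created first; keep a creation step, with the corrected path. Several typos in the added lines: "beeing" should be "being", "whith" should be "with", "hole logline" should be "whole log line", "howto" should be "how to", and the sentence ending in `README.logcheck-database.gz` is missing its full stop. "Change the default user (root) whom reports should be mailed" needs "to whom", "You should set there the reportlevel" reads better as "Set the report level there as well", and "It is tuned for a default syslog install" is ambiguous about its subject (presumably `logcheck.logfiles`), so name it. The `+main configuration file`, `+<package>logcheck-database</package> has three`, `+"server" beeing` and `+for high-security machines` lines also carry trailing whitespace.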
 