[Logcheck-devel] logcheck reference in debians harden-doc
maks attems
debian at sternwelten.at
Mon Jul 12 21:21:55 UTC 2004
* updated patch thx to suggestions from Alfie.
* removed reference to bts as it already exists
one chapter above that is unchanged.
--- after-install.sgml.orig 2004-07-12 12:00:06.000000000 +0200
+++ after-install.sgml 2004-07-12 23:17:36.000000000 +0200
@@ -1208,12 +1208,13 @@
<sect1 id="custom-logcheck">Using and customising <prgn>logcheck</prgn>
-<p>The <prgn>logcheck</prgn> package in Debian is divided into two
-packages <package>logcheck</package> (the main program) and
+<p>The <prgn>logcheck</prgn> package in Debian is divided into the
+three packages <package>logcheck</package> (the main program),
<package>logcheck-database</package> (a database of regular
-expressions for the program). The Debian default (in
+expressions for the program) and <package>logtail</package> (prints
+loglines that have not yet been read). The Debian default (in
<file>/etc/cron.d/logcheck</file>) is that <prgn>logcheck</prgn> is run
-daily at 2 AM and once after each reboot.
+every hour just off the hour and once after each reboot.
<p>This tool can be quite useful if properly customised to alert the
administrator to unusual events in the system. <prgn>Logcheck</prgn>
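Review bot: the new schedule wording "every hour just off the hour" in the last changed line is imprecise for a security document, since readers tune alert expectations to it; state the schedule as it appears in /etc/cron.d/logcheck (the file the sentence itself names) rather than paraphrasing it. Also, "divided into the three packages <package>logcheck</package> (the main program), ... and <package>logtail</package>" reads better as "divided into three packages: <package>logcheck</package> (the main program), ...", and "loglines" should be "log lines".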
@@ -1225,7 +1226,7 @@
<file>/etc/logcheck/logcheck.conf</file>, sourced by the program, that
defines which user the checks are sent to. It also provides a way for
packages that provide services to implement new policies in the
-directories: <file>/etc/logcheck/hacking.d/_packagename_</file>,
+directories: <file>/etc/logcheck/cracking.d/_packagename_</file>,
<file>/etc/logcheck/violations.d/_packagename_</file>,
<file>/etc/logcheck/violations.ignore.d/_packagename_</file>,
<file>/etc/logcheck/ignore.d.paranoid/_packagename_</file>,
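Review bot: the directory rename from <file>/etc/logcheck/hacking.d/_packagename_</file> to <file>/etc/logcheck/cracking.d/_packagename_</file> is made silently; add a short note that the old name was hacking.d, otherwise administrators who still have local rules under that directory will not realise they need to move them and those rules will simply stop being applied.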
@@ -1234,33 +1235,34 @@
not many packages currently do so. If you have a policy that can be
useful for other users, please send it as a bug report for the
appropriate package (as a <em>wishlist</em> bug). For more information read
-<file>/usr/share/doc/logcheck/README.Debian</file>
+<file>/usr/share/doc/logcheck/README.Debian</file>.
-<p>The best way to configure <prgn>logcheck</prgn> is to install it
-(it will ask for the user to which reports should be mailed and generate
-<file>/etc/logcheck/logcheck.logfiles</file> from syslog entries). If
-you wish to add new log files just add them to
-<file>/etc/logcheck/logcheck.logfiles</file>. The
-package dependency will also force the installation of
-<package>logcheck-database</package>; during installation it will ask which
-security level is desired: workstation, server or paranoid. This will
-make <file>/etc/logcheck/ignore.d</file> point to the appropriate
-directories (through symbolic links). To change this run
-<tt>dpkg-reconfigure -plow logcheck-database</tt>. Then create the
-<file>/etc/ignore.d/local</file>, this file will hold all the rules to
-exclude messages that should not be reported. Leave it empty for the
-moment (a simple <tt>cp /dev/null /etc/ignore.d/local</tt> will
-work).
+<p>The best way to configure <prgn>logcheck</prgn> is to edit its
+main configuration file <file>/etc/logcheck/logcheck.conf</file>
+after installation. Change the default user (root) to whom reports
+should be mailed. You should set the reportlevel in there, too.
+<package>logcheck-database</package> has three report levels of
+increasing verbosity: workstation, server, paranoid.
+"server" beeing the default level, paranoid is only recommended
+for high-security machines running as few services as possible
+and workstation for relatively sheltered, non-critical machines.
+If you wish to add new log files just add them to
+<file>/etc/logcheck/logcheck.logfiles</file>. It is tuned for default
+syslog install.
<p>Once this is done you might want to check the mails that are sent, for the
first few days/weeks/months. If you find you are sent messages you do not wish
-to receive, just add the regular expressions (see
-<manref name="regex" section="7">) that correspond to these messages to the
-<file>/etc/ignore.d/local</file>. It's an ongoing tuning process; once the
-messages that are sent are always relevant you can consider the tuning
-finished. Note that if <prgn>logcheck</prgn> does not find anything relevant
-in your system it will not mail you even if it does run (so you might get a
-mail only once a week, if you are lucky).
+to receive, just add the regular expressions (see
+<manref name="regex" section="7"> and <manref name="egrep" section="1">) that
+correspond to these messages to the
+<file>/etc/logcheck/ignore.d.<var>reportlevel</var>/local</file>.
+Try to match the hole logline. Details on howto write rules are explained in
+<file>/usr/share/doc/logcheck-database/README.logcheck-database.gz</file>.
+It's an ongoing tuning process; once the messages that are sent are always
+relevant you can consider the tuning finished. Note that if
+<prgn>logcheck</prgn> does not find anything relevant in your system
+it will not mail you even if it does run (so you might get a mail only
+once a week, if you are lucky).
<sect1>Configuring where alerts are sent
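Review bot: "It is tuned for default syslog install." has no clear antecedent; rewrite as "The default <file>/etc/logcheck/logcheck.logfiles</file> is tuned for a default syslog installation." Typos in the added lines: "beeing" should be "being", "hole logline" should be "whole log line", and "howto write rules" should be "how to write rules". The sentence about changing the default user and setting the report level in <file>/etc/logcheck/logcheck.conf</file> should name the variables to edit so readers can find them. Finally, "Try to match the whole log line" deserves a reason: an unanchored or partial expression in ignore.d can match unrelated, security-relevant messages and suppress them without any indication, which is the main way a tuned logcheck stops alerting on real events.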