[Logcheck-devel] Bug#862638: logcheck: Please add suricata rules to logcheck
Hans-J. Ullrich
hans.ullrich at loop.de
Mon May 15 08:42:03 UTC 2017
Package: logcheck
Version: 1.3.18
Severity: wishlist
Dear Maintainer,
I am very happy with logcheck. It is working great and very useful. However, it would be nice if you could add a ruleset for suricata (a successor to the well-known snort IDS), so I get alerted when something fishy is going on. In my case logcheck is run every 30 minutes, so I become aware very quickly when an attack is going on. On the other hand, I found no real-time alert option with suricata. The best way, IMO, would be a ruleset for suricata logs, which would alert me by mail (as logcheck normally does).
I searched the web, but things like snorby, scirius, evebox etc. did not fit what I am searching for.
Thank you for reading this and thanks for logcheck, it is great!
Best regards
Hans
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386
(i686)
Kernel: Linux 4.9.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages logcheck depends on:
ii adduser 3.115
ii cron [cron-daemon] 3.0pl1-128+b1
ii lockfile-progs 0.1.17+b1
ii logtail 1.3.18
ii mime-construct 1.11+nmu2
ii postfix [mail-transport-agent] 3.1.4-4
ii rsyslog [system-log-daemon] 8.24.0-1
Versions of packages logcheck recommends:
ii logcheck-database 1.3.18
Versions of packages logcheck suggests:
pn syslog-summary <none>
-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
-- no debconf information
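As an added illustration of what the requested ruleset could look like (this is example code written for this page, not part of the bug report, of logcheck-database, or of Suricata), the following sketches a logcheck "violations" pattern for Suricata's fast.log and dry-runs it against constructed sample lines. It assumes fast.log has been added to /etc/logcheck/logcheck.logfiles; the signature ids, addresses and file names below are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original report or of logcheck's rule database.
# logcheck reports a line under "Security Events" when it matches a pattern in
# /etc/logcheck/violations.d/ and no pattern in /etc/logcheck/violations.ignore.d/.
# Assumption: /var/log/suricata/fast.log is listed in logcheck.logfiles and is
# readable by the user logcheck runs as.

# violations.d pattern: any fast.log alert line, whatever its priority.
SURICATA_VIOLATION_RE='^[0-9/]+-[0-9:.]+ +\[\*\*\] +\[[0-9]+:[0-9]+:[0-9]+\] .*\[Priority: [0-9]+\] \{[A-Z]+\} '

# violations.ignore.d pattern: drop Priority 3 (informational/decoder) alerts.
SURICATA_IGNORE_RE='\[Priority: 3\]'

# Constructed sample fast.log lines (hypothetical sids and RFC 5737 addresses).
SAMPLE_FASTLOG='05/15/2017-08:12:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.5:51234
05/15/2017-08:12:05.654321  [**] [1:2210021:2] SURICATA STREAM Packet with broken ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.5:51234 -> 192.0.2.10:80
05/15/2017-08:13:44.000001  [**] [1:2019401:4] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40211 -> 192.0.2.10:80'

# Emulates logcheck's Security Events selection on lines read from stdin:
# keep lines matching the violation pattern, then drop ignored ones.
suricata_security_events() {
    grep -E "$SURICATA_VIOLATION_RE" | grep -E -v "$SURICATA_IGNORE_RE"
}

# Number of constructed lines that would end up in the mailed report.
count_events() {
    printf '%s\n' "$SAMPLE_FASTLOG" | suricata_security_events | wc -l | tr -d ' '
}

# Writes the two rule files into a directory tree mirroring /etc/logcheck
# (default: a fresh temp dir) and prints that directory.
write_rule_files() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir/violations.d" "$dir/violations.ignore.d"
    printf '%s\n' "$SURICATA_VIOLATION_RE" > "$dir/violations.d/suricata"
    printf '%s\n' "$SURICATA_IGNORE_RE" > "$dir/violations.ignore.d/suricata"
    echo "$dir"
}

# Dry run: prints the two Priority 1/2 alerts, not the Priority 3 one.
printf '%s\n' "$SAMPLE_FASTLOG" | suricata_security_events
```

To install, copy the two generated files into /etc/logcheck/violations.d/ and /etc/logcheck/violations.ignore.d/ and add the fast.log path to logcheck.logfiles. Note that violations.ignore.d only affects the Security Events section: a Priority 3 line it suppresses can still appear under System Events unless a matching pattern is also placed in ignore.d.server, so the same ignore regex is usually needed there as well.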