Note that by itself, LogCheck only does two things:
- Looks through all the log files shown for suspicious or "hackish" activity
- E-mails the report
Installation:
I'll be doing the install on FreeBSD. LogCheck is just a script, so it will run on pretty much anything that isn't Windows.
$ sudo pkg_add -r logcheckConfiguration:
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.3-release/Latest/logcheck.tbz... Done.
To see what LogCheck thinks is "hackish", check out logcheck.hacking and logcheck.violations (in /usr/local/etc/ when installed from FreeBSD's packages) Those contain a list of regular expressions (one per line) that will be used to gather reporting information from the logs. Similarly, logcheck.ignore and logcheck.violations.ignore contain regular expressions that can filter certain results from the report. I recommend looking at these files but not editing them at first. Let LogCheck run for a week or so (daily) to get a feel for it. Then, start adding or removing expressions to the lists to fine tune your reports.
To change what e-mail address the report is sent to, find logcheck.sh (it's also in /usr/local/etc/ when installed from FreeBSD's packages) and modify this block of text as appropriate:
# Person to send log activity to.Look at the other variables, too. By default, the log files and configuration will likely be workable, but it's a good idea to make sure.
SYSADMIN=root
Adding the following line to the system's crontab will launch LogCheck every hour. This isn't a big deal because it will only mail you if there is something suspicious. If you would rather have a daily log, read the man page on crontab to figure out how the schedule options.
00 * * * * root /bin/sh /usr/local/etc/logcheck.sh
Logcheck has changed. This configuration no longer works.
ReplyDeleteThanks for the heads up. I'll look into it.
ReplyDelete