Skip to content

Logcheck

https://wiki.koumbit.net/MonitoringService/SoftwareComparison#Logcheck

Run manually, pipe to file

sudo -u logcheck sh -c '/usr/sbin/logcheck -o -S $(mktemp -d) > /tmp/logwatch.log'

Use different, new state directory

sudo -u logcheck /usr/sbin/logcheck -o -S ${mktemp -d} > logwatch.eml

Tune ignores

zless /usr/share/doc/logcheck-database/README.logcheck-database.gz

Custom ignores are in /etc/logcheck/ignore.d.workstation/custom-varac.

i.e. Ignore ferm logs:

Dec  9 18:18:59 rocinante kernel: [106230.394358] INPUT DENIED by ferm: IN=wlp3s0 OUT= MAC=8c:70:5a:d4:72:24:b8:27:eb:4e:b1:f9:08:00 SRC=192.168.178.34 DST=192.168.178.22 LEN=204 TOS=0x00 PREC=0x00 TTL=64 ID=24513 DF PROTO=UDP SPT=1900 DPT=49112 LEN=184