Install Logcheck

# cd /tmp
# wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/logcheck-1.1.1.tar.gz
# tar xvfz logcheck-1.1.1.tar.gz
# cd logcheck-1.1.1/systems/
Now set the variable SYSADMIN in logcheck.sh. SYSADMIN is the recipient of logcheck's reports, which are sent by email; it can be a full email address or a local user on the system you are installing logcheck on. While you are in the file, check that the command paths in the configuration section (LOGTAIL in particular) match where the binaries will end up on your system:
[...]
# CONFIGURATION SECTION
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.
# Person to send log activity to.
SYSADMIN=me@myself.tld
# Full path to logtail program.
# This program is required to run this script and comes with the package.
LOGTAIL=/usr/local/bin/logtail
[...]
# cd ../../
# mkdir -p /usr/local/etc/tmp
# make
# make linux
make on its own only prints the list of supported targets; make linux does the actual install. It puts logcheck.sh and the logcheck.* keyword files under /usr/local/etc and logtail under /usr/local/bin, the path expected by LOGTAIL above. The tmp directory created above is the scratch space in which logcheck.sh assembles its report before mailing it; keep it owned by root and not writable by anyone else (chmod 700 /usr/local/etc/tmp), since anything that can write there can alter what lands in your mailbox.
Now create a cron job so that logcheck runs periodically. Edit root's crontab (/var/spool/cron/crontabs/root; running crontab -e as root edits the same file and then the restart below is not needed) and add the following line:
0 3 * * * /usr/local/etc/logcheck.sh
Then run
# chmod 600 /var/spool/cron/crontabs/root
# /etc/init.d/crond restart
This runs logcheck once a day at 3 am. On each run, logtail hands logcheck.sh only the log lines added since the previous run; logcheck.sh matches them against the keyword files in /usr/local/etc (logcheck.hacking for active attacks, logcheck.violations minus logcheck.violations.ignore for security violations, and everything not covered by logcheck.ignore as unusual system events) and mails SYSADMIN only when something is left over. Two things to expect: with a daily schedule an attack that starts at 3:05 am is reported almost 24 hours later, so on an exposed host running it hourly (0 * * * * /usr/local/etc/logcheck.sh) is the usual choice; and the first reports will be noisy until you extend logcheck.ignore with the routine messages of your own system, which is where most of the ongoing work with logcheck goes.
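What the cron job actually runs, as an added example that is not logcheck's own code: a small shell stand-in for logcheck.sh over constructed sample log lines. It assumes a scratch directory WORKDIR (a fresh mktemp -d by default), keyword files written by the script itself in the roles of logcheck.hacking, logcheck.violations, logcheck.violations.ignore and logcheck.ignore, and a line-count offset in place of logtail's byte offset; the grep flags and report headings are this example's choice, modelled on logcheck's.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a minimal stand-in for what
# /usr/local/etc/logcheck.sh does on each cron run, over constructed sample
# log lines. Assumptions: a scratch directory $WORKDIR (default: mktemp -d),
# keyword files written by this script, grep flags of this example's choosing.

WORKDIR=${WORKDIR:-$(mktemp -d)}
LOG="$WORKDIR/messages"   # stands in for /var/log/messages

# Constructed sample log (not real logs; addresses are documentation ranges).
cat > "$LOG" <<'EOF'
Mar  3 02:14:07 host sshd[2231]: Failed password for root from 203.0.113.7 port 52113 ssh2
Mar  3 02:14:09 host sshd[2231]: Accepted password for alice from 198.51.100.4 port 50022 ssh2
Mar  3 02:15:00 host su: pam_unix(su:auth): authentication failure; logname=bob uid=1001
Mar  3 02:16:20 host kernel: martian source 10.0.0.1 from 192.0.2.9, on dev eth0
Mar  3 02:17:00 host sendmail[410]: alias database /etc/aliases rebuilt by root
Mar  3 02:18:00 host portsentry[77]: attackalert: Connect from host: 203.0.113.7 to TCP port: 23
Mar  3 02:19:00 host smbd[90]: access denied to share public from 192.0.2.9
Mar  3 03:00:01 host CROND[1234]: (root) CMD (/usr/local/etc/logcheck.sh)
EOF

# Keyword files in the roles of logcheck.hacking, logcheck.violations,
# logcheck.violations.ignore and logcheck.ignore (the real lists are far longer).
printf '%s\n' 'attackalert' 'martian source' > "$WORKDIR/logcheck.hacking"
printf '%s\n' 'failed password' 'authentication failure' 'denied' > "$WORKDIR/logcheck.violations"
printf '%s\n' 'smbd' > "$WORKDIR/logcheck.violations.ignore"
printf '%s\n' 'Accepted password for' 'alias database' 'CROND' 'smbd' > "$WORKDIR/logcheck.ignore"

# Simplified logtail: print only the lines appended since the previous run,
# remembering a line-count offset in $1.offset (real logtail keeps a byte
# offset and the inode). If the log shrank (rotated or truncated), start over.
new_lines() {
  offset=0
  [ -f "$1.offset" ] && offset=$(cat "$1.offset")
  total=$(wc -l < "$1" | tr -d ' ')
  [ "$offset" -gt "$total" ] && offset=0
  tail -n +$((offset + 1)) "$1"
  echo "$total" > "$1.offset"
}

# The three logcheck filters. Attack and violation keywords match
# case-insensitively; the ignore lists match exactly (this example's choice).
active_attacks()      { grep -i -f "$WORKDIR/logcheck.hacking" "$1" || true; }
security_violations() {
  grep -i -f "$WORKDIR/logcheck.violations" "$1" \
    | grep -v -f "$WORKDIR/logcheck.violations.ignore" || true
}
unusual_events()      { grep -v -f "$WORKDIR/logcheck.ignore" "$1" || true; }

# Print one section of the report, or nothing when it is empty.
section() {
  [ -n "$2" ] || return 0
  printf '%s\n=-=-=-=-=-=-=-=-=-=-=-=-=-=\n%s\n\n' "$1" "$2"
}

# One cron run: take the new lines, build the three sections and print the
# report logcheck.sh would pipe into mail -s ... $SYSADMIN. An empty report
# means no mail, which is what keeps the mailbox quiet between incidents.
report() {
  new="$WORKDIR/new.$$"
  new_lines "$LOG" > "$new"
  section 'Active System Attack Alerts' "$(active_attacks "$new")"
  section 'Security Violations'         "$(security_violations "$new")"
  section 'Unusual System Events'       "$(unusual_events "$new")"
  rm -f "$new"
}

report
```

Run it twice in a row and the second run prints nothing, because the offset file already covers every line; append a line to $WORKDIR/messages and only that line is reported. The smbd line shows the two-stage filtering: it matches the violation keyword denied but is dropped by logcheck.violations.ignore, and it also needs its own entry in logcheck.ignore or it would still surface under Unusual System Events.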