Setting up your copy of logcheck.sh is very easy, these are some of the main sections that must be edited:
As the purpose of LogSentry is to send you e-mail alerts of things happening on your system, you should point out your mailbox.
Full path to logtail program is usually in /usr/local/bin. Logtail is custom executable that remembers the last position of a text file. This program is used by logcheck to parse out information from the last time the log was opened, this prevents reviewing old material twice.
This should be non public writable /tmp directory which prevents race condition and potential symlink problems.
A few examples of LogCheck reports:
May 13 23:58:32 pilus sshd: Bad protocol version identification '' from 188.8.131.52
May 10 01:51:20 pilus su(pam_unix): authentication failure; logname=spartacus uid=502 euid=0 tty= ruser= rhost= user=root
I hope these tips helped you answer some of your basic questions, and gave few pointers on how some things should be done. These are some useful references for the things covered in this article.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.