Logcheck¶

sudo apt install logcheck logcheck-database

sudo nano /etc/logcheck/logcheck.conf

REPORTLEVEL="server"
SENDMAILTO="admin@example.com"
FQDN=1
INTRO=1
SUPPORTCRON=1
LOGFILES="/var/log/syslog /var/log/auth.log /var/log/mail.log"

sudo nano /etc/logcheck/ignore.d.server/custom-ignore

# Eigene Ignore-Regeln
^\w{3} [ :0-9]{11} [^ ]+ sshd\[[0-9]+\]: Accepted password for [^ ]+ from [^ ]+ port [0-9]+ ssh2$
^\w{3} [ :0-9]{11} [^ ]+ postfix\/smtpd\[[0-9]+\]: [A-F0-9]+: client=localhost\[127\.0\.0\.1\]$

sudo nano /etc/logcheck/violations.d/server-custom

# Eigene Violation-Regeln
^\w{3} [ :0-9]{11} [^ ]+ sudo: [^ ]+ : TTY=.* ; PWD=.* ; USER=root ; COMMAND=.*
^\w{3} [ :0-9]{11} [^ ]+ kernel: \[.*\] Out of memory: Kill process

sudo logcheck -t -o

sudo logcheck

sudo nano /etc/cron.d/logcheck

# Logcheck cron job
2 * * * * root logcheck

sudo tail -f /var/log/logcheck.log