Continuing our series on tools for monitoring Linux system log activity, this article introduces LogCheck for Linux log monitoring. You need software that reads log files and checks them for security violations and unusual activity. To that end, LogCheck is designed as an automated tool that also remembers the last position it read in each log file. LogCheck runs and checks the log files every hour and sends an email to the administrator if it finds a problem. It is developed by the Debian LogCheck Team. Since it is included in the stable repository of the Debian/Ubuntu Linux distributions, you can install it easily. The available Eldernode packages are designed for various needs; purchase your own Linux VPS and enjoy it.
What Is LogCheck and How Does It Work?
As an administrator, you need a simple utility to help you view the log files produced on hosts under your control. LogCheck is a widely used tool that analyzes the system logs and sends a summary of the log files after it filters out “normal” entries. LogCheck reads each log entry from the files specified in /etc/logcheck/logcheck.logfiles; in this case, the log files /var/log/syslog and /var/log/auth.log. To track which messages it has already read, it uses a Perl utility called “logtail”, which can bookmark its place in the logs. In this way, events are not reported twice in successive LogCheck runs.
LogCheck scans your system log files and emails suspicious issues. Since it runs via cron, its entry may be in one of a few different places:
1- In the standard root crontab.
2- In /etc/crontab
3- As an entry under /etc/cron.d
4- Under one of the “run-parts” subdirectories like /etc/cron.daily
LogCheck supports three levels of filtering: paranoid, server, and workstation.
Paranoid: This level is for high-security machines running as few services as possible. Its messages are verbose, so consider whether that volume is easy for you to handle.
Server: This is the default level, and it contains rules for many different daemons.
Workstation: This level includes both of the above rule sets (the paranoid rules are already included at the server level). It is for sheltered machines and filters most of the messages.
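The bookmarking and the stacked filter levels described above can be seen together in the following added example, which is not LogCheck's or logtail's own code. The JSON state file, the three sample rules, and the function names are assumptions made for illustration.

```python
import json
import os
import re

# Constructed ignore rules (not logcheck's shipped rule files), one list per level.
RULES = {
    "paranoid": [r"cron\[\d+\]: \(root\) CMD "],
    "server": [r"sshd\[\d+\]: Accepted publickey for \S+ from "],
    "workstation": [r"dhclient\[\d+\]: DHCPACK "],
}
ORDER = ["paranoid", "server", "workstation"]


def ignore_patterns(level):
    """Stack the rules: each level also applies every level before it."""
    active = ORDER[: ORDER.index(level) + 1]
    return [re.compile(p) for name in active for p in RULES[name]]


def read_new_lines(log_path, state_path, update_offset=True):
    """Return lines added since the last run, using a saved bookmark."""
    st = os.stat(log_path)
    try:
        with open(state_path) as fh:
            saved = json.load(fh)
    except (FileNotFoundError, ValueError):
        saved = {"inode": None, "offset": 0}
    offset = saved["offset"]
    # A different inode or a shrunken file means rotation or truncation.
    if saved["inode"] != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1  # consume complete lines only
    if update_offset:  # False mirrors a testing mode: bookmark left untouched
        with open(state_path, "w") as fh:
            json.dump({"inode": st.st_ino, "offset": offset + end}, fh)
    return data[:end].decode("utf-8", "replace").splitlines()


def report(log_path, state_path, level="server", update_offset=True):
    """Lines that survive filtering are what would be mailed."""
    patterns = ignore_patterns(level)
    new = read_new_lines(log_path, state_path, update_offset)
    return [ln for ln in new if not any(p.search(ln) for p in patterns)]
```

Running `report` twice on an unchanged file returns an empty list the second time, and a line that is ignored at the server level still appears at the paranoid level.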
The reported messages are sorted into three layers: system events, security events, and attack alerts. LogCheck has the following features:
1- Has predefined templates for reports
2- Easy log filtering mechanism with regular expressions
3- Instant email notifications
4- Has a cloud-based dispatch handling system
5- Instant security issues alerts
LogCheck Email Reports
Next, we will have a quick review of the new LogCheck email reports, which are easier to read.
The Metric section gives you a summary of the notable daily activity in your logbook at a glance.
The Notes section lists all notes taken in the field. You can communicate with your team using the Notes section.
The Photos section lets you view all photos taken in the field, which helps your team make sure that critical checks are being performed.
The Alert section will list all records with out-of-range values and allows you to identify/prevent potential problems easily.
The Redated Records section helps you identify records with modified timestamps.
– Cloud-based dispatch management system.
– Developers can also access this tool from their mobile phone.
– Gives instant information about security problems.
– Logs can be filtered easily with regular expressions.
– Sends instant notifications by email.
– Has important pre-made report templates for making instant reports.
– LogCheck is easy to set up and works on many systems.
– Enables staff to save time and reduce risks.
LogCheck is not flexible. It combines all log files into one, which means situations are hard to handle if a string is a problem in one log file but not in another. It is slow in some configurations and limits e-mailing reports to a system administrator.
LogCheck Options (LogCheck for Linux Log Monitoring)
Let’s look at some of the LogCheck options:
-c CFG: Overrule default configuration file.
-d: Debug mode.
-h: Show usage information.
-H: Use this hostname string in the subject of the LogCheck mail.
-l LOG: Run logfile through LogCheck.
-L CFG: Overrule default logfiles list.
-m: Mail report to the recipient.
-o: STDOUT mode, not sending mail.
-p: Set the report level to “paranoid”.
-r DIR: Overrule default rules directory.
-R: Adds “Reboot:” to the email subject line.
-s: Set the report level to “server”.
-S DIR: Overrule default state directory.
-t: Testing mode; does not update the offset.
-T: Do not remove the TMPDIR.
-u: Enable Syslog-summary.
-v: Print current version.
-w: Set the report level to “workstation”.
LogCheck Usage (Introducing LogCheck for Linux Log)
Let’s see some examples of how you can use the LogCheck commands. As you know, LogCheck sends emails periodically by default. As a result, you can use the -m option to force it to send one immediately. Look at the command below:
1. You can use the -H option followed by a hostname to use that hostname in the subject of the email.
2. You can use the -o option to send the report to stdout rather than by email.
Linux Log Monitoring using LogCheck
System administrators of most Linux distros frequently check log files in production environments to monitor system health, the running state of applications, potential memory issues, high-priority events, and so on. Various problems may affect users and their applications and decrease overall system performance. This explains the need for a tool to view and analyze log files. LogCheck runs every hour as a cron job and after every bootup. Users can install LogCheck either from the command line or by downloading it from its project website.
This article introduced LogCheck for Linux log monitoring. LogCheck is simple to use and extremely customizable. Undoubtedly, LogCheck is on the top 10 list of the best Linux log file management tools. System administrators treat this tool as a primary one and enjoy its capabilities. Discuss it with your friends in the Eldernode Community and mention the pros and cons of LogCheck if you have used it.