Logcheck

Logcheck is used to examine log files, and notify sysadmins of suspicious activity. It is run every so often (the actual time varies depending on the server) from cron.

Configuration Files
The main logcheck configuration files are /etc/logcheck/logcheck.conf and /etc/logcheck/logcheck.logfiles. The former sets various settings about logcheck itself, such as where to send notification messages to, and the latter specifies which log files to check.

Other configuration is done in logcheck "rules," in /etc/logcheck/violations.ignore.d, /etc/logcheck/ignore.d.server, and the other subdirectories. The files in these "ignore" directories specify what lines in the logfiles to ignore. Each line in each file is a regular expression, which matches a line in a log file which is to be ignored (i.e. the normal log messages, which are no cause for alarm). The directories cracking.d and violations.d specify log messages which are more suspicious. Messages that match those expressions cannot be ignored by normal ignore.d.* rules, and must be matched by cracking.ignore.d or violations.ignore.d rules, respectively.

Since logcheck rule files are maintained by a Debian package, do not edit them directly. If there is a log message which should be ignored, they should go in separate files, so as not to interfere with the standard Debian files. These extra rules typically go in *-csl rule files. Try to keep the part before -csl the same name as the file that a rule would normally go in, if there is one, for clarity's sake. Note that logcheck uses run-parts to determine which rule files to use, which means that if a filename contains a dot, it will not be used. (This is so .dpkg-dist files and such do not get processed.)