--- docs/logcheck.8.orig 2009-12-15 15:03:22.000000000 -0500
+++ docs/logcheck.8 2009-12-15 15:03:41.000000000 -0500
@@ -0,0 +1,115 @@
+.\" This manpage has been automatically generated by docbook2man
+.\" from a DocBook document. This tool can be found at:
+.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
+.\" Please send any bug reports, improvements, comments, patches,
+.\" etc. to Steve Cheng <steve@ggi-project.org>.
+.TH "Logcheck" "8" "15 December 2009" "" ""
+
+.SH NAME
+logcheck \- program to scan system logs for interesting lines
+.SH SYNOPSIS
+
+\fBlogcheck\fR [ \fBOPTIONS\fR ]
+
+.SH "DESCRIPTION"
+.PP
+The \fBlogcheck\fR program helps spot problems and
+security violations in your logfiles automatically and will send the
+results to you periodically in an e-mail. By default logcheck runs as
+an hourly cronjob just off the hour and after every reboot.
+.PP
+\fBlogcheck\fR supports three level of filtering:
+"paranoid" is for high-security machines running as few services
+as possible. Don't use it if you can't handle its verbose messages.
+"server" is the default and contains rules for many different daemons.
+"workstation" is for sheltered machines and filters most of the messages.
+The ignore rules work in additive manner. "paranoid" rules are also
+included at level "server" and "workstation".
+.PP
+The messages reported are sorted into three layers, system events,
+security events and attack alerts. The verbosity of system events is
+controlled by which level you choose, paranoid, server or workstation.
+However, security events and attack alerts are not affected by this.
+.SH "EXAMPLES"
+.PP
+\fBlogcheck\fR can be invoked directly thanks
+to su(8) or sudo(8), which change the user ID. The following example checks the logfiles
+without updating the offset and outputs everything to STDOUT.
+.PP
+sudo -u logcheck \fBlogcheck\fR -o -t
+.SH "OPTIONS"
+.PP
+A summary of options is included below.
+.TP
+\fB-c CFG \fR
+Overrule default configuration file.
+.TP
+\fB-d \fR
+Debug mode.
+.TP
+\fB-h \fR
+Show usage information.
+.TP
+\fB-H \fR
+Use this hostname string in the subject of logcheck mail.
+.TP
+\fB-l LOG \fR
+Run logfile through logcheck.
+.TP
+\fB-L CFG \fR
+Overrule default logfiles list.
+.TP
+\fB-m \fR
+Mail report to recipient.
+.TP
+\fB-o \fR
+STDOUT mode, not sending mail.
+.TP
+\fB-p \fR
+Set the report level to "paranoid".
+.TP
+\fB-r DIR \fR
+Overrule default rules directory.
+.TP
+\fB-R \fR
+Adds "Reboot:" to the email subject line.
+.TP
+\fB-s \fR
+Set the report level to "server".
+.TP
+\fB-S DIR \fR
+Overrule default state directory.
+.TP
+\fB-t \fR
+Testing mode does not update offset.
+.TP
+\fB-T \fR
+Do not remove the TMPDIR.
+.TP
+\fB-u \fR
+Enable syslog-summary.
+.TP
+\fB-v \fR
+Print current version.
+.TP
+\fB-w \fR
+Set the report level to "workstation".
+.SH "FILES"
+.PP
+%%ETCDIR%%/logcheck.conf is the main configuration file.
+.PP
+%%ETCDIR%%/logcheck.logfiles is the list of files to monitor.
+.PP
+%%DOCSDIR%%/README.logcheck-database for hints on how to write, test and maintain rules.
+.SH "EXIT STATUS"
+.PP
+0 upon success; 1 upon failure
+.SH "SEE ALSO"
+.PP
+\fBlogtail\fR(8)
+.SH "AUTHOR"
+.PP
+logcheck is developed by Debian logcheck Team at alioth:
+http://alioth.debian.org/projects/logcheck/.
+.PP
+This manual page was written by Jon Middleton.
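Review bot: in the OPTIONS section, `-H` and `-m` are described as taking an operand ("Use this hostname string in the subject", "Mail report to recipient") but, unlike `-c CFG`, `-l LOG`, `-L CFG`, `-r DIR` and `-S DIR`, their `.TP` lines show no placeholder, so a reader cannot tell that an argument is required; write them with a placeholder in the same style, e.g. `\fB-H HOST \fR` and `\fB-m RECIPIENT \fR` (placeholder names are a suggestion, use whatever the tool's usage text calls them). Two wording fixes in DESCRIPTION while here: "three level of filtering" should be "three levels of filtering", and the last two sentences of that paragraph read more clearly as one: "The ignore rules are additive: the "paranoid" rules are also included at the "server" and "workstation" levels." Finally, since EXAMPLES relies on su(8) and sudo(8) to run the program as the logcheck user, consider listing them in SEE ALSO next to logtail(8).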