Linux Logcheck
Overview
One important task in the security world is to check the log files regularly. The daily workload of an administrator often leaves no time for this, and unread logs can lead to problems.
As explained in the Logcheck abstract:
Auditing and logging system events is important! What is more important is that system administrators be aware of these events so they can prevent problems that will inevitably occur if you have a system connected to the Internet. Unfortunately for most Unices it doesn’t matter how much you log activity if nobody ever checks the logs, which is often the case. This is where logcheck will help. Logcheck automates the auditing process and weeds out “normal” log information to give you a condensed look at problems and potential troublemakers mailed to wherever you please. Logcheck is a software package that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck utilizes a program called logtail that remembers the last position it read from in a log file and uses this position on subsequent runs to process new information.
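The logtail/logcheck mechanism described above, reduced to its core, as an added example (not code from the Logcheck package): logtail remembers a byte offset per log file and hands back only lines appended since the last run, and logcheck drops lines matching ignore patterns before sorting the rest into violations and unusual activity. The log lines and pattern lists are constructed for this example; the real logcheck ships its own pattern files.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample syslog lines for two successive runs (not from the page).
RUN1_LOG = ("May  1 10:00:01 deep CRON[123]: (root) CMD (run-parts /etc/cron.hourly)\n"
            "May  1 10:00:05 deep sshd[456]: Accepted password for alice from 10.0.0.5\n"
            "May  1 10:00:09 deep sshd[457]: Failed password for root from 10.0.0.99\n")
RUN2_LOG = "May  1 11:00:07 deep su[470]: FAILED SU (to root) alice on pts/0\n"

# Hypothetical stand-ins for logcheck's violations and ignore pattern files.
VIOLATION_PATTERNS = [r"failed", r"denied", r"refused"]
IGNORE_PATTERNS = [r"CRON\[\d+\]: \(root\) CMD"]

def logtail(logfile, offsetfile):
    """Return lines appended since the last run and persist the new byte offset."""
    offset = int(Path(offsetfile).read_text() or "0") if os.path.exists(offsetfile) else 0
    if os.path.getsize(logfile) < offset:  # log was rotated or truncated: restart
        offset = 0
    with open(logfile, "rb") as f:
        f.seek(offset)
        data = f.read()
        new_offset = f.tell()
    Path(offsetfile).write_text(str(new_offset))
    return data.decode("utf-8", "replace").splitlines()

def logcheck(lines):
    """Drop 'normal' lines, then split the rest into violations and unusual activity."""
    violations, unusual = [], []
    for line in lines:
        if any(re.search(p, line) for p in IGNORE_PATTERNS):
            continue
        if any(re.search(p, line, re.IGNORECASE) for p in VIOLATION_PATTERNS):
            violations.append(line)
        else:
            unusual.append(line)
    return violations, unusual

def run_demo(workdir=None):
    """Simulate two cron runs against a growing log; return each run's report."""
    workdir = workdir or tempfile.mkdtemp()
    log, off = os.path.join(workdir, "messages"), os.path.join(workdir, "messages.offset")
    Path(log).write_text(RUN1_LOG)
    first = logcheck(logtail(log, off))
    with open(log, "a") as f:
        f.write(RUN2_LOG)
    second = logcheck(logtail(log, off))  # only the newly appended line is seen
    return first, second
```

The second run reports only the line appended after the first run, which is exactly why the offset file must be protected from tampering: resetting or advancing it replays or hides log entries.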
These installation instructions assume
Commands are Unix-compatible.
The source path is “/var/tmp” (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in super-user account “root”.
Logcheck version number is 1.1.1
Packages
Logcheck Homepage Site: http://www.psionic.com/abacus/logcheck/ You must be sure to download: logcheck-1.1.1.tar.gz
Tarballs
It is a good idea to make a list of files on the system before you install Logcheck, and one afterwards, and then compare them using ‘diff’ to find out what files were placed where. Simply run ‘find /* > Logcheck1’ before and ‘find /* > Logcheck2’ after you install the software, and use ‘diff Logcheck1 Logcheck2 > Logcheck-Installed’ to get a list of what changed.
Compilation
Decompress the tarball (tar.gz).
[root@deep /]# cp logcheck-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf logcheck-version.tar.gz
Compile and Optimize
You must modify the “Makefile” file of Logcheck to specify installation paths, compilation flags, and optimizations for your system. We must modify this file to be compliant with Red Hat’s file system structure and to install the Logcheck script files under a directory in our PATH environment variable.
Step 1
Move into the new Logcheck directory and type the following commands on your terminal: