logcheck - A tool to Monitor Linux System Log Activity

Logcheck is a software package designed to run automatically and check system log files for security violations and unusual activity. It relies on a program called logtail, which remembers the last position it read from each log file, so every run only examines the lines added since the previous one.

It can be used in several ways, from spotting security events or unusual activity in the syslog to monitoring Apache log files for errors caused by PHP scripts or other problems. By default it checks the log files every hour and, if anything is detected, sends an e-mail to the administrator containing the relevant lines from the log file.

Install logcheck

Installing this utility is simple since it's included in the stable repository of Debian/Ubuntu Linux distributions; all you need to do is install it with apt-get, like this:

# apt-get install logcheck

This will automatically install the tool and all its dependencies; alternatively you can download the logcheck-1.1.2.tar.gz version from SourceForge. The first thing you need to do is change the e-mail address the utility sends its reports to. Open /etc/logcheck/logcheck.conf in your favorite text editor, set REPORTLEVEL to the level you want (workstation is less verbose, server is the default, and paranoid is very verbose) and set SENDMAILTO to your e-mail address, like this:

# vim /etc/logcheck/logcheck.conf
(screenshot: logcheck config)

The configuration files live in the /etc/logcheck directory. After you have configured the mail address and the report level, the next thing to look at is /etc/logcheck/logcheck.logfiles, which contains the list of log files to be monitored, one log file per line, like this:

(screenshot: logcheck logfiles)

From now on the utility will check those log files every hour and, if it finds something suspicious, send a report by e-mail that looks like this:

(screenshot: logcheck mail)

logcheck works by comparing the log files against the rules in /etc/logcheck/ignore.d.server (or the directory for whichever report level you selected). Any line that matches none of the rules in the ignore files is treated as a potential problem and included in the e-mail report, so it will flag anything unusual in the logs, from hard disk errors and failed authentication attempts to kernel problems.
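As an added illustration (not part of the original article or of the logcheck project), the following Python script mimics the two mechanisms just described: a logtail-style saved byte offset, so each run only sees the lines written since the previous run, and a set of ignore rules in the spirit of ignore.d.server, where every line that matches no rule ends up in the report. The rule set, the log lines and the file names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Constructed ignore rules in the style of /etc/logcheck/ignore.d.server (one regex
# per line; matching lines are dropped). Python re syntax here; real rules are egrep-style.
IGNORE_RULES = r"""
^\w{3} [ :0-9]{11} [\w.-]+ CRON\[\d+\]: \(root\) CMD \(.*\)$
^\w{3} [ :0-9]{11} [\w.-]+ sshd\[\d+\]: Accepted publickey for \w+ from .*$
"""
# Constructed sample syslog lines, not a real capture.
SAMPLE_LOG = """\
Mar  5 10:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  5 10:03:17 host sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  5 10:04:02 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  5 10:05:40 host kernel: ata1.00: failed command: READ FPDMA QUEUED
"""

def load_rules(text):
    """Compile one regex per non-blank, non-comment line."""
    return [re.compile(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def tail_since(log_path, offset_path):
    """Mimic logtail: return only lines added since the last run, via a saved byte offset."""
    log, state = Path(log_path), Path(offset_path)
    offset = int(state.read_text()) if state.exists() else 0
    if log.stat().st_size < offset:  # log rotated or truncated: start over
        offset = 0
    with log.open("rb") as f:
        f.seek(offset)
        data = f.read()
    state.write_text(str(offset + len(data)))  # remember where we stopped
    return data.decode(errors="replace").splitlines()

def unexpected(lines, rules):
    """Keep every line that matches no ignore rule; these make up the e-mail report."""
    return [l for l in lines if not any(r.search(l) for r in rules)]

def demo(workdir=None):
    """Two consecutive runs; the second reports only what was appended in between."""
    workdir = Path(workdir or tempfile.mkdtemp())
    log, state = workdir / "syslog", workdir / "syslog.offset"
    rules = load_rules(IGNORE_RULES)
    log.write_text(SAMPLE_LOG)
    first = unexpected(tail_since(log, state), rules)
    with log.open("a") as f:  # new activity since the first run
        f.write("Mar  5 11:00:01 host CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)\n"
                "Mar  5 11:02:09 host sshd[2010]: Failed password for root from 203.0.113.9 port 3022 ssh2\n")
    second = unexpected(tail_since(log, state), rules)
    return first, second
```

Calling demo() returns two reports: the first holds the failed login and the disk error, the second only the failed root login appended afterwards, because the routine cron and successful key login lines are ignored and the offset skips everything already reported.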

Comments

  1. Hi,

    Thanks for this wonderful article, very helpful. I have a question: do you know if the email that logcheck sends contains only the new occurrences or all?
    Can you please confirm, thanks.

  2. I recently installed Logcheck and tried to get some basic knowledge. I have a couple of questions. Do I need to set up my system to use e-mail via

    dpkg-reconfigure exim4-config

    If so, do I need to set up SMTP authentication in the Exim4 mail server? Keep in mind that I am trying to use Logcheck on my Debian laptop (I mean I killed Windows and installed Debian).

    Thank you for your attention and time
