Logcheck is a software package that automatically runs and checks system log files for security violations and unusual activity. It uses a companion program called logtail, which remembers the position it last read up to in each log file, so every run examines only the lines added since the previous one.
It can be used in several ways, from analysing security or unusual activity in the syslog to monitoring Apache log files for errors caused by PHP scripts or other problems. By default it checks the log files every hour (from a cron job installed with the package) and, if anything is detected, sends an e-mail to the administrator with the relevant lines from the log file.
Installing this utility is simple, since it is included in the stable repositories of Debian and Ubuntu; all you need to do is install it with apt-get:
# apt-get install logcheck
This installs the tool and all its dependencies; alternatively you can download the logcheck-1.1.2.tar.gz release from SourceForge. The first thing to do is change the e-mail address the utility sends its reports to. Open /etc/logcheck/logcheck.conf in your favourite text editor, set REPORTLEVEL to the level you want (workstation is the least verbose, server is the default, and paranoid is very verbose) and set SENDMAILTO to your e-mail address, like this:
# vim /etc/logcheck/logcheck.conf
All configuration files live in the /etc/logcheck directory. After setting the mail address and the report level, the next step is to look at /etc/logcheck/logcheck.logfiles, which lists the log files to be monitored, one absolute path per line, like this:
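The two edits above, applied from a script, as an added example that is not part of the original article and not logcheck's own code. It rewrites only REPORTLEVEL and SENDMAILTO in logcheck.conf (leaving every other setting in place), writes the monitored-file list to logcheck.logfiles, and refuses a report level that has no matching ignore.d directory or a log path that is not absolute. The target directory is a parameter so it can be tried against a scratch copy before /etc/logcheck; the address admin@example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article or of logcheck itself.
# Applies the REPORTLEVEL / SENDMAILTO edit to logcheck.conf and writes the
# monitored log list to logcheck.logfiles under a directory of your choice
# (/etc/logcheck on a real host). Only the two named settings are rewritten;
# every other line of logcheck.conf is left untouched.

# set_conf_var FILE NAME VALUE
# Replace the NAME=... assignment in FILE, or append one if FILE has none.
# Uses a temp file instead of sed -i so it works with both GNU and BSD sed.
# VALUE must not contain the sed specials '|', '&' or '\' (fine for a mailbox).
set_conf_var() {
    file=$1; name=$2; value=$3
    if [ -f "$file" ] && grep -q "^$name=" "$file"; then
        sed "s|^$name=.*|$name=\"$value\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# configure_logcheck DIR LEVEL MAILTO LOGFILE...
# Validates first and writes nothing on failure, so a typo cannot leave
# logcheck with a half-applied configuration.
configure_logcheck() {
    dir=$1; level=$2; mailto=$3; shift 3
    # only these three levels have an ignore.d.<level> rule directory
    case $level in
        workstation|server|paranoid) ;;
        *) echo "REPORTLEVEL must be workstation, server or paranoid, not '$level'" >&2; return 1 ;;
    esac
    for f in "$@"; do
        case $f in
            /*) ;;
            *) echo "log file path must be absolute: $f" >&2; return 1 ;;
        esac
    done
    set_conf_var "$dir/logcheck.conf" REPORTLEVEL "$level"
    set_conf_var "$dir/logcheck.conf" SENDMAILTO "$mailto"
    # logcheck.logfiles is a plain list, one absolute path per line
    printf '%s\n' "$@" > "$dir/logcheck.logfiles"
}

# conf_setting DIR NAME
# Read a setting back the way logcheck does: source the file (in a subshell,
# so nothing leaks into the caller) and print the variable.
conf_setting() {
    ( . "$1/logcheck.conf" && eval "printf '%s\n' \"\$$2\"" )
}

# On a real host (as root, after backing up the originals; address is a placeholder):
#   configure_logcheck /etc/logcheck server admin@example.com /var/log/syslog /var/log/auth.log
```

Because logcheck.conf is a file of shell assignments that logcheck sources, reading a value back with conf_setting shows exactly what logcheck will see, quoting included.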
The utility will now check those log files every hour, and if it finds anything it will send a report by e-mail that looks like this:
Logcheck works by filtering the new log lines through the extended regular expressions in the files under /etc/logcheck/ignore.d.server. Which rule directories apply depends on the report level you selected: paranoid uses only ignore.d.paranoid, server adds ignore.d.server, and workstation adds ignore.d.workstation on top, so workstation ignores the most and paranoid the least. Any line that matches none of the ignore rules is included in the e-mail report as a potential problem, under "System Events". Lines that match the keyword patterns in violations.d (minus the exceptions in violations.ignore.d) are reported as "Security Events", and lines matching cracking.d as "Security Alerts". The result is that it reports anything unusual in the log files, from hard disk errors to failed authentication attempts to kernel problems.
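The core loop just described, as an added example that is not logcheck's own code: a small shell re-implementation that remembers the byte offset of the last read (what logtail does), reads only the new lines, drops those matching an ignore rule set written in the same egrep format as the files under /etc/logcheck/ignore.d.*, and prints whatever is left, which is what logcheck would mail as "System Events". The ignore rules, the syslog lines, the host name "host" and the addresses 203.0.113.5 and 192.0.2.10 are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not logcheck's own code: the hourly loop in miniature.
# logtail keeps a per-file byte offset; logcheck filters the new lines with
# grep -v -f against the ignore rules and reports what survives.

# logtail_new LOGFILE OFFSETFILE
# Print the lines appended since the offset saved in OFFSETFILE, then save the
# new offset. A file smaller than the saved offset has been rotated or
# truncated, so reading restarts from byte 0 (logtail checks for this too).
logtail_new() {
    logfile=$1; offsetfile=$2
    offset=0
    if [ -f "$offsetfile" ]; then offset=$(($(cat "$offsetfile"))); fi
    size=$(($(wc -c < "$logfile")))
    if [ "$size" -lt "$offset" ]; then offset=0; fi
    # tail -c +N starts at byte N (1-based), so offset+1 is the first new byte
    tail -c +$((offset + 1)) "$logfile"
    echo "$size" > "$offsetfile"
}

# report_new LOGFILE OFFSETFILE RULEFILE
# Emit the new lines that match none of the ignore rules. grep -v exits 1 when
# it filtered everything, which is the normal "nothing to report" case.
# RULEFILE must contain no blank lines: an empty pattern matches every line
# (logcheck strips blank and comment lines from its rule files before use).
report_new() {
    logtail_new "$1" "$2" | grep -v -E -f "$3" || true
}

# demo: build constructed sample files in a temp dir, run three passes and
# print the number of reported lines from each pass.
demo() {
    dir=$(mktemp -d)
    log=$dir/syslog; off=$dir/syslog.offset; rules=$dir/ignore.d.server
    # Constructed ignore rules in the format used under /etc/logcheck/ignore.d.*:
    # a routine hourly cron run and a successful key-based ssh login.
    cat > "$rules" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(.*\)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from [0-9.]+ port [0-9]+ ssh2$
EOF
    # Constructed syslog lines: one routine cron job, then two things an
    # administrator wants to hear about (a guessed password and a disk error).
    cat > "$log" <<'EOF'
Mar  3 10:02:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:15 host sshd[1301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:04:00 host kernel: [ 1234.567890] ata1.00: failed command: READ FPDMA QUEUED
EOF
    first=$(report_new "$log" "$off" "$rules" | wc -l)
    second=$(report_new "$log" "$off" "$rules" | wc -l)   # nothing appended since
    # More constructed lines arrive before the third pass: an ignored key login
    # and another failed password, which is the only new line to report.
    cat >> "$log" <<'EOF'
Mar  3 11:00:05 host sshd[1410]: Accepted publickey for alice from 192.0.2.10 port 40222 ssh2
Mar  3 11:00:09 host sshd[1412]: Failed password for root from 203.0.113.5 port 51300 ssh2
EOF
    third=$(report_new "$log" "$off" "$rules" | wc -l)
    rm -rf "$dir"
    echo "$((first)) $((second)) $((third))"
}

# prints "2 0 1": two lines reported, then nothing new, then only the failed
# root login (the key-based login was matched by the second ignore rule)
demo
```

The point of the offset file is that a line is reported once, on the run that first sees it; delete the offset file and the next run re-reports the whole log. The rules are anchored with ^ and $ deliberately: an unanchored rule such as "CRON" would also silence an attacker-chosen line that merely contains the word, which is the main way a hand-written ignore rule ends up hiding the evidence it was meant to keep visible.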