Your message dated Sat, 16 Aug 2025 12:58:51 +0100
with message-id
<caj3buot+xupnf30v4bjiei209evv9amjqnxwaq7jzy0xedm...@mail.gmail.com>
and subject line Re: logcheck: Please add suricata rules to logcheck
has caused the Debian Bug report #862638,
regarding logcheck: Please add suricata rules to logcheck
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
862638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862638
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: logcheck
Version: 1.3.18
Severity: wishlist
Dear Maintainer,
I am very happy with logcheck. It is working great and very useful. However,
it would be nice if you could add a ruleset for suricata (a successor to the
well-known snort IDS), so I get alerted when something fishy is going on. In
my case logcheck is run every 30 minutes, so I am aware very fast when an
attack is going on. On the other hand, I found no realtime alert option with
suricata. The best way, IMO, would be a ruleset for suricata logs, which would
alert me by mail (as logcheck normally does).
I searched the web, but things like snorby, scirius, evebox etc. did not fit
what I am searching for.
Thank you for reading this and thanks for logcheck, it is great!
Best regards
Hans
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 4.9.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages logcheck depends on:
ii adduser 3.115
ii cron [cron-daemon] 3.0pl1-128+b1
ii lockfile-progs 0.1.17+b1
ii logtail 1.3.18
ii mime-construct 1.11+nmu2
ii postfix [mail-transport-agent] 3.1.4-4
ii rsyslog [system-log-daemon] 8.24.0-1
Versions of packages logcheck recommends:
ii logcheck-database 1.3.18
Versions of packages logcheck suggests:
pn syslog-summary <none>
-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
-- no debconf information
--- End Message ---
--- Begin Message ---
On Sun, 12 May 2024 19:48:12 +0100 Richard Lewis
<[email protected]> wrote:
> On Mon, 15 May 2017 10:42:03 +0200
>
> > I am very happy with logcheck. It is working great and very useful.
> > However, it would be nice if you could add a ruleset for suricata (a
> > successor to the well-known snort IDS), so I get alerted when something
> > fishy is going on.
>
> It's a shame no-one replied to this bug from 2017 - let's change that now.
>
> > In my case logcheck is run every 30 minutes, so I am aware very fast when
> > an attack is going on. On the other hand, I found no realtime alert option
> > with suricata. The best way, IMO, would be a ruleset for suricata logs, which
> > would alert me by mail (as logcheck normally does).
>
> Unfortunately more information is needed to help this.
>
> Is the request to use logcheck to scan non-log files created by
> suricata? You can definitely do that, but you would need to write your own
> rules to ignore things that are not "fishy".
> ...but I don't think logcheck-database should ship such rules unless
> there is clear demand. It looks like suricata can send its own alerts,
> so I'm not sure this is even needed in 2024?
>
> If there are messages produced by suricata in the journal that
> logcheck should be filtering, then we need to know what those are?
>
> (In the absence of more information we would likely close this bug as
> unactionable)
A year later: closing. I can't see any information in this report with
which to write rules for suricata, and it's not clear what is being
asked for.
If there is something to do, please provide the messages that are produced
--- End Message ---
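Richard's reply above says that logcheck can watch suricata's own output files, but that the user then has to write ignore rules for the alerts they do not want mailed. The script below is an added example showing what that looks like; it is not code from the bug report, from the logcheck package or from suricata. It assumes suricata's fast log lives at /var/log/suricata/fast.log (the usual Debian location) and that the rules would go in a file named suricata-local under /etc/logcheck/ignore.d.server/ (a name chosen for this example). The log lines, rule SIDs and alert names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report, logcheck or suricata): filter a
# constructed suricata fast.log with logcheck-style ignore rules.
#
# logcheck reports every line of a watched file that is NOT matched by a
# rule in ignore.d.*; the rules are extended regexes applied with
# grep -E -v -f. For an IDS log where every line is already an alert, you
# therefore only write ignore rules for the noise you never want mailed.
set -eu

# Constructed sample of fast.log lines. The layout approximates suricata's
# fast output; SIDs in the 9000000 range and the "LOCAL ..." names are
# invented for this example.
sample_fast_log() {
  cat <<'EOF'
05/15/2017-10:42:03.123456  [**] [1:9000002:1] LOCAL ATTACK id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:41234
05/15/2017-10:43:11.654321  [**] [1:9000001:3] LOCAL STREAM packet out of window [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:51000 -> 198.51.100.7:443
05/15/2017-10:44:00.000001  [**] [1:9000003:1] LOCAL INFO STUN binding request [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:3478 -> 198.51.100.9:3478
05/15/2017-10:45:30.500000  [**] [1:9000004:2] LOCAL SCAN SYN probe to ssh [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:54321 -> 192.0.2.10:22
EOF
}

# Ignore rules as they would appear in the hypothetical file
# /etc/logcheck/ignore.d.server/suricata-local: one ERE per line, anchored
# at both ends so a rule cannot accidentally swallow an unrelated alert.
# Rule 1 drops everything at Priority 3; rule 2 drops one specific noisy
# SID whatever its priority.
ignore_rules() {
  cat <<'EOF'
^[0-9/]+-[0-9:.]+ +\[\*\*\] \[1:[0-9]+:[0-9]+\] [^[]+ \[\*\*\] \[Classification: [^]]+\] \[Priority: 3\] [{][A-Z]+[}] .*$
^[0-9/]+-[0-9:.]+ +\[\*\*\] \[1:9000001:[0-9]+\] LOCAL STREAM packet out of window \[\*\*\] .*$
EOF
}

# Apply the rules the way logcheck does: lines matching any rule are
# dropped; whatever remains is what logcheck would put in the mail.
filter_alerts() {
  rules=$(mktemp)
  ignore_rules >"$rules"
  sample_fast_log | grep -E -v -f "$rules" || true
  rm -f "$rules"
}

count_alerts() {
  filter_alerts | wc -l | tr -d ' '
}

# Assumed location of suricata's fast log on Debian; this line is what you
# would append to /etc/logcheck/logcheck.logfiles so logcheck tails it.
logfiles_entry() {
  echo "/var/log/suricata/fast.log"
}

echo "logcheck.logfiles entry: $(logfiles_entry)"
echo "alerts that would be mailed ($(count_alerts) of 4 sample lines):"
filter_alerts
```

Run it and only the two Priority 2 alerts survive; the Priority 3 lines and the stream decoder noise are silently dropped, which is exactly the "ignore things that are not fishy" step Richard describes. The same approach does not cover suricata's eve.json, which is one JSON object per line and would need rules written against that format instead.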