nightmorph 10/10/12 17:39:24 Modified: logcheck.xml Log: add troubleshooting section and log file scanning, bug 340657
Revision Changes Path 1.2 xml/htdocs/doc/en/logcheck.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?rev=1.2&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?rev=1.2&content-type=text/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?r1=1.1&r2=1.2 Index: logcheck.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/logcheck.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- logcheck.xml 13 Jul 2010 20:29:06 -0000 1.1 +++ logcheck.xml 12 Oct 2010 17:39:24 -0000 1.2 @@ -1,6 +1,6 @@ <?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> -<!-- $Header $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/logcheck.xml,v 1.2 2010/10/12 17:39:24 nightmorph Exp $ --> <guide> <title>Logcheck Guide</title> @@ -20,8 +20,8 @@ <!-- See http://creativecommons.org/licenses/by-sa/2.5 --> <license/> -<version>1</version> -<date>2010-07-13</date> +<version>2</version> +<date>2010-10-12</date> <chapter> <title>Getting Started With logcheck</title> @@ -130,6 +130,16 @@ </pre> <p> +You also have to tell <c>logcheck</c> which log files to scan +(<path>/etc/logcheck/logcheck.logfiles</path>). +</p> + +<pre caption="Basic /etc/logcheck/logcheck.logfiles setup"> +<comment>(This is an example for syslog-ng)</comment> +/var/log/messages +</pre> + +<p> Finally, enable the logcheck cron job. </p> 
@@ -161,4 +171,54 @@ </body> </section> </chapter> + +<chapter> +<title>Troubleshooting</title> +<section> +<title>General tips</title> +<body> + +<p> +You can use the logcheck's <c>-d</c> switch to display more debugging +information. Example: +</p> + +<pre caption="Debugging logcheck"> +# <i>su -s /bin/bash -c '/usr/sbin/logcheck -d' logcheck</i> +D: [1281318818] Turning debug mode on +D: [1281318818] Sourcing - /etc/logcheck/logcheck.conf +D: [1281318818] Finished getopts c:dhH:l:L:m:opr:RsS:tTuvw +D: [1281318818] Trying to get lockfile: /var/lock/logcheck/logcheck.lock +D: [1281318818] Running lockfile-touch /var/lock/logcheck/logcheck.lock +D: [1281318818] cleanrules: /etc/logcheck/cracking.d/kernel +... +D: [1281318818] cleanrules: /etc/logcheck/violations.d/su +D: [1281318818] cleanrules: /etc/logcheck/violations.d/sudo +... +D: [1281318825] logoutput called with file: /var/log/messages +D: [1281318825] Running /usr/sbin/logtail2 on /var/log/messages +D: [1281318825] Sorting logs +D: [1281318825] Setting the Intro +D: [1281318825] Checking for security alerts +D: [1281318825] greplogoutput: kernel +... +D: [1281318825] greplogoutput: returning 1 +D: [1281318825] Checking for security events +... +D: [1281318825] greplogoutput: su +D: [1281318825] greplogoutput: Entries in checked +D: [1281318825] cleanchecked - file: /tmp/logcheck.uIFLqU/violations-ignore/logcheck-su +D: [1281318825] report: cat'ing - Security Events for su +... +D: [1281318835] report: cat'ing - System Events +D: [1281318835] Setting the footer text +D: [1281318835] Sending report: 'localhost 2010-08-09 03:53 Security Events' to root +D: [1281318835] cleanup: Killing lockfile-touch - 17979 +D: [1281318835] cleanup: Removing lockfile: /var/lock/logcheck/logcheck.lock +D: [1281318835] cleanup: Removing - /tmp/logcheck.uIFLqU +</pre> + +</body> +</section> +</chapter> </guide>
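Review bot: the new logcheck.logfiles paragraph ("You also have to tell <c>logcheck</c> which log files to scan") should say what the file format is and what the listed files need: one absolute path per line, and each file must be readable by the unprivileged user the cron job (and the debug invocation in the Troubleshooting chapter) runs as, or logcheck will report nothing from it. The caption comment "(This is an example for syslog-ng)" also deserves one sentence saying that a syslog configuration which splits messages by facility (a separate auth or kernel log, for instance) needs every such file listed, since only /var/log/messages is shown.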
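Review bot: the Troubleshooting chapter should warn that a `-d` run is a real run, not a dry run: the transcript itself shows "Running /usr/sbin/logtail2 on /var/log/messages" and "Sending report: 'localhost 2010-08-09 03:53 Security Events' to root", so the mail is sent and the logtail2 offset advances, and the next cron run will not report those lines again. Suggest adding `-o` (report to stdout instead of mail) and `-t` (testing mode, do not update the offset), both visible in the `getopts c:dhH:l:L:m:opr:RsS:tTuvw` line of the debug output, e.g. `su -s /bin/bash -c '/usr/sbin/logcheck -d -o -t' logcheck`. Minor wording: "You can use the logcheck's <c>-d</c> switch" should read "You can use logcheck's <c>-d</c> switch"; it is also worth a sentence that the run fails at "Trying to get lockfile: /var/lock/logcheck/logcheck.lock" if a cron run is in progress.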
