$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/warn >> $TMPDIR/check.$$
$LOGTAIL /var/log/mail >> $TMPDIR/check.$$

These entries direct logcheck to collect messages from several system log files into a temporary file for later analysis. Note the redirection operators: the first $LOGTAIL entry overwrites the temporary file (>) with the entries from /var/log/messages written since the last read, and the next two append (>>) the new entries from /var/log/warn and /var/log/mail to the same file. The $LOGTAIL environment variable points to the logtail application, which reads a text file and outputs only the data added since it last passed through logtail. This prevents you from being notified about old log activity again on every run.

When the temporary file has been created, the whole file is compared against the hacking and violation files we talked about before.
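The sequence described above, as an added example rather than logcheck's or logtail's own code: a minimal logtail-style reader that remembers its position in an offset file, and a check that gathers new entries from several logs into a temporary file and counts lines matching a patterns file standing in for the hacking/violations lists. The log lines and the handling of a rotated (shrunken) log are constructed assumptions for this example.

```sh
#!/bin/sh
# Added example (not logcheck's own code): a minimal logtail-style reader
# plus a check mimicking "$LOGTAIL log > $TMPDIR/check.$$" and the appends.

# Print only the bytes added to LOG since the last call, remembering the
# position in OFFSETFILE so the same entries are never reported twice.
logtail_new() {
    log=$1; offsetfile=$2
    [ -f "$log" ] || return 0
    last=0
    [ -f "$offsetfile" ] && last=$(cat "$offsetfile")
    size=$(wc -c < "$log" | tr -d ' ')
    # Assumption: a file smaller than last time was rotated or truncated,
    # so restart from the beginning instead of skipping its new contents.
    [ "$size" -lt "$last" ] && last=0
    tail -c +$((last + 1)) "$log"
    printf '%s\n' "$size" > "$offsetfile"
}

# Collect new entries from every log given into TMP (overwriting it, like
# the first > redirection), then count lines matching PATTERNS.
check_logs() {
    patterns=$1; tmp=$2; shift 2
    : > "$tmp"
    for log in "$@"; do
        logtail_new "$log" "$log.offset" >> "$tmp"
    done
    grep -c -i -f "$patterns" "$tmp" || true
}

# Constructed sample logs and a constructed patterns file, so it runs offline.
demo() {
    dir=$(mktemp -d)
    printf 'Failed password for invalid user admin from 192.0.2.10 ssh2\n' > "$dir/messages"
    printf 'Invalid user admin from 192.0.2.10\n' >> "$dir/messages"
    printf 'sshd: Failed password for root from 192.0.2.10\n' > "$dir/warn"
    printf 'postfix: connect from mail.example.net\n' > "$dir/mail"
    printf 'failed password\ninvalid user\n' > "$dir/violations"
    logs="$dir/messages $dir/warn $dir/mail"
    first=$(check_logs "$dir/violations" "$dir/check.$$" $logs)   # 3 hits
    second=$(check_logs "$dir/violations" "$dir/check.$$" $logs)  # 0: nothing new
    printf 'Failed password for root from 198.51.100.7 ssh2\n' >> "$dir/messages"
    third=$(check_logs "$dir/violations" "$dir/check.$$" $logs)   # 1: only the new line
    rm -r "$dir"
    printf '%s %s %s\n' "$first" "$second" "$third"
}

demo
```

Because the offset file is updated on every pass, a second run over unchanged logs reports nothing, which is exactly why logcheck can be run from cron without repeating old alerts.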

It is a relatively involved process to get logcheck customized, and we have done the hard work for you to get it working with the SUSE RPM we build in Chapter 12. We recommend you use this RPM rather than the source distribution unless you know what you are doing.

Listing 7-10 displays an example of e-mail sent to the root user by the logcheck script. Take note that under the heading Security Violations are two entries referring to failed login attempts via SSH.

