I’ve been a big fan of logcheck for monitoring my servers; when properly configured it works very well and is pretty flexible. Unless you are using a centralized logging system such as Splunk, most of us are guilty of not thoroughly checking our logs. I like to use logcheck to perform a simple audit of what my systems are up to. It’s not perfect, but certainly better than nothing.
My configuration has been tweaked a bit, adding some custom regexes for ignoring a few common items. I found a nice debugging tip in an old posting on the logcheck-devel mailing list, which mentions using egrep to test new rules:
cat <logfile> | egrep -v -f /etc/logcheck/ignore.d.workstation/regex
This has saved me a lot of time and frustration when making the final tweaks to a regex. However, recently I had some difficulties ignoring what seemed to be particularly stubborn security events. From what I could tell, grep suggested that my expression was filtering properly, yet logcheck was still reporting on these events. Finally, reading through the README, I discovered that patterns cancelling security alarms must be placed in violations.ignore.d, not ignore.d.workstation/server. Something to be mindful of.
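To make that distinction concrete, here is a small shell model of logcheck's two-stage filtering (security events checked against violations.d and cancelled only by violations.ignore.d, everything else filtered by ignore.d.workstation). It is an added example, not logcheck's own code or anything from the post: the log lines, the stand-in violations.d pattern and the candidate rule are all constructed, and the real violations.d patterns shipped with logcheck are not reproduced.

```shell
#!/bin/sh
# Added example, not from the original post: a small model of logcheck's
# two-stage filtering, so a candidate rule can be tried against sample lines
# with grep before it goes under /etc/logcheck. Log lines and pattern files
# are constructed here; logcheck's real violations.d patterns are not copied.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# constructed log: two routine events and one failed ssh login
cat > "$tmp/log" <<'EOF'
Jan  1 10:00:01 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 10:00:05 host sshd[456]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  1 10:00:09 host sshd[789]: Accepted publickey for alice from 192.0.2.20 port 5000 ssh2
EOF

# stand-in for violations.d: what logcheck promotes to a security event
printf '%s\n' 'Failed password' > "$tmp/violations"
# a pattern that never matches, standing in for a directory with no rules
printf '%s\n' '^NOMATCH$' > "$tmp/none"
# the candidate rule: logcheck-style syslog header prefix, then the message
rule='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for invalid user'
printf '%s\n' "$rule" > "$tmp/rule"

# the post's sanity check: how many lines survive "egrep -v -f rule"
egrep_test() { grep -v -E -f "$tmp/rule" "$tmp/log" | grep -c .; }

# stage 1: violations.d hits are reported unless violations.ignore.d cancels them
security_events() {  # $1 = file playing the role of violations.ignore.d
    grep -E -f "$tmp/violations" "$tmp/log" | grep -v -E -f "$1" || true
}
# stage 2: everything else is filtered by ignore.d.workstation
system_events() {    # $1 = file playing the role of ignore.d.workstation
    grep -v -E -f "$tmp/violations" "$tmp/log" | grep -v -E -f "$1" || true
}

echo "egrep -v leaves $(egrep_test) of 3 lines, so the rule does match"
echo "--- rule in ignore.d.workstation: the security event is still reported"
security_events "$tmp/none"; system_events "$tmp/rule"
echo "--- rule in violations.ignore.d: the security event is cancelled"
security_events "$tmp/rule"; system_events "$tmp/none"
```

The first run reproduces the symptom from the post: grep drops the line, yet it is still reported, because the rule sits in the wrong directory; only the second placement silences it.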