This tutorial by user junovitch shows us how to use security/logcheck to keep tabs on your FreeBSD system.

security/logcheck is a useful tool to help keep tabs on your system logs. Per the port’s pkg-descr:

Logcheck is fairly easy to set up initially, but trimming the list of what you consider "normal" down to the point where it stops producing noise can take some time. The purpose of this little guide is to cover that initial setup, provide a few examples of configuration, and hopefully grow into a small stash of good examples from others.

  1. Install security/logcheck
    pkg install logcheck
  2. Monitoring /var/log/auth.log is a sensible default, but the stock file is created mode 600 and owned by root, so the logcheck user cannot read it. Edit newsyslog.conf(5) so that the file is rotated as root:logcheck with mode 640, then fix the permissions on the current file by hand (newsyslog only applies the owner and mode when it creates a new file). The one-liner below matches the tab layout of the stock /etc/newsyslog.conf; if your copy has been edited, check the resulting auth.log line before trusting it.
    perl -pwi -e 'if (/auth\.log/) {s/auth\.log\t\t/auth.log\troot:logcheck/; s/600/640/; }' /etc/newsyslog.conf
    chown root:logcheck /var/log/auth.log
    chmod 640  /var/log/auth.log
  3. Finally, install the example crontab(1) for the logcheck user from the port's examples directory and fix its permissions.
    cp /usr/local/share/examples/logcheck/ /var/cron/tabs/logcheck
    chmod 600 /var/cron/tabs/logcheck
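The tab-exact perl one-liners in this guide are fine on a stock /etc/newsyslog.conf, but they silently change nothing if the whitespace differs. The following is an added example, not part of the original tutorial, that rewrites a newsyslog.conf(5) entry field by field and reads the owner and mode back so the result can be checked before it is installed. The function names, the sample entries and the demo are this example's own; the same function covers /var/log/auth.log here and the /var/log/all.log entry later in the guide.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a field-aware rewrite of a
# newsyslog.conf(5) entry that does not depend on the exact run of tabs in the
# stock file, plus a check of the resulting entry.
#
# newsyslog.conf columns (see newsyslog.conf(5)):
#   logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
# The owner:group column is optional; it is present when field 2 contains ':'.
# Function names and the sample config below are this example's own.

# grant_group_access CONF LOGFILE OWNER:GROUP MODE
# Print CONF with the LOGFILE entry's owner:group and mode replaced (or an
# owner:group column inserted if the entry had none). CONF itself is untouched.
# Exits non-zero if LOGFILE has no entry, so a typo in the path is not silent.
grant_group_access() {
    awk -v logfile="$2" -v owner="$3" -v mode="$4" '
        $1 != logfile { print; next }       # comments and other entries pass through
        {
            # With an owner:group column the mode is $3 and the rest starts at $4;
            # without one the mode is $2 and the rest starts at $3.
            start = ($2 ~ /:/) ? 4 : 3
            out = $1 "\t" owner "\t" mode
            for (i = start; i <= NF; i++) out = out "\t" $i
            print out
            found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# entry_fields CONF LOGFILE
# Print "owner:group mode" for LOGFILE, or "- mode" when no owner:group is set.
entry_fields() {
    awk -v logfile="$2" '
        $1 == logfile { if ($2 ~ /:/) print $2, $3; else print "-", $2 }
    ' "$1"
}

# Demo on a constructed copy of the relevant stock entries. On a real system
# you would run grant_group_access against /etc/newsyslog.conf, diff the
# output, install it, and then fix the live file with chown/chmod as in step 2.
demo() {
    conf=$(mktemp) && new=$(mktemp)
    printf '# logfilename\t[owner:group]\tmode count size when flags\n' > "$conf"
    printf '/var/log/auth.log\t\t\t\t600  7     1000 @0101T JC\n' >> "$conf"
    printf '/var/log/messages\t\t\t\t644  5     1000 @0101T JC\n' >> "$conf"
    grant_group_access "$conf" /var/log/auth.log root:logcheck 640 > "$new"
    printf 'before: %s\nafter:  %s\n' \
        "$(entry_fields "$conf" /var/log/auth.log)" \
        "$(entry_fields "$new" /var/log/auth.log)"
    rm -f "$conf" "$new"
}
demo
```

Run `grant_group_access /etc/newsyslog.conf /var/log/auth.log root:logcheck 640 > /tmp/newsyslog.conf.new`, diff it against the original, and only then copy it into place. Because newsyslog applies the owner and mode only when it creates a rotated file, the live log still needs the chown and chmod from step 2.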

At this point, Logcheck is fully set up and the cron job will run it, and email the logcheck user, every hour.

  • Don’t like the default interval? Change it.
    crontab -u logcheck -e
  • Don’t like all the emails accumulating in the logcheck user’s mailbox? Add an entry to /etc/mail/aliases and run newaliases(1) to rebuild the aliases database.
    logcheck:  jason
  • Not enough noise? Uncomment the all.log line in syslog.conf(5) so syslogd writes every message to /var/log/all.log, give the logcheck group read access the same way as for auth.log, and restart syslogd.
    perl -pwi -e 'if (/all\.log/)  {s/#\*\.\*/\*\.\*/;}' /etc/syslog.conf
    perl -pwi -e 'if (/all\.log/)  {s/all\.log\t\t/all.log\troot:logcheck/;   s/600/640/; }' /etc/newsyslog.conf
    touch /var/log/all.log
    chown root:logcheck /var/log/all.log
    chmod 640 /var/log/all.log
    service syslogd restart

    Now point Logcheck at /var/log/all.log instead of /var/log/messages by rewriting logcheck.logfiles.

    cat > /usr/local/etc/logcheck/logcheck.logfiles << 'EOF'