Mails anomalies in the system logfiles to the administrator.
Logcheck helps spot problems, anomalies and security violations
in your logfiles automatically and will send the summaries to you
via e-mail. Logcheck is run as a cron job.
# cd /usr/ports/security/logcheck
# make install clean
# rehash
Edit /usr/local/etc/logcheck/logcheck.conf and set the SENDMAILTO parameter.
According to /usr/local/etc/logcheck/logcheck.logfiles, logcheck parses /var/log/messages and /var/log/auth.log. The permissions of /var/log/messages are OK. Let's adjust the permissions of auth.log so the logcheck group can read it:
# cd /var/log
# chgrp logcheck auth.log
# chmod g+r auth.log
Edit /etc/newsyslog.conf and set the mode of auth.log to 640, so the rotated log keeps the group-readable permission.
NTP on my system writes messages like "kernel time sync status changed" to the log file very often. To make logcheck ignore these messages, edit /usr/local/etc/logcheck/ignore.d.server/ntp and change
kernel time sync (disabled|enabled)
to
kernel time sync (disabled|enabled|status change)
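To see the effect of the edited ignore pattern before waiting for the next cron run, the following added example (not part of the original how-to) filters a few constructed log lines the way logcheck does, with an extended regex applied as an ignore rule. The sample lines and the report_lines/count_reported helpers are assumptions for illustration.

```shell
#!/bin/sh
# Added example: mimic how logcheck applies an ignore.d.* pattern
# (an extended regex; lines that match are suppressed, the rest are
# reported by mail) to a handful of constructed /var/log/messages lines.

# Constructed sample log lines: two NTP "enabled/disabled" notices,
# one NTP "status change" notice and one sshd event that must survive.
SAMPLE_LOG='Mar  1 10:00:01 host kernel: kernel time sync status change 2001
Mar  1 10:05:03 host ntpd[512]: kernel time sync enabled 2001
Mar  1 10:07:12 host sshd[700]: Failed password for root from 10.0.0.5 port 4022 ssh2
Mar  1 10:09:00 host kernel: kernel time sync disabled 2001'

# The ignore rule before and after the edit described above.
OLD_PATTERN='kernel time sync (disabled|enabled)'
NEW_PATTERN='kernel time sync (disabled|enabled|status change)'

# Print the lines that are NOT matched by the ignore pattern,
# i.e. the lines logcheck would still report.
report_lines() {
    pattern="$1"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$pattern"
}

# Number of lines that would be reported for a given ignore pattern.
count_reported() {
    report_lines "$1" | wc -l | tr -d ' '
}

echo "Reported with the old pattern:"
report_lines "$OLD_PATTERN"
echo
echo "Reported with the new pattern:"
report_lines "$NEW_PATTERN"
```

With the old pattern the "status change" line is still reported alongside the sshd event; with the new pattern only the sshd event remains, which is what the edited ignore rule is meant to achieve.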