* [gentoo-doc-cvs] gentoo commit in xml/htdocs/doc/en: logcheck.xml
@ 2010-10-12 17:39 Joshua Saddler (nightmorph)
From: Joshua Saddler (nightmorph) @ 2010-10-12 17:39 UTC
To: gentoo-doc-cvs
nightmorph 10/10/12 17:39:24
Modified: logcheck.xml
Log:
add troubleshooting section and log file scanning, bug 340657
Revision Changes Path
1.2 xml/htdocs/doc/en/logcheck.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?rev=1.2&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?rev=1.2&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/doc/en/logcheck.xml?r1=1.1&r2=1.2
Index: logcheck.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/logcheck.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- logcheck.xml 13 Jul 2010 20:29:06 -0000 1.1
+++ logcheck.xml 12 Oct 2010 17:39:24 -0000 1.2
@@ -1,6 +1,6 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/logcheck.xml,v 1.2 2010/10/12 17:39:24 nightmorph Exp $ -->
<guide>
<title>Logcheck Guide</title>
@@ -20,8 +20,8 @@
<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
<license/>
-<version>1</version>
-<date>2010-07-13</date>
+<version>2</version>
+<date>2010-10-12</date>
<chapter>
<title>Getting Started With logcheck</title>
@@ -130,6 +130,16 @@
</pre>
<p>
+You also have to tell <c>logcheck</c> which log files to scan
+(<path>/etc/logcheck/logcheck.logfiles</path>).
+</p>
+
+<pre caption="Basic /etc/logcheck/logcheck.logfiles setup">
+<comment>(This is an example for syslog-ng)</comment>
+/var/log/messages
+</pre>
+
+<p>
Finally, enable the logcheck cron job.
</p>
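Review bot: the new paragraph beginning "You also have to tell <c>logcheck</c> which log files to scan" names the configuration file only in a trailing parenthesis and never says that the listed files must be readable by the account logcheck runs as. The troubleshooting example added later in this patch runs it as the logcheck user via su, so a reader whose /var/log/messages is not readable by that user will get empty reports with no hint why. Suggest rewording to "by listing them in <path>/etc/logcheck/logcheck.logfiles</path>" and adding one sentence on read permissions. The comment "(This is an example for syslog-ng)" would also be more useful if it said that the path depends on the system logger's configuration.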
@@ -161,4 +171,54 @@
</body>
</section>
</chapter>
+
+<chapter>
+<title>Troubleshooting</title>
+<section>
+<title>General tips</title>
+<body>
+
+<p>
+You can use the logcheck's <c>-d</c> switch to display more debugging
+information. Example:
+</p>
+
+<pre caption="Debugging logcheck">
+# <i>su -s /bin/bash -c '/usr/sbin/logcheck -d' logcheck</i>
+D: [1281318818] Turning debug mode on
+D: [1281318818] Sourcing - /etc/logcheck/logcheck.conf
+D: [1281318818] Finished getopts c:dhH:l:L:m:opr:RsS:tTuvw
+D: [1281318818] Trying to get lockfile: /var/lock/logcheck/logcheck.lock
+D: [1281318818] Running lockfile-touch /var/lock/logcheck/logcheck.lock
+D: [1281318818] cleanrules: /etc/logcheck/cracking.d/kernel
+...
+D: [1281318818] cleanrules: /etc/logcheck/violations.d/su
+D: [1281318818] cleanrules: /etc/logcheck/violations.d/sudo
+...
+D: [1281318825] logoutput called with file: /var/log/messages
+D: [1281318825] Running /usr/sbin/logtail2 on /var/log/messages
+D: [1281318825] Sorting logs
+D: [1281318825] Setting the Intro
+D: [1281318825] Checking for security alerts
+D: [1281318825] greplogoutput: kernel
+...
+D: [1281318825] greplogoutput: returning 1
+D: [1281318825] Checking for security events
+...
+D: [1281318825] greplogoutput: su
+D: [1281318825] greplogoutput: Entries in checked
+D: [1281318825] cleanchecked - file: /tmp/logcheck.uIFLqU/violations-ignore/logcheck-su
+D: [1281318825] report: cat'ing - Security Events for su
+...
+D: [1281318835] report: cat'ing - System Events
+D: [1281318835] Setting the footer text
+D: [1281318835] Sending report: 'localhost 2010-08-09 03:53 Security Events' to root
+D: [1281318835] cleanup: Killing lockfile-touch - 17979
+D: [1281318835] cleanup: Removing lockfile: /var/lock/logcheck/logcheck.lock
+D: [1281318835] cleanup: Removing - /tmp/logcheck.uIFLqU
+</pre>
+
+</body>
+</section>
+</chapter>
</guide>
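Review bot: in the General tips paragraph, "You can use the logcheck's <c>-d</c> switch" should read "You can use logcheck's <c>-d</c> switch", and the debug listing that follows is presented without saying which lines matter. A short sentence after the <pre> pointing at the "logoutput called with file: /var/log/messages" line (which confirms the file from logcheck.logfiles is being read) and the "Sending report: ... to root" line (which confirms a mail was generated and to whom) would turn the listing into something a reader can troubleshoot with. It would also help to note that the command is run as the logcheck user rather than root, since that is the reason for the su invocation.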