######################################################################
SYNOPSIS
--------
Logcheck compares recent log entries with a series of sets of egrep
pattern-matching rules that flag them as urgent or filter them out
as routine, and mails the results to the administrator.
======================================================================
SCHEDULING
----------
By default logcheck runs every hour just off the hour, and after
every reboot.  If this produces too many mailings then you can
reduce the frequency, but it's often better to tune the filtering
rules instead (see below on REPORTLEVELS).  On the other hand if you
need to be sure of spotting security incidents while they're
happening then the shorter the interval the better, as long as runs
don't start overlapping.
======================================================================
LOG ENTRIES
-----------
These are taken from a specified set of logfiles (usually syslog and
auth.log); a special Perl utility named "logtail" is used which
"bookmarks" its place in the logs, so that events aren't reported
twice in successive logcheck runs.  The offset records are stored as
(eg) "/var/lib/logcheck/offset.var.log.syslog"; lines to be
considered by logcheck are copied into tempfiles in the working
directory "/var/tmp/logcheck".  See the corresponding README for
logtail for further notes on complications such as log-rotation.
======================================================================
RULES DIRECTORIES
-----------------
Installing "logcheck" should also have pulled in the package
"logcheck-database", which provides pattern-matching "rules" files;
see the corresponding README for that package for details of how
they are organised.
======================================================================
REPORTLEVEL
-----------
The config-file setting new users are most likely to need to modify
is that of REPORTLEVEL.  This is a three-way division between high,
medium and low "security ratings", not to be confused with the three
filtering layers used by the logcheck-database directories.
Reportlevels only affect the handling of the leftover log-messages
of the final "System Events" layer, functioning rather like
verbosity settings:

"paranoid" is "high verbosity" - meaning that only the minimal set
	of filters in ignore.d.paranoid should be applied.  This is
	appropriate for high-security machines such as firewalls,
	which should anyway be running as few services as possible.

"server" means that logcheck should then also go on to apply the
	more selective set of filters in ignore.d.server; as the
	name implies, this is intended to cut out the routine
	messages such as "so-and-so logged in".

"workstation" means that as well as applying the ignore.d.paranoid
	and ignore.d.server filters, logcheck should run through
	ignore.d.workstation.  This filters a great many everyday
	log messages (such as anything matching "kernel:"), and is
	only appropriate for relatively sheltered, non-critical
	machines.

Don't set the REPORTLEVEL to "paranoid" if the result is more output
than you can handle - messages that aren't going to be read might as
well have stayed in "/var/log/*".  However, as long as you're
prepared to tune logcheck's output with local filters, a verbose
REPORTLEVEL can be a valuable debugging aid even on an unnetworked
home PC; see the logcheck-database README section on WRITING RULES.
######################################################################