14.3. Logcheck

One important task in the security world is to regularly check the log files. Often the daily activities of an administrator don't allow him the time to do this task and this can bring about problems.

These installation instructions assume

These are the packages available at Logcheck Homepage Site: http://www.psionic.com/abacus/logcheck/, and you must be sure to download: logcheck-1.1.1.tar.gz available as of this writing.

Important: Please do not forget to read the README and/or INSTALL with in the tarball you have downloaded if the version number is not the same as we have suggested and follow the instructions since there are chances of some changes either bythe way of additions or deletions are likely to be there.

Before you uncompress and install from the tarballs it is a good idea to make a list of files on the system before you install Logcheck, and one afterwards, and then compare them using diff to find out what files were placed where. Simply run find /* > Logcheck1 before and find /* > Logcheck2 after you install the software, and use diff Logcheck1 Logcheck2 > Logcheck-Installed to get a list of what changed.

To compile, you need to decompress the tarball (tar.gz).

           [root@deep] /#cp logcheck-version.tar.gz /var/tmp/
           [root@deep] /#cd /var/tmp
           [root@deep ]/tmp#tar xzpf logcheck-version.tar.gz

To Compile and Optimize you must modify the Makefile file of Logcheck to specify installation paths, compilation flags, and optimizations for your system. We must modify this file to be compliant with Red Hat's file system structure and install Logcheck script files under our PATH Environment variable.

  1. Move into the new Logcheck directory and edit the Makefile, vi Makefile and change the following lines by type the following commands on your terminal:

           CC = cc
      To read:
           CC = egcs

           CFLAGS = -O
      To read:
                 CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions

           INSTALLDIR = /usr/local/etc
      To read:
           INSTALLDIR = /etc/logcheck

           INSTALLDIR_BIN = /usr/local/bin
      To read:
           INSTALLDIR_BIN = /usr/bin

           INSTALLDIR_SH = /usr/local/etc
      To read:
           INSTALLDIR_SH = /usr/bin

           TMPDIR = /usr/local/etc/tmp
      To read:
           TMPDIR = /etc/logcheck/tmp

    7. The above changes will configure the software to use egcs compiler, optimization flags specific to our system, and locate all files related to Logcheck software to the destination target directories we have chosen to be compliant with the Red Hat file system structure.

  2. Edit the Makefile file vi +67 Makefile and change the following line:
           @if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
    To read:
           @if [ ! -d $(TMPDIR) ]; then /bin/mkdir -p $(TMPDIR); fi
    The above change -p will allow the installation program to create parent directories as needed.

  3. Install Logcheck on your system.
           [root@deep ]/logcheck-1.1.1#make linux
    The above command will configure the software for the Linux operating system, compile all source files into executable binaries, and then install the binaries and any supporting files into the appropriate locations. Please don't forget to cleanup later:
           [root@deep] /#cd /var/tmp
               [root@deep ]/tmp#rm -rf logcheck-version/ logcheck-version_tar.gz
    The rm command as used above will remove all the source files we have used to compile and install Logcheck. It will also remove the Logcheck compressed archive from the /var/tmp directory.