Using Logcheck

Logcheck is a tool to parse system logs and send summaries by email. It filters out logs with a regular expressions database to suppress common/normal entries.

Are you reading and checking your log files? Too many servers? logcheck will help you with this task and eliminate the noise.

Installing on Debian

# apt-get install logcheck
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
lockfile-progs logtail
Suggested packages:
syslog-summary
Recommended packages:
logcheck-database
The following NEW packages will be installed:
lockfile-progs logcheck logtail
0 upgraded, 3 newly installed, 0 to remove and 6 not upgraded.
Need to get 110kB of archives.
After unpacking 428kB of additional disk space will be used.
Do you want to continue [Y/n]?

Also install logcheck-database, which contains lots of filtering rules:

# apt-get install logcheck-database

Config files

  • /etc/logcheck/logcheck.conf
    • SENDMAILTO="root" – your email address
  • /etc/logcheck/logcheck.logfiles
    • configure which logfiles to analyze
  • /etc/cron.d/logcheck
    • logcheck cron (by default, logcheck runs every hour)

You can try it by executing the following command:

# su -s /bin/bash -c "/usr/sbin/logcheck" logcheck

Your mailbox should now contain a report from logcheck if any unusual log entries have been found.
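To see what the regular-expression database actually does to a batch of log lines before they reach your mailbox, here is an added example (not part of the original post and not logcheck's own code): it applies a constructed ignore-rule file, written in the same anchored style as the rules in /etc/logcheck/ignore.d.server/, to a handful of constructed syslog lines and prints only what logcheck would still report.

```shell
#!/bin/sh
# Added example: reproduce logcheck's filtering step in plain shell.
# The rule file and the log lines below are constructed for this demo
# and are not shipped with logcheck or logcheck-database.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed rules in the style of /etc/logcheck/ignore.d.server/<name>:
# one extended regex per line, anchored at both ends so a rule cannot
# accidentally swallow a line that merely contains a similar substring.
cat > "$WORK/ignore.d-demo" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(.*\)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from [.0-9]+ port [0-9]+ ssh2.*$
EOF

# Constructed syslog lines: two "normal" ones the rules should suppress,
# and two that an administrator would want to read about.
cat > "$WORK/sample.log" <<'EOF'
Mar  3 10:17:01 web1 CRON[2345]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Mar  3 10:18:12 web1 sshd[2401]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
Mar  3 10:19:44 web1 sshd[2410]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:20:05 web1 kernel: [12345.678] EXT4-fs error (device sda1): ext4_find_entry: inode #2: comm ls: reading directory lblock 0
EOF

# filter_log RULES LOG: print the lines NOT matched by any ignore rule,
# i.e. the lines that would end up in the logcheck mail.
filter_log() {
    grep -v -E -f "$1" "$2"
}

# count_reported RULES LOG: how many lines survive the filter.
count_reported() {
    filter_log "$1" "$2" | wc -l | tr -d ' '
}

filter_log "$WORK/ignore.d-demo" "$WORK/sample.log"
```

Drop a rule from the demo file and rerun to see the matching "normal" line reappear in the output, which is exactly the noise the first commenter below saw before installing logcheck-database.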

Links

  • Thanks to this post I have realised that I hadn’t installed logcheck-database.

    Without that, the emails sent by logcheck will contain lots and lots of pointless lines (for example those about cron tasks).

    Kind regards,

    Marco.

  • Phil Jones

    Thanks, never knew about this.

    Hopefully Gentoo will build it into Portage soon; I had to do a manual build.

    Awesome blog, keep it up.

  • CharlyBr

    @Phil Jones, thanks for the support.