Debian logcheck management

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

Checking system log daily is important.

logcheck gives us summary reports via local mail.


Add the exim4 warning.

Install MUA and logcheck

root# apt install logcheck mutt # or thunderbird (after you have GUI), etc.
root# dpkg-reconfigure exim4-config # make sure the MTA settings.


Exim4 has severe vulnerabilities. Make sure you update it.

It is good to have a AppArmor enforce profile for it, not to allow extra code executions.


If you use software which depends on atime, be careful about noatime mount option.

Logcheck configuration to minimize reports

By default, logcheck produces a lot of system event logs. To reduce that, change the report level.

Debian Stretch 9.9 also installs logcheck-database with logcheck itself.

root# apt install logcheck-database # No longer necessary (>= 9.9).
root# nano /etc/logcheck/logcheck.conf
REPORTLEVEL = "workstation"

Or, write your own local- ignore rules, putting them in /etc/logcheck/ignore.d.workstation, for example.

logcheck ignore database

tier1.jp provides some of it under GNU GPLv2.

If you are interested, see logcheck ignore rule page in this site.

Logcheck mail receive settings

Confirm who would receive the logcheck mail.

If you created a normal user during Debian installation, the user receives the logcheck mails.

Anyway, confirm who. In the example below, user receives them.

user$ egrep "^root" /etc/aliases
root: user

If you want to change which user(s) should receive, edit that section.


You should check the logcheck mails daily. Or it consumes your /var/mail day by day.


If you use Mozilla Thunderbird, Account Setting => Account Actions => Add other account.

tier1.jp recommends mutt for those local mails.


Summary mails "System Event" section logs are not so important.

Just watch auth fail logs, external device related. something like that.

Just reading "Security Events" would help.

published: MODIFIED: