
I've just installed logcheck and configured it to send mail to me whenever it finds problems. It runs every hour by default at HH:02 and is mailing me stuff like this:

Jan 31 20:05:01 Linux CRON[3186]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:09:01 Linux CRON[4462]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Jan 31 20:15:01 Linux CRON[6777]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:17:01 Linux CRON[7782]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jan 31 20:20:01 Linux CRON[8528]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Jan 31 20:25:01 Linux CRON[9778]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:35:01 Linux CRON[12717]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:39:01 Linux CRON[14959]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Jan 31 20:40:01 Linux CRON[15312]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Jan 31 20:45:01 Linux CRON[16669]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:55:01 Linux CRON[20718]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 21:00:01 Linux CRON[21969]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Jan 31 21:00:01 Linux CRON[21974]: (root) CMD (/usr/sbin/rdate 128.2.136.71 | logger -t NTP)
Jan 31 21:02:01 Linux CRON[22567]: (logcheck) CMD (   if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)

I don't understand why it's complaining about these, they look like standard system cron jobs to me. Can anyone shed some light on this?

Thanks

conorgriffin

1 Answer


Well, logcheck is rather simplistic: It will grab all logfiles it is configured to monitor, filter out what it considers "normal", then send you everything else.

logcheck uses a database ("logcheck-database") of rules to classify log entries into "attack", "security" etc. events, to mail them to you.

If it sends you events you're not interested in, you'll have to tune the database to exclude those. This will necessarily be somewhat system-specific, so it can't work out of the box.

That said, logcheck is a bit simplistic and IMHO not very suitable for monitoring many servers. If you want serious monitoring, I recommend checking out monitoring software. I've had good success with ZenOSS, but there are many others (search on serverfault).

sleske
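The tuning the answer describes, shown as an added example that is not part of the question or the answer above: logcheck's ignore rules are extended regular expressions, one per line, and a log line survives to the report only if no rule matches it (the same effect as `grep -E -v -f rules`). The script below replays the cron lines from the question through a constructed rule file that pins down each of the six jobs exactly, and adds one constructed line (a root cron job running a script out of /tmp, invented here as a test input) that a tight rule set must still report. It also runs the same input through a loose rule that ignores every `(root) CMD (...)`, which is the shortcut people usually reach for; that variant silences the noise but hides the new job too. The rule text and sample lines are written for this example and are not copied from the logcheck-database package.

```shell
#!/bin/sh
# Added example: emulate logcheck's ignore step over the cron lines from the
# question. Rules and sample lines are constructed for this example.

# Sample input: the question's cron lines plus one constructed line
# (CRON[22999]) standing in for a cron job nobody installed on purpose.
SAMPLE='Jan 31 20:05:01 Linux CRON[3186]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Jan 31 20:09:01 Linux CRON[4462]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Jan 31 20:17:01 Linux CRON[7782]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jan 31 20:20:01 Linux CRON[8528]: (smmsp) CMD (test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp)
Jan 31 21:00:01 Linux CRON[21974]: (root) CMD (/usr/sbin/rdate 128.2.136.71 | logger -t NTP)
Jan 31 21:02:01 Linux CRON[22567]: (logcheck) CMD (   if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Jan 31 21:03:17 Linux CRON[22999]: (root) CMD (/tmp/.x/update.sh)'

TIGHT_RULES=$(mktemp)
LOOSE_RULES=$(mktemp)
trap 'rm -f "$TIGHT_RULES" "$LOOSE_RULES"' EXIT

# Tight rules: one per known job, anchored at both ends, with the command
# text spelled out. The prefix matches "Mon DD HH:MM:SS host CRON[pid]: ".
# Metacharacters in the commands ( ( ) [ ] + $ | . ) are escaped or bracketed.
cat > "$TIGHT_RULES" <<'EOF'
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(command -v debian-sa1 > /dev/null && debian-sa1 1 1\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \( +\[ -x /usr/lib/php5/maxlifetime \] && \[ -d /var/lib/php5 \] && find /var/lib/php5/ -type f -cmin [+]\$\(/usr/lib/php5/maxlifetime\) -print0 [|] xargs -n 200 -r -0 rm\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \( +cd / && run-parts --report /etc/cron\.hourly\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(smmsp\) CMD \(test -x /etc/init\.d/sendmail && /usr/share/sendmail/sendmail cron-msp\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(/usr/sbin/rdate 128\.2\.136\.71 [|] logger -t NTP\)$
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(logcheck\) CMD \( +if \[ -x /usr/sbin/logcheck \]; then nice -n10 /usr/sbin/logcheck; fi\)$
EOF

# Loose rule: the tempting one-liner that ignores every root cron command.
cat > "$LOOSE_RULES" <<'EOF'
^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(root\) CMD \(.*\)$
EOF

# Apply a rule file the way logcheck does: drop every line some rule matches.
# grep exits 1 when nothing survives, which is a valid result here, not an error.
filter_unknown() {
    grep -E -v -f "$1" || [ $? -eq 1 ]
}

# Lines that would reach the mail report under each rule set.
unknown_with_tight_rules() { printf '%s\n' "$SAMPLE" | filter_unknown "$TIGHT_RULES"; }
unknown_with_loose_rules() { printf '%s\n' "$SAMPLE" | filter_unknown "$LOOSE_RULES"; }

# Stand-alone run: the tight rules report only the CRON[22999] line, the
# loose rule reports the smmsp and logcheck jobs but not the /tmp script.
echo '--- tight rules, lines still reported:'
unknown_with_tight_rules
echo '--- loose rule, lines still reported:'
unknown_with_loose_rules
```

To use rules like these on a real host, put them in a file under /etc/logcheck/ignore.d.server/ (one regex per line, no blank trailing lines) and keep each pattern anchored with `^` and `$` around the full command text, as above; a rule that ends in `CMD \(.*\)$` stops the hourly mail just as well, but from then on any cron job an intruder adds for root is filtered out before you ever see it.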