3 layers:

• default
  • there are no include rules
  • exclude rules are in one of ignore.d.workstation, ignore.d.server, or ignore.d.paranoid
    • exclude rule directory is based on "report level" in logcheck.conf
  • subject line option in logcheck.conf is EVENTSUBJECT
• security/violations
  • include rules are in violations.d
  • exclude rules are in violations.ignore.d
  • subject line option in logcheck.conf is SECURITYSUBJECT
• attack/cracking
  • include rules are in cracking.d
  • exclude rules are in cracking.ignore.d
  • subject line option in logcheck.conf is ATTACKSUBJECT