scanlogd detects port scans and writes one line per scan via the syslog mechanism. If a source address sends multiple packets to different ports in a short time, the event will be logged. In order to do its job, scanlogd needs a way to obtain raw IP packets that either come to the system scanlogd is running on, or travel across a network segment that is directly connected to the system.
At least 7 different privileged or 21 non-privileged ports, or a weighted combination of those, have to be accessed with no longer than 3 seconds between the accesses to be treated as a scan. If more than 5 scans are detected within 20 seconds, that event will be logged and logging will be stopped temporarily.
Logging is done with a facility of daemon and a priority level alert.
scanlogd should be started as root since it needs access to a packet capture interface. By default, it switches to running as user scanlogd after the packet capture interface is initialized.
A look at standard log files and where it’s stored, this information can be changed from /etc/syslog.conf
In the event of a port scan I will be looking at /var/log/daemon.log