[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Logcheck Keyword Files

Mark Bucciarelli said at 08/06/04 17:24:

I'm thinking about using the logcheck [1] program for intrusion detection, and was wondering if anyone here uses it. If so, have you modified the keyword filter files?

I'd advise creating a 'local' definition in /etc/logcheck/ignore.d/ and friends rather than editing packaged files. Avoids getting prompted to replace them when you upgrade.

I'd also recommend using log2mail for those times when you want to be notified quickly of something in a log file (like a raid disk dying). Backport the unstable version though. IIRC I had problems with the stable version.

Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Reply to: