Re: Logcheck Keyword Files
Mark Bucciarelli said at 08/06/04 17:24:
> I'm thinking about using the logcheck [1] program for intrusion detection,
> and was wondering if anyone here uses it. If so, have you modified the
> keyword filter files?
I'd advise creating a 'local' definition in /etc/logcheck/ignore.d/ and
friends rather than editing packaged files. That avoids getting prompted to
replace them when you upgrade.
I'd also recommend using log2mail for those times when you want to be
notified quickly of something in a log file (like a raid disk dying).
Backport the unstable version though. IIRC I had problems with the stable
version.
Ronny
--
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com
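Ronny's advice to keep site rules in a local file in the ignore.d directories applies to rules you write yourself, and the risk with a hand-written ignore rule is that it quietly swallows real events. The following is an added example, not from the thread or the logcheck package: it dry-runs two candidate rules against constructed log lines using the same extended-regex matching logcheck uses, so a rule can be checked before it is installed (the file names local-cron and local-too-broad and the sample lines are assumptions).

```shell
#!/bin/sh
# Added example: dry-run candidate logcheck ignore rules against constructed
# log lines before installing them as site-local files such as
# /etc/logcheck/ignore.d.server/local-cron (file name is an assumption; the
# "local-" prefix is a naming convention, not something logcheck requires).
# logcheck suppresses every line that matches one of the extended regexes in
# its ignore files, so an over-broad local rule silently hides real events.

# Constructed sample lines (not from a real host): the first is cron chatter
# we want to ignore, the rest are events that must still be reported.
NOISE='Jun  8 17:20:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)'
ALERTS='Jun  8 17:21:05 host sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jun  8 17:22:09 host sshd[2346]: Failed password for root from 198.51.100.7 port 4242 ssh2'

# count_unmatched RULEFILE TEXT: number of TEXT lines matched by no rule,
# i.e. the lines logcheck would still report. grep -c prints 0 when nothing
# survives but exits 1, so "|| true" only stops set -e from aborting there.
count_unmatched() {
    n=$(printf '%s\n' "$2" | grep -E -v -c -f "$1") || true
    echo "${n:-error}"
}

# check_rule RULEFILE: succeed only if every NOISE line is suppressed and
# every ALERTS line survives; prints the tally either way.
check_rule() {
    leaked=$(count_unmatched "$1" "$NOISE")
    surviving=$(count_unmatched "$1" "$ALERTS")
    total_alerts=$(printf '%s\n' "$ALERTS" | wc -l | tr -d ' ')
    swallowed=$((total_alerts - surviving))
    echo "$1: noise leaked=$leaked alerts swallowed=$swallowed"
    [ "$leaked" -eq 0 ] && [ "$swallowed" -eq 0 ]
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
# Anchored rule: pins the syslog prefix, process name and exact command, so
# it matches the cron line and nothing else.
printf '%s\n' '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$' > "$TMP/local-cron"
# Over-broad rule: suppresses the cron line but also any "root" event,
# including the failed root login above.
printf '%s\n' 'root' > "$TMP/local-too-broad"

check_rule "$TMP/local-cron"
check_rule "$TMP/local-too-broad" || echo "  -> rejected: would hide real events"
```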