Re: log analyze applications
eim wrote:
> * logcheck (System Log Analyzer)
> * snort (Intrusion Detection System)
> * ippl (IP protocols logger)
The only application of those three I use is logcheck, and it does
require tuning.
Here's what I've done (using logcheck/testing):
Made two new files, /etc/logcheck/ignore.local and
/etc/logcheck/violations.ignore.local. Soft-linked them into
/etc/logcheck/ignore.d and /etc/logcheck/violations.ignore.d
respectively.
As logcheck traffic comes in, if there's stuff I could go without being
notified about I'll add regexps to ignore.local or
violations.ignore.local to weed them out. It's an ongoing/tuning
process, but within a couple of days I've pruned out the redundant
messages (like netsaint's monitors or ntpdate adjusting the clock in
increments of less than a second) and I get logcheck mail maybe once a
week even though I check every hour. I've also tweaked logcheck to
change the subject line to differentiate between 'unusual', 'possible
violation' and 'possible attack', so I can defer reading the merely
unusual warnings.
I've been getting logcheck mail more ever since Pacific-Rim and East
European users have been trying to ftp to or nfs-mount from my machine
(even though I don't have these services running). I considered pruning
that out, but I actually want to know so I can block the responsible
ISPs on my firewall -- yet another (t|pr)uning process.
I tried running portsentry, but see my above message about too many
false positives.
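A way to try out the kind of ignore.local tuning described above, as an added example that is not part of the original post. The log lines, the ignore rules and the function names are constructed for illustration; Python's re module stands in for the egrep -v that logcheck actually runs over its ignore.d files, so POSIX-only bracket classes such as [:alnum:] are avoided.

```python
import re

# Constructed sample syslog lines (not taken from the original post).
SAMPLE_LOG = """\
Mar  3 04:02:01 host ntpdate[1234]: adjust time server 192.0.2.10 offset 0.012345 sec
Mar  3 04:07:01 host ntpdate[1240]: step time server 192.0.2.10 offset 37.512345 sec
Mar  3 04:10:15 host netsaint[800]: SERVICE CHECK: host1;PING;OK
Mar  3 04:11:02 host in.ftpd[1300]: connect from 198.51.100.7
Mar  3 04:11:05 host rpc.mountd[220]: refused mount request from 198.51.100.7 for /home
"""

# Constructed ignore.local entries. Each one is anchored on the program name
# and the exact message shape, so only the noise deliberately tolerated is dropped.
IGNORE_LOCAL = [
    # ntpdate slewing the clock by less than one second ("adjust ... offset 0.xxx sec");
    # a "step" of many seconds is a different message and stays visible.
    r"ntpdate\[[0-9]+\]: adjust time server [0-9.]+ offset -?0\.[0-9]+ sec$",
    # routine netsaint service checks that came back OK
    r"netsaint\[[0-9]+\]: SERVICE CHECK: .*;OK$",
]


def filter_log(log_text, ignore_patterns):
    """Return the lines logcheck would still report: those matched by no ignore rule.

    This mirrors `egrep -v -f ignore.d/*` in spirit; an unanchored ignore rule
    therefore silences every line containing it, not just the one it was written for.
    """
    rules = [re.compile(p) for p in ignore_patterns]
    return [line for line in log_text.splitlines()
            if line and not any(r.search(line) for r in rules)]


def would_hide(pattern, log_text):
    """Preview what one candidate ignore rule would suppress, to check it before adding it."""
    rule = re.compile(pattern)
    return [line for line in log_text.splitlines() if rule.search(line)]


if __name__ == "__main__":
    print("Reported with the specific rules:")
    for line in filter_log(SAMPLE_LOG, IGNORE_LOCAL):
        print("  " + line)
    print("A bare 'ntpdate' rule would also hide:")
    for line in would_hide(r"ntpdate", SAMPLE_LOG):
        print("  " + line)
```

With the two specific rules the sub-second ntpdate slew and the OK check are dropped while the 37-second step, the ftp connect and the refused mount request are still reported; a bare `ntpdate` rule would hide the step as well.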