Re: Logcheck, Logsentry, LogRider etc.
On Monday, 31 March 2003 00:27, Jan-Hendrik Palic wrote:
> I am using logcheck, personally installed on my Debian server/WS,
> because there are no Debian packages .. :(
I don't know about sarge and woody, but logcheck is in sid, roughly preconfigured
for Debian systems.
> But the big issue with logcheck is that you can get mails with
> log entries, but logcheck cannot provide the time for each log message.
> So .. it is quite unusable for professional use...
How should a logfile mailer do so? The timestamp must be inside the log file
being parsed, where else should that info come from? Any "professionally
usable" program should be able to time-stamp each of its log messages. Then
logcheck sends things like
Mar 30 23:34:58 hammer portsentry[1165]: attackalert: TCP SYN/Normal scan from
host: 210.73.84.27/210.73.84.27 to TCP port: 21
Mar 30 23:34:58 hammer portsentry[1165]: attackalert: Host 210.73.84.27 has
been blocked via wrappers with string: "ALL: 210.73.84.27 : DENY"
The only thing is, it's a bit of work to configure it, like any log mailer.
You get spammed by reports and disable uninteresting stuff until you only get
the interesting stuff. It's 2-3 minutes of adding ignore entries for one or two
weeks, and one minute from time to time to cope with what updated
programs write into the log ;)
--
Thomas Ritter
Fight against TCPA - http://www.againsttcpa.com/index.shtml
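To illustrate the two points in the reply above (the timestamp is part of every syslog line logcheck mails out, and tuning means adding anchored ignore rules until only the interesting lines remain), here is an added Python example that is not logcheck's own code. The log lines, hostname "hammer" and 192.0.2.x addresses are constructed sample input, and the rules are written in Python regex syntax rather than the egrep syntax logcheck uses.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample log in syslog format (hostname "hammer" and 192.0.2.x
# addresses are made up); logcheck would read this from /var/log/syslog.
SAMPLE_LOG = """\
Mar 30 23:34:58 hammer portsentry[1165]: attackalert: TCP SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 21
Mar 30 23:34:58 hammer portsentry[1165]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10 : DENY"
Mar 30 23:35:01 hammer CRON[1200]: (root) CMD (run-parts /etc/cron.hourly)
Mar 30 23:36:12 hammer sshd[1210]: Accepted publickey for alice from 192.0.2.20 port 51422 ssh2
Mar 30 23:40:00 hammer named[301]: lame server resolving 'example.net' (in 'example.net'?): 192.0.2.53#53
"""

# Ignore rules in the spirit of logcheck's ignore.d files: each is anchored to
# the whole line, timestamp included, so only exact routine events drop out.
# Python re syntax here; logcheck itself feeds egrep-style patterns to grep.
TS = r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ "
IGNORE_RULES = [
    TS + r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily|weekly|monthly)\)$",
    TS + r"sshd\[\d+\]: Accepted publickey for [\w-]+ from [\d.]+ port \d+ ssh2$",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a syslog line into timestamp, host, program, pid and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def filter_report(lines: Iterable[str], ignore_rules: List[str]) -> List[str]:
    """Return the lines no ignore rule matches: what the report mail would contain."""
    compiled = [re.compile(r) for r in ignore_rules]
    return [ln for ln in lines if ln.strip() and not any(c.search(ln) for c in compiled)]

def count_by_program(lines: Iterable[str]) -> Counter:
    """Which programs dominate a report; the noisiest one is the next ignore rule to write."""
    return Counter((parse_line(ln) or {}).get("prog", "<unparsed>") for ln in lines)

if __name__ == "__main__":
    report = filter_report(SAMPLE_LOG.splitlines(), IGNORE_RULES)
    print("\n".join(report))          # each surviving line still carries its timestamp
    print(count_by_program(report))   # guide for the next round of ignore entries
```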