
Re: Debian Sarge Logcheck Query



----- Original Message ----- 
From: "Brian Brazil" <bbrazil@netsoc.tcd.ie>
To: <debian-user@lists.debian.org>
Sent: Tuesday, February 17, 2004 5:47 AM
Subject: Re: Debian Sarge Logcheck Query


> Just a thought - if you don't get any messages how do you know that your
> machine hasn't been compromised and logcheck disabled? Maybe make use of
> syslogd's MARK. (It's ignored in one of the default files).
>

Hi again Brian,

I get your point there and if my Debian box was hosting an iptables firewall
(I used to but don't need to now) then I would certainly look into this,
however I am now sufficiently protected behind my ADSL router's built in NAT
firewall, and I'm happy to leave it at that for the time being.

If I ever get back to using iptables here at home, then I will certainly
want to know that my system hasn't been compromised.

>
> Something I threw together quickly after I first set up logcheck was a
> Perl script to let me use perl regular expressions which are a lot more
> powerful. Also instead of [0-9] you can use \d. This was my main reason for
> writing it as I had at least 50 perl specific regex features without realising
> that they wouldn't work. Oh the pain...
> http://netsoc.tcd.ie/~bbrazil/perlgrep
> This is specific to logcheck. Only tested with Woody.
>
> Brian
>
Where there's scripts, there's always pain, at least from my limited
exposure to them anyway...

I'll have a look at your script though, although I more than likely won't
understand most of it :-)

Thanks again for your help!

Pete
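The quoted post raises two practical points: ignore rules written with Perl shorthand such as `\d` silently fail under logcheck's egrep (POSIX ERE), and syslogd's periodic `-- MARK --` line can serve as a heartbeat so that a quiet log is distinguishable from a silenced one. The script below is an added example, not Brian's perlgrep script and not logcheck's own code; it uses Python's `re` module as a stand-in for Perl's regex engine, a constructed syslog excerpt as input, and an assumed 20-minute MARK interval (syslogd's default `-m`). It filters lines the way logcheck does, rewrites `\d`, `\w` and `\s` into POSIX ERE so the same rule would also work under egrep, and reports gaps between MARK lines.

```python
"""logcheck-style filtering with Perl-style regexes, plus a syslog MARK heartbeat check."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not from the original post). The MARK lines are
# syslogd's heartbeat, written every -m minutes (20 by default).
SAMPLE_LOG = """\
Feb 17 05:40:00 box -- MARK --
Feb 17 05:42:13 box sshd[1234]: Accepted publickey for pete from 192.168.1.10 port 51234 ssh2
Feb 17 05:43:01 box /USR/SBIN/CRON[1250]: (root) CMD (run-parts --report /etc/cron.hourly)
Feb 17 05:44:22 box sshd[1260]: Failed password for root from 10.0.0.5 port 4022 ssh2
Feb 17 06:00:00 box -- MARK --
Feb 17 07:20:00 box -- MARK --
"""

# Ignore rules written with Perl shorthand classes (\d, \w), the style the quoted
# perlgrep wrapper enables. TS matches the "Mon DD HH:MM:SS host " prefix.
TS = r"^\w{3} [ :\d]{11} [\w.-]+ "
IGNORE_RULES = [
    TS + r"-- MARK --$",
    TS + r"sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$",
    TS + r"/USR/SBIN/CRON\[\d+\]: \(\w+\) CMD \(run-parts --report /etc/cron\.\w+\)$",
]


def unmatched_lines(log_text, rules):
    """logcheck's core step: drop every line matching an ignore rule, report the rest."""
    compiled = [re.compile(r) for r in rules]
    return [ln for ln in log_text.splitlines() if not any(c.search(ln) for c in compiled)]


# Perl shorthand -> (ERE form outside a bracket expression, body to splice inside one).
SHORTHAND = {
    "d": ("[0-9]", "0-9"),
    "w": ("[A-Za-z0-9_]", "A-Za-z0-9_"),
    "s": ("[[:space:]]", "[:space:]"),
}


def perl_to_ere(pattern):
    """Rewrite \\d, \\w and \\s into POSIX ERE so the rule works under egrep, which is what
    logcheck actually runs. Inside a bracket expression ERE treats a backslash as a literal,
    so "[ :\\d]" under egrep matches space, colon, backslash or 'd', never a digit; here the
    class body is spliced in instead. Other escapes (\\[, \\() are passed through unchanged."""
    out, i, in_bracket = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in SHORTHAND:
                out.append(SHORTHAND[nxt][1 if in_bracket else 0])
            else:
                out.append(ch + nxt)
            i += 2
            continue
        if ch == "[" and not in_bracket:
            in_bracket = True
        elif ch == "]" and in_bracket:
            in_bracket = False
        out.append(ch)
        i += 1
    return "".join(out)


MARK_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) [\w.-]+ -- MARK --$")


def mark_gaps(log_text, year=2004, max_gap=timedelta(minutes=20)):
    """Heartbeat check from the quoted post: return (previous, next) MARK timestamps that are
    more than max_gap apart. A gap (or no MARK at all) means syslogd, the log file or the
    checker itself may have stopped, which an empty logcheck report would otherwise hide.
    syslog lines carry no year, so one is assumed for timestamp arithmetic."""
    stamps = []
    for ln in log_text.splitlines():
        m = MARK_RE.match(ln)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year))
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for ln in unmatched_lines(SAMPLE_LOG, IGNORE_RULES):
        print("REPORT:", ln)
    for a, b in mark_gaps(SAMPLE_LOG):
        print(f"WARNING: no MARK between {a:%H:%M} and {b:%H:%M}")
    print("egrep form of the prefix rule:", perl_to_ere(TS))
```

Running it reports only the failed root login and warns about the 80-minute silence between the 06:00 and 07:20 MARK lines; a log with no MARK lines in the window should be treated the same way, as a possible failure of logging rather than as a quiet night.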
