On Sun, Mar 24, 2002 at 03:57:50PM -0600, Carl Wilhelm Soderstrom wrote:
> On Fri, Mar 22, 2002 at 11:54:44AM -0600, Bob Tanner wrote:
> > Make sure logcheck is installed, by default it runs through the logs once a day
> > and emails you a report. It's very chatty. At Real Time we have had to turn down
> > the chattiness.
>
> the thing I hate about logcheck is that in order to configure it, you need
> to be a perl coder,

Nah, you just have to grok regular expressions. If you're good with grep,
that's more than sufficient.

> and spend at least an hour figuring out the organization
> of the scripts (give you a hint, the files in /etc/log.d/conf don't actually
> configure much. you have to edit the scripts themselves, in
> /etc/log.d/scripts)

You sure you're thinking of logcheck? I haven't seen the upstream version, but
Debian's logcheck consists of logtail (a compiled binary) and logcheck.sh (a
shell script which uses egrep to do the actual checking). Only one script
(which I've never needed to modify) and no perl at all.

Configuration is all in /etc/logcheck and consists of logcheck.conf (which
defines who reports should be mailed to) and some lists of regexes that should
be ignored or flagged as attacks. (Anything that doesn't match any of the regex
lists gets flagged as 'unusual system activity'.)

-- 
When we reduce our own liberties to stop terrorism, the terrorists have
already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
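The logtail + egrep pipeline described in the reply above, written out as an added miniature so the moving parts are visible. This is not logcheck's own logcheck.sh or logtail; the file names under a scratch directory, the sample log lines and the regex lists are all constructed for the demonstration. It keeps a byte offset per log file the way logtail does (so each run only sees lines appended since the last one, and a rotated, shrunken file is re-read from the start), reports lines matching the attack regexes, drops lines matching the ignore regexes, and files everything left over as unusual system activity.

```shell
#!/bin/sh
# Added example: a mini logcheck in plain sh + grep -E (egrep). Not the real
# logcheck code; paths, patterns and log lines below are constructed.

WORK="${WORK:-$(mktemp -d)}"
LOG="$WORK/auth.log"
OFFSET="$WORK/auth.log.offset"   # where the logtail-style byte offset lives
ATTACK="$WORK/cracking.d"        # regexes to flag as attacks
IGNORE="$WORK/ignore.d"          # regexes for routine noise to drop

# Constructed sample log (not captured from a real host).
cat > "$LOG" <<'EOF'
Mar 24 15:57:01 box CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar 24 15:57:10 box sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar 24 15:57:12 box sshd[2346]: Failed password for invalid user admin from 198.51.100.7 port 4321 ssh2
Mar 24 15:57:15 box kernel: unexpected message from module foo
EOF

# Extended regexes, one per line, as grep -E -f reads them.
cat > "$ATTACK" <<'EOF'
sshd\[[0-9]+\]: Failed password for invalid user
EOF

cat > "$IGNORE" <<'EOF'
CRON\[[0-9]+\]: \(root\) CMD
sshd\[[0-9]+\]: Accepted publickey for
EOF

# logtail-like step: print only the bytes appended since the stored offset,
# then record the new offset so the next run starts where this one stopped.
logtail_new() {
  prev=0
  if [ -f "$OFFSET" ]; then
    prev=$(cat "$OFFSET")
  fi
  size=$(wc -c < "$LOG" | tr -d ' ')
  # A log that got smaller was rotated: read it from the beginning again.
  if [ "$size" -lt "$prev" ]; then
    prev=0
  fi
  tail -c +"$((prev + 1))" "$LOG"
  echo "$size" > "$OFFSET"
}

# egrep step: attack patterns first, then drop the ignore patterns, and
# whatever survives neither list is 'unusual system activity'.
# Leaves the two result sets in $WORK/attacks and $WORK/unusual and prints
# a report of the kind logcheck would mail out.
run_logcheck() {
  new="$WORK/new.tmp"
  logtail_new > "$new"
  grep -E -f "$ATTACK" "$new" > "$WORK/attacks" || true
  grep -E -v -f "$ATTACK" "$new" | grep -E -v -f "$IGNORE" > "$WORK/unusual" || true
  rm -f "$new"

  printf 'logcheck-style report for %s\n\n' "$LOG"
  printf 'Attack alerts:\n'
  cat "$WORK/attacks"
  printf '\nUnusual system activity:\n'
  cat "$WORK/unusual"
}

run_logcheck
```

Run it twice in a row and the second report is empty, because the offset file now points at the end of the log; append a line and run it again and only that line is examined. Tuning the chattiness Bob mentions is then a matter of adding one regex per recurring benign message to the ignore list, which is exactly the grep skill the reply says is sufficient.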