I'll cover how to customize logcheck just to
include/exclude specific messages from its report in
this email. If you want to go further as in creating
various other "sections" email me and I'll help ya out.

Logcheck uses four different files out of the box to
generate its report.

logcheck.hacking
logcheck.ignore
logcheck.violations
logcheck.violations.ignore

Note: These filenames change depending on where you get logcheck from.

Each file lists certain items you want to search for or
other things that you want to exclude in a hierarchy. So
the big daddy is logcheck.hacking. Anything in this file that
is found can't be ignored and will appear in the
"Active System Attack Alerts" section of the report.

Second is the logcheck.violations file which will search
for specific things that might be bad. The results of
logcheck.violations can be overridden by violations.ignore.
Things that match violations and not violations.ignore are
placed in the "Security Violations" section of the report.

Finally there is the ignore file that flushes out anything that
you don't want in the "Unusual System Events" category.

The Unusual System Events, in my mind, is the grand daddy
of them all since it's a catch-all, and the main reason I chose
logcheck. Instead of just looking for specific strings it basically
just filters out your logs and reports things which could easily be
missed by other tools such as swatch (I am not putting down
swatch, it has some very good attributes as well :) ).

So basically, to recap: if you are seeing messages in the
"Security Violations" section that you would rather ignore,
edit the violations.ignore file since the ignore file won't weed these
out. If you want to include something in that section then
add it to the violations file.

Cheers,
-Steve


At 06:08 PM 17/12/2001 +0000, Joshua Hager wrote:


>If anyone can help, that would be cool.
>I need to know how to edit/customize the
>logcheck.violation file so the threads that it
>recognizes and reports can be customized. I am
>almost positive that this is the file to edit what
>logcheck actually looks for, but if someone knows
>that I am off base, let me know and please offer
>additional information on how to modify the
>strings that logcheck looks for.
>
>Thanks
>
>I can be msg'd at MMB stang on Instant
>Messenger/Gain or you can just post
>here.....whichever is easier
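The four-file hierarchy Steve describes, played out on a handful of log lines. This is an added illustration and not logcheck's own script: the pattern files, the log lines, the host names and addresses are all constructed, and the way the three sections are derived (hacking matches are never filtered; violations minus violations.ignore; the catch-all is the whole log minus logcheck.ignore, so a line can show up in more than one section) is an assumption taken from the description above rather than from logcheck's source.

```shell
#!/bin/sh
# Added illustration of logcheck's four pattern files; not logcheck's own
# code. Pattern files, log lines and the section logic below are
# constructed assumptions for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed pattern files, one extended regex per line, named after the
# four files logcheck ships with.
printf '%s\n' 'ATTACK' 'rootkit'                       > "$WORK/logcheck.hacking"
printf '%s\n' 'sshd.*Failed password' 'PROMISC'        > "$WORK/logcheck.violations"
printf '%s\n' 'Failed password for invalid user guest' > "$WORK/logcheck.violations.ignore"
printf '%s\n' 'CRON.*\(root\)' 'syslogd .*restart'     > "$WORK/logcheck.ignore"

# Constructed sample log (host names and addresses are made up).
cat > "$WORK/sample.log" <<'EOF'
Dec 17 18:01:02 host sshd[123]: Failed password for root from 10.0.0.5
Dec 17 18:01:05 host sshd[124]: Failed password for invalid user guest from 10.0.0.6
Dec 17 18:02:00 host kernel: eth0 entered promiscuous mode (PROMISC)
Dec 17 18:03:00 host CRON[200]: (root) CMD (run-parts /etc/cron.hourly)
Dec 17 18:04:00 host portsentry[300]: ATTACK: attackalert from 10.0.0.7
Dec 17 18:05:00 host sshd[125]: Accepted publickey for alice from 10.0.0.8
EOF

# "Active System Attack Alerts": anything matching logcheck.hacking.
# No ignore file is consulted, so these lines cannot be filtered away.
attack_alerts() {
    grep -E -f "$WORK/logcheck.hacking" "$WORK/sample.log"
}

# "Security Violations": logcheck.violations matches minus anything listed
# in logcheck.violations.ignore. logcheck.ignore plays no part here, which
# is why editing it does nothing for this section.
security_violations() {
    grep -E -f "$WORK/logcheck.violations" "$WORK/sample.log" \
    | grep -E -v -f "$WORK/logcheck.violations.ignore"
}

# "Unusual System Events": the catch-all. The whole log survives unless
# logcheck.ignore removes a line (assumed here: violations.ignore does not
# apply, so an ignored violation still shows up in this section).
unusual_events() {
    grep -E -v -f "$WORK/logcheck.ignore" "$WORK/sample.log"
}

# Print the three sections in the order the report lists them.
report() {
    for section in "Active System Attack Alerts:attack_alerts" \
                   "Security Violations:security_violations" \
                   "Unusual System Events:unusual_events"; do
        title=${section%%:*}
        fn=${section#*:}
        printf '\n%s\n' "$title"
        printf '%s\n' "$title" | sed 's/./=/g'
        "$fn"
    done
}

report
```

Run it and note the line for the "invalid user guest" login: violations.ignore keeps it out of "Security Violations", but it still lands in "Unusual System Events", so a line you want gone from the whole report needs an entry in logcheck.ignore as well.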
