Re: log analyze applications
On 27 Feb 2002, eim wrote:

> * logcheck (System Log Analyzer)
> [SNIP]
> network activity and so on... everything works quite well, the only
> problem is: they generate *REALLY* much mail traffic with lots of output,
> all of which I can't read.
>
> So my question is, has anyone a good solution for checking syslogs,
> netlogs, etc. in order to have a simple and strict overview of system
> activities? Are there any tools which are smarter, faster and cleaner
> than my combination of log analyze apps.?

The smartest one you can find is your brain.

Logcheck is very useful and does not send many e-mails if you know how to
configure it correctly. In other words, if you don't want to see some
messages, add these messages to the appropriate ignore file...

Here, each week, in one log file, I have approximately 800 000 lines, and I
use logchecker to search for some words (and discard other words) to put in
a report and e-mail it to me, and (is it luck or is it a good
configuration?) each e-mail which I have received is useful for me.

Eric

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: log analyze applications
On Wed, Feb 27, 2002 at 04:22:31PM +0100, eim wrote:

> Are there any tools which are smarter, faster and cleaner than my
> combination of log analyze apps.?

I saw a presentation at the LISA sysadmin conference a couple years ago
about something called SHARP, the syslog heuristic analysis and response
program. It definitely sounded interesting, and was written to address
exactly this type of problem. You can find the paper at
http://www.csis.gvsu.edu/sharp/. I believe it contains the URL where you
can find the source to SHARP.

Note that I've never actually *run* SHARP, but the idea sounds very good.
I'm not sure how developed the package is. Depending on how much effort
you're willing to put into it, this could be an interesting option to
consider.

noah

--
___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: log analyze applications
eim wrote:

> * logcheck (System Log Analyzer)
> * snort (Intrusion Detection System)
> * ippl (IP protocols logger)

The only application of those three I use is logcheck, and it does require
tuning. Here's what I've done (using logcheck/testing):

Made two new files, /etc/logcheck/ignore.local and
/etc/logcheck/violations.ignore.local. Soft-linked them into
/etc/logcheck/ignore.d and /etc/logcheck/violations.ignore.d respectively.

As logcheck traffic comes in, if there's stuff I could go without being
notified about I'll add regexps to ignore.local or violations.ignore.local
to weed them out. It's an ongoing/tuning process, but within a couple of
days I've pruned out the redundant messages (like netsaint's monitors or
ntpdate adjusting the clock in increments of less than a second) and I get
logcheck mail maybe once a week even though I check every hour.

I've also tweaked logcheck to change the subject line to differentiate
between 'unusual', 'possible violation' and 'possible attack', so I can
defer reading the merely unusual warnings.

I've been getting logcheck mail more ever since Pacific-Rim and East
European users have been trying to ftp to or nfs-mount from my machine
(even though I don't have these services running). I considered pruning
that out, but I actually want to know so I can block the responsible ISPs
on my firewall -- yet another (t|pr)uning process.

I tried running portsentry, but see my above message about too many false
positives.
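The ignore-file tuning described in the message above, as an added example that is not from the thread and not logcheck's own code: a small POSIX shell model of the filter chain (ignore regexes first, then violation keywords minus a violations.ignore list), run over constructed syslog lines. The regexes, keyword list and log lines are all constructed sample data; the /etc/logcheck paths appear only in comments.

```shell
#!/bin/sh
# Simplified model of the logcheck filter chain discussed in the thread
# (written for this example, not logcheck's own code): drop lines matched by
# "ignore" regexes, then tag what is left as VIOLATION (keyword hit not
# excused by a violations.ignore regex) or UNUSUAL. All log lines and rules
# below are constructed sample data using RFC 5737 addresses.

# Constructed syslog sample: the two noisy sources named in the message
# (ntpdate, netsaint) plus the ftp/nfs attempts the author wants to keep.
SAMPLE_LOG='Feb 27 16:22:01 box ntpdate[1234]: adjust time server 192.0.2.1 offset 0.031245 sec
Feb 27 16:22:05 box netsaint: SERVICE ALERT: box;PING;OK;SOFT;1;PING OK
Feb 27 16:23:10 box in.ftpd[2345]: refused connect from 192.0.2.10
Feb 27 16:24:00 box sshd[3456]: Accepted publickey for alice from 192.0.2.20 port 40000 ssh2
Feb 27 16:25:00 box rpc.mountd: refused mount request from 192.0.2.30 for /home (/): no export entry'

# What would live in /etc/logcheck/ignore.local: one egrep pattern per line.
# Anchors and digit classes keep a rule from swallowing unrelated lines.
IGNORE_RULES='ntpdate\[[0-9]+\]: adjust time server [0-9.]+ offset -?0\.[0-9]+ sec$
netsaint: SERVICE ALERT: [^;]+;[^;]+;OK;'

# Keywords that promote a surviving line to a possible violation.
VIOLATION_RULES='refused|denied|attack'

# What would live in /etc/logcheck/violations.ignore.local. Left as a pattern
# that matches nothing, because the refused ftp/nfs attempts should be seen.
VIOLATIONS_IGNORE_RULES='^$'

# Emit the report: one tagged line per log entry that survives the ignore list.
report() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$IGNORE_RULES" > "$tmpdir/ignore"
    printf '%s\n' "$VIOLATIONS_IGNORE_RULES" > "$tmpdir/violations.ignore"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$tmpdir/ignore" |
    while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -E -q -i "$VIOLATION_RULES" &&
           ! printf '%s\n' "$line" | grep -E -q -f "$tmpdir/violations.ignore"
        then
            printf 'VIOLATION: %s\n' "$line"
        else
            printf 'UNUSUAL: %s\n' "$line"
        fi
    done
    rm -rf "$tmpdir"
}

report
```

Every new rule added to the ignore list is a line you will never see again, so a rule should match the exact noisy message shape and nothing broader, as the anchored patterns above do.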
Re: log analyze applications
Thanks folks, for all the suggestions!

Well, I'm going to tune my logcheck now and of course I'll keep my eyes
open, and brain smart, for further solutions...

...anyway nothing is better than a well-tuned application :)

Thanks again, have a nice time,

- Ivo

On Wed, 2002-02-27 at 16:22, eim wrote:

> log analyze applications
>
> Hello to everyone on the debian-security list.
>
> I've got some questions related to log analyzing applications. Actually,
> on my Debian server boxes I've installed and configured software like...
>
> * logcheck (System Log Analyzer)
> * snort (Intrusion Detection System)
> * ippl (IP protocols logger)
>
> All these apps. check my system for security alerts, malfunctions,
> network activity and so on... everything works quite well, the only
> problem is: they generate *REALLY* much mail traffic with lots of output,
> all of which I can't read.
>
> So my question is, has anyone a good solution for checking syslogs,
> netlogs, etc. in order to have a simple and strict overview of system
> activities? Are there any tools which are smarter, faster and cleaner
> than my combination of log analyze apps.?
>
> Thanks for any suggestions!
>
> - Ivo Marino
>
> --
> »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> Ivo Marino [EMAIL PROTECTED]
> UN*X Developer, running Debian GNU/Linux
> irc.OpenProjects.net #debian
> http://eimbox.org/~eim http://eimbox.org
> »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«