Logcheck: Filtered log output, toss the crap, keep the rest
- To: SILUG Discuss <silug-discuss@silug.org>, cwelug@googlegroups.com
- Subject: Logcheck: Filtered log output, toss the crap, keep the rest
- From: Nathan Nutter <iam@nnutter.com>
- Date: Sat, 8 Aug 2009 03:33:47 -0500
- Organization: Southern Illinois Linux Users Group
- Reply-To: silug-discuss@silug.org
- Sender: silug-discuss-owner@silug.org
This sounds kind of cool; has anyone used it? This doesn't seem like it would compromise security in any way, since "unknown" things still come to your attention.
http://debaday.debian.net/2009/07/19/logcheck-brilliantly-simple-log-monitoring/
Logcheck is a simple yet great idea, an almost set-it-and-forget-it way to monitor your server logs for problems of all kinds. You create three pattern (grep regex) lists:
- Known bad stuff
- Looks bad but isn’t
- Known good stuff

Logcheck periodically checks various syslog (or other) log files and picks up where it left off the last time. During each run it takes the new messages and looks for “known bad” things, but first removes stuff that “looks bad but isn’t”, and saves the messages as “this is known to be bad.” Then it rewinds, removes the known bad it just collected, removes the “known good” and stuff that “looks bad but isn’t”, and saves whatever is left as “unknown.” Then it emails you the results.

Over time, as you tune your files, you end up only being alerted to known bad or new (not yet classified) stuff.
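To make the two-pass procedure quoted above concrete, here is an added example that reimplements it in Python. It is not logcheck's own code (logcheck is a shell script driving grep -E over pattern files; on Debian those live under /etc/logcheck/, e.g. cracking.d, violations.d, violations.ignore.d and ignore.d.server). The three pattern lists, the sample syslog lines, the hostnames, users and addresses are all constructed for this example, and the report headings are chosen here rather than taken from logcheck. It also includes a small "pick up where it left off" offset tracker in the spirit of logtail, including the case where the file was rotated and is now shorter than the saved offset.

```python
import re

# Constructed sample of syslog lines one run might see (hosts, users, IPs made up).
SAMPLE_LOG = """\
Aug  8 03:10:01 host CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Aug  8 03:11:42 host sshd[1307]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Aug  8 03:12:05 host sshd[1311]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Aug  8 03:12:09 host sshd[1311]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Aug  8 03:13:30 host kernel: [12345.678901] usb 1-1: new high-speed USB device number 3 using ehci_hcd
Aug  8 03:14:00 host su[1400]: Successful su for root by alice
Aug  8 03:14:00 host su[1400]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Aug  8 03:15:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
"""

# The three lists from the article; these rules are hypothetical, written for the sample above.
KNOWN_BAD = [
    r"Failed password for",
    r"Successful su for",
]
LOOKS_BAD_BUT_ISNT = [
    # root via su by the one admin account is routine on this host, so it is noise here
    r"Successful su for root by alice$",
]
KNOWN_GOOD = [
    r"CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$",
    r"sshd\[[0-9]+\]: Accepted publickey for [a-z]+ from [0-9.]+ port [0-9]+ ssh2$",
    r"pam_unix\(su:session\): session opened for user",
]


def _matches_any(line, patterns):
    """True if any regex in the list matches somewhere in the line (grep -E semantics)."""
    return any(re.search(p, line) for p in patterns)


def classify(lines, known_bad, looks_bad_but_isnt, known_good):
    """Return (bad, unknown) using the two passes described in the article."""
    # Pass 1: drop "looks bad but isn't" first, then keep whatever matches "known bad".
    bad = [
        line for line in lines
        if not _matches_any(line, looks_bad_but_isnt) and _matches_any(line, known_bad)
    ]
    bad_set = set(bad)
    # Pass 2: rewind over the same lines; remove the bad ones just collected,
    # the known good, and the "looks bad but isn't" noise. The rest is unknown.
    unknown = [
        line for line in lines
        if line not in bad_set
        and not _matches_any(line, known_good)
        and not _matches_any(line, looks_bad_but_isnt)
    ]
    return bad, unknown


def new_lines_since(text, offset):
    """Return (new_lines, new_offset): only what was appended since the last run.

    If the saved offset is beyond the end of the file, the log was rotated or
    truncated, so start again from the beginning instead of silently skipping it.
    """
    if offset > len(text):
        offset = 0
    chunk = text[offset:]
    return chunk.splitlines(), offset + len(chunk)


def report(bad, unknown):
    """Plain-text summary in the spirit of the mail logcheck sends (headings chosen here)."""
    parts = []
    if bad:
        parts.append("Known bad events:\n" + "\n".join(bad))
    if unknown:
        parts.append("Unclassified events:\n" + "\n".join(unknown))
    return "\n\n".join(parts) if parts else "Nothing to report."


if __name__ == "__main__":
    lines, offset = new_lines_since(SAMPLE_LOG, 0)
    bad, unknown = classify(lines, KNOWN_BAD, LOOKS_BAD_BUT_ISNT, KNOWN_GOOD)
    print(report(bad, unknown))
    print("\nnext run resumes at byte offset", offset)
```

Run as a script it reports the two "Failed password" lines as known bad and the USB and sudo lines as unclassified; the "Successful su" line is dropped entirely because it matches the looks-bad-but-isn't list, and the cron, accepted-login and pam lines are dropped as known good. The point the post makes about not losing security coverage is visible in the second pass: a line only disappears from the mail if some pattern you wrote explicitly claims it, so anything new still lands in the unknown bucket.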