[Gllug] log analysis

Luke Hopkins streaklug at streaknet.co.uk
Tue Sep 14 11:49:15 UTC 2004


I find logwatch (http://www2.logwatch.org:81/) does this particularly
well.
Happy to mail you a sample output if you like.

Luke

-----Original Message-----
From: gllug-bounces at gllug.org.uk [mailto:gllug-bounces at gllug.org.uk] On
Behalf Of Craig Millar
Sent: 08 September 2004 22:58
To: gllug at gllug.org.uk
Subject: [Gllug] log analysis


Hi all,
Was wondering if I could whip up a bash script and cron it to send me a
weekly email of anything unusual it turns up in my logs. I do like to go
through the logs from time to time and keep an eye out for anything
untoward, i.e. intrusion attempts or anything glaringly wrong of which I
should be aware.

My questions on the matter are twofold. Firstly, my logs do tend to have
a lot of worthless data in them, i.e. routine activities such as
iptables accepts of DNS lookups and so on: is it better to be thorough and
log everything and dilute the meaningful data, or rather tighten up on
what is logged and hopefully end up with only the important stuff?

Secondly, what are your thoughts on what I should be looking for? 
Obviously I get the usual script kiddies and their attempts to root my 
box with the usual "user admin, pass admin" combo, but I would have 
thought that these can be safely ignored, going under the possibly 
dangerous assumption that these are the efforts of some lamer with no 
real idea of how to compromise a system. Is there anything particularly 
that you like to keep an eye out for, in that it would suggest that 
someone is making a concerted and potentially successful attempt to 0wn 
my humble machine?

Thanks,
Craig
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

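The weekly check Craig asks about, as an added example that is not from the thread: a shell function that tallies sshd password failures per source address and separates background noise (a couple of "admin/admin" tries) from the pattern worth a look, a source that fails repeatedly and then gets an "Accepted", or one that exceeds a failure threshold. The log lines, hostname and addresses are constructed for the demo, and the syslog-style sshd message format is assumed.

```shell
#!/usr/bin/env bash
# Constructed sample auth log (hypothetical host "box" and documentation
# addresses); not real data.
SAMPLE_LOG=$(cat <<'EOF'
Sep  8 22:10:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Sep  8 22:10:03 box sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Sep  8 22:15:44 box sshd[1210]: Failed password for root from 198.51.100.7 port 5100 ssh2
Sep  8 22:15:46 box sshd[1211]: Failed password for root from 198.51.100.7 port 5101 ssh2
Sep  8 22:15:48 box sshd[1212]: Failed password for root from 198.51.100.7 port 5102 ssh2
Sep  8 22:15:50 box sshd[1213]: Failed password for root from 198.51.100.7 port 5103 ssh2
Sep  8 22:15:52 box sshd[1214]: Failed password for root from 198.51.100.7 port 5104 ssh2
Sep  8 22:16:10 box sshd[1215]: Accepted password for root from 198.51.100.7 port 5105 ssh2
Sep  8 23:01:12 box sshd[1300]: Accepted publickey for craig from 192.0.2.10 port 6000 ssh2
EOF
)

# Usage: report_ssh_sources THRESHOLD < authlog
# One line per source that failed at least once, with a verdict:
#   SUCCESS-AFTER-FAILURE <ip> <fails>  failures, then a login: investigate
#   BRUTEFORCE <ip> <fails>             at least THRESHOLD failures: review
#   noise <ip> <fails>                  a few failures only
report_ssh_sources() {
  local threshold="${1:-5}"
  awk -v t="$threshold" '
    function src(   i) {                     # address after the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1)
      return ""
    }
    /sshd\[[0-9]+\]: Failed password/ { fails[src()]++ }
    /sshd\[[0-9]+\]: Accepted / {
      ip = src()
      if (ip in fails) hit[ip] = 1          # success only counts if failures came first
    }
    END {
      for (ip in fails) {
        if (ip in hit)           v = "SUCCESS-AFTER-FAILURE"
        else if (fails[ip] >= t) v = "BRUTEFORCE"
        else                     v = "noise"
        printf "%s %s %d\n", v, ip, fails[ip]
      }
    }' | LC_ALL=C sort
}

# Stand-alone demo: the same report a weekly cron job would mail out.
printf '%s\n' "$SAMPLE_LOG" | report_ssh_sources 5
```

In a cron entry the function's output can be piped to `mail`, and the verdict word in the first column makes it easy to drop the `noise` lines before sending.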
