[Gllug] log analysis

Craig Millar countdruncula at yahoo.co.uk
Wed Sep 8 21:58:01 UTC 2004


Hi all,
I was wondering if I could whip up a bash script and cron it to send me a 
weekly email of anything unusual it turns up in my logs. I do like to go 
through the logs from time to time and keep an eye out for anything 
untoward, i.e. intrusion attempts or anything glaringly wrong of which I 
should be aware.

My questions on the matter are twofold. Firstly, my logs do tend to have 
a lot of worthless data in them, i.e. routine activities such as 
iptables accepts of DNS lookups and so on: is it better to be thorough and 
log everything and dilute the meaningful data, or rather tighten up on 
what is logged and hopefully end up with only the important stuff?

Secondly, what are your thoughts on what I should be looking for? 
Obviously I get the usual script kiddies and their attempts to root my 
box with the usual "user admin, pass admin" combo, but I would have 
thought that these can be safely ignored, going under the possibly 
dangerous assumption that these are the efforts of some lamer with no 
real idea of how to compromise a system. Is there anything in particular 
that you like to keep an eye out for, in that it would suggest that 
someone is making a concerted and potentially successful attempt to 0wn 
my humble machine?

Thanks,
Craig
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
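An added example, not code from Craig's post or from the GLLUG list: a POSIX shell script of the kind the post describes, run over a handful of constructed syslog-style lines (iptables ACCEPTs of DNS, sshd failures and successes, a useradd). It shows one answer to both questions: log everything, drop the known-routine lines at report time rather than at logging time, and instead of reporting every "admin/admin" failure, report the source that failed repeatedly and then got an "Accepted" line, plus account and privilege changes. The log path, the failure threshold and the noise pattern are assumptions for the demonstration; the sample lines are constructed, not real logs.

```shell
#!/bin/sh
# Added example (not from the original post): a weekly "anything unusual"
# log report meant to be run from cron.  The log lines in write_sample_log
# are constructed for the demonstration; paths and thresholds are assumed.

FAIL_THRESHOLD=5   # assumed: a source with this many failed logins is "concerted"

# Write a small constructed syslog/auth.log sample to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep  8 21:01:02 host kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=4321 DPT=53
Sep  8 21:01:03 host kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=4322 DPT=53
Sep  8 21:02:10 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Sep  8 21:02:11 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Sep  8 21:02:12 host sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Sep  8 21:03:00 host sshd[1010]: Failed password for craig from 203.0.113.5 port 50001 ssh2
Sep  8 21:03:01 host sshd[1011]: Failed password for craig from 203.0.113.5 port 50002 ssh2
Sep  8 21:03:02 host sshd[1012]: Failed password for craig from 203.0.113.5 port 50003 ssh2
Sep  8 21:03:03 host sshd[1013]: Failed password for craig from 203.0.113.5 port 50004 ssh2
Sep  8 21:03:04 host sshd[1014]: Failed password for craig from 203.0.113.5 port 50005 ssh2
Sep  8 21:03:05 host sshd[1015]: Failed password for craig from 203.0.113.5 port 50006 ssh2
Sep  8 21:03:09 host sshd[1016]: Accepted password for craig from 203.0.113.5 port 50007 ssh2
Sep  8 21:04:00 host useradd[1100]: new user: name=backdoor, UID=0, GID=0, home=/root, shell=/bin/sh
Sep  8 21:05:00 host sshd[1200]: Accepted publickey for craig from 192.0.2.20 port 1234 ssh2
EOF
}

# Filter routine lines at report time, not at logging time: here the assumed
# noise is iptables ACCEPT entries for DNS (destination port 53).
drop_noise() {
    grep -Ev 'kernel: ACCEPT .*DPT=53( |$)' "$1"
}

# Sources with at least FAIL_THRESHOLD failed SSH password attempts.
# Output: "<ip> <count>" per line.
brute_force_sources() {
    grep 'sshd\[.*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$FAIL_THRESHOLD" '$1 >= t { print $2, $1 }'
}

# The signal worth reading every week: a source that failed at least once
# and later produced an "Accepted" login.  Failures alone are dropped.
successes_after_failures() {
    log="$1"
    grep 'sshd\[.*\]: Failed password' "$log" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u \
      | while read -r ip; do
            esc=$(printf '%s\n' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
            grep "sshd\[.*\]: Accepted .* from $esc port" "$log"
        done
}

# Account and privilege changes: new UID 0 accounts, root sessions, sudo use.
privilege_events() {
    grep -E 'useradd\[.*\]: new user:.*UID=0|session opened for user root|sudo:.*COMMAND=' "$1"
}

# Assemble the report.  "|| true" keeps an empty section from aborting the
# script when it runs under "set -e" in cron.
weekly_report() {
    log="$1"
    echo "== Sources with >= $FAIL_THRESHOLD failed SSH logins =="
    brute_force_sources "$log" || true
    echo
    echo "== Successful logins from sources that also failed =="
    successes_after_failures "$log" || true
    echo
    echo "== Account / privilege changes =="
    privilege_events "$log" || true
    echo
    echo "== Everything else, noise removed (lines) =="
    drop_noise "$log" | wc -l || true
}

# Usage: sh logreport.sh /var/log/auth.log   (prints the report to stdout).
# With no argument, run on the constructed sample so the script demonstrates itself.
if [ $# -ge 1 ]; then
    weekly_report "$1"
else
    SAMPLE="${TMPDIR:-/tmp}/gllug_sample.$$"
    write_sample_log "$SAMPLE"
    weekly_report "$SAMPLE"
    rm -f "$SAMPLE"
fi
```

To get the weekly mail the post asks for, an assumed crontab entry of the form `0 6 * * 1 /usr/local/bin/logreport.sh /var/log/auth.log | mail -s "weekly log report" you@example.org` would do (path, schedule and address are placeholders). On the sample, the three "admin/test" failures from 198.51.100.7 fall below the threshold and are not reported at all, while 203.0.113.5 is reported twice: once for six failures and once because the same source then logged in successfully, which is the concerted-and-successful case the post is asking about.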