Mine's not nearly that complex or comprehensive. It monitors the logs that are collected from syslog. Here's how it works:

You have tcp-wrappers (or the like) generating log activity via syslog to some remote, trusted, limited access host. These logs are then watched by the log watcher. When something appears in the logs matching user-defined criteria (on a user-defined polling interval, typically 5 seconds) they are then displayed on the screen colored by priority.

Bypasses are certainly possible. However, the intruder would have to gain access, become root, somehow log in to the remote restricted access machine (which by the way has rlogin, telnet, rexec, and shell stuff turned off), kill the program watching the logs (which would certainly make it disappear off the screen) and then restart it, all without the user noticing, and within 5 seconds.

On the plus side, all you need to start using it are some log files, syslog (ubiquitous) and a restricted access machine that accepts syslog logs. It's a useful tool, though perhaps not as rigorous as some would like.

--
____________________________________________________________________________
Doug Hughes                     Engineering Network Services
System/Net Admin                Auburn University
doug@eng.auburn.edu
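
The polling scheme described in the message above, sketched as an added example; it is not part of the original post and is not the author's tool. The rule patterns, the colours, the check for a shrinking file and the replacement of control characters are assumptions made for illustration.

```python
import re, sys, time

# Hypothetical user-defined criteria, first match wins: (regex, priority, ANSI colour).
RULES = [
    (re.compile(r"refused connect from \S+"), "alert", "\033[1;31m"),
    (re.compile(r"su: .*(BAD SU|failed)", re.I), "warn", "\033[33m"),
    (re.compile(r"connect from \S+"), "info", "\033[32m"),
]
RESET = "\033[0m"
# Log text is untrusted: neutralise escape sequences before they reach the terminal.
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

class LogWatcher:
    def __init__(self, path, rules=RULES):
        self.path, self.rules, self.offset = path, rules, 0

    def poll(self):
        """Return [(priority, coloured line)] for complete lines added since last poll."""
        hits = []
        with open(self.path, "rb") as fh:
            size = fh.seek(0, 2)
            if size < self.offset:  # file shrank: rotation, or someone truncated it
                hits.append(("alert", f"\033[1;31m*** {self.path} shrank, rereading{RESET}"))
                self.offset = 0
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1  # leave a half-written last line for the next poll
        self.offset += end
        for raw in data[:end].split(b"\n")[:-1]:
            line = CONTROL.sub("?", raw.decode("utf-8", "replace"))
            for rx, prio, colour in self.rules:
                if rx.search(line):
                    hits.append((prio, f"{colour}{line}{RESET}"))
                    break
        return hits

def watch(path, interval=5):
    """Poll the syslog file every `interval` seconds and print coloured matches."""
    watcher = LogWatcher(path)
    while True:
        for _prio, text in watcher.poll():
            print(text, flush=True)
        time.sleep(interval)

if __name__ == "__main__":
    watch(sys.argv[1])
```

Run it on the log host with the syslog file as its only argument. A log that shrinks between polls is reported at the highest priority instead of being silently reread.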