Re: Good logging and real-t

Doug Hughes (Doug.Hughes@Eng.Auburn.EDU)
Tue, 21 Nov 1995 12:52:00 -0600

Mine's not nearly that complex or comprehensive. It monitors the logs
that are collected from syslog.

Here's how it works:

You have tcp-wrappers (or the like) generating log activity via syslog
to some remote, trusted, limited-access host. These logs are then watched
by the log watcher. When something appears in the logs matching user-defined
criteria (on a user-defined polling interval, typically 5 seconds), it is
then displayed on the screen, colored by priority.

Bypasses are certainly possible. However, the intruder would have to gain
access, become root, somehow log in to the remote restricted-access machine
(which, by the way, has rlogin, telnet, rexec, and shell stuff turned off),
kill the program watching the logs (which would certainly make it disappear
off the screen), and then restart it, all without the user noticing, and within
5 seconds.

On the plus side, all you need to start using it are some log files,
syslog (ubiquitous) and a restricted access machine that accepts syslog logs.

It's a useful tool, though perhaps not as rigorous as some would like.

--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug@eng.auburn.edu
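The watcher described in the message above, reconstructed as an added example; this is not Doug Hughes' program, and the rule set, priority levels, sample log lines and file layout are all assumptions made for illustration. It tails a syslog-fed file on a polling interval, matches each new line against user-defined regex rules, and prints hits colored by priority. The one thing it adds beyond the description is a check for log rotation, since a watcher that only tracks a file offset goes silent the moment syslog's log file is rotated under it.

```python
"""Poll-based syslog watcher (added example, not the original tool).

Rules are (name, compiled regex, priority). First matching rule wins, so
list the most specific rules first. Priorities: 0 = info, 1 = notice,
2 = alert. The rules below are hypothetical, written for tcp-wrappers style
syslog lines; adjust them for your own hosts and services.
"""
import os
import re
import sys
import time

RULES = [
    ("wrapper refusal", re.compile(r"refused connect from"), 2),
    # On a restricted log host these services should be off entirely, so
    # any sign of them is an alert, whether or not the connection succeeded.
    ("disabled service", re.compile(r"in\.(telnetd|rlogind|rshd|rexecd)\b"), 2),
    ("remote connect", re.compile(r"connect from (?!127\.0\.0\.1)"), 1),
    ("local connect", re.compile(r"connect from"), 0),
]

# ANSI colors by priority: green, yellow, red.
COLORS = {0: "\033[32m", 1: "\033[33m", 2: "\033[31m"}
RESET = "\033[0m"

# Constructed sample lines in tcp-wrappers / syslog style (not real logs).
SAMPLE_LOG = [
    "Nov 21 12:40:01 gateway in.telnetd[1234]: connect from 10.0.0.5",
    "Nov 21 12:40:07 gateway in.ftpd[1240]: connect from 127.0.0.1",
    "Nov 21 12:41:15 gateway in.rshd[1251]: refused connect from 192.0.2.9",
    "Nov 21 12:42:03 gateway sendmail[1260]: alias database rebuilt",
]


def classify(line):
    """Return (rule name, priority) of the first matching rule, or None."""
    for name, pattern, prio in RULES:
        if pattern.search(line):
            return name, prio
    return None


def scan(lines):
    """Apply the rules to an iterable of log lines.

    Returns a list of (priority, rule name, line) for every line that matched;
    non-matching lines are dropped, which is what keeps the display readable.
    """
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        match = classify(line)
        if match is not None:
            name, prio = match
            hits.append((prio, name, line))
    return hits


def colorize(prio, text):
    """Wrap text in the ANSI color for its priority."""
    return f"{COLORS.get(prio, '')}{text}{RESET}"


def rotated(path, fh):
    """True if `path` no longer refers to the open file (rotation) or shrank."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    cur = os.fstat(fh.fileno())
    return st.st_ino != cur.st_ino or st.st_size < fh.tell()


def watch(path, interval=5.0):
    """Poll `path` every `interval` seconds and print new matching lines."""
    fh = open(path, "r", errors="replace")
    fh.seek(0, os.SEEK_END)  # start at the end, like tail -f
    try:
        while True:
            for prio, name, line in scan(fh.readlines()):
                print(colorize(prio, f"[{name}] {line}"))
            sys.stdout.flush()
            if rotated(path, fh):
                # Reopen from the start so lines written after rotation
                # are not silently lost.
                fh.close()
                time.sleep(interval)
                fh = open(path, "r", errors="replace")
                continue
            time.sleep(interval)
    finally:
        fh.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1], interval=5.0)
    else:
        # No file given: show what the rules do against the constructed sample.
        for prio, name, line in scan(SAMPLE_LOG):
            print(colorize(prio, f"[{name}] {line}"))
```

Run it as `python watcher.py /var/log/syslog` on the log host (the path is an assumption; use whatever file your syslog.conf writes remote messages to). The polling interval is the same trade-off the message describes: the shorter it is, the smaller the window an intruder has to kill and restart the watcher unnoticed, at the cost of a bit more I/O on the log host.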