Mike Kienenberger wrote:
>
> What key phrases do people scan log files for?
>
> At our site, we log everything we can to a central "more secure" logging
> server. We divide our logging up into three files: SYSLOG.mail for all mail,
> SYSLOG.auth for authentication, and SYSLOG for everything else.
>
> On our IRIX 5.3 systems, I've found that searching for the following is helpful:
>
> VRFY         /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
> EXPN         /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> " command "  /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
>
> deni         /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> fail         /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at
>                                      the login prompt; brute force attacks, etc)
>
> Does anyone have other things you look for on a regular basis?
>
> I'm eventually hoping that we'll start using one of the log filter packages
> out there on the net. Anyone compared the various log filtering packages out
> there? Do any of the packages come with preset standard patterns to search for?
>
> Thanks!
> ---
> Mike Kienenberger            Arctic Region Supercomputing Center
> Systems Analyst              (907) 474-6842
> mkienenb@arsc.edu            http://www.arsc.edu

YES, I would also watch the sulog for superuser attempts and failures since
this is a rather high priority access level as well.

--
Troy Billington
SysOp: InfoLine BBS systems
(305) 598-2679
Miami, Fl
"http://www.hutton.net/infoline"
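The checks from the thread, as an added shell example that is not code from either poster: it runs each grep over constructed sample logs and counts the hits, including the failed-su entries in sulog that the reply mentions. The log contents, the log directory and the classic SysV sulog line layout ("SU mm/dd hh:mm - tty user-target", where '-' marks a failed attempt) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the grep checks listed above
# to constructed sample logs. Assumptions: SysV sulog layout ("SU mm/dd
# hh:mm - tty user-target", '-' = failed su); every log line here is made up.

LOGDIR=${LOGDIR:-$(mktemp -d)}

make_samples() {
    # Constructed stand-ins for /usr/adm/SYSLOG.mail, SYSLOG.auth and sulog.
    cat > "$LOGDIR/SYSLOG.mail" <<'EOF'
Jan  5 10:01:02 host sendmail[123]: NOQUEUE: mx.example.net: VRFY root
Jan  5 10:01:03 host sendmail[123]: NOQUEUE: mx.example.net: EXPN staff
Jan  5 10:02:00 host sendmail[124]: AA00124: from=<alice@example.net>, size=1201
Jan  5 10:03:10 host sendmail[125]: "wiz" command from mx.example.net
EOF
    cat > "$LOGDIR/SYSLOG.auth" <<'EOF'
Jan  5 10:05:00 host login[200]: failed login attempt for root on ttyq1
Jan  5 10:05:30 host login[200]: ROOT LOGIN ttyq1
Jan  5 10:06:00 host in.rshd[202]: connection denied from 192.0.2.1
EOF
    cat > "$LOGDIR/sulog" <<'EOF'
SU 01/05 10:07 - ttyq1 bob-root
SU 01/05 10:08 + ttyq1 alice-root
SU 01/05 10:09 - ttyq2 bob-root
EOF
}

# count_hits PATTERN FILE: number of lines matching PATTERN, case-insensitive.
count_hits() {
    grep -ci -- "$1" "$2" || true   # grep exits 1 on zero hits; still prints 0
}

# su_failures: failed su attempts, i.e. the '-' entries in sulog.
su_failures() {
    grep -c '^SU .* - ' "$LOGDIR/sulog" || true
}

report() {
    echo "VRFY probes (SYSLOG.mail):     $(count_hits VRFY "$LOGDIR/SYSLOG.mail")"
    echo "EXPN probes (SYSLOG.mail):     $(count_hits EXPN "$LOGDIR/SYSLOG.mail")"
    echo "debug/wiz cmds (SYSLOG.mail):  $(count_hits ' command ' "$LOGDIR/SYSLOG.mail")"
    echo "denied net cmds (SYSLOG.auth): $(count_hits deni "$LOGDIR/SYSLOG.auth")"
    echo "failed logins (SYSLOG.auth):   $(count_hits fail "$LOGDIR/SYSLOG.auth")"
    echo "failed su (sulog):             $(su_failures)"
}

make_samples
report
```

Point LOGDIR at the real /usr/adm and drop make_samples to run the same report over live logs.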