RE: searching logs for key phrases

Brendan Faulds (bfaulds@oznet02.ozemail.com.au)
Thu, 28 Nov 1996 16:36:31 +1100


There is a log/event monitoring application developed by Axent Technologies called Intruder Alert (http://www.axent.com). It comes with pre-built 'policies' on phrases to watch for. You can also take action based on certain criteria.

Regards

Brendan Faulds
GLOBAL BUSINESS SOLUTIONS

----------
From:   Mike Kienenberger[SMTP:mkienenb@arsc.edu]
Sent:   Wednesday, 27 November 1996 9:07
To:     ids@uow.edu.au
Subject:        searching logs for key phrases

What key phrases do people scan log files for?

At our site, we log everything we can to a central "more secure" logging server.  We divide our logging up into three files: SYSLOG.mail for all mail, SYSLOG.auth for authentication, and SYSLOG for everything else.

On our IRIX 5.3 systems, I've found that searching for the following is helpful:

VRFY            /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
EXPN            /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
" command "     /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands

deni            /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
fail            /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at the login prompt; brute force attacks, etc)

Does anyone have other things you look for on a regular basis?

I'm eventually hoping that we'll start using one of the log filter packages out there on the net.  Anyone compared the various log filtering packages out there?  Do any of the packages come with preset standard patterns to search for?

Thanks!
---
Mike Kienenberger    Arctic Region Supercomputing Center
Systems Analyst      (907) 474-6842
mkienenb@arsc.edu    http://www.arsc.edu
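
As an added example, not part of either post on the list: the five key-phrase checks Mike lists above, written as a POSIX shell script that runs them over constructed sample SYSLOG.mail and SYSLOG.auth lines, plus a per-host count over the "fail" hits, since brute force at the login prompt is what that check is after. The sample log lines, hostnames, the temp directory in place of /usr/adm, the match threshold, and the use of case-insensitive grep (syslog capitalisation varies between daemons) are all my assumptions, not anything from ARSC's setup.

```shell
#!/bin/sh
# Added example (not from the original list post): Mike's key-phrase scan as
# shell functions over constructed sample log lines. Hostnames, addresses,
# message formats and paths are made up for illustration.
set -e

# Constructed stand-ins for /usr/adm/SYSLOG.mail and /usr/adm/SYSLOG.auth.
LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

cat > "$LOGDIR/SYSLOG.mail" <<'EOF'
Nov 27 09:01:12 mailhost sendmail[2201]: JAA02201: from=<alice@example.org>, size=1024, relay=mx.example.org [192.0.2.10]
Nov 27 09:02:44 mailhost sendmail[2210]: JAA02210: VRFY root from probe.example.net [192.0.2.55]
Nov 27 09:02:45 mailhost sendmail[2210]: JAA02210: EXPN staff from probe.example.net [192.0.2.55]
Nov 27 09:03:01 mailhost sendmail[2212]: "debug" command from probe.example.net [192.0.2.55]
Nov 27 09:03:02 mailhost sendmail[2212]: "wiz" command from probe.example.net [192.0.2.55]
Nov 27 09:05:10 mailhost sendmail[2220]: JAA02220: to=<bob@example.org>, stat=Sent
EOF

cat > "$LOGDIR/SYSLOG.auth" <<'EOF'
Nov 27 09:10:05 shell1 login[3101]: access denied for root from probe.example.net
Nov 27 09:10:09 shell1 login[3102]: failed login attempt for root from probe.example.net
Nov 27 09:10:15 shell1 login[3103]: failed login attempt for root from probe.example.net
Nov 27 09:10:21 shell1 login[3104]: failed login attempt for operator from probe.example.net
Nov 27 09:11:30 shell1 rshd[3120]: connection from probe.example.net denied
Nov 27 09:12:00 shell1 login[3130]: failed login attempt for alice from ws12.example.org
Nov 27 09:12:40 shell1 login[3131]: login by alice from ws12.example.org
EOF

# count_hits PATTERN FILE: number of lines containing PATTERN as a fixed,
# case-insensitive string. grep -c prints 0 but exits 1 on no match, so the
# "|| true" keeps set -e from aborting a clean run.
count_hits() {
    grep -icF -- "$1" "$2" || true
}

# scan_logs: the five checks from the post, one "label count" line each.
scan_logs() {
    printf 'VRFY %s\n'      "$(count_hits 'VRFY'      "$LOGDIR/SYSLOG.mail")"
    printf 'EXPN %s\n'      "$(count_hits 'EXPN'      "$LOGDIR/SYSLOG.mail")"
    printf 'command %s\n'   "$(count_hits ' command ' "$LOGDIR/SYSLOG.mail")"
    printf 'deni %s\n'      "$(count_hits 'deni'      "$LOGDIR/SYSLOG.auth")"
    printf 'fail %s\n'      "$(count_hits 'fail'      "$LOGDIR/SYSLOG.auth")"
}

# brute_force_hosts N FILE: hosts with N or more "fail" lines, taking the
# host from the "from HOST" token these constructed lines carry. Real IRIX
# login(1) messages may place the host differently; adjust the sed pattern.
brute_force_hosts() {
    grep -i 'fail' "$2" \
        | sed -n 's/.* from \([^ ,]*\).*/\1/p' \
        | sort | uniq -c \
        | awk -v n="$1" '$1 >= n { print $2 }'
}

scan_logs
printf 'hosts with 3+ failed logins: %s\n' "$(brute_force_hosts 3 "$LOGDIR/SYSLOG.auth")"
```

The first four checks are plain substring greps, so they fire on the VRFY/EXPN probes and on both sendmail `"debug" command` and `"wiz" command` lines; the "fail" check on its own only tells you there were failures, which is why the per-host tally is the part worth keeping when looking for brute force.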


