Re: searching logs for key phrases

Boyd Johnson (boydj@brooktree.com)
Mon, 2 Dec 1996 11:22:44 -0800 (PST)

"Previously Guido van Rooij said:"
> 
> Mike Kienenberger wrote:
> > 
> > VRFY            /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
> > EXPN            /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> > " command "     /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
> > 
> > deni           /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> > fail           /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at the login prompt; brute force attacks, etc)
> > 
> > Does anyone have other things you look for on a regular basis?
> 
> It is in general a bad idea to scan for interesting things. What should
> be done instead is filter out the non-interesting ones.
> 
> -Guido

That is excellent advice, but there is a basic flaw in it.  If a line
containing a disguised non-interesting keyword (in a From address, etc)
is filtered out in a line with a red-flag keyword in it you will never
see the line.  I don't have a solution other than using both methods
together.
Boyd

-- 
=Boyd Johnson boydj@brooktree.com  Rockwell Corp, Brooktree Div, San Diego, Ca.=
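The two approaches from this thread side by side, as an added Python example that is not part of the original posts: Mike's keyword scan, Guido's "drop the known-boring lines" filter, and Boyd's combination of both. The log lines and the noise patterns are constructed for the example; the red-flag keywords are the ones from the table above.

```python
import re

# Constructed syslog-style sample (not from the original thread). Line 4 is the case
# Boyd describes: an EXPN probe whose argument happens to contain a "boring" keyword.
# Line 8 is an unfamiliar event with no red-flag keyword at all.
SAMPLE_LOG = """\
Dec  2 10:01:12 mailhost sendmail[1201]: NOQUEUE: host.example.net: VRFY root
Dec  2 10:01:15 mailhost sendmail[1202]: AA01202: from=<alice@example.com>, size=812, class=0
Dec  2 10:01:16 mailhost sendmail[1203]: AA01202: to=<bob@example.com>, delay=00:00:01, stat=Sent
Dec  2 10:02:40 mailhost sendmail[1210]: NOQUEUE: other.example.net: EXPN newsletter@example.com
Dec  2 10:03:01 mailhost inetd[88]: refused connect from 10.0.0.5 to telnet: denied
Dec  2 10:03:05 mailhost login[403]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root
Dec  2 10:04:00 mailhost sendmail[1220]: AA01220: from=<newsletter@example.com>, size=5120, class=0
Dec  2 10:05:30 mailhost sendmail[1230]: AA01230: ruleset=check_rcpt, arg1=<x@relay.example.org>, reject=550
"""

# Keywords from the table in the thread (matched case-insensitively here).
RED_FLAG_PATTERNS = [re.compile(p, re.IGNORECASE)
                     for p in (r"VRFY", r"EXPN", r" command ", r"deni", r"fail")]

# Hypothetical "known boring" patterns a site might maintain for the filter-out approach.
NOISE_PATTERNS = [re.compile(p)
                  for p in (r"from=<[^>]*>, size=\d+", r"stat=Sent", r"newsletter@example\.com")]


def is_red_flag(line):
    return any(p.search(line) for p in RED_FLAG_PATTERNS)


def is_noise(line):
    return any(p.search(line) for p in NOISE_PATTERNS)


def scan_for_red_flags(lines):
    """Mike's method: show only lines containing a red-flag keyword."""
    return [l for l in lines if is_red_flag(l)]


def filter_noise(lines):
    """Guido's method: show everything except lines matching a known-boring pattern."""
    return [l for l in lines if not is_noise(l)]


def triage(lines):
    """Boyd's combination: a red-flag hit is never suppressed by the noise filter,
    and anything not known to be boring is still shown."""
    return [l for l in lines if is_red_flag(l) or not is_noise(l)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, fn in (("scan", scan_for_red_flags), ("filter", filter_noise), ("both", triage)):
        print(f"--- {name}: {len(fn(lines))} lines")
        for l in fn(lines):
            print(l)
```

Run against the sample, the scan misses the unfamiliar ruleset reject, the filter silently drops the EXPN probe because of the newsletter address, and only the combined pass shows both.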