>----------
>From: Guido van Rooij[SMTP:Guido.vanRooij@nl.cis.philips.com]
>Sent: Wednesday 27 November 1996 14:02
>To: ids@uow.edu.au
>Subject: Re: searching logs for key phrases
>
>>Mike Kienenberger wrote:
>>>
>>>VRFY         /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
>>>EXPN         /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
>>>" command "  /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
>>>
>>>deni         /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
>>>fail         /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords
>>>                                     at the login prompt; brute force attacks, etc)
>>>
>>>Does anyone have other things you look for on a regular basis?
>>
>>It is in general a bad idea to scan for interesting things. What should
>>be done instead is filter out the non-interesting ones.
>>
>>-Guido

It depends.... Sometimes you'd like to keep all the logging (e.g., think of
firewalls), so it's easier to filter out the interesting ones.

What I've done on my machine (which acts as a firewall and log host for
several other machines... please do not start the discussion that it's a bad
idea mixing the log host and firewall on one machine :-) is generate new log
files nightly (crontab entry) and save the old ones. I made a script using awk
to find events in the syslog file that might be interesting. The logic of the
script is something like:

    For each of the machines
        find the entries in the syslog file that are generated by the machine
        extract interesting events
        collect filter rejection messages (as I said, it's also a firewall)
        ignore standard events
        extract what's left
    If anything interesting was found, e-mail me
    otherwise send confirmation that the script was run.

In /etc/syslog.conf I added the line "*.debug /var/log/debug". Some events
will generate an entry if they happen often enough (such as filter
rejects...).

Arjan Vos
KPMG EDP Auditors
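The nightly review Arjan Vos outlines above, written out as an added example (this is not his script, nor anything from the list). It follows his outline: per host, select that host's lines, pick out interesting events, count the firewall filter rejects, drop standard noise, and report whatever is left; the host names, the "filter: reject" message format, the set of "standard" events and the constructed sample log lines are all assumptions made for the example. Set REPORT_TO to an address to have the report mailed instead of printed.

```shell
#!/bin/sh
# Added example of the per-host syslog review described in the post.
# Everything below (hosts, message formats, sample lines) is constructed.

HOSTS="gw host1 host2"

# Constructed sample syslog lines standing in for last night's /var/log/debug.
SAMPLE_LOG='Nov 27 01:00:01 gw syslogd: restart
Nov 27 01:05:12 gw filter: reject tcp 10.0.0.5:4321 -> 10.0.0.1:23
Nov 27 01:05:13 gw filter: reject tcp 10.0.0.5:4322 -> 10.0.0.1:23
Nov 27 02:10:44 host1 login: FAILED LOGIN 1 FROM 10.0.0.7 FOR root
Nov 27 02:11:00 host1 cron: (root) CMD (run-parts /etc/cron.hourly)
Nov 27 03:00:00 host2 sendmail[123]: VRFY root from [10.0.0.9]
Nov 27 03:15:00 host2 cron: (root) CMD (/usr/bin/newsyslog)'

# Review one host's entries from the syslog on stdin.
# Field 4 of a syslog line is the originating host name.
review_host() {
    host="$1"
    awk -v host="$host" '
        $4 != host { next }                          # only this machine
        /cron:|syslogd: restart/ { next }            # ignore standard events
        /filter: reject/ { rejects++; next }         # collect filter rejects
        /FAILED LOGIN|VRFY|EXPN| command / {         # interesting events
            print "[" host "] " $0; next
        }
        { print "[" host "] " $0 }                   # whatever is left
        END {
            if (rejects)
                printf "[%s] %d filter rejects\n", host, rejects
        }
    '
}

# Number of report lines review_host produces for one host of the sample.
count_events() {
    printf '%s\n' "$SAMPLE_LOG" | review_host "$1" | awk 'END { print NR + 0 }'
}

# Deliver the report: mail it when REPORT_TO is set, otherwise print it.
send_report() {
    if [ -n "$REPORT_TO" ]; then
        mail -s "nightly syslog review" "$REPORT_TO"
    else
        cat
    fi
}

# Run the review over every host in the log file given as $1 and send
# either the findings or a confirmation that the script ran.
nightly_review() {
    log="$1"
    report=""
    for h in $HOSTS; do
        found=$(review_host "$h" < "$log")
        if [ -n "$found" ]; then
            report="$report$found
"
        fi
    done
    if [ -n "$report" ]; then
        printf 'Interesting events:\n%s' "$report" | send_report
    else
        printf 'Syslog review ran; nothing interesting found.\n' | send_report
    fi
}

# Stand-alone run on the constructed sample (a cron job would point this
# at the rotated log file instead).
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
nightly_review "$LOGFILE"
rm -f "$LOGFILE"
```

The order of the awk rules is what makes the "filter out the non-interesting" approach work: the standard-event rule discards known noise before the catch-all rule, so anything not explicitly recognised still reaches the report rather than being silently dropped, and the reject counter turns a flood of firewall messages into a single line.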