Abstract Logcheck is software package that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck utilizes a program called logtail that remembers the last position it read from in a log file and uses this position on subsequent runs to process new information. All source code is available for review and the implementation was kept simple to avoid problems. This package is a clone of the frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) firewall package. TIS has granted permission for me to clone this package. -- crowlandat_private http://www.lh.umu.se/%7Ebjorn/mhonarc-files/linux-securitity Thanks, Ron DuFresne On Tue, 11 Jan 2000, Pete Storm wrote: > Hi all, > > Does anyone know of a tool out there that will allow > me to correlate incidents between several different > logs? For example, if I see an attempt to pull off a > php exploit on my IDS it stands to reason that I'll > see a similar log entry on my web server. What I'm > looking for is something that will pull these two > records out of the individual logs and place them in > an "incident" log as a related event. > > The current problem is that we're talking about > hundreds of thousands of log entries. Suppose I could > Perl it, but I was kinda hoping there might be a > commercial/shareware tool out there already that could > do it so much better than I could. > > thanks, > phs > __________________________________________________ > Do You Yahoo!? > Talk to your friends online with Yahoo! Messenger. > http://im.yahoo.com > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too!
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:12 PDT