[loganalysis] Re: Swatch Rules

From: E. Todd Atkins (todd.atkinsat_private)
Date: Mon Aug 13 2001 - 07:54:44 PDT

    I would be happy to maintain an examples area on the swatch web site, so 
    I encourage all of you to send examples to me. I know that many of you 
    are using swatch in some interesting ways.
    
    - Todd
    
    Jason Lewis wrote:
    
    > I have been looking for good resources for example swatch scripts.  I
    > haven't had a lot of luck.  I know that examples are included, but they
    > are pretty generic.  I am sure there are people out there using swatch to do
    > things I never thought of.
    > 
    > I will get the ball rolling with a couple I use, maybe others will want to
    > share.
    > 
    > These alert on Alteon alerts and notices.
    > 
    > watchfor   /ALERT.*WebOS/
    >         echo normal
    >         mail=youat_private,subject=ALTEON: Alert
    >         throttle 05:00
    > 
    > # (?!telnet) is a negative lookahead, assuming the intent is to skip
    > # telnet notices; [^telnet] is a character class that would also drop
    > # any notice whose tag starts with t, e, l or n (e.g. <login>, <enable>).
    > watchfor   /NOTICE.*WebOS.*<(?!telnet)/
    >         echo normal
    >         mail=youat_private,subject=ALTEON: Notice
    >         throttle 05:00
    > 
    > This alerts on PIX failover.
    > 
    > watchfor /failover/
    >         echo bold
    >         mail=youat_private,subject=Failover on PIX
    > 
    > This alerts on failed su attempts. This can get annoying if you have a lot
    > of boxes and users.
    > 
    > watchfor   /'su root' failed/
    >         echo bold
    >         mail=youat_private,subject=Failed root password for su
    >         throttle 01:00
    > 
    > This alerts on a full file system.  The throttle is 30 minutes; you can really
    > get a lot if this is less than 30 minutes.
    > 
    > watchfor   /file system full/
    >         echo bold
    >         mail=youat_private,subject=File system Full
    >         throttle 30:00
    > 
    > If there is enough interest and contribution, I will put it all together on
    > the web for reference.
    > 
    > Jason Lewis
    > http://www.packetnexus.com
    > It's not secure "Because they told me it was secure".
    > The people at the other end of the link know less
    > about security than you do. And that's scary.
    > 
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    -- 
    Todd Atkins
      Network Security Coordinator
      UCSB/Office of Information Technology
      Voice: (805) 893-5077 Fax: (805) 893-5051
      http://www.oit.ucsb.edu/~eta
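
The five rules in the quoted post, as an added illustration that is not part of the original message and is not swatch itself: a small Python matcher that applies the same regexes with the same throttle intervals to constructed log lines, so you can see which lines would generate a mail and which get swallowed by the throttle. It assumes one throttle timer per rule (swatch keys its throttle on the matched message text, so this is a simplification) and, in the Alteon notice rule, uses a negative lookahead, because `[^telnet]` in the posted rule is a character class rather than "not followed by telnet"; the second function shows what that difference drops.

```python
"""Swatch-style rule matching with throttling, run over constructed log lines.

Added illustration written for this page; not swatch's code and not the
poster's. Rules mirror the five watchfor blocks in the post; the log lines
are constructed for the demo, and the throttle is simplified to one timer
per rule (swatch keys its throttle on the matched message text).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str          # the mail subject the post uses for this rule
    pattern: re.Pattern   # the watchfor regex
    throttle: int = 0     # seconds between mails for this rule; 0 = never throttle


# The post's /NOTICE.*WebOS.*<[^telnet]/ uses a character class, which only
# excludes a single character from the set {t, e, l, n}; a negative lookahead
# (?!telnet) is what "not followed by the word telnet" means.
ORIGINAL_NOTICE = re.compile(r"NOTICE.*WebOS.*<[^telnet]")
FIXED_NOTICE = re.compile(r"NOTICE.*WebOS.*<(?!telnet)")

RULES = [
    Rule("ALTEON: Alert", re.compile(r"ALERT.*WebOS"), throttle=5 * 60),
    Rule("ALTEON: Notice", FIXED_NOTICE, throttle=5 * 60),
    Rule("Failover on PIX", re.compile(r"failover")),
    Rule("Failed root password for su", re.compile(r"'su root' failed"), throttle=60),
    Rule("File system Full", re.compile(r"file system full"), throttle=30 * 60),
]


def run(log, rules=RULES):
    """Return the (timestamp, subject, line) triples that would generate a mail.

    log is a list of (seconds, line). As in swatch, only the first matching
    watchfor acts on a line, and a rule that mailed within its throttle window
    swallows later matches without mailing again.
    """
    fired = []
    last_mail = {}
    for t, line in log:
        for rule in rules:
            if not rule.pattern.search(line):
                continue
            prev = last_mail.get(rule.subject)
            if prev is None or not rule.throttle or t - prev >= rule.throttle:
                last_mail[rule.subject] = t
                fired.append((t, rule.subject, line))
            break  # first match wins, whether it mailed or was throttled
    return fired


def compare_notice_patterns(lines):
    """For each line: (matches the posted regex, matches the lookahead version)."""
    return [(bool(ORIGINAL_NOTICE.search(l)), bool(FIXED_NOTICE.search(l))) for l in lines]


# Constructed sample log; timestamps are seconds relative to the first line.
LOG = [
    (0, "alteon1 ALERT  WebOS: link down on port 3"),
    (120, "alteon1 ALERT  WebOS: link down on port 3"),            # 2 min later: throttled
    (400, "alteon1 ALERT  WebOS: link up on port 3"),              # >5 min since the mail: mails
    (500, "alteon1 NOTICE WebOS: <telnet> session from 10.0.0.5"),  # telnet: ignored
    (520, "alteon1 NOTICE WebOS: <login> failed for admin"),       # not telnet: mails
    (600, "pix1 failover: primary switching to active"),
    (700, "host1 su: 'su root' failed for alice on /dev/pts/2"),
    (730, "host1 su: 'su root' failed for alice on /dev/pts/2"),   # 30 s later: throttled
    (800, "host1 su: 'su root' failed for alice on /dev/pts/2"),   # 100 s later: mails
    (900, "host2 kernel: /var: file system full"),
    (1000, "host2 kernel: /var: file system full"),                # within 30 min: throttled
]

# Constructed notices showing what the character class silently drops.
NOTICES = [
    "NOTICE WebOS: <telnet> session from 10.0.0.5",   # neither regex matches: correct
    "NOTICE WebOS: <ssh> session from 10.0.0.5",      # both regexes match
    "NOTICE WebOS: <login> failed for admin",         # 'l' is in [^telnet]: posted regex misses it
    "NOTICE WebOS: <enable> mode entered by admin",   # 'e' is in [^telnet]: posted regex misses it
]

if __name__ == "__main__":
    for t, subject, line in run(LOG):
        print(f"t={t:4d}  mail subject={subject!r}  {line}")
    for line, (orig, fixed) in zip(NOTICES, compare_notice_patterns(NOTICES)):
        print(f"posted={orig!s:5}  lookahead={fixed!s:5}  {line}")
```

Running it mails seven of the eleven lines; the repeats at 120 s, 730 s and 1000 s are suppressed by the 5-minute, 1-minute and 30-minute throttles, and the second `ALERT` at 400 s goes out because the window from the last mail has elapsed. The comparison shows the character-class version correctly ignoring the `<telnet>` notice but also dropping `<login>` and `<enable>`, which is the kind of silent gap a throttled, mail-only rule never surfaces.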
    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:05:00 PDT