[loganalysis] Re: Swatch Rules

From: Gary (hotmail) (heitmangaat_private)
Date: Mon Aug 13 2001 - 09:09:04 PDT

    I would be willing to try more experiments with configs, etc. if you are
    going to keep a list of examples and such ...
    
    I, too, would have really liked to get some "how it works" when I started,
    but soon settled for email alerts ... Which *is* handy of course, but I
    always wondered if there weren't some fancier uses out there (?)
    
    Thanks for examples!
    
    -gary
    
    ----- Original Message -----
    From: "Jason Lewis" <jlewisat_private>
    To: <loganalysisat_private>
    Sent: Sunday, August 12, 2001 12:44 AM
    Subject: Swatch Rules
    
    
    > I have been looking for good resources for example swatch scripts.  I
    > haven't had a lot of luck.  I know that examples are included.....but, they
    > are pretty generic.  I am sure there are people out there using swatch to do
    > things I never thought of.
    >
    > I will get the ball rolling with a couple I use, maybe others will want to
    > share.
    >
    > These alert on Alteon alerts and notices.
    >
    > watchfor   /ALERT.*WebOS/
    >         echo normal
    >         mail =youat_private,subject= ALTEON: Alert
    >         throttle 05:00
    >
    > watchfor   /NOTICE.*WebOS.*<(?!telnet)/
    >         echo normal
    >         mail =youat_private,subject= ALTEON: Notice
    >         throttle 05:00
    >
    > This alerts on PIX failover.
    >
    > watchfor /failover/
    >         echo bold
    >         mail =youat_private,subject=Failover on PIX
    >
    > This alerts on failed su attempts. This can get annoying if you have a lot
    > of boxes and users.
    >
    > watchfor   /'su root' failed/
    >         echo bold
    >         mail =youat_private,subject=Failed root password for su
    >         throttle 01:00
    >
    > This alerts on file system full.  The throttle is 30 minutes, you can really
    > get a lot if this is less than 30 minutes.
    >
    > watchfor   /file system full/
    >         echo bold
    >         mail=youat_private,subject=File system Full
    >         throttle 30:00
    >
    > If there is enough interest and contribution, I will put it all together on
    > the web for reference.
    >
    > Jason Lewis
    > http://www.packetnexus.com
    > It's not secure "Because they told me it was secure".
    > The people at the other end of the link know less
    > about security than you do. And that's scary.
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
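As an added illustration (not code from the post, nor from swatch itself), the rules above replayed over constructed log lines in Python, with the mail subjects kept as in the post. It assumes the throttle string reads as minutes:seconds, because the post treats 30:00 as 30 minutes, and it writes the telnet exclusion as a negative lookahead, since a character class such as `<[^telnet]` would also skip any bracketed name beginning with t, e, l or n.

```python
import re
from datetime import datetime, timedelta
# Rule table transcribed from the post: (mail subject, watchfor regex, throttle or None).
# A class such as <[^telnet] would skip any <name> starting with t, e, l or n, so the
# telnet exclusion is written as a negative lookahead instead.
RULES = [
    ("ALTEON: Alert",               re.compile(r"ALERT.*WebOS"),               "05:00"),
    ("ALTEON: Notice",              re.compile(r"NOTICE.*WebOS.*<(?!telnet)"), "05:00"),
    ("Failover on PIX",             re.compile(r"failover"),                   None),
    ("Failed root password for su", re.compile(r"'su root' failed"),           "01:00"),
    ("File system Full",            re.compile(r"file system full"),           "30:00"),
]

def parse_throttle(spec):
    """Read 'MM:SS' as the post describes it ('30:00' = 30 minutes); an assumption, not swatch's parser."""
    if spec is None:
        return None
    minutes, seconds = (int(part) for part in spec.split(":"))
    return timedelta(minutes=minutes, seconds=seconds)

def run(lines):
    """Return the (timestamp, subject) alerts the rules would mail for (timestamp, text) lines.
    A throttled rule stays silent until its window has passed since the alert it last sent;
    as in swatch's default, the first matching rule wins and later rules are not tried."""
    last_sent, alerts = {}, []
    for stamp, text in lines:
        for subject, pattern, spec in RULES:
            if not pattern.search(text):
                continue
            window, prev = parse_throttle(spec), last_sent.get(subject)
            if window is not None and prev is not None and stamp - prev < window:
                break  # matched but throttled: no mail, and no further rules
            last_sent[subject] = stamp
            alerts.append((stamp, subject))
            break
    return alerts

# Constructed syslog lines; hostnames, addresses and message bodies are made up.
T0 = datetime(2001, 8, 12, 0, 0, 0)
SAMPLE = [
    (T0,                                     "alteon1 ALERT WebOS slb: real server 1 failed"),
    (T0 + timedelta(minutes=2),              "alteon1 ALERT WebOS slb: real server 1 failed"),  # throttled
    (T0 + timedelta(minutes=6),              "alteon1 ALERT WebOS slb: real server 1 operational"),
    (T0 + timedelta(minutes=7),              "alteon1 NOTICE WebOS mgmt: <telnet> login from 10.0.0.5"),  # skipped
    (T0 + timedelta(minutes=8),              "alteon1 NOTICE WebOS mgmt: <login> failed for admin"),
    (T0 + timedelta(minutes=9),              "pix1 %PIX-1-104001: (Primary) Switching to ACTIVE - failover"),
    (T0 + timedelta(minutes=10),             "host1 su: 'su root' failed for bob on /dev/pts/1"),
    (T0 + timedelta(minutes=10, seconds=30), "host1 su: 'su root' failed for bob on /dev/pts/1"),  # throttled
    (T0 + timedelta(minutes=11),             "host1 kernel: /var: file system full"),
]
```

Running `run(SAMPLE)` yields six alerts: the second Alteon alert and the second su failure fall inside their throttle windows, and the telnet notice never matches.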
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 15:05:23 PDT