* swatch swatch <swatch_5at_private> [2003-01-07T11:58-0800]:
> # Bad login attempts
> watchfor /Failed/
>     echo bold
>     exec echo $0 | mail -s 'Authentication Failure'
> meat_private

I currently use the following template for "important things" rules:

    watchfor /.../
        mail=user,subject=LW: CATEGORY (info|notice|warn): description
        throttle 30:00,use=regex

LW is short for "Log Watch", which makes mail subject filtering/sorting easy for either humans or code. CATEGORY is something like 'mail' or 'printing' or 'security' to easily distinguish messages into various large groups (mail, printing, etc.). The three levels provide additional rating to the message, and the description provides details of the match in the subject. This leads to inbox contents along the lines of:

    LW: disk (notice): RAIDZONE drive warning
    LW: user (info): password update
    LW: security (warn): bad su

I have found throttling very important, especially when something goes berserk and you end up with 10,000 new messages in your inbox come morning. (Having your log notification service DoS your email service and thus generate additional email warnings could be a Bad Thing.)

-- 
Jeremy Mates http://www.sial.org/
OpenPGP: 0x11C3D628 (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628)

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
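The rule template and throttle behaviour described in the post, as an added illustration that is not part of the original message and not swatch's own code: a small Python watcher applies rules of the form "pattern, CATEGORY, level, description", builds the "LW: CATEGORY (level): description" subject, and throttles repeat matches per regex (the post's use=regex) inside a window assumed here to be 30 minutes. The syslog-style input lines, the BAD SU and "password changed" patterns, and the timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Rule:
    """One watchfor rule in the post's template form (assumed field names)."""
    pattern: re.Pattern
    category: str       # e.g. 'security', 'user', 'disk'
    level: str          # 'info' | 'notice' | 'warn'
    description: str
    throttle: timedelta = timedelta(minutes=30)  # assumed 30-minute window

    def subject(self) -> str:
        return f"LW: {self.category} ({self.level}): {self.description}"


@dataclass
class Watcher:
    rules: list
    last_fired: dict = field(default_factory=dict)   # regex text -> last alert time
    suppressed: dict = field(default_factory=dict)   # regex text -> dropped count

    def feed(self, ts: datetime, line: str):
        """Return the subject to mail for this line, or None when no rule
        matched or the matching rule is still inside its throttle window."""
        for rule in self.rules:
            if not rule.pattern.search(line):
                continue
            key = rule.pattern.pattern          # throttle keyed on the regex (use=regex)
            last = self.last_fired.get(key)
            if last is not None and ts - last < rule.throttle:
                self.suppressed[key] = self.suppressed.get(key, 0) + 1
                return None
            self.last_fired[key] = ts
            return rule.subject()
        return None


RULES = [
    Rule(re.compile(r"BAD SU"), "security", "warn", "bad su"),
    Rule(re.compile(r"password changed"), "user", "info", "password update"),
]

# Constructed syslog-style input: a burst of five failed su attempts ten
# seconds apart, one password change, then another failed su after the
# 30-minute window has expired.
T0 = datetime(2003, 1, 7, 11, 58)
SAMPLE_LOG = [
    (T0 + timedelta(seconds=i * 10), "su[1234]: BAD SU mallory to root on /dev/pts/3")
    for i in range(5)
] + [
    (T0 + timedelta(minutes=2), "passwd[2345]: password changed for alice"),
    (T0 + timedelta(minutes=31), "su[3456]: BAD SU mallory to root on /dev/pts/3"),
]


def run(log=SAMPLE_LOG, rules=RULES):
    """Feed the log through a fresh watcher; return (alert subjects, suppressed counts)."""
    watcher = Watcher(rules)
    alerts = []
    for ts, line in log:
        subject = watcher.feed(ts, line)
        if subject is not None:
            alerts.append(subject)
    return alerts, watcher.suppressed


if __name__ == "__main__":
    sent, dropped = run()
    for subject in sent:
        print(subject)
    print("suppressed:", dropped)
```

With the constructed input the burst of five BAD SU lines produces a single alert and four suppressed matches, the password change produces its own alert, and the failed su 31 minutes later is outside the window and alerts again; the suppressed counter is what you would want to surface in a summary mail so that throttling never hides the size of the burst.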
This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:49:07 PST