Hello,

I try to configure logsurfer to do my bidding, alas not very successfully. I hope someone can lend me a hand with this. What I want to do is this:

1) Ignore uninteresting patterns like cronjobs etc. Doing fine with this.

2) Report possibly suspicious activities with context information. I think I got the hang of contexts, but not fully, which leads to

3) Collect unknown (not yet matched) events in a context and have it mailed to me regularly.

I'm as far as this at the end of my logsurfer.conf:

    'mark' - - - 0 continue report '/usr/bin/mail braun -s"test-context"' "."
    'mark' - - - 0 continue delete '.'
    'mark' - - - 0 open '.' - 500 3600 0 report '/usr/bin/mail braun -s"test-context"' "."

The idea is to open context '.' and have it filled up with anything not yet matched and mail it to me regularly (max 500 lines, every hour at maximum). I figured the syslogd 'mark' would be a nice way to trigger the report, clear the context and reopen it again.

Seems to work ok (except I get some empty mails), but I noticed that the context also contains log lines that matched previous 'ignore' rules. Is there a way to do this as I intend it to work? My main problem is that the context also contains the previously matched/ignored log lines.

Input would be highly appreciated.

regards
--
Wolfgang Braun, Dipl.-Inform. (FH) <wolfgang.braun@private>
gpg-key: 1024D/4B32CE55
gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
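The "collect everything that no ignore rule matched, flush it on the syslog mark, and never send an empty report" workflow the post describes, as an added Python example that is neither the poster's configuration nor logsurfer's own code. It applies the ignore patterns before anything reaches the buffer, so lines that are ignored can never end up in the report. The ignore patterns, the "-- MARK --" line format, the sample log lines and the 500-line cap are constructed assumptions for the example; the /usr/bin/mail invocation mirrors the report action in the post.

```python
import re
import subprocess
from typing import Callable, List, Optional, Pattern

# Constructed ignore patterns, standing in for the poster's 'ignore' rules.
# Anything matching one of these is dropped before it can reach the buffer.
IGNORE_PATTERNS: List[Pattern] = [
    re.compile(r" CRON\[\d+\]: "),          # cron job noise
    re.compile(r" systemd\[\d+\]: Started "),
]

# syslogd's periodic mark line; used as the flush trigger, never reported itself.
MARK_RE = re.compile(r" -- MARK --$")

MAX_LINES = 500  # the same line cap the post uses for its context


def mail_report(text: str, recipient: str = "braun", subject: str = "test-context") -> None:
    """Pipe a report to /usr/bin/mail, the action the post's report rule uses.
    Only called when a report callback is wired in; not used by the tests."""
    subprocess.run(["/usr/bin/mail", "-s", subject, recipient],
                   input=text.encode(), check=False)


class UnmatchedCollector:
    """Buffer log lines that matched no ignore pattern and hand them to a
    report callback on every mark line or once the buffer reaches max_lines."""

    def __init__(self, ignore_patterns: List[Pattern], max_lines: int = MAX_LINES,
                 report: Optional[Callable[[str], None]] = None) -> None:
        self.ignore_patterns = ignore_patterns
        self.max_lines = max_lines
        self.report = report or (lambda text: None)
        self.buffer: List[str] = []
        self.reports: List[str] = []   # every report that was actually emitted

    def feed(self, line: str) -> None:
        line = line.rstrip("\n")
        if MARK_RE.search(line):       # the mark only triggers a flush
            self.flush()
            return
        if any(p.search(line) for p in self.ignore_patterns):
            return                     # ignored lines never enter the buffer
        self.buffer.append(line)
        if len(self.buffer) >= self.max_lines:
            self.flush()

    def flush(self) -> Optional[str]:
        """Emit the buffered lines as one report; return None when there is
        nothing to send, which is what avoids the empty mails."""
        if not self.buffer:
            return None
        text = "\n".join(self.buffer)
        self.buffer = []
        self.reports.append(text)
        self.report(text)
        return text


# Constructed sample input: two mark periods, the first with real events,
# the second containing only ignored noise.
SAMPLE_LINES = [
    "Feb  8 10:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb  8 10:03:17 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4412 ssh2",
    "Feb  8 10:05:00 host kernel: usb 1-1: new device found",
    "Feb  8 10:20:00 host -- MARK --",
    "Feb  8 10:35:02 host CRON[1235]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb  8 10:40:00 host -- MARK --",
]


def run_collector(lines: List[str], ignore_patterns: List[Pattern] = IGNORE_PATTERNS,
                  max_lines: int = MAX_LINES,
                  report: Optional[Callable[[str], None]] = None) -> UnmatchedCollector:
    """Feed a sequence of log lines through a fresh collector and return it."""
    collector = UnmatchedCollector(ignore_patterns, max_lines, report)
    for line in lines:
        collector.feed(line)
    return collector


if __name__ == "__main__":
    # Pass report=mail_report to actually mail the reports.
    c = run_collector(SAMPLE_LINES)
    for i, r in enumerate(c.reports, 1):
        print(f"--- report {i} ---\n{r}")
```

Running it on the sample produces exactly one report, containing the sshd and kernel lines; the second mark period yields nothing because its only line was ignored, so no empty report is generated. Wiring `report=mail_report` into `run_collector` reproduces the mailing step from the post's configuration.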
This archive was generated by hypermail 2.1.3 : Wed Feb 09 2005 - 08:38:56 PST