Hi Wolfgang,

My understanding of how Logsurfer works is that first messages are compared to the ruleset (with the short-circuiting, etc, that we know and love), then the same messages are compared to the set of contexts and added to any that match. Note that the ruleset and the set of contexts are treated independently!

So, the problem is that you want to add all non-ignored messages to a context that matches '.*', but Logsurfer is going to add every message to this context (including "ignore"d messages).

Under SEC and my tool, LoGS (which is in the pre-alpha development stages), contexts work very differently. In order for a message to be added to a context, it must be explicitly put there by a rule that matches the message, so at the bottom of your ruleset, you could have a default rule (that matches everything that wasn't previously matched by another rule) to put your messages into your context.

Also, be aware that because Logsurfer deals with contexts in this way, as the number of contexts grows, the time required to process a given message also grows! SEC and (recent versions of) LoGS don't have this problem.

Good luck!
Jim

James E. Prewett                  Jim@private download@private
Systems Team Leader               http://www.hpc.unm.edu/~download/
Designated Security Officer       OpenPGP key: pub 1024D/31816D93
HPC Systems Engineer III          UNM HPC  505.277.8210

On Wed, 9 Feb 2005, Wolfgang Braun wrote:

> Hello
>
> I try to configure logsurfer to do my bidding alas not very successful. I
> hope someone can lend me a hand with this.
>
> What I want to do is this:
>
> 1) Ignore uninteresting patterns like cronjobs etc. Doing fine with this.
>
> 2) Report possibly suspicious activities with context information. I
> think I got the hang of contexts, but not fully, which leads to
>
> 3) Collect unknown (not yet matched) events in a context and have it
> mailed to me regularly. I'm as far as this at the end of my
> logsurfer.conf:
>
> 'mark' - - - 0
>     continue
>     report '/usr/bin/mail braun -s"test-context"' "."
>
> 'mark' - - - 0
>     continue
>     delete '.'
>
> 'mark' - - - 0
>     open '.' - 500 3600 0
>     report '/usr/bin/mail braun -s"test-context"' "."
>
>
> The idea is to open context '.' and have it filled up with anything not
> yet matched and mail it to me regularly (max 500 lines, every hour at
> maximum). I figured the syslogd 'mark' would be a nice way to trigger the
> report, clear the context and reopen it again.
>
> Seems to work ok (except I get some empty mails) but I noticed that the
> context also contains log lines that matched previous 'ignore' rules.
>
> Is there a way to do this as I intend it to work? My main problem is
> that the context also contains the previously matched/ignored log lines.
>
> Input would be highly appreciated.
>
>
> regards
> --
> Wolfgang Braun, Dipl.-Inform. (FH)
> <wolfgang.braun@private>
> gpg-key: 1024D/4B32CE55
> gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
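The following SEC rule file is an added illustration of the default-rule approach Jim describes for Wolfgang's third goal; it is not part of the original thread and not Wolfgang's or Jim's configuration. The cron regexp, the context name UNKNOWN, and the mail recipient and subject are assumptions chosen to mirror the logsurfer snippet above.

```text
# Added example (not from the thread): SEC rules for collecting unmatched
# events. Assumed: the cron regexp, the context name UNKNOWN, and the
# /usr/bin/mail recipient "braun" with subject "test-context".

# Goal 1: ignore uninteresting events. A Suppress rule ends processing of
# the event, so a cron line never reaches the default rule below and
# therefore never ends up in the UNKNOWN context.
type=Suppress
ptype=RegExp
pattern=CRON\[\d+\]: \(\w+\) CMD
desc=ignore cron job execution lines

# Goal 2: more specific rules for suspicious activity go here. Any rule that
# matches without continue=TakeNext keeps the event away from the default.

# Goal 3: default rule. An event only reaches this point if no earlier rule
# consumed it, and only then is it explicitly added to UNKNOWN ($0 is the
# whole matching line; the context is created on the first add).
type=Single
ptype=RegExp
pattern=.*
desc=collect events no earlier rule matched
action=add UNKNOWN $0

# At minute 0 of every hour, feed the collected events to mail, then drop
# the context. The context=UNKNOWN condition makes the rule do nothing when
# no event was collected, which avoids the empty mails mentioned above.
type=Calendar
time=0 * * * *
context=UNKNOWN
desc=mail unknown events collected during the last hour
action=report UNKNOWN /usr/bin/mail -s test-context braun; delete UNKNOWN
```

Because SEC evaluates rules top to bottom and an event is only placed in a context by an explicit `add`, the Suppress rule and the default rule together give exactly "everything not ignored"; there is no separate pass that adds every line to every matching context as in Logsurfer. The 500-line cap from the logsurfer `open` action is not reproduced here, so a very noisy hour produces one large mail rather than several.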
This archive was generated by hypermail 2.1.3 : Wed Feb 09 2005 - 08:54:20 PST