Again, let me point you to PureSecure, http://www.demarc.com/. It does
intrusion detection, system monitoring, etc.

Analog is also useful for that, but not so much as a monitoring tool.
If you do find something suspicious, you can use Analog to drill
through the logs, isolating hosts (HOSTINCLUDE), periods (FROM/TO) and
files (FILEINCLUDE) until you get the reports you need. This is a
multi-step process.

Of course you can get basic details from Analog: a large amount of
traffic in a short time in the Hourly, Quarter-Hourly or Five-Minute
reports; a host that is more active than others; repeated failed
attempts to access secured areas of your site; etc.

--

Jeremy Wadsack
Wadsack-Allen Digital Group


Sibi John ([EMAIL PROTECTED]; Friday, November 01, 2002 11:51 AM):

> I totally understand your point. But the main reason I want to do this is, say, if I
> needed to see if there were any hacker intrusion attempts on my site today, I would
> like to see who was making what kind of requests at what time, and not just on a
> particular file, any requests to my website. Is something like that possible in Analog?

> ~~~~~~~~~~~~~~~~~~~~
> Sibi John.
> Systems Administrator.
> Deerfield Capital Management.
> ~~~~~~~~~~~~~~~~~~~~~
 

> -----Original Message-----
> From: Jeremy Wadsack [mailto:jwadsack@;wadsack-allen.com]
> Sent: Friday, November 01, 2002 12:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [analog-help] Help a newbie again !!



> Sibi John ([EMAIL PROTECTED]; Friday, November 01, 2002 9:05 AM):

>> 1.) Is there any way to get logs for a particular day on the fly,
>> say by choosing a particular day on the report itself? I.e. not
>> going to analog.cfg to change dates?

> You can use -F/-T from the command line. These are equivalent to FROM
> and TO in a config file.

>> Also for the failure report or say for the report request, is there
>> any way in which I could customize the failure report so that I
>> could get the username / IP address / access time, along with file
>> name, number of requests, which I already get in the report?

> As Aengus just said:

> If a file has been requested 1,000 times do you want 1,000 IP addresses
> listed against it?

> http://www.analog.cx/docs/faq.html#faq128

> You can always generate a full report for a single file by using
> FILEINCLUDE filename. The Host Report in this case will just list the
> Hosts that requested that file. But you can only report on a single file
> at a time.


>> 2.) On a different note, I am not sure if this is possible but
>> has anybody set up Analog to provide graphs to availability and
>> uptime for a server?

> The web server log files do not really provide this information. You
> could look at all the requests and, using some heuristic, figure out
> when there have been no requests for a "long" period of time (for some
> definition of long). But that's just an estimate. And web/browser
> caches and such could affect this.

> If you really want availability and uptime, use a server monitoring
> solution like the one included in PureSecure, http://www.demarc.com/.

+------------------------------------------------------------------------
|  This is the analog-help mailing list. To unsubscribe from this
|  mailing list, go to
|    http://lists.isite.net/listgate/analog-help/unsubscribe.html
|
|  List archives are available at
|    http://www.mail-archive.com/analog-help@;lists.isite.net/
|    http://lists.isite.net/listgate/analog-help/archives/
|    http://www.tallylist.com/archives/index.cfm/mlist.7
+------------------------------------------------------------------------
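
Added example, not part of the original thread and not Analog code: a Python script that lists who requested what and when from a Common Log Format file, and computes the three signals named in the reply above (a host more active than others, repeated failed attempts on secured areas, heavy traffic in a five-minute window). The log lines, the failure threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Common Log Format sample (not taken from the thread).
SAMPLE = """\
192.0.2.10 - - [01/Nov/2002:11:02:10 -0600] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [01/Nov/2002:11:03:01 -0600] "GET /admin/ HTTP/1.0" 401 401
198.51.100.7 - bob [01/Nov/2002:11:03:05 -0600] "GET /admin/ HTTP/1.0" 401 401
198.51.100.7 - root [01/Nov/2002:11:03:09 -0600] "GET /admin/ HTTP/1.0" 401 401
198.51.100.7 - - [01/Nov/2002:11:04:30 -0600] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210
192.0.2.10 - - [01/Nov/2002:11:21:44 -0600] "GET /about.html HTTP/1.0" 200 2048
203.0.113.5 - alice [01/Nov/2002:11:22:00 -0600] "GET /admin/ HTTP/1.0" 200 900
not a log line
"""

LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def parse(text):
    """Yield (host, user, time, path, status) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            host, user, ts, _method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield host, user, when, path, int(status)

def summarize(records, fail_threshold=3):
    """Return the busiest host, hosts with repeated 401/403s, and the peak window."""
    per_host, failures, windows = Counter(), Counter(), Counter()
    for host, _user, when, _path, status in records:
        per_host[host] += 1
        if status in (401, 403):          # failed attempts on secured areas
            failures[host] += 1
        # Five-minute bucket, comparable to Analog's Five-Minute Report.
        bucket = when.replace(minute=when.minute - when.minute % 5, second=0)
        windows[(bucket.strftime("%H:%M"), host)] += 1
    if not per_host:                      # empty or fully unparseable log
        return {}
    return {
        "busiest_host": per_host.most_common(1)[0][0],
        "repeated_failures": {h: n for h, n in failures.items() if n >= fail_threshold},
        "peak_window": windows.most_common(1)[0],
    }

if __name__ == "__main__":
    for host, user, when, path, status in parse(SAMPLE):
        print(when.isoformat(), host, user, status, path)   # who, what, when
    print(summarize(parse(SAMPLE)))
```

Once a host stands out here, the same host and time range can be passed to Analog with HOSTINCLUDE and FROM/TO to produce the full reports.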
