Hi Gerald I took a look at logcheck.sh, and attempted to add in /var/log/httpd/access file for analysis. Without entering anything in any of the ignore files I would have expected logcheck to add the complete log of last 15 minutes.
Instead it appended the entire (>11mb) access log file to the email message, stretching back a few days. This isnt the behaviour I would expect, I can only guess that it could be something to do with the date format or position on the line? For completeness I've added a part of the logs below, all of the /var/log/xxx files seem to follow the same format with the date /time being at the start of the line. Am I barking up the wrong tree and being daft? Is there something that I have missed? Ideally, I'd like to scan through the httpd access log and pick out certain strings like "cmd.exe" "default.ida", etc. and throw them back, whilst ignoring all the legitimate GET and POST entries. Any help greatly appreciated. Thanks Rob /var/log/messages:- Nov 28 00:03:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:137 xxx.xxx.xxx.255:137 L=78 S=0x00 I=7322 F=0x0000 T=64 (#28) Nov 28 00:03:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:138 xxx.xxx.xxx.255:138 L=211 S=0x00 I=7323 F=0x0000 T=64 (#28) Nov 28 00:08:45 myserver kernel: Packet log: input DENY eth0 PROTO=17 xxx.xxx.xxx.xxx:137 xxx.xxx.xxx.255:137 L=78 S=0x00 I=7324 F=0x0000 T=64 (#28) /var/log/httpd/access myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:22 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-" myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:23 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 235 "-" "-" myserver.mydomain.com 213.86.98.27 - - [28/Nov/2001:01:05:23 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 253 "-" "-" -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rob Moore Sent: 22 November 2001 11:07 To: [EMAIL PROTECTED] Subject: RE: [cobalt-security] httpd log analyzer >> You can configure logcheck to do this. oops, I should rtfm then! Cheers Gerald! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gerald Waugh Sent: 22 November 2001 10:45 To: [EMAIL PROTECTED] Subject: Re: [cobalt-security] httpd log analyzer > Now, my question: has anyone seen anything like this to monitor the apache > httpd log files (/var/log/httpd/...) to report any violations, eg. code red > scans, etc. and email the > results? It should not alter the log files in any way as that would affect > the webalizer > splitting, etc. > You can configure logcheck to do this. edit /usr/local/etc/logcheck.sh and configure to do what ever you desire. Gerald _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
