From what I understand, logcheck.sh is meant to check the whole file. The behaviour you are experiencing is correct.
Next time you run logcheck it should only check entries since the last run (it keeps a marker somewhere).

Good day David

> I took a look at logcheck.sh, and attempted to add in /var/log/httpd/access
> file for analysis. Without entering anything in any of the ignore files I
> would have expected logcheck to add the complete log of last 15 minutes.
>
> Instead it appended the entire (>11mb) access log file to the email message,
> stretching back a few days. This isn't the behaviour I would expect, I can
> only guess that it could be something to do with the date format or position
> on the line?
>
> For completeness I've added a part of the logs below, all of the
> /var/log/xxx files seem to follow the same format with the date/time being
> at the start of the line.
>
> -----Original Message-----
> > Now, my question: has anyone seen anything like this to monitor the apache
> > httpd log files (/var/log/httpd/...) to report any violations, e.g. code red
> > scans, etc. and email the results? It should not alter the log files in any
> > way as that would affect the webalizer splitting, etc.
> >
> You can configure logcheck to do this.
> edit /usr/local/etc/logcheck.sh and configure
> to do whatever you desire.
>
> Gerald

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
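
Added example, not part of the original thread and not logcheck's own code: one way to implement the "marker" idea from the reply for the Apache access log in the question, reading the log without modifying it. The function name `scan_new`, the offset state file and the sample log lines are assumptions constructed for illustration; the match is on requests for `/default.ida`, the URL that Code Red probes.

```shell
#!/bin/sh
# Added example: incremental, read-only scan of an Apache access log.
# scan_new and the state-file layout are hypothetical, not logcheck's own.

# scan_new LOG STATE
#   Prints access-log lines added since the previous call that request
#   /default.ida, then records the new byte offset in STATE.
scan_new() {
    log=$1
    state=$2
    size=$(wc -c < "$log" | tr -d ' ')
    last=0
    if [ -f "$state" ]; then
        last=$(cat "$state")
    fi
    # A smaller file than last time means it was rotated: start from the top.
    if [ "$last" -gt "$size" ]; then
        last=0
    fi
    # Read only bytes last+1..size; the log itself is never written to.
    tail -c +"$((last + 1))" "$log" | head -c "$((size - last))" |
        grep -i 'GET /default\.ida?' || true
    echo "$size" > "$state"
}

# Constructed sample data (not from the original message).
demo() {
    dir=$(mktemp -d)
    log=$dir/access
    cat > "$log" <<'EOF'
192.0.2.10 - - [01/Aug/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.66 - - [01/Aug/2001:10:00:07 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
EOF
    echo "first run:";  scan_new "$log" "$dir/offset"
    cat >> "$log" <<'EOF'
192.0.2.99 - - [01/Aug/2001:10:15:30 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
EOF
    echo "second run:"; scan_new "$log" "$dir/offset"
    rm -rf "$dir"
}
demo
```

Because the offset lives in a separate state file, the access log stays untouched for webalizer; the first run still reports the whole file, as the reply describes.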
