> I took a look at logcheck.sh, and attempted to add in /var/log/httpd/access
> file for analysis. Without entering anything in any of the ignore files I
> would

Just for my complete understanding send me the lines you changed in
logcheck.sh with a couple lines above and below the change.

    # Linux Red Hat Version 3.x, 4.x
    $LOGTAIL /var/log/messages > $TMPDIR/check.$$
    $LOGTAIL /var/log/secure >> $TMPDIR/check.$$
    $LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
    $LOGTAIL /var/log/kernel >> $TMPDIR/check.$$
    ******* Added to this section???????????
    $LOGTAIL /var/log/httpd/access >> $TMPDIR/check.$$

> have expected logcheck to add the complete log of last 15 minutes.
> Instead it appended the entire (>11mb) access log file to the email message,
> stretching back a few days. This isn't the behaviour I would expect, I can
> only guess that it could be something to do with the date format or position on
> the line?

I don't recall at the moment, but I think it will do the complete file,
providing the file has never been checked before.

> For completeness I've added a part of the logs below, all of the
> /var/log/xxx files seem to follow the same format with the date/time being
> at the start of the line.
>
> Am I barking up the wrong tree and being daft? Is there something that I
> have missed?
>
> Ideally, I'd like to scan through the httpd access log and pick out certain
> strings like "cmd.exe" "default.ida", etc. and throw them back, whilst
> ignoring all the legitimate GET and POST entries.

I would add the things you are looking for in the following file:

    # File of security violation patterns to specifically look for.
    # This file should contain keywords of information administrators should
    # probably be aware of. May or may not cause false alarms sometimes.
    # Generally, anything that is "negative" is put in this file. It may miss
    # some items, but these will be caught by the next check. Move suspicious
    # items into this file to have them reported regularly.
    VIOLATIONS_FILE=/usr/local/etc/logcheck.violations

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
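The two behaviours discussed in this exchange, shown as an added example that is not part of the thread and not logcheck's own code: a logtail-style offset tracker (which explains why a log that has never been checked is emitted whole on the first run, and only the appended lines afterwards), followed by the violations and ignore pattern files applied to those lines. The access-log lines, pattern files and temporary file names are all constructed for the example; the function names are this example's own, not logcheck's.

```shell
#!/bin/sh
# Added example (not logcheck's own code): a minimal model of the two
# mechanisms discussed in the thread, using constructed sample data.
#   1. logtail-style offset tracking: only lines appended since the last run
#      are emitted, and a log that has never been checked is emitted whole.
#   2. the logcheck.violations / ignore pattern files applied to those lines.
# All file names here are temporary placeholders, not logcheck's paths.

# Emit the lines appended to log $1 since the last run, remembering the byte
# offset in $2. With no offset file yet (first run), the whole file comes out,
# which is what happens when a log is newly added to logcheck.sh.
logtail_new_lines() {
    log="$1"; offset_file="$2"
    last=0
    [ -f "$offset_file" ] && last=$(cat "$offset_file")
    size=$(wc -c < "$log" | tr -d ' ')
    # A size smaller than the saved offset means the log was rotated or
    # truncated: start again from byte 0 instead of reading past the end.
    [ "$size" -lt "$last" ] && last=0
    tail -c +$((last + 1)) "$log"
    echo "$size" > "$offset_file"
}

# Lines matching any pattern in the violations file $1 (egrep -i -f style).
scan_violations() { grep -i -f "$1"; }

# Lines NOT matching the ignore file $1: logcheck reports these as "unusual",
# so the legitimate GET/POST patterns belong in the ignore file, not here.
filter_ignored() { grep -v -i -f "$1"; }

# End-to-end run over a constructed httpd access log. Returns a summary
# string so the behaviour can be checked without reading mail output.
demo() {
    work=$(mktemp -d)
    log="$work/access"; off="$work/access.offset"
    viol="$work/logcheck.violations"; ign="$work/logcheck.ignore"

    # Constructed pattern files (basic regexes, as grep -f reads them).
    printf '%s\n' 'cmd\.exe' 'default\.ida' > "$viol"
    printf '%s\n' \
        '"GET /[A-Za-z0-9_./-]*\.html HTTP/1\.[01]" 200' \
        '"POST /form\.cgi HTTP/1\.[01]" 200' > "$ign"

    # Constructed access log in combined-log-like format (dates are made up).
    printf '%s\n' \
        '10.0.0.1 - - [01/Jan/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024' \
        '10.0.0.2 - - [01/Jan/2003:10:00:05 +0000] "POST /form.cgi HTTP/1.0" 200 512' \
        '10.0.0.3 - - [01/Jan/2003:10:00:09 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276' \
        > "$log"

    # First run: no offset file exists, so all 3 lines are emitted.
    first=$(logtail_new_lines "$log" "$off" | wc -l | tr -d ' ')

    # Two more requests arrive before the next 15-minute run.
    printf '%s\n' \
        '10.0.0.4 - - [01/Jan/2003:10:15:01 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 276' \
        '10.0.0.5 - - [01/Jan/2003:10:15:02 +0000] "GET /about.html HTTP/1.0" 200 2048' \
        >> "$log"

    # Second run: only the 2 appended lines come out; the earlier
    # default.ida probe is not reported again.
    second=$(logtail_new_lines "$log" "$off")
    new=$(printf '%s\n' "$second" | wc -l | tr -d ' ')
    hits=$(printf '%s\n' "$second" | scan_violations "$viol" | wc -l | tr -d ' ')
    unusual=$(printf '%s\n' "$second" | filter_ignored "$ign" | wc -l | tr -d ' ')

    rm -rf "$work"
    echo "first=$first new=$new hits=$hits unusual=$unusual"
}

demo
```

Running the script prints `first=3 new=2 hits=1 unusual=1`: the first pass dumps the whole constructed log (the >11mb mail in the question is this effect on a real, never-checked access log), the second pass sees only the two new lines, the violations file flags the cmd.exe request, and the ignore file suppresses the ordinary GET so it does not appear in the "unusual" section. Patterns are plain grep regexes, so a literal dot such as the one in cmd.exe is written as `\.`.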
