David Taveras wrote:
Hello,
We have a site with about 2000 visits per day, and now the logging is
getting extremely hard to review. As security is number one, the ideal
situation for me would be to be able to classify the output into
groups so that I as a sysadmin can be aware of all, know if there is an
increase of hits for a particular rule, and most important is to know
when I am getting (or someone has tried) SQL/PHP injected.
I have a script that goes through my error_log and when it finds
entries I class as bad, blocks that IP through pfctl additions to a
block list.
You could do something similar to scan for relevant entries in error
and access logs.
Those entries could be written into appropriate log files for each
"category".
Only you will be able to determine what is of interest and what to ignore.
I only needed a few weeks (but little actual time) to finish tweaking my
'scanner', as I watched the logs.
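A sketch of the kind of scanner described in this reply, written for this thread as an added example (it is not the poster's script): it classifies access-log lines into categories with a small rule set, counts hits per rule so an increase between runs stands out, writes one log file per category, and prints pfctl table additions for repeat offenders. The sample log lines, the category names, the regexes, the `badhosts` table name and the two-strike threshold are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Classify web-server log lines into attack categories, count hits per rule,
write one log file per category, and emit pfctl table additions for repeat
offenders.  Example code written for this thread; not the poster's script."""
import os
import re
import tempfile
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache common log format) for offline testing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 -0700] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2010:13:55:40 -0700] "GET /page.php?file=http://evil.example/shell.txt HTTP/1.1" 404 210
192.0.2.5 - - [10/Oct/2010:13:56:01 -0700] "GET /about.html HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2010:13:56:12 -0700] "GET /index.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2010:13:56:30 -0700] "GET /x.php?cmd=php://input HTTP/1.1" 500 0
192.0.2.5 - - [10/Oct/2010:13:57:00 -0700] "GET /../../etc/passwd HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

# Assumed rule set: category -> {rule_name: pattern}.  Patterns are applied to the
# URL-decoded request line so %20-encoded payloads do not slip past them.
RULES = {
    "sqli": {
        "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
        "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    },
    "php_inject": {
        "remote_include": re.compile(r"=\s*(?:https?|ftp)://", re.I),
        "php_wrapper": re.compile(r"php://(?:input|filter)", re.I),
    },
    "traversal": {
        "dot_dot": re.compile(r"\.\./"),
    },
}


def parse_line(line):
    """Return (client_ip, request) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    return (m.group("ip"), m.group("request")) if m else None


def classify(request):
    """Return every (category, rule) whose pattern matches the decoded request."""
    decoded = unquote_plus(request)
    return [(cat, name) for cat, rules in RULES.items()
            for name, pat in rules.items() if pat.search(decoded)]


def scan(lines):
    """Bucket matching lines by category; count hits per rule and strikes per IP."""
    by_category = defaultdict(list)
    rule_hits = Counter()
    offenders = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, request = parsed
        matches = classify(request)
        for cat, rule in matches:
            by_category[cat].append(line)
            rule_hits[f"{cat}/{rule}"] += 1
        if matches:
            offenders[ip] += 1  # one strike per hostile request, however many rules fired
    return dict(by_category), rule_hits, offenders


def write_category_logs(by_category, directory):
    """Append each category's lines to <directory>/<category>.log; return the paths."""
    paths = []
    for cat, lines in by_category.items():
        path = os.path.join(directory, f"{cat}.log")
        with open(path, "a") as fh:
            for line in lines:
                fh.write(line + "\n")
        paths.append(path)
    return sorted(paths)


def pfctl_commands(offenders, threshold=2, table="badhosts"):
    """pfctl additions for every IP with at least `threshold` strikes (not executed here)."""
    return [f"pfctl -t {table} -T add {ip}"
            for ip, n in sorted(offenders.items()) if n >= threshold]


def rule_increase(current, previous):
    """Rules whose hit count grew since the previous run, mapped to the delta."""
    return {rule: n - previous.get(rule, 0)
            for rule, n in current.items() if n > previous.get(rule, 0)}


if __name__ == "__main__":
    by_cat, hits, bad_ips = scan(SAMPLE_LOG.splitlines())
    outdir = tempfile.mkdtemp(prefix="logcat-")
    for path in write_category_logs(by_cat, outdir):
        print("wrote", path)
    for rule, n in sorted(hits.items()):
        print(f"{n:4d}  {rule}")
    for cmd in pfctl_commands(bad_ips):
        print(cmd)  # pipe into sh once the rules have been tuned
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of the access or error log and persist the previous run's `rule_hits` so `rule_increase` has something to compare against. The pfctl commands assume a table declared in pf.conf, for example `table <badhosts> persist` together with `block in quick from <badhosts>`; print and review them before piping them to a shell, since a rule set this small will produce false positives until it has been tuned against the site's own traffic.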