Tuning syslog analyzing tool

Kenneth Holter kenneho.ndu at gmail.com
Thu Apr 23 13:12:48 UTC 2009


Thanks, I'll give it a read.

On 4/12/09, Marcos Aurelio Rodrigues <deigratia33 at gmail.com> wrote:
>
> I recommend that you read some papers and guides, starting with NIST
>
> http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf.
>
> []s
> Marcos
>
> On Wed, Apr 8, 2009 at 6:24 AM, Kenneth Holter <kenneho.ndu at gmail.com> wrote:
>
> > Hi all.
> >
> >
> > I've set up a loghost that collects and analyzes syslog entries from our
> > linux clients. To analyze the syslog entries we're using swatch, which
> > allows for real-time processing of the entries.
> >
> > What I'd very much like is some advice on which basic syslog entries I
> > should have swatch notify me about. I've already configured swatch to
> > alert me about messages containing words like "error", "fatal", "alert"
> > and a few expressions such as "bad username", but I'm sure I should add
> > more. The most important aspect, as I see it, is configuring swatch to
> > alert me of any security related issues, so any advice on what to watch
> > for here would be greatly appreciated. Maybe someone has a set of
> > (regular) expressions I could incorporate into our setup?
> >
> >
> > Regards,
> > Kenneth Holter
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
>
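
As an added illustration (not code from anyone in this thread), a small Python matcher that applies a few swatch-style "watchfor" expressions to constructed sample syslog lines: the keywords from the original question plus the sshd, sudo and PAM messages a loghost is usually configured to alert on. The hostnames, addresses and user names in the sample log are made up.

```python
import re

# Constructed sample syslog lines (not from the thread), one event per line.
SAMPLE_LOG = """\
Apr 23 13:01:02 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Apr 23 13:01:05 web01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Apr 23 13:02:10 web01 sudo:  deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Apr 23 13:03:00 web01 kernel: EXT3-fs error (device sda1): ext3_lookup: deleted inode referenced
Apr 23 13:04:00 web01 cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
Apr 23 13:05:00 web01 login[1300]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=bob
"""

# Watch rules in the spirit of swatch's "watchfor /regex/" blocks: (name, regex).
# The first two cover the keywords from the question; the rest are the
# standard sshd, sudo and pam_unix message formats worth alerting on.
WATCH_RULES = [
    ("generic-error", re.compile(r"\b(error|fatal|alert)\b", re.I)),
    ("bad-username", re.compile(r"bad username|invalid user", re.I)),
    ("ssh-auth-failure", re.compile(r"sshd\[\d+\]: Failed (password|publickey)")),
    ("ssh-login", re.compile(r"sshd\[\d+\]: Accepted (password|publickey) for (\S+)")),
    ("sudo-to-root", re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")),
    ("pam-auth-failure", re.compile(r"authentication failure;.*user=(\S*)")),
]


def scan(log_text):
    """Return (rule_name, line) for every line that matches a rule.

    A line may match several rules, just as several swatch watchfor
    blocks can fire on the same entry; lines matching nothing are dropped.
    """
    hits = []
    for line in log_text.splitlines():
        for name, rx in WATCH_RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def count_by_rule(hits):
    """Summarise scan() output as {rule_name: number_of_matches}."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Dropping a rule from WATCH_RULES or tightening its regex changes only which lines are reported; the cron line shows how a routine entry passes through unmatched.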