Re: Easy way to get check ipflog for relevant alerts?
> Is there some kind of filter, or nicer interface which check ipflog in
> /var/log/?
>
> It seems there are a lot of alerts in there, but it takes some time to get
> through ones I am not interested in (like 127.0.0.1 alerts).
> Any thoughts?
I like a combination of two things:
logcheck http://www.psionic.com/abacus/logcheck/
Which is a set of shell scripts that can do serious reduction on logs of
any sort. I think someone's working on a proper port, but it's hardly any
work at all to install, compared with the tuning.
Advantage:
It's what Marcus Ranum calls "artificial ignorance,"
e.g. it squawks about *anything* you haven't told it to shut up about.
Disadvantages:
It can generate a *lot* of mail until you get the rules right for
your specific environment.
You have to know egrep pretty well to use it effectively.
It's easy to be too inclusive in a suppression rule, and later
miss things you'd really rather have heard about.
plog http://www.antibozo.net/ogata/webtools/plog.pl
A perl log-summarizer for ipmon.
Advantage:
Does a *very* nice job of summarizing ipmon's output.
Actually decodes all those twisty little ICMP messages.
Disadvantage:
May have an overly generous "high port" catchall category.
I tend to run the raw output of logcheck into my mail, and then run plog on
a section if it interests me, or I can't remember what "icmp 3/13" really
means.
Hope these are of use to you.
-john
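The "artificial ignorance" approach and the "too inclusive suppression rule" pitfall above, as an added illustration that is not logcheck's own code nor anything from the thread: a few constructed ipmon-style log lines (the field layout is approximated, not copied from a real ipmon run), a loose and a tight egrep ignore rule for loopback traffic, and a small ICMP type/code decoder of the kind plog does. The loose rule silences every line containing 127.0.0.1, including a constructed line where a loopback source address arrives on a real interface, which is exactly the sort of thing you would rather hear about; the tight rule only silences genuine loopback-to-loopback traffic.

```sh
#!/bin/sh
# Added example in the spirit of logcheck, not logcheck itself.
# Everything NOT matched by an ignore rule gets reported ("artificial ignorance").

# Constructed sample of ipmon-style lines (format approximated; assumption, not real output).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 host ipmon[123]: 10:00:01.123456 le0 @0:5 b 127.0.0.1,1023 -> 127.0.0.1,53 PR udp len 20 40 IN
Jan 10 10:00:02 host ipmon[123]: 10:00:02.123456 le0 @0:9 b 192.0.2.10,2049 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
Jan 10 10:00:03 host ipmon[123]: 10:00:03.123456 le0 @0:5 b 127.0.0.1,2222 -> 198.51.100.5,111 PR tcp len 20 60 -S IN
Jan 10 10:00:04 host ipmon[123]: 10:00:04.123456 le0 @0:2 b 203.0.113.7 -> 198.51.100.5 PR icmp len 20 84 icmp 3/13 IN
EOF
}

# Ignore-rule files, one egrep pattern per line, as logcheck expects.
RULES_DIR=$(mktemp -d)
# Loose rule: silences ANY line that mentions 127.0.0.1, wherever it appears.
printf '%s\n' '127\.0\.0\.1' > "$RULES_DIR/ignore.loose"
# Tight rule: silences only loopback-to-loopback traffic (source AND destination 127.0.0.1).
printf '%s\n' '127\.0\.0\.1,[0-9]+ -> 127\.0\.0\.1,' > "$RULES_DIR/ignore.tight"

# Lines that survive the ignore rules, i.e. what would land in your mail.
# $1 = name of the rule file inside RULES_DIR.
reported_with() {
    sample_log | grep -E -v -f "$RULES_DIR/$1"
}

# Number of reported lines.
count_with() {
    reported_with "$1" | wc -l | tr -d ' '
}

# Does the constructed "loopback source on le0" line survive the rules?
# A 127.0.0.1 source arriving on a real interface should never be silenced.
spoof_reported_with() {
    reported_with "$1" | grep -E -c '127\.0\.0\.1,[0-9]+ -> 198\.51\.100\.5' || true
}

# Decode a handful of ICMP type/code pairs the way plog does
# (names per RFC 792 / RFC 1812; unknown pairs are echoed as-is).
icmp_name() {
    case "$1" in
        0/0)  echo "echo reply" ;;
        3/0)  echo "dest unreachable: net" ;;
        3/1)  echo "dest unreachable: host" ;;
        3/3)  echo "dest unreachable: port" ;;
        3/13) echo "dest unreachable: communication administratively prohibited" ;;
        8/0)  echo "echo request" ;;
        11/0) echo "time exceeded in transit" ;;
        *)    echo "icmp $1" ;;
    esac
}

echo "== loose rule: $(count_with ignore.loose) line(s) reported, spoofed-loopback line seen: $(spoof_reported_with ignore.loose) =="
reported_with ignore.loose
echo "== tight rule: $(count_with ignore.tight) line(s) reported, spoofed-loopback line seen: $(spoof_reported_with ignore.tight) =="
reported_with ignore.tight
echo "icmp 3/13 means: $(icmp_name 3/13)"
```

The point of the two rule files is the tuning trade-off the post describes: the loose pattern cuts the mail volume fastest, but it also hides the one line in the sample that is out of place. Anchoring a suppression rule on the whole source/destination pair, rather than on a single address, keeps the noise reduction while leaving the odd case visible.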