[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Easy way to get check ipflog for relevant alerts?
> Is there some kind of filter, or nicer interface which check ipflog in
> It seems there is a lot of alerts in there, but it takes some time to get
> through ones i am not interested in (like 127.0.0.1 alerts).
> Any thoughts?
I like a combination of two things:
Which is a set of shell scripts that can do serious reduction on logs of
any sort. I think someone's working on a proper port, but it's hardly any
work at all to install, compared with the tuning.
It's what Marcus Ranum calls "artificial ignorance,"
eg. it squawks about *anything* you haven't told it to shut up about.
It can generate a *lot* of mail until you get the rules right for
your specific environment.
You have to know egrep pretty well to use it effectively.
It's easy to be too inclusive in a suppression rule, and later
miss things you'd really rather have heard about.
A perl log-summarizer for ipmon.
Does a *very* nice job of summarizing ipmon's output.
Actually decodes all those twisty little ICMP messages.
May have an overly generous "high port" catchall category.
I tend to run the raw output of logcheck into my mail, and the run plog on
a section if it interests me, or I can't remember what "icmp 3/13" really
Hope these are of use to you.