[1060] in linux-security and linux-alert archive
Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)
daemon@ATHENA.MIT.EDU (Daniel Roedding)
Sat Aug 24 19:16:56 1996
To: proberts@clark.net (Paul D. Robertson)
Date: Thu, 22 Aug 1996 10:06:14 +0200 (MDT)
From: "Daniel Roedding" <daniel@fiction.pb.owl.de>
Cc: louis@sacc.org.za, JLarmour@origin-at.co.uk, fparato@gti.net,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.GSO.3.95.960820103622.21528A-100000@explorer2> from "Paul D. Robertson" at Aug 20, 96 10:44:11 am
Hi!
Paul D. Robertson:
> There are several Perl packages for managing firewall logs in this regard,
and:
> [REW: Anybody know a name we can tell to the search engines to find
> one of those perl packages?]
A small piece of awk script does this work for me. It takes regexps
from a configuration file and is used in the form
tail -f /var/adm/debug | logfilter <configfile> | log2ticket ...
The syslogd has to be configured to log everything to /var/adm/debug,
logfilter filters out unwanted messages and gives the rest to log2ticket,
which is a small C program that reads stdin and generates trouble
tickets. If messages are coming in to log2ticket, the program waits
up to n seconds (configurable) for further messages to prevent multiple
tickets from being generated in case of a message flood. Every open ticket
has to be closed in a certain time span, otherwise an "escalation procedure"
is started by the ticket management system.
The programs are really simple and should run on a dedicated, "mostly
closed" system that is able to perform worst-case actions on the host
where the log entries are generated (e.g. shutting down inetd services).
This is *not* a complete firewall component, but a kit to build
such.
The sources for all this are less than 20 k. If there's interest
in it, I could write a small installation info and make it FTPable.
Daniel
--
Daniel Roedding daniel@fiction.pb.owl.de INTJ
Padertown City +49-5251-541965 voice, 541334 data http://www.owl.de
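The pipeline Daniel describes (regexps read from a config file to drop noise, then a ticket generator that waits a configurable number of seconds so a message flood yields one ticket, with open tickets escalated after a deadline) is easy to reproduce. The following is an added example, not Daniel's awk/C code: it assumes the filter config lists one regexp per line for messages that should be dropped, and it feeds the filter from a constructed list of (timestamp, line) pairs in place of `tail -f` so the coalescing window can be exercised deterministically.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional

# Constructed filter config (assumed format): one regexp per line naming
# messages that are noise and must NOT open a ticket.
FILTER_CONFIG = r"""
# blank lines and comments are ignored
cron\[\d+\]: \(root\) CMD
sendmail\[\d+\]: .* stat=Sent
"""

# Constructed syslog-style input as (seconds since start, line); not a real capture.
SAMPLE_LOG = [
    (0,  "Aug 22 09:00:00 gw cron[101]: (root) CMD (run-parts /etc/cron.hourly)"),
    (1,  "Aug 22 09:00:01 gw in.telnetd[202]: refused connect from 10.0.0.7"),
    (3,  "Aug 22 09:00:03 gw in.telnetd[203]: refused connect from 10.0.0.7"),
    (5,  "Aug 22 09:00:05 gw in.ftpd[204]: refused connect from 10.0.0.7"),
    (30, "Aug 22 09:00:30 gw sendmail[305]: AAA: to=<x>, stat=Sent"),
    (60, "Aug 22 09:01:00 gw login[406]: FAILED LOGIN 3 FROM ttyp1 FOR root"),
]


def load_rules(config_text: str) -> List[re.Pattern]:
    """Compile every non-blank, non-comment line of the config as a drop rule."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(re.compile(line))
    return rules


def is_wanted(line: str, rules: List[re.Pattern]) -> bool:
    """True if no drop rule matches, i.e. the line deserves a ticket."""
    return not any(r.search(line) for r in rules)


def logfilter(lines: Iterable[str], rules: List[re.Pattern]) -> Iterator[str]:
    """The filter stage: pass through only the wanted lines."""
    return (line for line in lines if is_wanted(line, rules))


@dataclass
class Ticket:
    opened_at: float
    messages: List[str] = field(default_factory=list)
    closed: bool = False


class Log2Ticket:
    """Ticket stage: a message opens a ticket; messages arriving within
    quiet_seconds of the previous one join it instead of opening new ones.
    Tickets still open after escalate_after seconds are flagged for escalation."""

    def __init__(self, quiet_seconds: float, escalate_after: float):
        self.quiet_seconds = quiet_seconds
        self.escalate_after = escalate_after
        self._pending: Optional[Ticket] = None
        self._last_seen = 0.0
        self.tickets: List[Ticket] = []

    def feed(self, line: str, now: float) -> None:
        """Handle one filtered line arriving at time `now` (seconds)."""
        if self._pending is not None and now - self._last_seen > self.quiet_seconds:
            self._emit()                      # burst ended: close out the old ticket
        if self._pending is None:
            self._pending = Ticket(opened_at=now)
        self._pending.messages.append(line)
        self._last_seen = now

    def flush(self, now: float) -> None:
        """Called when the wait timer expires with nothing new on stdin."""
        if self._pending is not None and now - self._last_seen >= self.quiet_seconds:
            self._emit()

    def _emit(self) -> None:
        self.tickets.append(self._pending)
        self._pending = None

    def overdue(self, now: float) -> List[Ticket]:
        """Open tickets past their deadline: input for the escalation procedure."""
        return [t for t in self.tickets
                if not t.closed and now - t.opened_at > self.escalate_after]


def run_pipeline(log, config_text, quiet_seconds=10, escalate_after=1800) -> Log2Ticket:
    """Simulate `tail -f ... | logfilter | log2ticket` over timestamped lines."""
    rules = load_rules(config_text)
    l2t = Log2Ticket(quiet_seconds, escalate_after)
    for t, line in log:
        if is_wanted(line, rules):
            l2t.feed(line, now=t)
    l2t.flush(now=log[-1][0] + quiet_seconds)  # timer expires after the last line
    return l2t


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOG, FILTER_CONFIG)
    for i, t in enumerate(result.tickets, 1):
        print(f"ticket {i} (opened t={t.opened_at}s): {len(t.messages)} message(s)")
        for m in t.messages:
            print("   ", m)
```

With the constructed input, the three refused-connect lines within 10 s collapse into one ticket and the later failed login opens a second, while the cron and sendmail lines never reach the ticket stage. The timestamps are passed in explicitly so the quiet-window logic can be unit-tested; a real `log2ticket` would read stdin with a timeout and call the equivalent of `flush()` when the timer fires.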