Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: important errors to control with swatch

from [Michael Robbert] Network Security [Permanent Link]
Subject: Re: important errors to control with swatch
Date: Tue, 20 Nov 2007 10:48:45 -0700
Maybe this is overkill (or maybe I'm missing the point completely), but wouldn't Splunk ( http://www.splunk.com ) be a good solution, or tool for creating a solution, for this problem?
For those that haven't heard of it, it collects data from many different data sources, syslog being one of them, and provides you with a web based interface to search through them. It allows for complex searches and has the ability to alert on any of the searches. They also have something called SplunkBase, which is a community driven database of what many of these messages mean. It is a commercial product, but they have a free version that will work with up to 500Mb per day of data.
I haven't implemented this myself yet, but I have played around with it and look forward to finding the time to try to really implement it for myself.

Mike Robbert

Hari Sekhon wrote:
I'm also extremely interested in expanding my log watching to include a massive amount of comprehensive pattern matching alerting.

I currently have some but need to expand it. The problem is that this is really a difficult thing to approach because it can only catch known patterns in this fashion. And whitelisting is really not practical in this context as the logs generated are practically infinite and not really able to whitelist them.

I think that there should really be a well maintained project of regexs for this purpose, one official champion for us to build our baselines on... with frequent updates...

Anyone got any ideas or regexs they want to share?

Isaac, you would do well to have things like "I/O Error" for disk problems... "hardware hung"... etc etc, but this list is practically endless, you should look at your logs and decide which ones you'd like to be alerted on.

-h

Hari Sekhon



Isaac Perez Moncho wrote: 
Hello,
I just installed swatch, and used this configuration file for the
checks:
http://www.loganalysis.org/sections/signatures/log-swatch-skendrick.txt

Anyone knows any other common phrase or word that I should find the logs
for hardware and system errors?
Or what you consider important to monitor in the logs?
Thanks


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: important errors to control with swatch, Hari Sekhon
Next by Date:  RE: important errors to control with swatch, Reynold McGuire
Previous by Thread:  Re: important errors to control with swatch, Hari Sekhon
Next by Thread:  Re: important errors to control with swatch, Hari Sekhon
Indexes:  [Date] [Thread] [Top] [All Lists]