[ale] Logcheck vs Logwatch

Dow_Hurst dhurst at mindspring.com
Mon Dec 20 16:00:36 EST 2004


Isn't the enhanced logcheck included with your book on the CD?  Or is it the default logcheck?  If it is, then Aaron could use that as a starting base for customization.
Dow


-----Original Message-----
From: Bob Toxen <bob at verysecurelinux.com>
Sent: Dec 20, 2004 3:47 PM
To: attriel at d20boards.net, Atlanta Linux Enthusiasts <ale at ale.org>
Subject: Re: [ale] Logcheck vs Logwatch

On Mon, Dec 20, 2004 at 11:58:36AM -0500, attriel wrote:
> > 186 messages sent is nothing.  If you had been "hacked to use as a
> > spam relay" you'd see 10,000-1,000,000 messages sent.  Keep an eye
> > on the logs (preferably using Logcheck instead of LogWatch), but I
> > don't see this as evidence of any problems.

> How is Logcheck better than Logwatch?  I'm setting up a system with a
> loghost machine (w/o external access; it accepts ONLY syslog UDP packets,
> on an internal network) and I was looking at logwatch and logcheck (and
> swatch), and decided that logwatch seemed to be a better mechanism for
> getting information and statistics for at least basic filtering, and
> figured anything "unexpected" could be then tracked more manually

I use log file monitoring programs for security monitoring and don't
really care about statistics as there are better indications of compromise.

After using both, especially my enhanced Logcheck a LOT, my opinion is that
LogWatch tells me things that I don't care about, does not explain what it
sees, and fails to tell me important things.

The ONLY value to LogWatch, IMO, is that it gives stats on how many times
someone tries and fails to log in and thus likely is a hacker.  Logcheck
usually will allow me to see this too, though it does not give a count of
a given IP trying to crack a given account name.  Of course, I've
substantially enhanced Logcheck for my use.

> Is logcheck (that's the logsentry one right?) really better?

> --attriel

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale


No sig.
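The difference Bob describes above (Logcheck reporting every unexplained line, LogWatch giving counts of failed logins per attacker) can be illustrated by a small script that does both. This is an added example, not code from the thread, from Logcheck or from LogWatch: the log lines are constructed samples in a syslog-like sshd/sendmail/cron format, and the ignore patterns are hypothetical ones chosen for the sample, not Logcheck's shipped rules.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread or any real host).
SAMPLE_LOG = """\
Dec 20 15:01:02 loghost sshd[4123]: Failed password for root from 203.0.113.5 port 40212 ssh2
Dec 20 15:01:05 loghost sshd[4123]: Failed password for root from 203.0.113.5 port 40213 ssh2
Dec 20 15:01:09 loghost sshd[4130]: Failed password for invalid user admin from 203.0.113.5 port 40220 ssh2
Dec 20 15:02:11 loghost sshd[4140]: Accepted publickey for dow from 192.0.2.10 port 51000 ssh2
Dec 20 15:03:00 loghost sendmail[4201]: j0KK30xx004201: from=<bob@example.com>, size=1024, nrcpts=1
Dec 20 15:04:44 loghost sshd[4155]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Dec 20 15:05:00 loghost cron[4160]: (root) CMD (run-parts /etc/cron.hourly)
"""

# sshd failed-login line; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Logcheck-style ignore rules (hypothetical, written for the sample above):
# a line matching any of these is routine and is NOT reported.
IGNORE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted publickey for \S+ from "),
    re.compile(r"cron\[\d+\]: \(\w+\) CMD "),
]


def count_failed_logins(log_text):
    """LogWatch-style statistic: failed attempts keyed by (source IP, account name)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("user"))] += 1
    return counts


def unexplained_lines(log_text):
    """Logcheck-style filter: every non-empty line that is neither a known-routine
    line nor a failed login (those are summarised by count_failed_logins)."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if FAILED_RE.search(line):
            continue
        if any(p.search(line) for p in IGNORE_PATTERNS):
            continue
        out.append(line)
    return out


def report(log_text, threshold=2):
    """Combine both views: repeated failures per (ip, account) plus unexplained lines."""
    counts = count_failed_logins(log_text)
    repeated = sorted(
        ((ip, user, n) for (ip, user), n in counts.items() if n >= threshold),
        key=lambda t: -t[2],
    )
    return {"repeated_failures": repeated, "unexplained": unexplained_lines(log_text)}


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for ip, user, n in r["repeated_failures"]:
        print(f"{n} failed logins for {user!r} from {ip}")
    for line in r["unexplained"]:
        print("UNEXPLAINED:", line)
```

The point of keeping both functions is the trade-off in the thread: the counter answers "how many times did this IP try this account", while the unexplained-line filter is what surfaces the thing nobody wrote a rule for yet. Every line the filter prints is either a new ignore rule to add or something to investigate.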


