[ale] Logcheck vs Logwatch

Bob Toxen bob at verysecurelinux.com
Mon Dec 20 22:03:54 EST 2004 

On Mon, Dec 20, 2004 at 03:57:44PM -0500, Dow_Hurst wrote:
> Isn't the enhanced logcheck included with your book on the CD?  Or is it
> the default logcheck?  If it is, then Aaron could use that as a starting
> base for customization.
Quite so.  The enhanced logcheck is on the CD in the back of the 2nd Ed.
of my book.
> Dow

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002


> -----Original Message-----
> From: Bob Toxen <bob at verysecurelinux.com>
> Sent: Dec 20, 2004 3:47 PM
> To: attriel at d20boards.net, Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: Re: [ale] Logcheck vs Logwatch
> 
> On Mon, Dec 20, 2004 at 11:58:36AM -0500, attriel wrote:
> > > 186 messages sent is nothing.  If you had been "hacked to use as a
> > > spam relay" you'd see 10,000-1,000,000 messages sent.  Keep an eye
> > > on the logs (preferably using Logcheck instead of LogWatch), but I
> > > don't see this as evidence of any problems.
> 
> > How is Logcheck better than Logwatch?  I'm setting up a system with a
> > loghost machine (w/o external access; it accepts ONLY syslog UDP packets,
> > on an internal network) and I was looking at logwatch and logcheck (and
> > swatch), and decided that logwatch seemed to be a better mechanism for
> > getting information and statistics for at least basic filtering, and
> > figured anything "unexpected" could be then tracked more manually
> I use log file monitoring programs for security monitoring and don't
> really care about statistics as there are better indications of compromise.
> 
> After using both, especially my enhanced Logcheck a LOT, my opinion is that
> LogWatch tells me things that I don't care about, does not explain what it
> sees, and fails to tell me important things.
> 
> The ONLY value to LogWatch, IMO, is that it gives stats on how many times
> someone tries and fails to log in and thus likely is a hacker.  Logcheck
> usually will allow me to see this two though it does not give a count of
> a given IP trying to crack a given account name.  Of course, I've
> substantially enhanced Logcheck for my use.
> 
> > Is logcheck (that's the logsentry one right?) really better?
> 
> > --attriel
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 
> 
> No sig.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list