
Re: [cobalt-security] httpd log analyzer



> I took a look at logcheck.sh, and attempted to add in the
> /var/log/httpd/access file for analysis. Without entering anything in any
> of the ignore files I would

Just for my complete understanding, send me the lines you changed in
logcheck.sh, with a couple of lines above and below the change.

# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
$LOGTAIL /var/log/kernel >> $TMPDIR/check.$$
******* Added to this section???????????
$LOGTAIL /var/log/httpd/access >> $TMPDIR/check.$$

> have expected logcheck to add the complete log of the last 15 minutes.
> Instead it appended the entire (>11 MB) access log file to the email
> message, stretching back a few days. This isn't the behaviour I would
> expect; I can only guess that it could be something to do with the date
> format or position on the line?

I don't recall at the moment, but I think it will do the complete file,
providing the file has never been checked before.

> For completeness I've added a part of the logs below; all of the
> /var/log/xxx files seem to follow the same format, with the date/time
> being at the start of the line.
>
> Am I barking up the wrong tree and being daft? Is there something that I
> have missed?
>
> Ideally, I'd like to scan through the httpd access log and pick out
> certain strings like "cmd.exe", "default.ida", etc. and throw them back,
> whilst ignoring all the legitimate GET and POST entries.

I would add the things you are looking for in the following file:

# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.

VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
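The two behaviours discussed in this exchange, logtail handing back the whole file on its first run and the violations-file pass over an httpd access log, are shown below in a small Python model. This is an added example, not code from logcheck, logtail or either poster; the file names, the patterns beyond "cmd.exe" and "default.ida", and the access-log lines are constructed for illustration. It follows the egrep -i -f violations | egrep -v -f violations.ignore shape of the logcheck pipeline but is not the script itself.

```python
"""Toy model of two pieces of logcheck behaviour: logtail's offset file
(no offset file yet = the whole log is returned) and the violations /
violations.ignore pass.  Added example; not logcheck's own code."""
import os
import re
import tempfile

# Constructed Apache common-log-format lines for illustration only.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [12/Aug/2001:10:15:32 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [12/Aug/2001:10:15:40 +0100] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Aug/2001:10:16:02 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 278',
    '198.51.100.8 - - [12/Aug/2001:10:16:09 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
    # Constructed: a local monitoring probe that would otherwise be reported.
    '127.0.0.1 - - [12/Aug/2001:10:20:01 +0100] "GET /default.ida HTTP/1.0" 404 278',
    '198.51.100.9 - - [12/Aug/2001:10:21:15 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
]

# Patterns the poster wanted to catch (what would go in logcheck.violations).
VIOLATIONS = [r"cmd\.exe", r"default\.ida"]
# Constructed exception, in the role of logcheck.violations.ignore:
# drop violation hits coming from the local host.
VIOLATIONS_IGNORE = [r"^127\.0\.0\.1 "]


def logtail(path, offset_path=None):
    """Return lines appended since the previous call, like logtail does.

    The byte offset of the last read is kept in an offset file.  When that
    file does not exist (first run against a new log) the offset is zero and
    the entire log is returned, which is the behaviour the reply describes.
    If the log is now smaller than the saved offset it was rotated or
    truncated, so reading restarts from the beginning (simplified: real
    logtail also compares inodes)."""
    offset_path = offset_path or path + ".offset"
    try:
        with open(offset_path) as f:
            offset = int(f.read().strip() or 0)
    except FileNotFoundError:
        offset = 0
    size = os.path.getsize(path)
    if offset > size:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    with open(offset_path, "w") as f:
        f.write(str(size))
    return data.decode("utf-8", "replace").splitlines()


def scan_violations(lines, violations, ignore):
    """Model of: egrep -i -f violations | egrep -v -f violations.ignore.

    Case-insensitive match against any violation pattern, then drop the
    matches that also hit an ignore pattern."""
    vio = re.compile("|".join(violations), re.IGNORECASE)
    ign = re.compile("|".join(ignore)) if ignore else None
    hits = [line for line in lines if vio.search(line)]
    if ign is not None:
        hits = [line for line in hits if not ign.search(line)]
    return hits


def demo(workdir=None):
    """Write the first four sample lines, run the check twice, append two
    more lines and run it a third time.  Returns the three hit lists."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "access")
    with open(path, "w") as f:
        f.write("\n".join(SAMPLE_ACCESS_LOG[:4]) + "\n")
    # First run: no offset file, so the whole log is read and scanned.
    first = scan_violations(logtail(path), VIOLATIONS, VIOLATIONS_IGNORE)
    # Second run with nothing appended: logtail returns no lines at all.
    second = scan_violations(logtail(path), VIOLATIONS, VIOLATIONS_IGNORE)
    with open(path, "a") as f:
        f.write("\n".join(SAMPLE_ACCESS_LOG[4:]) + "\n")
    # Third run: only the two new lines are read; the 127.0.0.1 one is ignored.
    third = scan_violations(logtail(path), VIOLATIONS, VIOLATIONS_IGNORE)
    return first, second, third


if __name__ == "__main__":
    for label, hits in zip(("first", "second", "third"), demo()):
        print(label, "run:", len(hits), "violation(s)")
        for h in hits:
            print("   ", h)
```

Keep the violation patterns anchored to the request path where possible (here the "/" before default.ida and the "cmd.exe" file name); a bare substring like "ida" would match ordinary GET requests and defeat the point of the ignore file.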