
[cobalt-security] [RaQ4] Good logchecker.ignore file for RaQ4i



Hi,

I've set up logchecker to, well, check my logs. After setting up, I got a
lot of reports, especially about the system (swatch?) opening and closing
various services. I got them out using the logcheck.ignore file, by adding
lines like

..:00:0.*proftpd.* \(localhost\[127\.0\.0\.1\]\) - FTP session opened
..:00:0.*proftpd.* \(localhost\[127\.0\.0\.1\]\) - FTP session closed
..:15:0.*proftpd.* \(localhost\[127\.0\.0\.1\]\) - FTP session opened

etc.
to only filter out the lines at the expected times from the expected hosts
etc.

But still I get a lot of messages which are not very threatening to me,
like:

Jan 29 10:17:37 server01 sshd[20088]: Accepted rsa for admin from <ipadres> port <portadres>

The problem here is that this is interesting information if someone else
logged on as admin at that time.

Other lines state stuff like: user so and so used pop, user so and so used
ftp etc. etc.

My thought is: these lines (except maybe for the line concerning admin
logons) are only interesting if they concern a failed logon. Of course the
problem with all log output is that if there is too much "usual stuff" in
it, you forget to look for the strange stuff.

So that's why I'm looking for a good logchecker.ignore file for my RaQ 4i.
If someone has thought about which lines should, and which should not be
reported just to get all the high risk warnings, I would be grateful if
(s)he would elaborate on this.

Thanks,
Jelmer Jellema
-----------------------------------------------------------------
  Jelmer Jellema - Spin in het Web
  www.spininhetweb.nl
  Spin in het Web: All The Strings In Hand
-----------------------------------------------------------------

Spin in het Web is the producer of:
www.visinhetnet.nl: Not The Latest News
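A worked example, added here as an illustration and not part of Jelmer's message or of logcheck itself: a small Python filter that applies logcheck-style rules over a few constructed log lines. It follows the ordering logcheck uses (lines matching the "always report" patterns are kept before any ignore rule is consulted, then ignore rules drop the routine lines, and whatever is left is reported). The log lines, hostnames, PIDs and IP addresses are all made up, and the idea of pinning the "Accepted rsa for admin" line to one assumed admin workstation address (192.0.2.10) is an assumption made for the example; it answers the concern above that an admin login is only noise when it comes from where the admin normally sits.

```python
import re

# Constructed sample log lines (made up for this example; hostnames, IPs and
# PIDs are not real and not taken from the original post).
SAMPLE_LOG = """\
Jan 29 10:00:02 server01 proftpd[1201]: server01 (localhost[127.0.0.1]) - FTP session opened.
Jan 29 10:00:03 server01 proftpd[1201]: server01 (localhost[127.0.0.1]) - FTP session closed.
Jan 29 10:17:37 server01 sshd[20088]: Accepted rsa for admin from 192.0.2.10 port 51234
Jan 29 10:21:05 server01 sshd[20102]: Accepted rsa for admin from 198.51.100.77 port 40111
Jan 29 10:22:41 server01 proftpd[1330]: server01 (203.0.113.5[203.0.113.5]) - FTP session opened.
Jan 29 10:30:12 server01 sshd[20150]: Failed password for admin from 198.51.100.77 port 40120
Jan 29 10:31:00 server01 ipop3d[2044]: Login user=alice host=mail.example.net [192.0.2.33]
"""

# Lines that must always be reported, checked before any ignore rule
# (the role logcheck's "hacking"/"violations" pattern files play).
ALWAYS_REPORT = [
    r"Failed password",
    r"authentication failure",
    r"[Ii]nvalid user",
]

# Ignore rules in the style of logcheck.ignore.  Each one pins the expected
# time window, expected source and expected account, so anything outside that
# envelope is still reported.  Dots inside addresses are escaped: a bare '.'
# in a regex matches any character, which makes the rule broader than intended.
IGNORE = [
    r"..:00:0.*proftpd.* \(localhost\[127\.0\.0\.1\]\) - FTP session opened",
    r"..:00:0.*proftpd.* \(localhost\[127\.0\.0\.1\]\) - FTP session closed",
    # Admin logins are only routine from the one workstation the admin uses
    # (192.0.2.10 is an assumed address); a login from anywhere else is reported.
    r"sshd\[[0-9]+\]: Accepted rsa for admin from 192\.0\.2\.10 port [0-9]+$",
    # Successful POP logins by ordinary users are noise; failures are caught above.
    r"ipop3d\[[0-9]+\]: Login user=[a-z0-9_]+ host=",
]


def classify(line, always_report=ALWAYS_REPORT, ignore=IGNORE):
    """Return ('report', reason) or ('ignore', pattern) for one log line."""
    for pat in always_report:
        if re.search(pat, line):
            return "report", "always: " + pat
    for pat in ignore:
        if re.search(pat, line):
            return "ignore", pat
    return "report", "no ignore rule matched"


def filter_log(text, always_report=ALWAYS_REPORT, ignore=IGNORE):
    """Return the lines that would end up in the report, in original order."""
    return [
        line for line in text.splitlines()
        if line.strip() and classify(line, always_report, ignore)[0] == "report"
    ]


def explain(text, always_report=ALWAYS_REPORT, ignore=IGNORE):
    """Map each line to its decision and the rule behind it.  Useful when tuning
    an ignore file: you can see exactly which rule swallowed a line."""
    return {
        line: classify(line, always_report, ignore)
        for line in text.splitlines() if line.strip()
    }


if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG):
        print(line)
```

On the sample above the report contains three lines: the admin login from an address other than the admin workstation, the FTP session opened from an outside host at an unexpected time, and the failed password. The two localhost FTP lines at the expected minute and the ordinary POP login are dropped. The `explain` helper is the check to run before trusting a new ignore rule: feed it a day of real logs and confirm that every dropped line was dropped by the rule you meant, not by one that turned out to be too broad.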