Old data but still useful prolly:

http://www.securityportal.com/lasg/logging/

Psionic Logcheck

Psionic Logcheck will go through the messages file (and others) on a regular basis (invoked via crontab usually) and email out a report of any suspicious activity. It is easily configurable with several 'classes' of items: active penetration attempts, which it screams about immediately, bad activity, and activity to be ignored (for example DNS server statistics or SSH rekeying). Psionic Logcheck is available from: http://www.psionic.com/abacus/logcheck/.

colorlogs

colorlogs will color code log files, allowing you to easily spot suspicious activity. Based on a config file it looks for keywords and colors the lines (red, cyan, etc.). It takes input from STDIN, so you can use it to review log files quickly (by using "cat", "tail" or other utilities to feed the log file through the program). You can get it at: http://www.resentment.org/projects/colorlogs/.

WOTS

WOTS collects log files from multiple sources and will generate reports or take action based on what you tell it to do. WOTS looks for regular expressions you define and then executes the commands you list (mail a report, sound an alert, etc.). WOTS requires you have Perl installed and is available from: http://www.vcpc.univie.ac.at/~tc/tools/.

swatch

swatch is very similar to WOTS, and the log files configuration is very similar. You can download swatch from: ftp://ftp.stanford.edu/general/security-tools/swatch/.

There are others too, but I need to update that page.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
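The three-class triage described for Logcheck above, sketched as an added example (not Logcheck's own code and not part of the original message). The patterns and log lines are constructed; the match order and the "unusual" bucket for unmatched lines are assumptions.

```python
import re

# Constructed patterns for illustration; not Logcheck's shipped keyword files.
# Assumed order: attack, then bad, then ignore, so that an over-broad ignore
# pattern can only hide lines that nothing more serious has already claimed.
RULES = [
    ("attack", [r"attackalert", r"FAILED LOGIN \d+ FROM \S+ FOR root"]),
    ("bad", [r"authentication failure", r"promiscuous mode"]),
    ("ignore", [r"named\[\d+\]: (XSTATS|NSTATS|USAGE)",
                r"sshd\[\d+\]: (Generating new \d+ bit RSA key"
                r"|RSA key generation complete)"]),
]
COMPILED = [(name, [re.compile(p, re.I) for p in pats]) for name, pats in RULES]


def classify(line):
    """Return the first class whose patterns match, else 'unusual'."""
    for name, patterns in COMPILED:
        if any(p.search(line) for p in patterns):
            return name
    return "unusual"  # assumption: unmatched lines are still reported


def build_report(lines):
    """Group lines for the mailed report; ignored lines are dropped."""
    report = {"attack": [], "bad": [], "unusual": []}
    for line in lines:
        cls = classify(line)
        if cls != "ignore":
            report[cls].append(line)
    return report


# Constructed sample of a messages file.
SAMPLE_LOG = [
    "Mar  3 04:12:01 host named[211]: XSTATS 920433721 920347321 RR=4 RNXD=0",
    "Mar  3 04:15:44 host sshd[902]: Generating new 768 bit RSA key.",
    "Mar  3 04:20:10 host login[1033]: FAILED LOGIN 3 FROM 192.0.2.7 FOR root, "
    "Authentication failure",
    "Mar  3 04:22:30 host su[1200]: pam_unix authentication failure; user=alice",
    "Mar  3 04:30:00 host kernel: eth0: Promiscuous mode enabled.",
    "Mar  3 04:31:12 host inetd[301]: telnet/tcp: bind: Address already in use",
]

if __name__ == "__main__":
    for section, entries in build_report(SAMPLE_LOG).items():
        print(f"== {section} ({len(entries)}) ==")
        for entry in entries:
            print("  " + entry)
```

The root login failure matches both an attack and a bad-activity pattern; evaluating the attack class first keeps it in the section that gets immediate attention.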