Hi there,

I'm trying to get rid of non-vital logging info, with the aid of logsurfer. The accent is not on mailing suspicious stuff, more on keeping logfiles manageably small. However I find the docs that come with logsurfer inadequate, quite confusing even. I had hoped for more examples... Can anyone here share [parts of] his/her logsurfer.conf for clarity and/or as examples?

The way to "ignore" certain messages is clear and simple, so is the way to alert when something evil is happening. What I don't really understand is how the "context" rules work. Let's say for instance I'd like to get rid of the 'named' starting messages:

Oct 30 16:21:09 hostname named[16988]: starting (/etc/named.conf). [...]
Oct 30 16:21:09 hostname named[16988]: hint zone "" (IN) loaded (serial 0)
Oct 30 16:21:09 hostname named[16988]: master zone "localhost" (IN) [...]
Oct 30 16:21:09 hostname named[16988]: master zone "0.0.127.in-addr.arpa"
Oct 30 16:21:09 hostname named[16988]: master zone "foobar" (IN) [...]
Oct 30 16:21:09 hostname named[16988]: master zone "8.9.10.in-addr.arpa"
Oct 30 16:21:09 hostname named[16988]: listening on [10.9.8.7].53 (eth8)
Oct 30 16:21:09 hostname named[16988]: Forwarding source address [...]
Oct 30 16:21:09 hostname named[16989]: Ready to answer queries.

In that case we'd like a rule that, if it sees a 'named .* starting (/etc/named.conf)', will open a context (and eventually ignore all inside) for all following rules from the same PID, UNLESS there is a '.* rejected due to errors .*' statement in one of those lines.

My problem is, A) I don't know how to implement this, and B) this is not safe because it could drop other types of, possibly fatal, errors. Yet the only alternative is "make 1 rule per line".
Not only is that quite a mess and a LOT of work, but it makes it impossible to look at the context to see whether a message is benign or not; "With invalid flags" sounds like a serious warning, but looking at the context it's just 1 line out of many when squid is attempting to start.

Oct 29 18:17:24 hostname squid[950]: 0 With invalid flags.

Does anyone have relevant experience(s) with logsurfer that he/she is willing to share and/or discuss here (or off-list if perhaps perceived off-topic)? Maybe even agree on a generic "safe_to_use" (...) ruleset for SuSE machines?

Any help or comments are greatly appreciated,

Maarten

--
Maarten J. H. van den Berg ~~//~~ network administrator
van Boetzelaer van Bemmel - Amsterdam - The Netherlands
http://vbvb.nl T+31204233288 F+31204233286 G+31651994273
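The context behaviour Maarten describes (open on the 'starting' line, collect the following lines from the same PID, drop them all at the end unless a 'rejected due to errors' line turned up) is what logsurfer's open/close rules model. The following is an added Python example written for this thread, not logsurfer itself and not code from any of the posters; it reimplements the idea so the mechanics are visible, and goes one step beyond the request to cover Maarten's point B: a line inside the context that is not on a whitelist of known-benign start-up messages also causes the whole context to be reported rather than silently dropped. The whitelist patterns, the line-limit safeguard, and the sample log are assumptions; the sample lines are constructed from the ones quoted in the post, with the 'rejected due to errors' and pid-file lines invented to exercise the failure paths.

```python
"""Context-style log suppression, modelled on logsurfer open/close rules.

A context is opened by a trigger line (named's "starting ..."), collects the
following lines from the same host/program/PID, and is closed by a terminator
("Ready to answer queries"), a line limit, or end of input.  On close the
lines are dropped only if every one of them matched the benign whitelist; a
"rejected due to errors" line, or any line not on the whitelist, causes the
whole context to be reported so the reviewer sees the odd line with its
surroundings instead of in isolation.  (Added example; not logsurfer code.)
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

OPEN_RE = re.compile(r'^starting \(')
CLOSE_RE = re.compile(r'^Ready to answer queries')
FAIL_RE = re.compile(r'rejected due to errors')
# Assumed whitelist of benign named start-up messages (from the post's lines).
BENIGN_RES = [re.compile(p) for p in (
    r'^starting \(',
    r'^(hint|master|slave) zone "[^"]*" \(IN\)',
    r'^listening on \[',
    r'^Forwarding source address',
    r'^Ready to answer queries',
)]


class Context:
    def __init__(self, line):
        self.lines = [line]     # everything seen in this context, in order
        self.reasons = []       # non-empty => report instead of drop


def filter_log(text, max_context_lines=50):
    """Return {'passed': [...], 'reported': [(reasons, lines), ...], 'dropped': n}."""
    passed, reported = [], []
    dropped = 0
    contexts = {}

    def close(key, ctx, extra_reason=None):
        nonlocal dropped
        if extra_reason:
            ctx.reasons.append(extra_reason)
        if ctx.reasons:
            reported.append((ctx.reasons, ctx.lines))
        else:
            dropped += len(ctx.lines)
        contexts.pop(key, None)

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            passed.append(line)             # unparseable: never drop blindly
            continue
        key, msg = (m['host'], m['prog'], m['pid']), m['msg']
        ctx = contexts.get(key)
        if ctx is None:
            if m['prog'] == 'named' and OPEN_RE.search(msg):
                contexts[key] = Context(line)   # open a new context
            else:
                passed.append(line)             # outside any context
            continue
        ctx.lines.append(line)
        if FAIL_RE.search(msg):
            ctx.reasons.append('fatal: ' + msg)
        elif not any(p.search(msg) for p in BENIGN_RES):
            ctx.reasons.append('unexpected: ' + msg)
        if CLOSE_RE.search(msg):
            close(key, ctx)
        elif len(ctx.lines) >= max_context_lines:
            close(key, ctx, 'line limit reached without terminator')

    for key, ctx in list(contexts.items()):
        close(key, ctx, 'context still open at end of input')
    return {'passed': passed, 'reported': reported, 'dropped': dropped}


# Constructed sample input (hostnames, PIDs and the two failure lines are made up).
SAMPLE_LOG = """\
Oct 30 16:21:09 hostname named[16988]: starting (/etc/named.conf).
Oct 30 16:21:09 hostname named[16988]: hint zone "" (IN) loaded (serial 0)
Oct 30 16:21:09 hostname named[16988]: master zone "localhost" (IN) loaded (serial 1)
Oct 30 16:21:09 hostname named[16988]: listening on [10.9.8.7].53 (eth8)
Oct 30 16:21:09 hostname named[16988]: Ready to answer queries.
Oct 30 16:21:10 hostname sshd[2001]: Accepted publickey for root from 10.9.8.1
Oct 30 16:22:00 hostname named[17001]: starting (/etc/named.conf).
Oct 30 16:22:00 hostname named[17001]: master zone "foobar" (IN) rejected due to errors
Oct 30 16:22:00 hostname named[17001]: Ready to answer queries.
Oct 30 16:23:00 hostname named[17050]: starting (/etc/named.conf).
Oct 30 16:23:00 hostname named[17050]: couldn't open pid file '/var/run/named.pid'
Oct 30 16:23:00 hostname named[17050]: Ready to answer queries.
"""

if __name__ == '__main__':
    result = filter_log(SAMPLE_LOG)
    print('dropped %d benign context lines' % result['dropped'])
    for reasons, lines in result['reported']:
        print('REPORT (%s):' % '; '.join(reasons))
        print('\n'.join('  ' + l for l in lines))
```

Running it drops the five lines of the clean start-up, passes the sshd line through untouched, and reports the other two contexts in full: the one containing the 'rejected due to errors' line and the one containing a message the whitelist does not know. Note the sample closes each context on a line with the same PID as the trigger; in the post the final "Ready to answer queries" comes from PID 16989, so a real rule set would need a looser key, a timeout, or the line limit to close the context.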
Maarten J H van den Berg wrote on Tue, 30 Oct 2001 17:08:42 +0100:
Can anyone here share [parts of] his/her logsurfer.conf for clarity and/or as examples?
I'd like to second that request! I tried to get into logsurfer, but its flexibility brings complexity as well. Having some real-life examples would really help.

Thanks in advance,

Jochen

--
----------------------------------------------------------------
*Jochen Lillich*, Dipl.-Inform. (FH)
Consultant/Trainer @ /TeamLinux GbR/
Tel. +49 7255 76784-12 http://www.teamlinux.de
----------------------------------------------------------------
On Sat, Nov 24, 2001 at 04:01:53PM +0100, Jochen Lillich wrote:
Maarten J H van den Berg wrote on Tue, 30 Oct 2001 17:08:42 +0100:
Can anyone here share [parts of] his/her logsurfer.conf for clarity and/or as examples?
I'd like to second that request! I tried to get into logsurfer, but its flexibility brings complexity as well. Having some real-life examples would really help.
Try http://www.swobspace.de/ext/firewall/contrib/logsurfer/logsurfer.conf
It's a German homepage, sorry, but downloading the config file is better than posting.
wob