MONITOR LOGS WITH LOGSURFER+

A number of tools exist for monitoring log files. One well-known and commonly used tool is swatch, which can send out alerts based on certain strings that show up in a log file. Because of some of its limitations, developers created another tool called LogSurfer. Based on swatch, LogSurfer is considerably more powerful. LogSurfer+ is a version of LogSurfer that adds even more capabilities.

Setting up LogSurfer+ can take a little work because you need to create rules that are relevant to your network. To begin, download the tool from the LogSurfer and LogSurfer+ Resources Web page; then compile and install it.

http://www.crypt.gen.nz/logsurfer/

After installation, you can begin creating rules. Each rule pairs a regular expression with an action you assign, such as "ignore," "exec" (run a program), "rule" (dynamically create a new rule), and more. Here's a simple example of a rule to ignore log messages of "last message repeated xx times":

    'last message repeated' - - - 0 ignore

Here's the opening line of a rule that matches an ssh login:

    '^.{15,} (.*) sshd\[.* session opened for user (.*)' - - - 0

The variables you see (i.e., $2, $4, etc.) stand for matched regular expressions. So $2 corresponds to the second matched regexp and $4 corresponds to the fourth matched regexp, which in this rule correspond to the machine name and username in the matched log line. This is an example of a rule that creates a new context rule.

LogSurfer+ can be a little difficult to set up initially, especially if you're unfamiliar with regular expressions. For other samples and in-use rules, check out emf's LogSurfer configuration Web page, which contains a number of example rules.

http://www.obfuscation.org/emf/logsurfer.html
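As an added illustration (not code from the original column, and not LogSurfer's own implementation), the following Python sketch models how rules of the kind shown above are applied: an ignore rule, a rule that dynamically creates a per-session context rule by substituting matched groups into a template, and a first-match-wins pass over a few constructed log lines. The sample log lines, the variable numbering ($1, $2 by capture group) and the "alert" action standing in for "exec" are assumptions of this model, not LogSurfer's documented behaviour.

```python
import re

# Constructed sample log lines (not from the original page).
SAMPLE_LOG = [
    "Mar  3 10:01:02 host1 sshd[2211]: session opened for user alice",
    "Mar  3 10:01:03 host1 last message repeated 3 times",
    "Mar  3 10:02:00 host2 sshd[2215]: session opened for user bob",
    "Mar  3 10:05:30 host1 sshd[2211]: session closed for user alice",
    "Mar  3 10:06:00 host1 sshd[2211]: Failed password for root from 10.0.0.5",
]

class Rule:
    """Match regex plus action: ("ignore",), ("alert",) (stands in for exec),
    or ("rule", template, action) to create a new rule from the matched line."""
    def __init__(self, pattern, action):
        self.regex = re.compile(pattern)
        self.action = action

def expand(template, match):
    """Replace $1..$9 with the match's capture groups (assumption: this toy numbers
    variables by capture group). Values are regex-escaped so a hostname or
    username containing metacharacters cannot change the generated rule."""
    return re.sub(r"\$(\d)", lambda m: re.escape(match.group(int(m.group(1)))), template)

def process(lines, rules):
    """Run lines through the rules; first match wins. Returns (alerts, rules)."""
    rules, alerts = list(rules), []
    for line in lines:
        for rule in rules:
            m = rule.regex.search(line)
            if not m:
                continue
            if rule.action[0] == "rule":          # dynamically create a context rule
                _, template, action = rule.action
                rules.insert(0, Rule(expand(template, m), action))
            elif rule.action[0] == "alert":
                alerts.append(line)
            break
        else:
            alerts.append("UNMATCHED: " + line)  # nothing covered it: worth a look
    return alerts, rules

RULES = [
    Rule(r"last message repeated", ("ignore",)),
    # On "session opened", create a rule ignoring the matching "session closed"
    # line for the same host and user; anything else from sshd stays visible.
    Rule(r"^.{15,} (.*) sshd\[.* session opened for user (.*)",
         ("rule", r"^.{15,} $1 sshd\[.* session closed for user $2", ("ignore",))),
    Rule(r"sshd\[.*\]: Failed password", ("alert",)),
]

def run_sample():
    return process(SAMPLE_LOG, RULES)
```

Running run_sample() leaves only the failed-password line as an alert; the two session-opened lines each add a context rule, so five rules are live at the end.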