[ale] Logcheck vs Logwatch
Bob Toxen
bob at verysecurelinux.com
Mon Dec 20 15:51:07 EST 2004
On Mon, Dec 20, 2004 at 11:58:36AM -0500, attriel wrote:
> > 186 messages sent is nothing. If you had been "hacked to use as a
> > spam relay" you'd see 10,000-1,000,000 messages sent. Keep an eye
> > on the logs (preferably using Logcheck instead of LogWatch), but I
> > don't see this as evidence of any problems.
> How is Logcheck better than Logwatch? I'm setting up a system with a
> loghost machine (w/o external access; it accepts ONLY syslog UDP packets,
> on an internal network) and I was looking at logwatch and logcheck (and
> swatch), and decided that logwatch seemed to be a better mechanism for
> getting information and statistics for at least basic filtering, and
> figured anything "unexpected" could be then tracked more manually
I use log file monitoring programs for security monitoring and don't
really care about statistics as there are better indications of compromise.
After using both, especially my enhanced Logcheck a LOT, my opinion is that
LogWatch tells me things that I don't care about, does not explain what it
sees, and fails to tell me important things.
The ONLY value to LogWatch, IMO, is that it gives stats on how many times
someone tries and fails to log in and thus likely is a hacker. Logcheck
usually will allow me to see this too, though it does not give a count of
a given IP trying to crack a given account name. Of course, I've
substantially enhanced Logcheck for my use.
> Is logcheck (that's the logsentry one right?) really better?
> --attriel
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
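The two approaches contrasted in this thread (logcheck-style filtering that reports every line not explicitly ignored, versus logwatch-style per-IP/per-account failed-login counts) can be shown side by side on a few sample lines. The script below is an added example written for this archive page; it is not code from Logcheck, LogWatch, or Bob's enhanced version. The log lines are constructed, the ignore/attack patterns are assumptions about the classic syslog/sshd format, and the function names are hypothetical.

```python
"""Logcheck-style log filtering plus a per-(IP, account) failed-login count.

Added example for the thread above; not taken from Logcheck or LogWatch.
The log lines are constructed sample data in the usual syslog/sshd format,
and the regexes are assumptions about that format, not either tool's rules.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not from any real host in the thread).
SAMPLE_LOG = """\
Dec 20 11:40:01 loghost sshd[4121]: Failed password for root from 203.0.113.7 port 51324 ssh2
Dec 20 11:40:03 loghost sshd[4121]: Failed password for root from 203.0.113.7 port 51326 ssh2
Dec 20 11:40:05 loghost sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51330 ssh2
Dec 20 11:41:10 loghost sshd[4130]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Dec 20 11:42:00 loghost CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)
Dec 20 11:43:17 loghost sendmail[4150]: iBKGhH04150: to=<bob@example.org>, stat=Sent
Dec 20 11:44:02 loghost sshd[4160]: Failed password for alice from 198.51.100.9 port 60001 ssh2
"""

# Routine noise, in the spirit of logcheck's "ignore" files (assumed patterns).
IGNORE = [
    re.compile(r"CRON\[\d+\]: \(\w+\) CMD "),
    re.compile(r"sendmail\[\d+\]: .* stat=Sent"),
]

# Lines that must always be reported, in the spirit of logcheck's "violations".
ATTACK = [
    re.compile(r"Failed password for"),
    re.compile(r"invalid user"),
]

# Extracts the account and source IP from an sshd failed-login line.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def filter_lines(text):
    """Logcheck-style triage: (attack lines, other non-ignored lines).

    Anything matching ATTACK is reported first; anything else that matches
    no IGNORE pattern is reported as unusual. Only ignored lines are dropped,
    so a new, unexpected message is never silently lost.
    """
    attack, unusual = [], []
    for line in text.splitlines():
        if any(p.search(line) for p in ATTACK):
            attack.append(line)
        elif not any(p.search(line) for p in IGNORE):
            unusual.append(line)
    return attack, unusual


def failed_login_counts(text):
    """Logwatch-style statistic: failed logins keyed by (source IP, account).

    This is the count the thread says plain Logcheck does not provide.
    """
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[(m.group("ip"), m.group("user"))] += 1
    return counts


def report(text):
    """Combine both views into one plain-text report."""
    attack, unusual = filter_lines(text)
    out = []
    if attack:
        out.append("Security violations:")
        out.extend("  " + line for line in attack)
    if unusual:
        out.append("Unusual events:")
        out.extend("  " + line for line in unusual)
    counts = failed_login_counts(text)
    if counts:
        out.append("Failed logins per (source IP, account):")
        for (ip, user), n in sorted(counts.items(), key=lambda kv: -kv[1]):
            out.append(f"  {ip} -> {user}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run as-is it prints the three failed-login lines and the invalid-user attempt under "Security violations", the successful key login under "Unusual events" (not ignored, so still shown), and a count of 2 for root from 203.0.113.7. The important design point is the default in `filter_lines`: lines are dropped only when they match an explicit ignore rule, which is what lets a log checker surface things nobody thought to write a rule for.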