Bugtraq mailing list archives

Re: syslog idea


From: jlacour () usr com (John LaCour)
Date: Fri, 07 Oct 94 09:42:54 CDT


[The hobbit sez...]

This brought to mind the idea of a "syslog monitor", or a process that would 
just hang out someplace and stat the various log files periodically,
using some mechanism to warn of excessive size, mysterious shrinkage, and 
maybe some other warning signs.

While you're at it, let's write a program to monitor the syslog monitor.  In case
anyone kills it, sends it signals, its pid changes, etc.

Another idea is to find out how the intruders are getting in (or getting root) 
and plug those holes.

I suppose a program similar to the monitor program would be nice for measuring 
system performance and the like - probably that's what 'watcher' is intended for.

If you're really concerned about intruders messing with your files, use tripwire
or something like that.  Of course, tripwire may not be ideal for dynamic files 
like pacct and lastlog, but alas your binaries are more important than your 
logs.

John
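
The log monitor idea quoted in this message, as an added example that is not part of the original post: a Python poller that stats each log file and warns on excessive size, shrinkage of the same inode, replacement, or disappearance. The log paths, the 50 MiB threshold and the 60-second interval are assumptions.

```python
import os
import time

MAX_BYTES = 50 * 1024 * 1024  # assumed threshold for "excessive size"

def snapshot(path):
    """Return (inode, size) for path, or None if it cannot be stat'ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_ino, st.st_size)

def compare(path, prev, cur, max_bytes=MAX_BYTES):
    """Compare two snapshots of one log file and return a list of warnings."""
    warnings = []
    if cur is None:
        if prev is not None:
            warnings.append(f"{path}: file disappeared")
        return warnings
    if prev is not None:
        if cur[0] != prev[0]:
            # New inode: rotated or replaced, so sizes are not comparable.
            warnings.append(f"{path}: replaced (inode {prev[0]} -> {cur[0]})")
        elif cur[1] < prev[1]:
            # Same inode, fewer bytes: truncated or edited in place.
            warnings.append(f"{path}: shrank from {prev[1]} to {cur[1]} bytes")
    if cur[1] > max_bytes:
        warnings.append(f"{path}: excessive size ({cur[1]} bytes)")
    return warnings

def poll(paths, state, max_bytes=MAX_BYTES):
    """Stat every path once, update state in place, return all warnings."""
    warnings = []
    for path in paths:
        cur = snapshot(path)
        warnings += compare(path, state.get(path), cur, max_bytes)
        state[path] = cur
    return warnings

if __name__ == "__main__":
    logs = ["/var/log/messages", "/var/log/auth.log"]  # assumed paths
    state = {}
    while True:
        for warning in poll(logs, state):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), warning)
        time.sleep(60)  # assumed polling interval
```

A legitimate log rotation shows up as "replaced", so that warning needs to be matched against the rotation schedule.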


