[no subject]
<li><em>date</em>: Mon Dec 20 15:51:07 2004</li>
<li><em>from</em>: bob at verysecurelinux.com (Bob Toxen)</li>
<li><em>in-reply-to</em>: <<a href="msg00667.html">[email protected]</a>></li>
<li><em>references</em>: <[email protected]> <<a href="msg00651.html">[email protected]</a>> <<a href="msg00667.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] Logcheck vs Logwatch</li>
> How is Logcheck better than Logwatch? I'm setting up a system with a
> loghost machine (w/o external access; it accepts ONLY syslog UDP packets,
> on an internal network) and I was looking at logwatch and logcheck (and
> swatch), and decided that logwatch seemed to be a better mechanism for
> getting information and statistics for at least basic filtering, and
> figured anything "unexpected" could be then tracked more manually
I use log file monitoring programs for security monitoring and don't
really care about statistics as there are better indications of compromise.
After using both, especially my enhanced Logcheck a LOT, my opinion is that
LogWatch tells me things that I don't care about, does not explain what it
sees, and fails to tell me important things.
The ONLY value to LogWatch, IMO, is that it gives stats on how many times
someone tries and fails to log in and thus likely is a hacker. Logcheck
usually will allow me to see this too, though it does not give a count of
a given IP trying to crack a given account name. Of course, I've
substantially enhanced Logcheck for my use.
> Is logcheck (that's the logsentry one right?) really better?
> --attriel
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
<a rel="nofollow" href="http://www.verysecurelinux.com">http://www.verysecurelinux.com</a> [Network&Linux/Unix security consulting]
<a rel="nofollow" href="http://www.realworldlinuxsecurity.com">http://www.realworldlinuxsecurity.com</a> [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
</pre>
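<p>The two behaviours compared in the message above, Logcheck-style pattern filtering (suppress "expected" lines, always surface attack lines, show whatever is left as unexpected) and the Logwatch-style count of failed logins per source IP and account, can be combined in a few dozen lines. The block below is an added example for this archive page, not code from the original post, from Logcheck/LogSentry or from Logwatch; the ignore and attack patterns, the function names and the syslog lines are all constructed for illustration and would need to be tuned to a real loghost's traffic.</p>

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original post or a real host).
SAMPLE_LOG = """\
Dec 20 15:40:01 loghost sshd[4211]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Dec 20 15:40:03 loghost sshd[4211]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Dec 20 15:40:05 loghost sshd[4213]: Failed password for root from 192.0.2.10 port 51030 ssh2
Dec 20 15:40:09 loghost sshd[4220]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Dec 20 15:41:00 loghost CRON[4301]: (root) CMD (run-parts /etc/cron.hourly)
Dec 20 15:41:30 loghost sshd[4330]: Failed password for bob from 203.0.113.5 port 60001 ssh2
Dec 20 15:42:00 loghost kernel: martian source 10.0.0.1 from 203.0.113.9, on dev eth0
Dec 20 15:43:00 loghost su[4400]: pam_unix(su:session): session opened for user root by bob(uid=1000)
"""

# Logcheck-style "ignore" patterns (assumed, illustrative): lines matching these are
# routine and are suppressed from the report.
IGNORE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from "),
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.\w+\)"),
]

# Logcheck-style "attack" patterns (assumed, illustrative): always reported, even if
# an ignore pattern would also match.
ATTACK_PATTERNS = [
    re.compile(r"Failed password for"),
    re.compile(r"martian source"),
]

# Extracts account and source IP from an sshd failed-password line; the optional
# "invalid user " prefix is consumed so that the account name is captured cleanly.
FAILED_LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def logcheck_filter(lines):
    """Split lines into (attacks, unexpected).

    attacks:    lines matching any ATTACK_PATTERNS (checked first).
    unexpected: lines matching neither ATTACK_PATTERNS nor IGNORE_PATTERNS,
                i.e. what Logcheck would report for a human to look at.
    Lines matching only an ignore pattern are dropped.
    """
    attacks, unexpected = [], []
    for line in lines:
        if any(p.search(line) for p in ATTACK_PATTERNS):
            attacks.append(line)
        elif not any(p.search(line) for p in IGNORE_PATTERNS):
            unexpected.append(line)
    return attacks, unexpected


def failed_login_counts(lines):
    """Logwatch-style statistic: failed ssh logins per (source IP, account)."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN_RE.search(line)
        if m:
            counts[(m["ip"], m["user"])] += 1
    return counts


def suspicious_sources(counts, threshold):
    """Source IPs whose total failures across all accounts reach the threshold."""
    per_ip = Counter()
    for (ip, _user), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def report(text, threshold=3):
    """Run both views over a block of syslog text and return them together."""
    lines = text.splitlines()
    attacks, unexpected = logcheck_filter(lines)
    counts = failed_login_counts(lines)
    return {
        "attacks": attacks,
        "unexpected": unexpected,
        "counts": counts,
        "suspicious": suspicious_sources(counts, threshold),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print("ATTACK lines:")
    for line in r["attacks"]:
        print("  " + line)
    print("UNEXPECTED lines:")
    for line in r["unexpected"]:
        print("  " + line)
    print("Failed logins per (ip, account):")
    for (ip, user), n in sorted(r["counts"].items()):
        print(f"  {ip:15} {user:10} {n}")
    print("Sources at/over threshold:", r["suspicious"])
```

<p>On the constructed input, the attack bucket holds the five failed-password and martian lines, the su-to-root line lands in "unexpected" because no pattern claims it, and the counter shows 192.0.2.10 hitting two accounts three times in total. The ordering matters: attack patterns are tested before ignore patterns, so an over-broad ignore rule cannot silently swallow a known-bad line.</p>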
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00679" href="msg00679.html">[ale] Logcheck vs Logwatch</a></strong>
<ul><li><em>From:</em> barry at alltc.com (Barry Hawkins)</li></ul></li>
</ul></li></ul>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00634" href="msg00634.html">[ale] Hacked to spam??</a></strong>
<ul><li><em>From:</em> johnmills at speakeasy.net (John Mills)</li></ul></li>
<li><strong><a name="00651" href="msg00651.html">[ale] Hacked to spam??</a></strong>
<ul><li><em>From:</em> bob at verysecurelinux.com (Bob Toxen)</li></ul></li>
<li><strong><a name="00667" href="msg00667.html">[ale] Logcheck vs Logwatch</a></strong>
<ul><li><em>From:</em> attriel at d20boards.net (attriel)</li></ul></li>
</ul></li></ul>
</body>
</html>