[c-nsp] Any good filters for syslog output (Tuc at T-B-O-H)

Andy Saykao andy.saykao at staff.netspace.net.au
Wed Dec 17 18:32:31 EST 2008


You can use OSSEC (http://www.ossec.net/) to monitor your log files for
you. It's pretty easy to set up and then you can set up your own custom
filters like below. When OSSEC finds a match in the log it will email
you.

For example we have OSSEC monitoring a few syslog messages like:

<rule id="100002" level="3">
    <match>%SEC-6-IPACCESSLOG</match>
    <description>Unauthorized access.</description>
</rule>

<rule id="100003" level="10">
    <match>Privilege level set to 15</match>
    <description>User has entered enable mode.</description>
</rule>

Hope that helps.

Cheers.

Andy
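As an added illustration of how the two rules above behave (example code, not from the post or from the OSSEC project), the script below loads the rules in OSSEC's local_rules.xml layout and runs them over constructed Cisco IOS syslog lines; the sample hosts, addresses and log text are made up for the example.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed rule set: the two rules from the post, inside the <group> wrapper
# that OSSEC requires in local_rules.xml.
RULES_XML = """<group name="local,cisco,">
  <rule id="100002" level="3">
    <match>%SEC-6-IPACCESSLOG</match>
    <description>Unauthorized access.</description>
  </rule>
  <rule id="100003" level="10">
    <match>Privilege level set to 15</match>
    <description>User has entered enable mode.</description>
  </rule>
</group>"""

# Constructed sample lines in Cisco IOS syslog format (documentation address ranges).
SAMPLE_LOGS = [
    "Dec 17 18:30:01 rtr1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4444) -> 198.51.100.5(22), 1 packet",
    "Dec 17 18:31:12 rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:show run",
    "Dec 17 18:31:13 rtr1 1236: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by admin on vty0 (203.0.113.7)",
    "Dec 17 18:32:00 rtr1 1237: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up",
]

Rule = namedtuple("Rule", "rule_id level match description")

def load_rules(xml_text):
    """Parse <rule> elements. A plain-string <match> in OSSEC is a substring test,
    so '%SEC-6-IPACCESSLOG' also catches the IPACCESSLOGP/IPACCESSLOGDP variants."""
    root = ET.fromstring(xml_text)
    return [Rule(r.get("id"), int(r.get("level")), r.findtext("match"), r.findtext("description"))
            for r in root.iter("rule")]

def evaluate(log_line, rules):
    """Return the highest-level rule whose <match> text occurs in the line, else None."""
    hits = [r for r in rules if r.match in log_line]
    return max(hits, key=lambda r: r.level) if hits else None

def alerts(log_lines, rules, min_level=1):
    """Apply an alert threshold like OSSEC's: only rules at or above min_level alert."""
    result = []
    for line in log_lines:
        rule = evaluate(line, rules)
        if rule is not None and rule.level >= min_level:
            result.append((rule.rule_id, rule.level, rule.description, line))
    return result

if __name__ == "__main__":
    for rule_id, level, desc, line in alerts(SAMPLE_LOGS, load_rules(RULES_XML)):
        print(f"[rule {rule_id}, level {level}] {desc}: {line}")
```

Raising min_level to 7 keeps only the enable-mode rule (level 10), which is the kind of threshold you would use to decide what actually gets emailed.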



