eim wrote:
> * logcheck (System Log Analyzer)
> * snort (Intrusion Detection System)
> * ippl (IP protocols logger)
The only application of those three I use is logcheck, and it does require tuning. Here's what I've done (using logcheck/testing):

Made two new files, /etc/logcheck/ignore.local and /etc/logcheck/violations.ignore.local. Soft-linked them into /etc/logcheck/ignore.d and /etc/logcheck/violations.ignore.d respectively. As logcheck traffic comes in, if there's stuff I could go without being notified about I'll add regexps to ignore.local or violations.ignore.local to weed them out.

It's an ongoing/tuning process, but within a couple of days I've pruned out the redundant messages (like netsaint's monitors or ntpdate adjusting the clock in increments of less than a second) and I get logcheck mail maybe once a week even though I check every hour. I've also tweaked logcheck to change the subject line to differentiate between 'unusual', 'possible violation' and 'possible attack', so I can defer reading the merely unusual warnings.

I've been getting logcheck mail more ever since Pacific-Rim and East European users have been trying to ftp to or nfs-mount from my machine (even though I don't have these services running). I considered pruning that out, but I actually want to know so I can block the responsible ISPs on my firewall -- yet another (t|pr)uning process.

I tried running portsentry, but see my above message about too many false positives.
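As an added example (not the poster's own files), here is the ignore.local approach from the message above tried out in a scratch directory against constructed sample syslog lines, so a new regexp can be checked before it is linked into ignore.d; the two regexps, the netsaint message format and the scratch ignore.d layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a local logcheck ignore file
# tried out against constructed sample syslog lines before it is linked into
# /etc/logcheck/ignore.d.  logcheck drops every line matching any regexp in
# the ignore.d files (egrep -v); this mimics that in a scratch directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/ignore.d"

# Anchor each regexp on the full syslog prefix and daemon name so it cannot
# silence an unrelated message that merely contains the same words.
SYSLOG='^[A-Za-z]{3} [ :0-9]{11} [._[:alnum:]-]+ '
cat > "$WORK/ignore.local" <<EOF
${SYSLOG}ntpdate\[[0-9]+\]: adjust time server [0-9.]+ offset -?0\.[0-9]+ sec\$
${SYSLOG}netsaint\[[0-9]+\]: HOST ALERT: [^;]+;UP;
EOF
# Same layout as the post: the local file is symlinked into ignore.d.
ln -s "$WORK/ignore.local" "$WORK/ignore.d/ignore.local"

# Constructed sample lines: two noise lines that should be dropped, one
# ftp probe and one large clock step that must still be reported.
SAMPLE_LOG='Jan  5 03:17:01 hostbox ntpdate[1234]: adjust time server 192.0.2.10 offset 0.031422 sec
Jan  5 03:17:05 hostbox netsaint[410]: HOST ALERT: webhost;UP;HARD;1;PING OK
Jan  5 03:18:41 hostbox in.ftpd[1300]: connect from 198.51.100.77
Jan  5 03:19:02 hostbox ntpdate[1250]: step time server 192.0.2.10 offset 12.503 sec'

# Apply every file in an ignore.d directory the way logcheck does:
# lines matching any pattern are dropped, the rest are what gets mailed.
filter_log() {  # usage: filter_log IGNORE_DIR < logfile
    cat "$1"/* > "$WORK/patterns"
    grep -E -v -f "$WORK/patterns" || true
}

# Lines that would still reach the logcheck mail for the sample above.
reported_lines() {
    printf '%s\n' "$SAMPLE_LOG" | filter_log "$WORK/ignore.d"
}

reported_lines
```

Only the sub-second ntpdate adjustment and the netsaint UP notice are dropped; the ftp connection and the 12-second clock step still get reported.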