
List:       sentry
Subject:    [Abacus] logcheck - collecting login information
From:       Robert Wagner <rwagner () shelton-tech ! com>
Date:       2000-09-22 17:51:11

I am interested in having the information in /var/log/secure sent to me with
the hourly alerts.  The log file has entries in it like:

Sep 18 09:50:22 tone in.telnetd[17560]: connect from 192.168.1.126
Sep 18 09:50:26 tone in.fingerd[17563]: connect from 192.168.1.126

Since we don't have people logging into the system on a regular basis, this
information is an ALERT to me.  (I don't think many people would want this
detail - POP3 users hitting their mail server or regular login information).

I already have logcheck sending me the regular information every hour.  Can
I just add "connect from" to the logcheck.violations file?  Since it appears
the user already has the password to connect, I still want to get their IP
information.  They may even have access to erase the log files - so I need
these sent to me as opposed to staying on the system.

Redhat 6.2, Logcheck 1.1.1
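
An added example, not part of the original message and not logcheck's own code: a keyword list plus an ignore list applied with grep -f to the two entries quoted above and two constructed lines. It assumes the violations file is used as case-insensitive grep patterns whose matches are then filtered through an ignore list; the function names, the temp-directory file layout, and the `ipop3d` and `PAM_pwdb` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: keyword list + ignore list applied with grep -f.
# Assumption: this models a violations/ignore filter; it is not logcheck's script.

# make_sample DIR: write a sample log and two pattern files into DIR.
make_sample() {
    # First two lines are the entries quoted in the message; the rest are constructed.
    cat > "$1/secure" <<'EOF'
Sep 18 09:50:22 tone in.telnetd[17560]: connect from 192.168.1.126
Sep 18 09:50:26 tone in.fingerd[17563]: connect from 192.168.1.126
Sep 18 09:51:02 tone ipop3d[17570]: connect from 192.168.1.40
Sep 18 09:52:10 tone PAM_pwdb[17580]: (login) session opened for user alice by (uid=0)
EOF
    # Trailing blank line is deliberate: as a grep pattern it matches every line.
    printf 'connect from\n\n' > "$1/violations"
    # Constructed ignore entry: drop the POP3 daemon's connects.
    printf 'ipop3d\n' > "$1/violations.ignore"
}

# flag_violations LOG KEYWORDS IGNORE: print LOG lines that match a keyword
# (case-insensitive) and do not match any ignore pattern.
flag_violations() {
    work=$(mktemp -d) || return 1
    # Strip blank patterns so one stray empty line cannot flag (or hide) everything.
    grep -v '^[[:space:]]*$' "$2" > "$work/kw" || true
    grep -v '^[[:space:]]*$' "$3" > "$work/ig" || true
    grep -i -f "$work/kw" "$1" | grep -v -f "$work/ig" || true
    rm -rf "$work"
}

# Stand-alone run: show what would be reported for the sample log.
dir=$(mktemp -d) && make_sample "$dir" &&
    flag_violations "$dir/secure" "$dir/violations" "$dir/violations.ignore"
rm -rf "$dir"
```

Only the telnetd and fingerd lines are printed: the POP3 connect is removed by the ignore entry, and the session line never matches the keyword.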
