From owner-freebsd-hackers Wed Feb 19 02:26:39 1997
Return-Path: <owner-hackers@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA16503 for hackers-outgoing; Wed, 19 Feb 1997 02:26:39 -0800 (PST)
Received: from perki0.connect.com.au (perki0.connect.com.au [192.189.54.85]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA16498 for <hackers@freebsd.org>; Wed, 19 Feb 1997 02:26:33 -0800 (PST)
Received: from nemeton.UUCP (Unemeton@localhost) by perki0.connect.com.au with UUCP id VAA13707 (8.7.6h/IDA-1.6); Wed, 19 Feb 1997 21:26:30 +1100 (EST)
X-Authentication-Warning: perki0.connect.com.au: Unemeton set sender to giles@nemeton.com.au using -f
Received: from localhost.nemeton.com.au (localhost.nemeton.com.au [127.0.0.1]) by nemeton.com.au (8.8.5/8.8.5) with SMTP id VAA19543; Wed, 19 Feb 1997 21:25:37 +1100 (EST)
Message-Id: <199702191025.VAA19543@nemeton.com.au>
To: Michael Smith
cc: hackers@freebsd.org
Subject: Re: License to kill annoying syslog feature?
In-reply-to: <199702190339.OAA09285@genesis.atrad.adelaide.edu.au>
Date: Wed, 19 Feb 1997 21:25:37 +1100
From: Giles Lean
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 19 Feb 1997 14:09:33 +1030 (CST) Michael Smith wrote:

> 1) Only log stuff to the 'wildcard' file entry if it hasn't matched another
>    rule already.
>
> or
>
> 2) Add another meta-config entry like !, say %, which implies that

I've seen (2) done somewhere, sometime.  Probably on a security-related
site, but my brain is not working too well right now and won't cough up
the location.  (If you've a cool change there in Adelaide, please SEND
IT ON!)

I prefer (2) since it is obviously different when looking at syslog.conf.

Rather than patch syslogd I usually solve the problem by logging most
everything and only looking at stuff that swatch picks out for me.  I've
a cleaned-up, re-written swatch that I use for this that is careful about
reaping zombies:

    http://www.nemeton.com.au/software.html

The 'logsurfer' program from the German (?) CERT team looks a better bet
still; it can handle multiline messages and "remember" what is happening.
For logsurfer go and search at:

    http://www.cert.dfn.de/

(I can't find a URL less than three lines long to cut and paste ... grr.)

Regards,

Giles
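The two proposals quoted above, and the "log everything, then filter" habit Giles describes, are easier to compare with a small model of syslog.conf selector matching. The following Python is an added example written for this archive page; it is not code from Giles, from swatch, or from FreeBSD's syslogd. It uses stock selector semantics (a `facility.level` selector takes that level and everything more severe; `*` is any facility or level; `none` excludes a facility; later selectors on a line override earlier ones). The `%` prefix is an assumed stand-in for option (2) and is not real syslogd syntax; the configuration, log messages and file names are constructed for the demonstration.

```python
"""Model of syslog.conf selector matching, comparing three ways a
catch-all entry can be treated:

  * stock behaviour: every rule that matches a message gets a copy, so a
    '*.*' file duplicates everything the specific files already have;
  * option (1) from the thread: a '*.*' rule is a fallback that only gets
    messages no other rule matched (wildcard_is_fallback=True);
  * option (2) from the thread: a rule marked with a leading '%' (assumed
    syntax, not real syslogd) is a fallback whatever its selector says.

Also includes a swatch-style regex filter over the resulting log lines.
Configuration, messages and paths below are constructed sample data.
"""
import re

# Standard syslog severities, most severe first, and the classic facilities.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]


def parse_selectors(field):
    """Return {facility: least-severe level index accepted, or None}.

    'mail.info;auth,authpriv.*;kern.none' -> mail up to info, auth/authpriv
    everything, kern nothing.  Later selectors override earlier ones for
    the same facility, as syslogd does."""
    wanted = {}
    for sel in field.split(";"):
        facs, _, lvl = sel.rpartition(".")
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in FACILITIES:
                raise ValueError("unknown facility: " + fac)
            if lvl == "none":
                wanted[fac] = None
            elif lvl == "*":
                wanted[fac] = len(LEVELS) - 1
            else:
                wanted[fac] = LEVELS.index(lvl)  # ValueError on a bad level
    return wanted


def parse_conf(text):
    """Parse 'selectors<whitespace>action' lines into rule dicts.

    A leading '%' marks the rule as a fallback (assumed option-(2) syntax).
    'catchall' records whether the selector accepts every facility at
    every level, i.e. is equivalent to '*.*'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marked = line.startswith("%")
        if marked:
            line = line[1:].lstrip()
        selectors, action = line.split(None, 1)
        wanted = parse_selectors(selectors)
        catchall = all(wanted.get(f) == len(LEVELS) - 1 for f in FACILITIES)
        rules.append({"wanted": wanted, "action": action.strip(),
                      "marked": marked, "catchall": catchall})
    return rules


def matches(rule, facility, level):
    """True if the rule's selectors accept (facility, level)."""
    max_idx = rule["wanted"].get(facility)
    return max_idx is not None and LEVELS.index(level) <= max_idx


def route(rules, messages, wildcard_is_fallback=False):
    """Deliver (facility, level, text) messages; return {action: [text]}.

    Fallback rules ('%'-marked, or catch-all when wildcard_is_fallback is
    set) are consulted only for messages no ordinary rule accepted."""
    def is_fallback(r):
        return r["marked"] or (wildcard_is_fallback and r["catchall"])

    out = {r["action"]: [] for r in rules}
    for facility, level, text in messages:
        taken = False
        for r in rules:
            if not is_fallback(r) and matches(r, facility, level):
                out[r["action"]].append(text)
                taken = True
        if not taken:
            for r in rules:
                if is_fallback(r) and matches(r, facility, level):
                    out[r["action"]].append(text)
    return out


def pick(lines, patterns):
    """swatch-style filter: keep only lines matching one of the regexes."""
    compiled = [re.compile(p) for p in patterns]
    return [ln for ln in lines if any(c.search(ln) for c in compiled)]


# Constructed sample configuration; the '%' line uses the assumed marker.
CONF = """\
mail.info                      /var/log/maillog
auth.*                         /var/log/authlog
*.notice;mail.none;kern.none   /var/log/messages
*.*                            /var/log/all.log
%*.err                         /var/log/unhandled-errors
"""

# Constructed sample messages as (facility, level, text).
MESSAGES = [
    ("mail", "info",   "sendmail[123]: stat=Sent"),
    ("auth", "notice", "login: ROOT LOGIN (root) ON ttyv0"),
    ("kern", "err",    "ad0: hard error reading fsbn 1234"),
    ("cron", "debug",  "cron[456]: (root) CMD (periodic daily)"),
]

if __name__ == "__main__":
    rules = parse_conf(CONF)
    for mode in (False, True):
        print("wildcard_is_fallback =", mode)
        for action, lines in route(rules, MESSAGES, mode).items():
            print("  %-26s %s" % (action, lines))
    print("swatch-style picks:",
          pick(route(rules, MESSAGES)["/var/log/all.log"],
               [r"ROOT LOGIN", r"hard error"]))
```

With stock semantics `/var/log/all.log` receives all four messages, duplicating what `maillog`, `authlog` and `messages` already hold, which is the annoyance the thread is about. With `wildcard_is_fallback=True` it receives only the kernel error and the cron debug line, the two messages nothing else wanted, and the `%`-marked rule picks up just the kernel error. The `pick` call shows the alternative Giles prefers: leave the catch-all noisy and let a swatch-style filter pull out the lines worth reading.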