Date: Wed, 19 Feb 1997 21:25:37 +1100
From: Giles Lean <giles@nemeton.com.au>
To: Michael Smith <msmith@atrad.adelaide.edu.au>
Cc: hackers@freebsd.org
Subject: Re: License to kill annoying syslog feature?
Message-ID: <199702191025.VAA19543@nemeton.com.au>
In-Reply-To: <199702190339.OAA09285@genesis.atrad.adelaide.edu.au>

On Wed, 19 Feb 1997 14:09:33 +1030 (CST) Michael Smith wrote:

> 1) Only log stuff to the 'wildcard' file entry if it hasn't matched another
> rule already.
>
> or
>
> 2) Add another meta-config entry like !, say %, which implies that

I've seen (2) done somewhere, sometime. Probably on a security related
site but my brain is not working too well right now and won't cough up
the location. (If you've a cool change there in Adelaide, please SEND
IT ON!)

I prefer (2) since it is obviously different when looking at
syslog.conf.

Rather than patch syslogd I usually solve the problem by logging most
everything and only looking at stuff that swatch picks out for me.
I've a cleaned up re-written swatch that I use for this that is
careful about reaping zombies:

    http://www.nemeton.com.au/software.html

The 'logsurfer' program from the German (?) CERT team looks a better
bet still; it can handle multiline messages and "remember" what is
happening. For logsurfer go and search at:

    http://www.cert.dfn.de/

(I can't find a URL less than three lines long to cut and paste ...
grr.)

Regards,

Giles

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702191025.VAA19543>