Log analyzer that will report curious behavior?
Donovan
12-20-2000, 11:28 AM
Hi, is there a log analyzer that will report weird and abnormal behavior?
For example, I had someone trying to do some weird stuff on my web server, making several queries per second for one hour. This is the kind of behavior I would like to be notified of without having to go through my huge access.log.
Thanks,
Donov
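An added example of the check the question describes, written for this page and not posted by anyone in the thread (the thread itself names only tools, and the one home-grown script mentioned later was Perl). It assumes the web server writes Common Log Format (`host ident user [timestamp] "request" status size`), that the file is in chronological order as a live access.log is, and it flags any client host that sends more than a threshold of requests inside a short sliding window, reporting when the bursting started and stopped and how many of its responses were errors. The sample lines, the hosts (RFC 5737 documentation ranges) and the `/probeN` paths are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access.log excerpt (Common Log Format). Hosts are from the
# RFC 5737 documentation ranges and the /probeN paths are made up; this is not a
# real log from the thread. One line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2000:10:00:01 +0100] "GET / HTTP/1.0" 200 2326
203.0.113.7 - - [20/Dec/2000:10:00:04 +0100] "GET /logo.gif HTTP/1.0" 200 512
this line is not in Common Log Format and must be skipped
192.0.2.44 - - [20/Dec/2000:10:15:30 +0100] "GET /probe1 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:30 +0100] "GET /probe2 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:30 +0100] "GET /probe3 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:30 +0100] "GET /probe4 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:31 +0100] "GET /probe5 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:31 +0100] "GET /probe6 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:15:31 +0100] "GET /probe7 HTTP/1.0" 404 204
198.51.100.9 - - [20/Dec/2000:10:15:32 +0100] "GET /index.html HTTP/1.0" 200 1840
192.0.2.44 - - [20/Dec/2000:10:15:33 +0100] "GET /index.html HTTP/1.0" 200 1840
192.0.2.44 - - [20/Dec/2000:10:16:40 +0100] "GET /probe8 HTTP/1.0" 404 204
192.0.2.44 - - [20/Dec/2000:10:16:40 +0100] "GET /probe9 HTTP/1.0" 404 204
203.0.113.7 - - [20/Dec/2000:10:20:15 +0100] "GET /news.html HTTP/1.0" 200 3011
"""

# host ident user [timestamp] "request" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_clf(line):
    """Parse one Common Log Format line into (host, timestamp, request, status),
    or return None if the line does not match (never raise on a bad line)."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    host, ts, request, status, _size = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return host, when, request, int(status)


def find_bursts(lines, window_seconds=2, threshold=5):
    """Flag every host that makes more than `threshold` requests inside any
    sliding window of `window_seconds` (the log is assumed chronological).
    Returns {host: summary} for flagged hosts only; summary holds total
    requests, error responses (status >= 400), the peak count seen in one
    window, and when the bursting started and stopped."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "peak": 0,
                                 "first_burst": None, "last_burst": None})
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue              # malformed line: skip it rather than abort the run
        host, ts, _request, status = rec
        s = stats[host]
        s["requests"] += 1
        if status >= 400:
            s["errors"] += 1
        q = recent[host]
        q.append(ts)
        while ts - q[0] >= window:   # evict timestamps that fell out of the window
            q.popleft()
        s["peak"] = max(s["peak"], len(q))
        if len(q) > threshold:
            if s["first_burst"] is None:
                s["first_burst"] = ts
            s["last_burst"] = ts
    return {h: s for h, s in stats.items() if s["peak"] > threshold}


def report(bursts, window_seconds=2):
    """Render one line per flagged host, busiest first."""
    out = []
    for host, s in sorted(bursts.items(), key=lambda kv: -kv[1]["peak"]):
        out.append(f"{host}: peak {s['peak']} requests in {window_seconds}s, "
                   f"{s['requests']} requests total ({s['errors']} with status >= 400), "
                   f"bursting {s['first_burst']:%H:%M:%S} to {s['last_burst']:%H:%M:%S}")
    return out


if __name__ == "__main__":
    for line in report(find_bursts(SAMPLE_LOG.splitlines())):
        print(line)
```

On the sample above only 192.0.2.44 is reported: seven requests inside one two-second window, nine of its ten responses were errors, which is what a scanner walking a list of paths looks like. Run it from cron against the rotated file, or pipe `tail -f access.log` into it, and mail the output whenever `report()` returns anything; the window and threshold are the knobs to tune against your normal traffic so a busy but legitimate page does not trip it. Two caveats: grouping by client address lumps every user behind one NAT or proxy into a single "host", and a scanner spread across many addresses will stay under a per-host threshold, so this is a cheap first alarm rather than a complete answer.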
Letalis
12-20-2000, 12:23 PM
Yep. Actually there are lots of them - search at freshmeat.net or write one of your own...
Donovan
12-21-2000, 01:23 PM
Don't you have a specific example?
Thanks,
Donov
Strike
12-21-2000, 03:54 PM
Tripwire, Snort... seriously, there are plenty, and you will have to go and decide which is right for you anyway, so the best advice is to just check out http://freshmeat.net for logging tools.
TheLinuxDuck
12-21-2000, 04:24 PM
Originally posted by Strike:
Tripwire, Snort... seriously, there are plenty, and you will have to go and decide which is right for you anyway, so the best advice is to just check out http://freshmeat.net for logging tools.
If I'm not mistaken, Tripwire is a file integrity checker, not a log parsing tool. Doesn't it keep a check of all the files on your system, and let you know if any of them have been modified?
And, isn't snort a packet sniffer? Doesn't it tell you who is trying to access what based on what config options you set?
I've never used tripwire, and I have installed and am playing with snort.. I don't really understand it very well, so maybe I'm just way off on both of those..
Hmm...
------------------
TheLinuxDuck
Wait... that's a penguin?!?!?
:wq
Donovan
12-21-2000, 04:30 PM
Yes, it appears Tripwire is a file integrity checker and Snort a packet sniffer.
What I'm looking for is something that will analyze my access.log to report any curious behavior...
It's not the same.
Do you know any?
Thanks,
Donov
TheLinuxDuck
12-21-2000, 04:37 PM
I wish I did know something to tell you.. I basically just wrote myself a simple log analysis tool in Perl. It's nothing fancy.. it basically just looks through a log file and displays the lines I told it not to ignore.
It's better than sorting through a ton of log lines, but it's not very smart.. it won't detect any odd behavior or remember results. It's just a basic type of thing.
Have you been to freshmeat? Maybe you can find the names of some various log analyzers and ask people here about specific ones, to see if anyone else is using them...
------------------
TheLinuxDuck
Wait... that's a penguin?!?!?
:wq
iDxMan
12-21-2000, 08:45 PM
There was/is something called logcheck which did 'stuff' with your daily logs. I can't remember exactly, but I thought it looked through logs, did md5 checks and other miscellaneous things, then emailed the results to you..
or was that just a dream? hhrmm..
-r
Smippity-Smoo
12-21-2000, 09:03 PM
Logcheck is one, but I think there is also a program called webalizer or something. It has usage statistics and claims to be highly customizable, and maybe you could tweak it to send an e-mail to you when the craziness (or whatever it is) starts to happen.
Strike
12-22-2000, 12:56 AM
Ah, a log analyzer... heh, next time I will RTFQ... I was thinking of an activity logger that would monitor suspicious activity, not an analyzer that would report suspicious logs...
Okay, I'm gonna go hide in a dark cave now.. :)