Summary: swatch Suggestions

From: Bob Woodward (bobw@kramer.filmworks.com)
Date: Tue Feb 25 1997 - 15:00:58 CST


I'm really kind of shocked at the limited response I got for this question
from the group. Maybe I was mistaken on how popular swatch is.

Two people have responded with things to monitor, one which gave the kind
of examples I was looking for, the other with generic concept suggestions.
One person suggested that I, instead of swatch, use Big Brother and cited
ease of installation and configuration. (I've been planning on checking
into that, too.) One person asked that I summarize, which I'm pretty sure
I said I would in my original request and am doing so in this message. And
a last person asked what swatch was.

Thank you all 5 for your messages. I hope I still get a few more over the
next few days with specific examples of what they are swatch-ing. People
who responded are:

Ric Anderson <ric@rtd.com>
bshaw@bobasun.spdc.ti.com (Bob Shaw)
"Richard C. Mills" <rmills@atl1.america.net>
Sue Gray <Sue.Gray@unisa.edu.au>
"Coffindaffer, Virginia@MacPO1" <CoffindafferVirginia@wangfed.com>

The 'Big Brother' reference included a URL reference of
http://www.iti.qc.ca/iti/users/sean/

For swatch suggestions, these were the comments (and GREATLY appreciated!)

From authlog:
REPEATED LOGIN FAILURES

From messages:
/su root/ && /succeeded/
/file system full/

From sulog:
/\+/ && /-root/
/\+/
/\s\-\s/

From syslog:
all external connections from outside our domain connecting to our machine

Different information is kept in different machines depending on how your
system is set up. Also what you want to monitor will depend on what is
important for security on your site. Start by looking at the text based
logs in /var/adm/ and /var/log/ - work out what sort of things might be
relevant to look for here. There is also a good postscript document
included with the swatch source that helps as a start to understanding.

I'd suggest monitoring the log from your Uninterruptible Power Supply
unless you already have monitor software to set off alarms if the
power goes bad.

I'd also monitor the TCP wrapper logs to make sure no unauthorized
connections go unnoticed, and the logs from your router, so you
will get notification of line problems (presuming you are on the
end of a Frame Relay or dedicated T1 or T3).

Other possibilities:
        /var/adm/loginlog (see man -s4 loginlog for info).
        /var/adm/messages (scanning for device errors)

Excellent suggestions. Again, thanks.

----------
Bob Woodward, Seattle FilmWorks (bobw@filmworks.com)
Data Processing Department (206) 281-1390 ext. 475

Visit our Web Site to learn about getting your pictures via downloads on
the Internet!
Point your browser to "http://www.filmworks.com".
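The patterns collected above (the "/su root/ && /succeeded/" style shorthand for messages, sulog and authlog) are easier to reason about when you can see them fire against real-looking lines. The following is an added example, not code from the original post or from swatch itself: a minimal Python watcher that applies those exact patterns with the same "all regexes must match" semantics as the "&&" shorthand. The sulog lines follow the Solaris "SU mm/dd hh:mm + tty from-to" layout, where "+" is a successful su and "-" a failed one; the sample log lines and hostnames are constructed for the example and the rule names are my own labels.

```python
import re

# Rules taken from the summary, grouped by log file. Each rule is a label and
# a list of regexes that must ALL match one line (the "&&" in the shorthand).
# Rule order matters only for the order in which hits are reported.
RULES = {
    "messages": [
        ("successful su to root", [r"su root", r"succeeded"]),
        ("file system full", [r"file system full"]),
    ],
    "sulog": [
        ("successful su to root", [r"\+", r"-root"]),   # /\+/ && /-root/
        ("successful su (any user)", [r"\+"]),          # /\+/
        ("failed su attempt", [r"\s-\s"]),              # /\s\-\s/
    ],
    "authlog": [
        ("repeated login failures", [r"REPEATED LOGIN FAILURES"]),
    ],
}


def match_rules(logname, line):
    """Return the labels of every rule for this log whose regexes all match."""
    hits = []
    for label, patterns in RULES.get(logname, []):
        if all(re.search(p, line) for p in patterns):
            hits.append(label)
    return hits


def scan(logname, lines):
    """Scan an iterable of log lines; return (line_no, label, line) per hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for label in match_rules(logname, line):
            findings.append((n, label, line))
    return findings


# Constructed sample lines (hypothetical host "kramer"); not from the post.
SAMPLE_LOGS = {
    "sulog": [
        "SU 02/25 14:58 + pts/3 bobw-root",    # successful su to root
        "SU 02/25 14:59 - pts/4 guest-root",   # failed su to root
        "SU 02/25 15:01 + pts/5 bobw-oper",    # successful su to another user
    ],
    "messages": [
        "Feb 25 15:00:10 kramer su: 'su root' succeeded for bobw on /dev/pts/3",
        "Feb 25 15:00:12 kramer su: 'su root' failed for guest on /dev/pts/4",
        "Feb 25 15:02:00 kramer unix: NOTICE: alloc: /var: file system full",
    ],
    "authlog": [
        "Feb 25 15:03:00 kramer login: REPEATED LOGIN FAILURES ON /dev/pts/4, guest",
    ],
}


if __name__ == "__main__":
    # Report every hit in the form "log:line [rule] original line".
    for logname, lines in SAMPLE_LOGS.items():
        for n, label, line in scan(logname, lines):
            print(f"{logname}:{n} [{label}] {line}")
```

Note that the bare "/\+/" rule fires on every successful su, so the root-specific rule and the generic one both report the first sulog line; in a real swatch configuration you would attach a louder action (mail, bell) to the root case and a quieter one to the generic case rather than drop either pattern.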



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:47 CDT