[Logcheck-devel] Logcheck Talk / Logcheck.org / Pylogcheck

Todd Troxell ttroxell at debian.org
Wed Feb 16 07:48:47 UTC 2005


On Tue, Feb 15, 2005 at 10:35:09AM +0100, maximilian attems wrote:
> On Mon, 14 Feb 2005, Todd Troxell wrote:
> 
> > I thought I'd let you know I'm doing a lightning talk on Logcheck for a
> > local security conference[0].  Marcus Ranum, the guy who originally wrote
> > frequentcheck.sh, on which logcheck was originally based, is going to talk too!
> 
> sounds nice.
> 
> you might want to read the online chapter of
> http://www.oreilly.com/catalog/linuxss2/
> the last chapter has a pointer to logcheck with respect to its design
> limitations.

Awesome, thanks for the pointer.

> > Thirdly, I've been experimenting with logcheck in Python.  I have a _very_
> > experimental but working version in my own CVS[1].  I do not know if you guys
> > like Python, but I am happy to import this into alioth and would welcome
> > contributions if there is interest.  As I said though, at the moment it is
> > very hackish.  My email address is hard coded, and I do not want your logs.
> > <:
> 
> python illiterate myself sorry,
> but it would be nice to have some sort of speed comparison?

My first few runs showed it to be slightly faster than the current logcheck.
With cached regular expressions, assuming this is possible, the time would 
be cut in half.

I'll post more results on this eventually.  So far it's just been something
to play with when I get bored <:

> concerning logtail i still prefer to have it in c,
> but no code here to show yet.

I think this would probably be a good idea, though I'd like to run some
experimental benchmarks on this.  I started writing something like this[0] a
while back, but was so concerned with doing it correctly that I never
actually made it functional <: 

[0] http://cvs.rapidpacket.com/cgi-bin/viewcvs.cgi/clogtail/

> concerning current state could you kick 1.2.35 into sarge this
> weekend?
> would leave us enough time for testing and adding some rule bits.
> the logtail.News item should probably be rewritten a bit?

Yes, sounds like a good plan, and there probably should be changes to
logtail.News.

Cheers,
-- 
[   Todd J. Troxell                                         ,''`.
      Student, Debian GNU/Linux Developer, SysAdmin, Geek  : :' :
      http://debian.org || http://rapidpacket.com/~xtat    `. `' 
                                                             `-     ]
