Subject: pkg/33892: misc/logsurfer: updated version (1.6b) is available
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 07/01/2006 18:55:00
>Synopsis: misc/logsurfer: updated version (1.6b) is available
>Arrival-Date: Sat Jul 01 18:55:00 +0000 2006
>Originator: Sergey Svishchev
From http://www.crypt.gen.nz/logsurfer/ :
Logsurfer+ is a branched version of the standard Logsurfer package from DFN-CERT; it has been modified to add a few features to improve what can be done with it. The following is a list of Logsurfer+ 1.6 features which are in addition to the standard Logsurfer 1.5 release:
* An optional parameter at the end of context definitions (just before action) specifying the minimum number of lines collected which needs to be satisfied before performing the action. This min_lines argument can be used for detecting events such as firewall attacks where we are only interested in events which generate more than x log entries (like packet drops from a single source IP address).
* Added -t command line option to explicitly timeout contexts when exiting, therefore running the action for all contexts. The default is off, so contexts don't all trigger their actions when logsurfer is shut down.
* Changed context rule execution so that we only store lines in a context if the context has an action of 'pipe' or 'report'. In other words, don't store lines in memory which won't ever be used. The number of matching lines in the context is still incremented. This allows contexts to be created which can notify if we don't see an event, such as regular "syslog pings" from hosts.
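The three behaviours listed above (a min_lines threshold on a context's action, contexts whose action is neither pipe nor report keeping only a line count, and the -t style "time out everything on exit") are easy to misread without seeing them run. The following is an added example written for this PR, not Logsurfer+'s own code and not its rule syntax: a toy context monitor with two hard-coded rules, one that opens a per-source-IP context on firewall DROP lines and reports only when at least min_drops lines were collected inside the window, and one that uses a silent exec context to notify when a host's periodic "-- MARK --" syslog ping stops arriving. The log lines, host names, IP addresses, timeouts and action strings are all constructed for the illustration; timestamps are passed in explicitly so the run is deterministic.

```python
"""Toy model of the Logsurfer+ context semantics described in this PR.
Added example; not Logsurfer+ code. Rules, log lines and timeouts are
constructed for illustration. Timestamps are plain seconds passed by the
caller, so no wall-clock is involved."""
import re

# Constructed patterns: a netfilter-style DROP line and a syslogd MARK line.
FW_RE = re.compile(r"DROP .*SRC=(?P<ip>[\d.]+)")
MARK_RE = re.compile(r"^(?P<host>\S+) syslogd: -- MARK --")


class Context:
    def __init__(self, timeout, min_lines, action, now):
        self.expires = now + timeout      # absolute timeout
        self.min_lines = min_lines        # Logsurfer+ min_lines argument
        self.action = action              # (kind, text), kind in report/pipe/exec
        self.count = 0
        self.lines = []
        # Only pipe/report actions ever use the collected lines, so only
        # those store them; other contexts just count matches.
        self.store = action[0] in ("pipe", "report")

    def add(self, line):
        self.count += 1
        if self.store:
            self.lines.append(line)

    def fire(self):
        kind, text = self.action
        if kind in ("report", "pipe"):
            return f"{kind.upper()} {text}: {self.count} lines\n" + "\n".join(self.lines)
        return f"EXEC {text}"


class Monitor:
    def __init__(self, min_drops=5, drop_window=60, mark_interval=1200):
        self.min_drops, self.drop_window = min_drops, drop_window
        self.mark_interval = mark_interval
        self.contexts = {}   # key -> Context
        self.actions = []    # actions that actually ran, in order

    def expire(self, now, force=False):
        """Close contexts whose timeout passed (or all of them when force,
        which models the -t option). The action only runs if the context
        collected at least min_lines matching lines."""
        for key, ctx in list(self.contexts.items()):
            if force or now >= ctx.expires:
                del self.contexts[key]
                if ctx.count >= ctx.min_lines:
                    self.actions.append(ctx.fire())

    def feed(self, now, line):
        self.expire(now)
        m = FW_RE.search(line)
        if m:
            # One context per source IP; report only if >= min_drops lines.
            key = "drop:" + m["ip"]
            if key not in self.contexts:
                self.contexts[key] = Context(
                    self.drop_window, self.min_drops,
                    ("report", f"packet drops from {m['ip']}"), now)
            self.contexts[key].add(line)
            return
        m = MARK_RE.search(line)
        if m:
            # Absence detection: each ping replaces the pending context, so
            # the exec action only runs if no new ping arrives in time.
            key = "mark:" + m["host"]
            self.contexts[key] = Context(
                2 * self.mark_interval, 0,
                ("exec", f"notify: no syslog ping from {m['host']}"), now)
            self.contexts[key].add(line)

    def shutdown(self, now, timeout_all=False):
        """timeout_all=True behaves like -t: every context fires on exit."""
        self.expire(now, force=timeout_all)


# Constructed sample input: (seconds, log line).
DROP = "fw kernel: DROP IN=eth0 SRC={} DST=192.0.2.1 PROTO=TCP DPT=22"
SAMPLE = [(t, DROP.format("203.0.113.9")) for t in range(5)] + [
    (5, DROP.format("198.51.100.7")),        # a single drop, below threshold
    (10, "hostA syslogd: -- MARK --"),
    (10, "hostB syslogd: -- MARK --"),
    (1210, "hostA syslogd: -- MARK --"),     # hostA pings again, hostB goes quiet
    (2500, "hostA syslogd: -- MARK --"),
]


def run(events, **kw):
    mon = Monitor(**kw)
    for ts, line in events:
        mon.feed(ts, line)
    return mon


if __name__ == "__main__":
    mon = run(SAMPLE)
    for a in mon.actions:
        print(a, end="\n\n")
    mon.shutdown(2500, timeout_all=True)   # as with -t: hostA's context fires too
    print(mon.actions[-1])
```

Running it on the sample produces a report for 203.0.113.9 (five drops inside the 60 s window) but nothing for 198.51.100.7 (one drop, under min_drops), and at t=2500 an exec notification for hostB whose last MARK was at t=10. The hostB context holds a count of 1 and no stored lines, since exec contexts never keep text. Without timeout_all the still-open hostA context is silently dropped at shutdown; with it, the exec action runs for that context as well, which is the effect -t has in Logsurfer+.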