
syslog reporting tool

Status
Not open for further replies.

blumie

Technical User
Sep 5, 2002
2
CH
Hello,
I am looking for a tool which evaluates syslog messages. It should be able to recognize attacks, like an IDS does. Contrary to an IDS, it should consider only the syslog messages.
It should have real-time capability and it should support several devices of different types (firewalls, routers etc.) at one time.
At the end, it shows the messages in a web interface, in which all messages can be looked at (divided by device). If there are critical messages it should be able to generate a message (e.g. an SMS, e-mail, ...).

Do you know a suitable tool? Or do you know a way what I can do, or a site where this is described?

Thanks for your help.
Sincerely,
kaspar
 
I don't believe that it will do exactly what you want, but I have used logcheck and logwatch for many years. They are available with many Linux distributions or can be downloaded from sourceforge.net.

They can watch logs and send alerts based on a set of static filters, but they both run from a cron job, which means that a good attacker can get in and modify logging before the cron job runs.

There is an application called Samhain that is event driven, so it is real-time, but it is more of a file integrity checker. I picked it up because it is capable of detecting the installation of an LKM rootkit, but I use it in conjunction with logcheck, not as a replacement.

All should be available at:

pansophic
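One way to get the per-device, rule-based evaluation kaspar asks for, added here as an example that is not from the thread and not code from logcheck, logwatch or Samhain: a small Python filter that parses BSD-style syslog lines, groups them by device, applies static rules with a severity and a hit threshold, and returns the alerts a notifier (e-mail, SMS) would send. The sample lines, rule names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (BSD / RFC 3164 style); not real traffic.
SAMPLE_LINES = [
    "Sep  5 10:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22",
    "Sep  5 10:01:03 rtr1 sshd[212]: Failed password for root from 203.0.113.7 port 4410 ssh2",
    "Sep  5 10:01:04 rtr1 sshd[212]: Failed password for root from 203.0.113.7 port 4411 ssh2",
    "Sep  5 10:01:05 rtr1 sshd[212]: Failed password for root from 203.0.113.7 port 4412 ssh2",
    "Sep  5 10:01:06 web1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog and is skipped",
]

# timestamp, hostname (the device), free-text message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Static filter rules in the spirit of logcheck: (name, pattern, severity, hits needed to alert).
# Assumed values: a site would tune these to its own devices and noise level.
RULES = [
    ("ssh-auth-failure", re.compile(r"Failed password for"), "critical", 3),
    ("fw-drop", re.compile(r"\bDROP\b"), "notice", 1),
]


def parse_line(line):
    """Return {'ts', 'host', 'msg'} for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines):
    """Group messages per device and raise one alert per (device, rule) that reaches its threshold."""
    per_device = defaultdict(list)   # host -> [messages], what a web view would list
    hits = defaultdict(int)          # (host, rule name) -> matching message count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # unparseable input is dropped, never alerted on
        per_device[ev["host"]].append(ev["msg"])
        for name, pattern, _severity, _threshold in RULES:
            if pattern.search(ev["msg"]):
                hits[(ev["host"], name)] += 1
    alerts = []
    for name, _pattern, severity, threshold in RULES:
        for (host, rule), n in hits.items():
            if rule == name and n >= threshold:
                alerts.append({"host": host, "rule": name, "severity": severity, "hits": n})
    alerts.sort(key=lambda a: (a["host"], a["rule"]))
    return dict(per_device), alerts
```

Feeding `evaluate` from a process that follows the log file as it grows (rather than a cron job) gives the real-time behaviour pansophic contrasts with logcheck.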
 