
9 Apr 2014, 12:52 a.m.
trentbuck@gmail.com (Trent W. Buck) writes:
logcheck has magic to remember the inode & offset of the last scan; if the inode hasn't changed, it starts from where it left off (otherwise from 0).
Or you could just use logcheck -- add your DENIED.*\.(com|biz|net)/ regexp to its "security alerts" list of regexps.
Oh, but squid doesn't log via syslog(3) by default. So you'd need to tell logcheck to also read squid/access.log and to whitelist "expected" lines from that.
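
The inode-and-offset bookkeeping described in the message, as an added Python sketch that is not part of the original post and is not logcheck's own code. The function names, the JSON state file and the squid log lines are constructed for illustration; only the regexp comes from the message.

```python
import json
import os
import re
import tempfile

ALERT = re.compile(r"DENIED.*\.(com|biz|net)/")  # regexp quoted in the message


def scan_new(log_path, state_path, pattern=ALERT):
    """Return matching lines appended to log_path since the previous call."""
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (FileNotFoundError, ValueError):
        state = {"inode": None, "offset": 0}
    hits = []
    with open(log_path, "rb") as log:
        st = os.fstat(log.fileno())
        # Resume only if the inode matches. A new inode (rotation) or a file
        # shorter than the saved offset (assumed truncation) restarts at 0.
        same = state["inode"] == st.st_ino and state["offset"] <= st.st_size
        offset = state["offset"] if same else 0
        log.seek(offset)
        for line in iter(log.readline, b""):
            if not line.endswith(b"\n"):
                break  # partial line still being written; pick it up next run
            offset += len(line)
            text = line.decode("utf-8", "replace").rstrip("\n")
            if pattern.search(text):
                hits.append(text)
    with open(state_path + ".tmp", "w") as fh:
        json.dump({"inode": st.st_ino, "offset": offset}, fh)
    os.replace(state_path + ".tmp", state_path)  # atomic state update
    return hits


def demo():
    """Run three scans over constructed squid access.log lines."""
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "access.log"), os.path.join(d, "offset.json")
    deny = "1397004720.1 0 10.0.0.5 TCP_DENIED/403 3500 GET http://blocked.example.com/ - HIER_NONE/- text/html\n"
    ok = "1397004721.2 90 10.0.0.5 TCP_MISS/200 812 GET http://allowed.example.org/ - HIER_DIRECT/192.0.2.10 text/html\n"
    with open(log, "w") as fh:
        fh.write(deny + ok)
    first = scan_new(log, state)        # whole file, one hit
    second = scan_new(log, state)       # nothing new
    os.rename(log, log + ".1")          # rotation: new file, new inode
    with open(log, "w") as fh:
        fh.write(deny)
    return first, second, scan_new(log, state)
```

Keeping the rotated file on disk in the demo guarantees the new access.log gets a different inode; a log that is deleted and recreated can be handed the same inode number, which is why the size check is there as a second signal.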