Hi,

Seeing that we have 1000+ rules, I became curious about utilization. I came up with a cheap program[0] to check. The current output looks like this:

*cut*
file: rulefiles/linux/ignore.d.server/dhclient: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 124, 124, 0, 0, 0, 0, 0, 0, 124]
file: rulefiles/linux/violations.d/logcheck: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
file: rulefiles/linux/ignore.d.server/policyd: [0, 0]
file: rulefiles/linux/ignore.d.workstation/winbind: [0]
file: rulefiles/linux/violations.ignore.d/logcheck-cyrus: [0, 0, 0]
file: rulefiles/linux/ignore.d.paranoid/cron: [0, 0, 18, 0, 0, 0, 0, 0]
file: rulefiles/linux/ignore.d.server/nscd: [0]
*cut*

The array numbers correspond to line numbers in the rulefiles.

This output will be improved eventually. It should also calculate the top N and bottom N matched rules. Right now it just looks at /var/log/syslog. This should be getopt'd.

Run it from directory logcheck/

[0] http://rapidpacket.com/~xtat/analyzeRules
* unfortunately requires Python2.4 for subprocess

--
Todd Troxell
http://rapidpacket.com/~xtat
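The per-rule count described in the message above, as an added example (not the analyzeRules program linked there, and not logcheck's own code): each rule line is run through `grep -E -c` against a log file, giving one count per rulefile line. The rules and log lines are constructed, `rule_hits`, `never_matched` and `demo` are hypothetical names, and skipping blank and `#` lines and marking them `None` is an assumption that goes beyond the output shown in the message.

```python
import os
import subprocess
import tempfile

def rule_hits(rulefile, logfile):
    """Hits per rulefile line (index = line number - 1); None for non-rules."""
    env = dict(os.environ, LC_ALL="C")  # byte-wise matching in the C locale
    counts = []
    with open(rulefile, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            rule = line.rstrip("\n")
            # Skip blanks and comments: an empty pattern would match every line.
            if not rule.strip() or rule.startswith("#"):
                counts.append(None)
                continue
            proc = subprocess.run(
                ["grep", "-E", "-c", "-e", rule, "--", logfile],
                capture_output=True, text=True, env=env)
            if proc.returncode > 1:  # 0 = matched, 1 = no match, 2+ = error
                raise ValueError(f"{rulefile}:{lineno}: {proc.stderr.strip()}")
            counts.append(int(proc.stdout.strip()))
    return counts

def never_matched(counts):
    """1-based line numbers of real rules that matched nothing."""
    return [i for i, n in enumerate(counts, 1) if n == 0]

# Constructed sample data (not from a real host or the shipped rule set).
SAMPLE_RULES = r"""# constructed rules in logcheck's egrep style
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient: DHCPREQUEST on [[:alnum:]]+ to [.[:digit:]]+ port 67$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dhclient: DHCPACK from [.[:digit:]]+$

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ nscd: [[:digit:]]+ invalid persistent database file
"""
SAMPLE_LOG = """Mar  3 10:00:01 host1 dhclient: DHCPREQUEST on eth0 to 192.0.2.1 port 67
Mar  3 10:00:01 host1 dhclient: DHCPACK from 192.0.2.1
Mar  3 22:00:02 host1 dhclient: DHCPREQUEST on eth0 to 192.0.2.1 port 67
Mar  3 22:00:02 host1 dhclient: DHCPACK from 192.0.2.1
Mar  3 22:05:00 host1 sshd[411]: Failed password for root from 198.51.100.7 port 4022 ssh2
"""

def demo():
    """Write the constructed samples to a temp dir and count hits per rule."""
    with tempfile.TemporaryDirectory() as d:
        rules, log = os.path.join(d, "rules"), os.path.join(d, "syslog")
        for path, text in ((rules, SAMPLE_RULES), (log, SAMPLE_LOG)):
            with open(path, "w") as fh:
                fh.write(text)
        return rule_hits(rules, log)
```

A rule that never matches over a representative log window is a candidate for review, and an ignore rule with an unexpectedly high count deserves a look at what it is suppressing.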