Title: Monitoring log files in Linux

KBTAG: kben10000032
URL: http://www.securityportal.com/lskb/10000000/kben10000032.html
Date created: 14/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Monitoring log files in Linux
Keywords: Logging, IntrusionDetection

Summary:

Log files are not much good unless you actually check them once in a while; for most of us, however, the sheer volume of log data makes that an almost impossible task. There are a variety of tools to automate this work.

More information:

If possible, log events to a central location; this lets you spot attack patterns that are not obvious when looking at each host's files individually. You also need to automate the review, but you will either end up with many false positives (requiring human intervention to sort out) or, if you filter too much, miss important events. You should also check knowledge base article kben10000027, "Secure alternatives for system logging in Linux". Things to look out for include:

Downloads:

Psionic Logcheck

Psionic Logcheck will go through the messages file (and others) on a regular basis (usually invoked via crontab) and email out a report of any suspicious activity. It is easily configurable with several 'classes' of items: active penetration attempts, which it screams about immediately; bad activity; and activity to be ignored (for example DNS server statistics or SSH re-keying). Psionic Logcheck is available from: http://www.psionic.com/abacus/logcheck/.
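The classification scheme described above, as an added example that is not Logcheck's own code: three ordered pattern classes (ignore, attack, violation), with the ignore list checked first so that noisy-but-harmless lines such as DNS statistics or SSH re-keying never reach the report, and anything matched by no class still reported, since an unknown line is exactly what a filter that is "too tight" would otherwise hide. The class names, patterns and log lines are this example's own constructions.

```python
import re
import sys

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_LOG = [
    "Apr 14 10:01:02 host sshd[412]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Apr 14 10:01:05 host named[210]: stats: 1204 queries since boot",
    "Apr 14 10:01:09 host sshd[412]: Accepted password for alice from 192.0.2.20 port 4031 ssh2",
    "Apr 14 10:01:12 host kernel: Oversized packet received from 198.51.100.7",
    "Apr 14 10:01:20 host sshd[413]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Apr 14 10:01:30 host sshd[414]: Received rekey request from 192.0.2.20",
    "Apr 14 10:01:40 host su: authentication failure; logname=bob uid=1001 euid=0 ruser=bob user=root",
    "Apr 14 10:01:55 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Pattern classes, checked in this order. "ignore" comes first so that known
# noise is dropped before any attack pattern can fire on it. The class names
# and patterns are this example's own, not Logcheck's configuration.
CLASSES = [
    ("ignore", [r"named\[\d+\]: stats:", r"sshd\[\d+\]: Received rekey"]),
    ("attack", [r"Oversized packet", r"Failed password for root"]),
    ("violation", [r"Failed password", r"authentication failure"]),
]
COMPILED = [(name, [re.compile(p) for p in pats]) for name, pats in CLASSES]


def classify_line(line):
    """Return the first class whose pattern matches, else 'unclassified'."""
    for name, pats in COMPILED:
        if any(p.search(line) for p in pats):
            return name
    return "unclassified"


def build_report(lines):
    """Group lines by class. Ignored lines are counted but never printed."""
    report = {name: [] for name, _ in CLASSES}
    report["unclassified"] = []
    for line in lines:
        report[classify_line(line)].append(line)
    return report


def format_report(report):
    """Render the report in the order a reader should see it: worst first."""
    out = []
    for name in ("attack", "violation", "unclassified"):
        if report[name]:
            out.append(f"== {name} ({len(report[name])}) ==")
            out.extend(report[name])
    out.append(f"({len(report['ignore'])} lines ignored)")
    return "\n".join(out)


if __name__ == "__main__":
    # Read a log from STDIN (e.g. `tail -n 500 /var/log/messages | python3 this.py`),
    # or fall back to the constructed sample when run interactively.
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_report(build_report(lines)))
```

Because "Failed password for root" is listed under attack and the more general "Failed password" under violation, the same failed-login line is reported at the higher severity when the target is root and at the lower one otherwise; the order of the classes, not the order of the patterns within a class, decides that.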

colorlogs

colorlogs will color code log files, allowing you to easily spot suspicious activity. Based on a config file it looks for keywords and colors the matching lines (red, cyan, etc.). It takes input from STDIN, so you can use it to review log files quickly (by using "cat", "tail" or other utilities to feed the log file through the program). You can get it at: http://www.resentment.org/projects/colorlogs/.

WOTS

WOTS collects log files from multiple sources and will generate reports or take action based on what you tell it to do. WOTS looks for regular expressions you define and then executes the commands you list (mail a report, sound an alert, etc.). WOTS requires you have Perl installed and is available from: http://www.vcpc.univie.ac.at/~tc/tools/.

swatch

swatch is very similar to WOTS, and its log file configuration is very similar. You can download swatch from: ftp://ftp.stanford.edu/general/security-tools/swatch/.
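The regex-to-action model that WOTS and swatch share, as an added example that is neither tool's own code: each rule pairs a regular expression with an action (here "mail a report" and "sound an alert" are stand-ins that append to lists), and the watcher runs the first matching rule's action. The throttle that fires an action only once per (rule, source) and counts the repeats is this example's own addition to keep a burst of identical lines from producing a burst of identical mails; the rule names, the `key` capture group and the log lines are constructed for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "Apr 14 11:00:01 host sshd[500]: Failed password for root from 192.0.2.10 port 5001 ssh2",
    "Apr 14 11:00:03 host sshd[501]: Failed password for root from 192.0.2.10 port 5002 ssh2",
    "Apr 14 11:00:05 host sshd[502]: Failed password for root from 192.0.2.10 port 5003 ssh2",
    "Apr 14 11:00:07 host sshd[503]: Failed password for root from 203.0.113.5 port 5004 ssh2",
    "Apr 14 11:00:09 host kernel: Oversized packet received from 198.51.100.7",
    "Apr 14 11:00:11 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

OUTBOX = []  # stands in for "mail a report"
ALERTS = []  # stands in for "sound an alert"


def mail_report(rule, line):
    OUTBOX.append(f"[{rule}] {line}")


def sound_alert(rule, line):
    ALERTS.append(f"\a[{rule}] {line}")


# Rule table: (regex with an optional 'key' group, rule name, action).
# The 'key' group identifies the source so repeats from one source are throttled
# together while a new source fires the action again. Rule names are made up.
RULES = [
    (r"Failed password for \S+ from (?P<key>\S+)", "failed-login", mail_report),
    (r"Oversized packet received from (?P<key>\S+)", "oversized-packet", sound_alert),
]


class Watcher:
    def __init__(self, rules):
        self.rules = [(re.compile(p), name, action) for p, name, action in rules]
        self.seen = Counter()        # (rule, key) -> times matched
        self.suppressed = Counter()  # (rule, key) -> times throttled

    def feed(self, line):
        """Apply the first matching rule. Returns the rule name if its action
        fired, None if the line matched nothing or was throttled."""
        for regex, name, action in self.rules:
            m = regex.search(line)
            if not m:
                continue
            key = m.groupdict().get("key") or ""
            self.seen[(name, key)] += 1
            if self.seen[(name, key)] == 1:
                action(name, line)
                return name
            self.suppressed[(name, key)] += 1
            return None
        return None

    def summary(self):
        """Per (rule, source): (matches, suppressed) so the report can say
        'and 2 more like this' instead of repeating the line."""
        return {f"{n}:{k}": (self.seen[(n, k)], self.suppressed[(n, k)])
                for (n, k) in self.seen}


if __name__ == "__main__":
    # Feed live output (e.g. `tail -f /var/log/messages | python3 this.py`)
    # or the constructed sample when run interactively.
    w = Watcher(RULES)
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LINES
    for line in lines:
        w.feed(line)
    print("mailed:", *OUTBOX, sep="\n  ")
    print("alerted:", *ALERTS, sep="\n  ")
    print("summary:", w.summary())
```

The throttle is the trade-off from the introduction in miniature: with it, three failed root logins from one address produce one mail and a count of two repeats; without it they produce three mails that a tired reader starts to ignore, and the fourth line, from a different address, is the one that matters.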