Intrusion Detection Systems, Part IV: Logcheck
Auditing and logging on any system are of great significance, because they make sure that a serious breach of any kind is always tracked. What is great about Unix is that most modern implementations use the syslog facility to report extensively, if configured and supported correctly, all happenings, good or bad, on the host system. This allows the creation of an audit trail that can be used very effectively to thwart potential attacks and alert system administrators. However, all this is of no use if the system administrator has no time to look at the logs. One reason for this is the very nature and quantity of logging happening on a machine. We have known systems administrators complaining about daily logs on machines running to the tune of more than 10-20 megabytes, hardly an enviable task to read through. This is where logcheck will help. Logcheck automates the auditing process and weeds out normal log information, to give you a condensed look at problems and potential troublemakers, mailed to wherever you please.
How Logcheck works
The logcheck shell script and logtail.c program have been written from scratch and are implemented in a manner that allows two methods of log file auditing:
1) By reporting everything you specifically tell it to look for, via keywords.
2) By reporting everything you did not tell it to ignore, via keywords.
This ensures that important messages are specifically brought to your attention (via the keywords you look for) and that important messages you may have overlooked are also reported (by ignoring only the items you tell it to). The original frequentcheck.sh script was implemented in a somewhat similar manner. The keywords in question are the ones whose occurrence in the logs triggers an alert to the system administrator. The logcheck configuration files come with some default keyword entries common to most of the *nix system logs out there. However, we warn you, as the author does: it is up to you, the system administrator, to see that the appropriate keywords are entered in the configuration files to tune Logcheck for your installation.
The logcheck script is written as a simple shell program and the logtail.c program uses only basic ANSI C functions. The logcheck script should be run at least hourly on your hosts from the cron daemon. It checks the log files for unusual activity by scanning them with simple grep commands and mails all findings (if any) to the administrator. If nothing is found, you receive no mail.
Logcheck Installation and Configuration