
Intrusion Detection Systems, Part IV: Logcheck

/var/log/kernlog

/var/log/syslog

These are the files that Logcheck should monitor consistently for any untoward incidents on a system. Assuming Logcheck is running through the Cron daemon every 5 minutes, we would then have Logcheck parse all the log files important to us and mail us incident reports if there are any.

cd into the directory logcheck-1.1.1/systems/linux and edit the file logcheck.sh in your favorite text editor. The default configuration of Logcheck only generates alerts for the files mentioned below. In addition, as you can see, it has been tailored for an out-of-the-box Red Hat installation. So all you Red Hat users have almost no tweaking to do. Others, please tweak the script to monitor the log files according to your severity rating.

Here is part of our ~/logcheck-1.1.1/systems/linux/logcheck.sh script,

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!

# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

which monitors the files /var/log/messages, /var/log/secure and /var/log/maillog. So, make the changes to reflect the logs you would want to monitor.

Having made the appropriate changes to your configuration file, have a look at the Configuration Section at the start of the logcheck.sh file. It consists of the paths to all the installation directories and the paths in which to place the binaries. Under normal circumstances you would not have to edit any of these settings on most of the Linux distributions around. We would suggest that you have a look at the settings but leave them alone.
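To make the logtail-plus-grep pipeline concrete, here is an added example in POSIX sh (not part of the original article and not Logcheck's own code): it reads only the lines a log gained since the last run, keeps lines matching a keyword list minus an ignore list, and prints the report that a cron run would mail. The sample log, the keyword and ignore patterns, and the offset file beside the log are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not Logcheck's own code: a minimal stand-in for the logtail
# + grep pipeline logcheck.sh runs from cron. Assumed: offset kept beside the
# log in "$LOG.offset"; keyword/ignore lists are constructed for the demo.
WORK="${TMPDIR:-/tmp}/logcheck-demo.$$"
mkdir -p "$WORK"
LOG="$WORK/messages"
OFFSET="$LOG.offset"

# Constructed sample log (not output from a real system).
cat > "$LOG" <<'EOF'
Jan 10 10:00:01 host sshd[412]: Accepted password for alice from 10.0.0.5 port 5100 ssh2
Jan 10 10:00:07 host sshd[413]: Failed password for root from 10.0.0.9 port 5101 ssh2
Jan 10 10:00:09 host cron[500]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Interesting events, and benign noise to drop (the logcheck.ignore idea).
KEYWORDS='failed|accepted|refused|denied'
IGNORE='Accepted password for alice from 10\.0\.0\.'

# logtail-style read: print only bytes added since the last run and record
# the new offset so each line is reported once; a shrunken (rotated) log
# is read from the start again.
tail_new() {
  last=0
  [ -f "$OFFSET" ] && last=$(cat "$OFFSET")
  size=$(wc -c < "$LOG" | tr -d ' ')
  [ "$last" -gt "$size" ] && last=0
  tail -c +$((last + 1)) "$LOG"
  printf '%s\n' "$size" > "$OFFSET"
}

# The grep stage: keep lines matching the keywords, drop ignored ones.
new_alerts() {
  tail_new | grep -E -i "$KEYWORDS" | grep -E -v "$IGNORE"
}

# Count of new alerts this run; what a cron run would have to mail about.
count_alerts() {
  new_alerts | wc -l | tr -d ' '
}

# Compose the mail body; stay silent when there is nothing new to report.
report() {
  alerts=$(new_alerts)
  [ -z "$alerts" ] && return 0
  printf 'Security events in %s:\n%s\n' "$LOG" "$alerts"
}
report
```

Run it twice in a row and the second run prints nothing, which is the behaviour that keeps a five-minute cron job from mailing the same line repeatedly.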

Various Configuration Files

We now look at the various Logcheck configuration files. The description of each configuration file has been obtained from the documentation downloaded along with Logcheck.

logcheck.sh -- The main script. This file controls all processing and looks at log files with simple grep commands. This file is executed on a timed basis from cron and reports findings to the sysadmin.