Linux logging and logfiles monitoring with swatch



Similar documents
Topics. CIT 470: Advanced Network and System Administration. Logging Policies. System Logs. Throwing Away. How to choose a logging policy?

Syslog & xinetd. Stephen Pilon

syslog - centralized logging

Linux System Administration. System Administration Tasks

Analys och spårning. Text based logs Analysing and working with logs Surveillance and tracking

CSE/ISE 311: Systems Administra5on Logging

Logging with syslog-ng, Part One

CERT-In Indian Computer Emergency Response Team Handling Computer Security Incidents

Red Hat System Administration 1(RH124) is Designed for IT Professionals who are new to Linux.

Lab 2: Secure Network Administration Principles - Log Analysis

Linux Syslog Messages in IBM Director

SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.

URL:

logstash The Book Log management made easy James Turnbull

Protecting Host from Net

HIPAA Compliance Use Case

CSE 265: System and Network Administration

System Administration

Guidelines for Auditing and Logging

CTPView Management System

Red Condor Syslog Server Configurations

Step One: Installing Rsnapshot and Configuring SSH Keys

EMC VNX Version 8.1 Configuring and Using the Audit Tool on VNX for File P/N Rev 01 August, 2013

Administration of Soft IOCs under Linux

Presented by Henry Ng

Cisco Setting Up PIX Syslog

logstash The Book Log management made easy James Turnbull

Backing Up Your System With rsnapshot

The Ins and Outs of System Logging Using Syslog

Apache and Virtual Hosts Exercises

Nixu SNS Security White Paper May 2007 Version 1.2

Avira AntiVir MailGate 3.2 Release Notes

Avaya Syslog Implementation Guide

SendMIME Pro Installation & Users Guide

Connectivity using ssh, rsync & vsftpd

VMware vcenter Log Insight Security Guide

BACKUP YOUR SENSITIVE DATA WITH BACKUP- MANAGER

WHM Administrator s Guide

Connecting to Linux From Other Systems

Configuring System Message Logging

Configuring LocalDirector Syslog

Network Monitoring & Management Log Management

NTP and Syslog in Linux. Kevin Breit

Project Artillery Active Honeypotting. Dave Kennedy Founder, Principal Security Consultant

BF2CC Daemon Linux Installation Guide

Getting Started in Red Hat Linux An Overview of Red Hat Linux p. 3 Introducing Red Hat Linux p. 4 What Is Linux? p. 5 Linux's Roots in UNIX p.

Network Monitoring & Management Log Management

Security Correlation Server Quick Installation Guide

NAS 272 Using Your NAS as a Syslog Server

HowTo: Logging, reporting, log-analysis and log server setup Version 2007nx Release 3. Log server version 2.0

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

LINUX SECURITY COOKBOOK. DanieIJ. Barren, Richard E Silverman, and Robert G. Byrnes

What is included in the ATRC server support

How to Install Multicraft on a VPS or Dedicated Server (Ubuntu bit)

Security Correlation Server Quick Installation Guide

SERVER HARDENING. Presented by: Daniel Waymel and Corrin Thompson at TexSAW 2014 at the University of Texas at Dallas

Network Monitoring & Management Log Management

Do it Yourself System Administration

Linux Shell Scripting Cookbook

Backup of ESXi Virtual Machines using Affa

Syslog (Centralized Logging and Analysis) Jason Healy, Director of Networks and Systems

Hervey Allen. Network Startup Resource Center. PacNOG 6: Nadi, Fiji. Security Overview

The KSystemLog Handbook. Nicolas Ternisien

Automated Offsite Backup with rdiff-backup

Device Integration: Checkpoint Firewall-1

Development of a System Log Analyzer

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 5 Manage Backup and Recovery

Computer Security DD2395

128 CERT Exercises Toolset Document for students

EventTracker: Configuring DLA Extension for AWStats Report AWStats Reports

Security Advice for Instances in the HP Cloud

Avira Update Manager User Manual

File Transfer Examples. Running commands on other computers and transferring files between computers

Enterprise Content Management System Monitor. Server Debugging Guide CENIT AG Bettighofer, Stefan

Overview. Remote access and file transfer. SSH clients by platform. Logging in remotely

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Red Hat Certifications: Red Hat Certified System Administrator (RHCSA)

Log Correlation Engine Backup Strategy

Back Up Linux And Windows Systems With BackupPC

Linux VPS with cpanel. Getting Started Guide

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline CIS INTRODUCTION TO UNIX

SEAGATE BUSINESS NAS ACCESSING THE SHELL. February 1, 2014 by Jeroen Diel IT Nerdbox

Rsync: The Best Backup System Ever

Linux Boot Camp. Our Lady of the Lake University Computer Information Systems & Security Department Kevin Barton Artair Burnett

EventTracker: Configuring DLA Extension for AWStats report AWStats Reports

An Introduction to Event Modeling and Correlation. Stephen Rondeau Institute of Technology

Protec8ng Host from Net

1 Logging in unix, linux, OS-X

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Scalable Logging Solutions on Cloud

Smartphone Pentest Framework v0.1. User Guide

Sophos Anti-Virus for Linux user manual

Linux Security Ideas and Tips

Linux Server Configuration Guidelines

How to Push CDR Files from Asterisk to SDReporter. September 27, 2013

Configuring System Message Logging

Navigating the Rescue Mode for Linux

Working with ESX(i) Log Files

MONIT. UNIX Systems Management

SWsoft Plesk 8.2 for Linux/Unix Backup and Restore Utilities. Administrator's Guide

Transcription:

Linux logging and logfiles monitoring with swatch, wire.less.dk edit: November 2009, Pacnog6 http://creativecommons.org/licenses/by-nc-sa/3.0/ 1

Agenda Linux logging The most important logs Swatch and other log watchers 2

Linux Logging two daemons that control logging: klogd (sysklogd) and syslogd. klogd deals with kernel messages. syslogd deals with other system messages, such as applications. You can configure the behavior of both by editing the files /etc/syslog.conf and /etc/sysconfig/syslog 3

Linux Logging directory default directory for most logs is /var/log logrotating (now default in Ubuntu) is essential, else you will strangulate your own resources (= have beautiful backlog, but run out of space) Backup important logfiles to external place by using rsync or scp 4

Linux Essential log files /var/log/messages: General system and kernel messages /var/log/auth.log: Authenication logs /var/log/kern.log: Kernel logs /var/log/cron.log: Crond logs (cron job) /var/log/maillog: Mail server logs ᄑ /var/log/httpd/ or /var/log/apache: Apache access and error logs directory, typically: access.log, error.log /var/log/boot.log : System boot log /var/log/secure: Authentication log /var/log/utmp or /var/log/wtmp : Login records file /var/log/dkpg.log: package management + individual applications' ItrainOnline logfiles MMTK (may also be kept in applications directories, outside /var/log) 5

Linux Logging directory Most important tools for looking at logfiles: # less # more # tail # grep archiving tools (tar, gunzip, etc) rsync, scp for backing up If you prefer graphical tools, webmin is handy for looking at logfiles 6

Log monitoring Swatch & logwatch & others Having extensive logfiles is great, however uou also need to make sense of them Not realistic to manually keep track of things Use log watching utilities to give you automated warnings, alerts, etc, and to act upon suspicious activity 7

Log monitoring DenyHosts / Fail2Ban DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. Fail2Ban's main function is to block selected IP addresses that may belong to hosts that are trying to breach the system's security. It determines the hosts to be blocked by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc) and bans any host IP that makes too many login attempts or performs any other unwanted action within a time 8

Log monitoring Swatch swatch is a perl utility that can monitor just about any type of log. It uses regular expressions to look for patterns that you define, and act upon matches. Standard actions include output to standard out, sounds, emails - but you can trigger any command you wish to making this extremely powerful. 9

Log monitoring Swatch Swatch expects config file at /etc/swatchrc Swatch syntax: see #man swatch Simple example for a swatch config entry: watchfor /ALERT:/ echo bold red exec echo "$_ swatch just spit out a alert warning" mail -s swatch-alert sebastian@less.dk You can use throttle and threshhold (=timeouts) to prevent all 10 Sebastian too many Büttrich alerts

That was it... Thank you! sebastian@less.dk http://wire.less.dk, wire.less.dk edit: November 2009 http://creativecommons.org/licenses/by-nc-sa/3.0/ 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information