Many system (and kernel) events cause entries to be made in log files. These can be used to audit a system and track cracking attempts.
Manually scanning log files for signs of cracking attempts or other undesirable behaviour is time-consuming, and in practice it happens well after the intrusion attempts were logged, too late to prevent a successful attack. The problem is compounded by the fact that all good systems administrators are inherently lazy. To address this, utilities have been developed which scan (tail) the logs on your behalf and report significant events by email; we discuss logcheck and swatch.
We also discuss logging events to a remote host. By default syslogd (and, on Linux, klogd) write their messages, as configured in syslog.conf, to files under /var/log/... (Linux) or /var/adm/... (Solaris). Since these files live on the local host, any cracker who gains sufficient privilege there can edit or truncate them to cover their tracks. If messages are (also) sent to a remote host, such a clean-up becomes much harder, since the attacker now needs a second compromise as well, particularly if the remote host runs a different operating system.
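The following is an added example of the idea behind logcheck and swatch, written for this page; it is not the page's own code and not part of either tool. It reads whatever has been appended to a log file since the last run (handling the case where the file was rotated or truncated in between), reports every line that matches an "attack" pattern regardless of the ignore rules, suppresses routine noise, and reports anything else as unusual. The pattern lists, the host name talby and the log lines are constructed for the example.

```python
"""Minimal logcheck-style scanner: report the log lines that matter."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Lines that are always reported, even if an ignore rule would also match
# (logcheck gives its attack patterns the same precedence).  Constructed.
ATTACK_PATTERNS = [
    r"Failed password for",
    r"authentication failure",
    r"refused connect from",
    r"ROOT LOGIN REFUSED",
    r"su: .* failed",
]

# Routine entries we do not want to hear about.  Constructed; keep these
# narrow, an over-broad ignore rule is how real attacks get filtered out.
IGNORE_PATTERNS = [
    r"-- MARK --",
    r"CRON\[\d+\]: \(root\) CMD",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.",
    r"session (opened|closed) for user",
]

_ATTACK = [re.compile(p) for p in ATTACK_PATTERNS]
_IGNORE = [re.compile(p) for p in IGNORE_PATTERNS]

# Sample log lines, constructed for this example (not real log data).
SAMPLE_LOG = """\
Aug 14 03:17:01 talby CRON[2231]: (root) CMD (run-parts /etc/cron.hourly)
Aug 14 03:17:44 talby sshd[2240]: Failed password for root from 192.0.2.77 port 4242 ssh2
Aug 14 03:17:46 talby sshd[2240]: Failed password for root from 192.0.2.77 port 4242 ssh2
Aug 14 03:18:02 talby sshd[2251]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Aug 14 03:18:02 talby PAM_unix[2251]: session opened for user alice
Aug 14 03:20:00 talby -- MARK --
Aug 14 03:21:13 talby in.telnetd[2260]: refused connect from 192.0.2.77
Aug 14 03:22:05 talby kernel: eth0: link down
"""


def classify(line: str) -> str:
    """Return 'attack', 'ignore' or 'unusual' for one log line.

    Attack patterns are checked first so that an ignore rule can never
    hide a line we would want to see."""
    if any(p.search(line) for p in _ATTACK):
        return "attack"
    if any(p.search(line) for p in _IGNORE):
        return "ignore"
    return "unusual"


def scan(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Split a batch of lines into the two buckets worth emailing."""
    report: Dict[str, List[str]] = {"attack": [], "unusual": []}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        kind = classify(line)
        if kind != "ignore":
            report[kind].append(line)
    return report


def read_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Return the lines appended since `offset`, plus the new offset.

    The caller persists the offset between runs.  If the file is now
    shorter than the saved offset it has been rotated or truncated, so
    start again from the beginning rather than reading nothing."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
        new_offset = f.tell()
    return data.decode("utf-8", "replace").splitlines(), new_offset


def format_report(report: Dict[str, List[str]], host: str) -> str:
    """Plain-text body suitable for mailing to the admin."""
    out: List[str] = []
    if report["attack"]:
        out.append(f"Security violations on {host}:")
        out.extend("  " + line for line in report["attack"])
    if report["unusual"]:
        out.append(f"Unusual system events on {host}:")
        out.extend("  " + line for line in report["unusual"])
    return "\n".join(out) if out else f"Nothing to report on {host}."


if __name__ == "__main__":
    print(format_report(scan(SAMPLE_LOG.splitlines()), "talby"))
```

Run from cron, the script would call read_new_lines on each log with the offset saved from the previous run and mail format_report's output only when there is something to say; the repeated "Failed password for root" lines from one address are exactly the kind of thing that is easy to miss by eye and trivial to catch by pattern.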
All good sysadmins are lazy at heart. I'm much more likely to check my log files if they are served up on a plate in front of me: displayed, continually updated, with different log files available at the click of a tab or button. For that I use iblm, which can be downloaded from SourceForge.
Below is an account of how I set up cross-logging between my Linux box and my Solaris box. At the time of writing (August 2000) one machine runs RedHat 6.2 Linux and the other Solaris 2.8; the details below, in particular the bug/feature notes, may not apply to other versions.
The first thing to check is that each syslogd has been started with the command-line switches needed to accept messages from remote hosts. On RedHat 6.2 that is sysklogd's -r switch (without it the daemon ignores the network entirely; the -m 0 below merely turns off the periodic "-- MARK --" lines). The Solaris 2.8 syslogd listened on the network without any switch; later Solaris releases made this configurable through LOG_FROM_REMOTE in /etc/default/syslog, so check the syslogd man page for your release. Either way, accepting remote messages means listening on UDP port 514, which is unauthenticated and can be written to by any host that can reach it, so restrict that port to the expected senders with a packet filter.

How syslogd is started on each machine:

    Linux (RedHat 6.2):   /sbin/syslogd -m 0 -r
    Solaris 2.8:          /usr/sbin/syslogd

The relevant lines of /etc/syslog.conf on the Linux box, which keeps local copies and also forwards auth messages to the Solaris box, boiler:

    authpriv.*    /var/log/secure
    auth.*        /var/log/auth
    auth.*        @boiler.csu.umist.ac.uk

And on the Solaris box, forwarding to the Linux box, talby:

    mail.warning;mail.info    @talby.csu.umist.ac.uk    # ...that's right, mail, not auth...
    auth.notice               @talby.csu.umist.ac.uk

In both files a selector such as auth.notice matches the named priority and everything more severe. One gotcha: the Solaris syslog.conf requires a TAB between the selector and the action, whereas the Linux syslogd also accepts spaces.
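To make concrete what an "@host" action in syslog.conf actually sends, and what the receiving syslogd gets to check, here is an added example written for this page; it is not the page's own code and not the Linux or Solaris daemon. It speaks the classic BSD syslog format those daemons used (RFC 3164): one UDP datagram of the form <PRI>Mmm dd hh:mm:ss host tag: text, where PRI = facility*8 + severity, so auth.notice is <37>. It also evaluates syslog.conf selectors such as "mail.warning;mail.info" with the classic "this priority and above" semantics, then plays both sides of the exchange on the loopback interface: boiler's auth.notice line forwarding to talby. The host names are taken from the configuration above; the loopback addresses, the ephemeral port standing in for 514 and the message text are assumptions for the example.

```python
"""BSD syslog forwarding (RFC 3164): build, send, receive and parse."""
import re
import socket
import time

# Facility and severity codes from the BSD syslog protocol.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_FAC_NAME = {v: k for k, v in FACILITIES.items()}
_SEV_NAME = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; auth.notice -> 37."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    return _FAC_NAME.get(pri // 8, f"facility{pri // 8}"), _SEV_NAME[pri % 8]


def build_message(facility, severity, hostname, tag, text, when=None) -> bytes:
    """The datagram syslogd forwards: <PRI>Mmm dd hh:mm:ss host tag: text."""
    t = time.localtime(time.time() if when is None else when)
    stamp = (f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} "
             f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}")
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


_MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_message(data: bytes) -> dict:
    """Receiving side: split PRI, timestamp, hostname and content."""
    m = _MSG_RE.match(data.decode("utf-8", "replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a BSD syslog datagram")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "hostname": m.group(3), "content": m.group(4)}


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a syslog.conf selector ("auth.notice", "mail.warning;mail.info",
    "*.info;mail.none") with classic semantics: the named priority and anything
    more severe; "none" excludes the facility.  (sysklogd's "=" and "!"
    modifiers are deliberately not handled.)"""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        facs = [f.strip() for f in facs.split(",")]
        if "*" not in facs and facility not in facs:
            continue
        if prio == "none":
            matched = False
        elif prio == "*" or SEVERITIES[severity] <= SEVERITIES[prio]:
            matched = True
    return matched


def forward(data: bytes, host: str, port: int = 514) -> None:
    """What the "@host" action does: one UDP datagram, no acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))


def receive_one(sock: socket.socket, allowed_senders) -> dict:
    """Accept only datagrams from the hosts we expect.  The source address is
    the only thing the receiver can check; the hostname inside the message is
    whatever the sender wrote, and UDP sources can be spoofed, so port 514
    should also be filtered upstream."""
    data, (ip, _port) = sock.recvfrom(2048)
    if ip not in allowed_senders:
        raise PermissionError(f"dropped syslog datagram from {ip}")
    record = parse_message(data)
    record["source_ip"] = ip
    return record


def demo() -> dict:
    """Simulate boiler's "auth.notice @talby" line with talby on loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # stand-in for talby's UDP port 514
        rx.settimeout(2)
        _, port = rx.getsockname()
        msg = build_message("auth", "notice", "boiler", "login",
                            "ROOT LOGIN REFUSED ON /dev/pts/1")  # constructed
        if selector_matches("auth.notice", "auth", "notice"):
            forward(msg, "127.0.0.1", port)
        return receive_one(rx, {"127.0.0.1"})


if __name__ == "__main__":
    print(demo())
```

The same selector logic shows why the Solaris box's "mail.warning;mail.info" line catches mail.info and mail.warning but not mail.debug, and why "auth.notice" on boiler would drop an auth.info message before it ever leaves the machine. A quick end-to-end check on a real pair of hosts is logger -p auth.notice "remote logging test" on the sender followed by a look at the receiver's auth log.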