12. Check both local and remote logs

Check the copy of your system logs (and kernel logs) on your remote syslog server (or, if no remote copy is available, your local logs, though these will almost certainly have been tampered with if your intruder has root access):

Also, check for differences between your local logs and the copy on your syslog server —
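One way to run that comparison, as an added example that is not part of the original guide. The function name `compare_logs`, the host names and the log lines are constructed for illustration, and it assumes both copies store lines in the same traditional `Mon DD HH:MM:SS host tag: message` format:

```shell
#!/bin/sh
# compare_logs HOST LOCAL_LOG REMOTE_LOG   (hypothetical helper, added example)
# MISSING-LOCAL: the syslog server has the line, the local file does not
#                (consistent with local deletion or truncation).
# LOCAL-ONLY:    the local file has a line the server never received
#                (forged entry, or a message lost in transit).
compare_logs() {
    host=$1; local_log=$2; remote_log=$3
    awk -v h="$host" '
        # Compare FILENAME rather than NR == FNR: an emptied local log
        # would otherwise make awk treat the remote file as the local one.
        FILENAME == ARGV[1] { local_line[++n] = $0; in_local[$0] = 1; next }
        # Field 4 is the originating host; skip other hosts on the server.
        $4 == h {
            in_remote[$0] = 1
            if (!($0 in in_local)) print "MISSING-LOCAL: " $0
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(local_line[i] in in_remote))
                    print "LOCAL-ONLY: " local_line[i]
        }
    ' "$local_log" "$remote_log"
}

# Constructed sample data: the local copy has lost two lines for web1.
demo_dir=$(mktemp -d)
cat > "$demo_dir/remote.log" <<'EOF'
Oct 23 13:01:02 web1 sshd[411]: Accepted password for root from 192.0.2.7 port 4022
Oct 23 13:01:09 web1 su[420]: session opened for user root
Oct 23 13:02:11 db1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Oct 23 13:03:30 web1 kernel: device eth0 entered promiscuous mode
EOF
cat > "$demo_dir/local.log" <<'EOF'
Oct 23 13:01:09 web1 su[420]: session opened for user root
EOF

compare_logs web1 "$demo_dir/local.log" "$demo_dir/remote.log"
```

Run it from a trusted machine against a copy of the suspect host's log; a compromised host's own `awk` and shell cannot be relied on.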




About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple