Very Computer

Due to recent severe problem with my Linux box (it actually turned out
I ran out of hard drive space and didn't notice it), I've gotten
serious about security and the syslog because I though I was hacked.
Anyway, I'm just curious what everyone's favorite program is for
viewing the logs on their computer. There's a program called system
log viewer that came with my distro and it really sucks.  I get better
results using cat /var/log/syslog | grep xxxx | less.  What do all of
you security gurus use?

On a side note, my syslog is getting rather large (3mb).  Can I trim
away and tar the old stuff  or use some script to keep the log from
growing so large in the future?

Thanks for any help.

various derivatives of
cat /var/log/whichever | grep "whatever" (or | grep -v whatever )

--
I will serve no algorithm before it's time.

Quote:>Due to recent severe problem with my Linux box (it actually turned out
>I ran out of hard drive space and didn't notice it), I've gotten
>serious about security and the syslog because I though I was hacked.
>Anyway, I'm just curious what everyone's favorite program is for
>viewing the logs on their computer. There's a program called system
>log viewer that came with my distro and it really sucks.  I get better
>results using cat /var/log/syslog | grep xxxx | less.  What do all of
>you security gurus use?

  One xterm has 'tail -f /var/log/messages' and another
runs 'tail -f /var/log/httpd/access_log'
  Sometimes I run them with grep, but usually just let
all output appear.

  Also, I allowed Bastille to redirect /var/log/messages
to /dev/tty7 and /var/log/maillog to /dev/tty8
(X runs on /dev/tty9)

Quote:>On a side note, my syslog is getting rather large (3mb).  Can I trim
>away and tar the old stuff  or use some script to keep the log from
>growing so large in the future?

'man logrotate'
'man cron'

  Most distributions include crontabs for log rotation.
Often, they're set for the wee hours of the morning.
If you run your machine 24x7, then your logs should
rotate.
  Otherwise, if you aren't running something like
anacron, your logs build up.  

--
Steve Ackman                            
http://twovoyagers.com
Registered Linux User #79430
http://www.netmeister.org/news/learn2quote.html

Quote:>Due to recent severe problem with my Linux box (it actually turned out
>I ran out of hard drive space and didn't notice it), I've gotten
>serious about security and the syslog because I though I was hacked.
>Anyway, I'm just curious what everyone's favorite program is for
>viewing the logs on their computer. There's a program called system
>log viewer that came with my distro and it really sucks.  I get better
>results using cat /var/log/syslog | grep xxxx | less.  What do all of
>you security gurus use?

I use logcheck, which runs from cron, and filters log data with regex's.
Quite handy, and very flexible.

Then I use something called 'chainlysis', which is specific for
iptables and/or ipchains.

Others:

http://www.psionic.com/download (logcheck)

Ian's http://freshmeat.net/projects/firelogd/

http://freshmeat.net/projects/fwlogwatch/

Quote:>On a side note, my syslog is getting rather large (3mb).  Can I trim
>away and tar the old stuff  or use some script to keep the log from
>growing so large in the future?

Man logrotate. Man tmpwatch, in case disk size problems are related to
tmp files. Also, have /var mounted on its own partition is a good idea.

--
Hal B




--

On 12 Sep 2001 19:37:30 -0700, Mike Hoover sez:

Quote:>Due to recent severe problem with my Linux box (it actually turned out
>I ran out of hard drive space and didn't notice it), I've gotten
>serious about security and the syslog because I though I was hacked.
>Anyway, I'm just curious what everyone's favorite program is for
>viewing the logs on their computer. There's a program called system
>log viewer that came with my distro and it really sucks.  I get better
>results using cat /var/log/syslog | grep xxxx | less.  What do all of
>you security gurus use?

So what's wrong with cat | grep | less?  It's always worked fine for
me!  That's the beautiful thing about Linux... there's no need to
run stupid resource-hogging utilities when you can handle
everything with the basic kernel commands.

Quote:>On a side note, my syslog is getting rather large (3mb).  Can I trim
>away and tar the old stuff  or use some script to keep the log from
>growing so large in the future?

rm * -f once a month works wonders for me; then I restart syslog.  I
figure, once I've analyzed the living daylights out of my logs and
there aren't any surprises, I don't really care about keeping 6 months
of login/logout entries, mail logs, ipchain DENY logs from the
countless port 80 scans from Red Alert, etc.

Anyway, sure, go ahead and tar or gzip or lha or whatever your
old logs.  I'm sure if you wanted to you could throw together a
script in cron.monthly or whatever that would create a date-based
archive of the log files, rm them, and restart syslog... but for
something you only do once a month or so, you might as well
do it manually so you can have more control over what gets
archived, deleted, etc.

Peter B. Steiger
Cheyenne, WY
----
If you reply by email, send it to pbs at com dot
canada (or vice-versa).  All adverti*ts will be
returned to your postmaster, eh!

Quote:> So what's wrong with cat | grep | less?  It's always worked fine for
> me!

Waste of a process, that's what. `grep | less' would be quite adequate.
(Obviously, this is a world-threatening serious heinous offence... Erm...)

Quote:> That's the beautiful thing about Linux... there's no need to run stupid
> resource-hogging utilities when you can handle everything with the basic
> kernel commands.

Er, what's a kernel command?

Quote:> >On a side note, my syslog is getting rather large (3mb). Can I trim away
> >and tar the old stuff or use some script to keep the log from growing so
> >large in the future?

> rm * -f once a month works wonders for me; then I restart syslog.

Erk. Use logrotate, that's what it exists for, and is at least as flexible,
and saves you reiterating the same boring things over & over. Someone's
been here before you...

Quote:> I figure, once I've analyzed the living daylights out of my logs and
> there aren't any surprises, I don't really care about keeping 6 months of
> login/logout entries, mail logs, ipchain DENY logs from the countless
> port 80 scans from Red Alert, etc.

This does not scale. You should care about packets that trickle in over the
course of days or weeks, not just the last few hours' worth. To that end,
I'd recommend that wonderful multi-format firewall-log analyzer,
_fwlogwatch_.

~Tim
--
   20:38:18 up 47 days, 10:36, 17 users,  load average: 0.15, 0.05, 0.01

http://piglet.is.dreaming.org     |From the village chimneys