* [gentoo-user] Practical log reviewing
From: Grant @ 2006-08-22 3:18 UTC
To: Gentoo mailing list
Does anyone know of a practical way to review all the various logs on
the system each day? Does it just come down to a brisk scroll through
the previous day's rotated logs?
- Grant
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Practical log reviewing
From: Collins Richey @ 2006-08-22 3:50 UTC
To: gentoo-user
On 8/21/06, Grant <emailgrant@gmail.com> wrote:
> Does anyone know of a practical way to review all the various logs on
> the system each day? Does it just come down to a brisk scroll through
> the previous day's rotated logs?
>
Isn't that why logwatch was created?
--
Collins Richey
If you fill your heart with regrets of yesterday and the worries
of tomorrow, you have no today to be thankful for.
* Re: [gentoo-user] Practical log reviewing
From: gentuxx @ 2006-08-22 3:53 UTC
To: gentoo-user
Grant wrote:
> Does anyone know of a practical way to review all the various logs on
> the system each day? Does it just come down to a brisk scroll through
> the previous day's rotated logs?
>
> - Grant
Depending on what your requirements are, try OSSEC-HIDS
(www.ossec.net). I've been using it for a couple weeks now and it's
pretty handy. The longer I use it, the more I add to it, the better it
is. Unfortunately there isn't an ebuild for it (yet). But it's really
easy to install. Plus it does a lot more than just log monitoring.
As far as other tools that might be available, you could try swatch or
any of the other plethora of tools that are out there. It really
depends on why you want to review your logs: curiosity? security?
regulation compliance?
- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
* [gentoo-user] Re: Practical log reviewing
From: reader @ 2006-08-22 4:57 UTC
To: gentoo-user
gentuxx <gentuxx@gmail.com> writes:
> Depending on what your requirements are, try OSSEC-HIDS
> (www.ossec.net). I've been using it for a couple weeks now and it's
> pretty handy. The longer I use it, the more I add to it, the better it
> is. Unfortunately there isn't an ebuild for it (yet). But it's really
> easy to install. Plus it does a lot more than just log monitoring.
You say it is easy to install and so it is, but once installed it
isn't at all clear what this thing does.
I'm guessing somewhere in all the hoopla it presents you with some
analysis of logs.
It's not one bit clear from their site how to get to that point.
Sorry for the rant but I was sort of surprised to find no real
overview that tells what this tool does in some detail.
This is the overview on the home page:
OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, rootkit detection,
time-based alerting and active response.
After that there is a manual that describes running the tool, but I
never see any detailed summary of what it really does and how to
access the analysis.
I've gone way OT here but I hoped you might write to me privately and
describe in some detail what you do with it...
* [gentoo-user] Re: Practical log reviewing
From: Stefan Wimmer @ 2006-08-22 8:16 UTC
To: gentoo-user
* reader@newsguy.com <reader@newsguy.com> [2006-08-22 04:57] :
> You say it is easy to install and so it is, but once installed it
> isn't at all clear what this thing does.
>
> I'm guessing somewhere in all the hoopla it presents you with some
> analysis of logs.
>
> It's not one bit clear from their site how to get to that point.
> Sorry for the rant but I was sort of surprised to find no real
> overview that tells what this tool does in some detail.
>
> This is the overview on the home page:
> [...]
>
> After that there is a manual that describes running the tool, but I
> never see any detailed summary of what it really does and how to
> access the analysis.
>
> [...]
Did you have a look at the FAQ (http://www.ossec.net/en/faq.html) as well? I
admit that this package is quite mighty and might be overkill for what you want
but the FAQ at least explains a few terms ...
HTH
swimmer
* Re: [gentoo-user] Practical log reviewing
From: Grant @ 2006-08-22 15:16 UTC
To: gentoo-user
> > Does anyone know of a practical way to review all the various logs on
> > the system each day? Does it just come down to a brisk scroll through
> > the previous day's rotated logs?
> >
>
> Isn't that why logwatch was created?
I emerged logwatch, but even though the man pages reference the
command 'logwatch' it is a 'command not found'. I ran 'logwatch.pl'
which I spotted from the emerge's output, but there was no output from
that script at all.
- Grant
* Re: [gentoo-user] Practical log reviewing
From: Troy Curtis Jr @ 2006-08-23 2:04 UTC
To: gentoo-user
Logwatch is really designed to be run as a cronjob which sends you an
email after it has parsed through your logs. The configuration for
logwatch is located in the /etc/log.d/ directory. In that directory
you will find many scripts and configuration options for a wide range
of different log files. You will want to start with
/etc/log.d/conf/logwatch.conf. By default it sends the email message
with the log analysis to root (you can set it to whatever you like if
you have your mailer configured correctly).
You should probably get a meaningful analysis with all the defaults,
just check your root account's mail.
I have been using logwatch for many months now and have been very
happy with it. Hope this helps point you in the right direction.
(Also check /etc/cron.daily/logwatch for the default cronjob).
Troy
BTW the obfuscated perl email address that gentux uses has to be the
coolest sig ever!
On 8/22/06, Grant <emailgrant@gmail.com> wrote:
> > > Does anyone know of a practical way to review all the various logs on
> > > the system each day? Does it just come down to a brisk scroll through
> > > the previous day's rotated logs?
> > >
> >
> > Isn't that why logwatch was created?
>
> I emerged logwatch, but even though the man pages reference the
> command 'logwatch' it is a 'command not found'. I ran 'logwatch.pl'
> which I spotted from the emerge's output, but there was no output from
> that script at all.
>
> - Grant
> --
> gentoo-user@gentoo.org mailing list
>
>
--
"Beware of spyware. If you can, use the Firefox browser." - USA Today
Download now at http://getfirefox.com
Registered Linux User #354814 ( http://counter.li.org/)
* Re: [gentoo-user] Practical log reviewing
From: Michael Sullivan @ 2006-08-23 3:11 UTC
To: gentoo-user
On Tue, 2006-08-22 at 21:04 -0500, Troy Curtis Jr wrote:
> Logwatch is really designed to be run as a cronjob which sends you an
> email after it has parsed through your logs. The configuration for
> logwatch is located in the /etc/log.d/ directory. In that directory
> you will find many scripts and configuration options for a wide range
> of different log files. You will want to start with
> /etc/log.d/conf/logwatch.conf. By default it sends the email message
> with the log analysis to root (you can set it to whatever you like if
> you have your mailer configured correctly).
>
> You should probably get a meaningful analysis with all the defaults,
> just check your root account's mail.
>
> I have been using logwatch for many months now and have been very
> happy with it. Hope this helps point you in the right direction.
> (Also check /etc/cron.daily/logwatch for the default cronjob).
>
> Troy
>
I've been having a little trouble with the logwatch script on my server
box; particularly the FTP section. If there is nothing for FTP in the
logs for the current day, and there was in the same date a year ago, it
shows the activity from a year ago. I use logrotate and have logs going
back quite a while - I guess that's where it's getting the information
from. It's just been doing that for about a month now. I haven't
gotten around to looking at the logwatch config yet. It kinda freaked
me out the first time it happened, until I looked at the dates. Just
this morning, my logwatch was dated August 22, 2006, but it had records
of files uploaded with my account from Aug 22, 2005...
> BTW the obfuscated perl email address that gentux uses has to be the
> coolest sig ever!
>
>
> On 8/22/06, Grant <emailgrant@gmail.com> wrote:
> > > > Does anyone know of a practical way to review all the various logs on
> > > > the system each day? Does it just come down to a brisk scroll through
> > > > the previous day's rotated logs?
> > > >
> > >
> > > Isn't that why logwatch was created?
> >
> > I emerged logwatch, but even though the man pages reference the
> > command 'logwatch' it is a 'command not found'. I ran 'logwatch.pl'
> > which I spotted from the emerge's output, but there was no output from
> > that script at all.
> >
> > - Grant
> > --
> > gentoo-user@gentoo.org mailing list
> >
> >
>
>
> --
> "Beware of spyware. If you can, use the Firefox browser." - USA Today
> Download now at http://getfirefox.com
> Registered Linux User #354814 ( http://counter.li.org/)
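Troy's description of a daily cron-driven review and Michael's report of last year's FTP entries surfacing on the same calendar day both come down to one property of classic syslog lines: they carry a month and day but no year, so a tool that scans every rotated file has to decide which year a line belongs to. The following is an added example, not code from logwatch or from anyone in this thread. It anchors each line's year to the modification date of the file it was read from, keeps only the lines that fall on the review day, and tallies a few event classes; it also exposes the naive behaviour (treating every file as this year's) so the difference is visible. The log lines, host name, addresses and event patterns are all constructed for the example.

```python
"""Daily review of syslog-style logs spread across rotated files.

Constructed example.  Classic syslog lines look like
"Aug 22 03:18:01 host prog[pid]: message" and carry no year, so a reviewer
that reads every rotated file can report an entry from a year ago as if it
happened on the review day.  Here each line's year is anchored to the
modification date of the file it came from before the day filter is applied.
"""
import re
from collections import Counter
from datetime import date, datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Month, space-padded day, time, host, program with optional [pid], message
LINE_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

# Event classes to count; these patterns are constructed for the sample below
PATTERNS = {
    "ssh_failed_password": re.compile(r"Failed password for"),
    "ssh_accepted": re.compile(r"Accepted (?:password|publickey) for"),
    "sudo_command": re.compile(r"COMMAND="),
    "ftp_upload": re.compile(r"OK UPLOAD"),
}


def resolve_year(month, day, file_mtime):
    """A log line cannot postdate the last write to its file, so a line whose
    month/day is later than the file's mtime belongs to the previous year
    (a 'Dec 30' line in a file last written on Jan 2)."""
    if (month, day) > (file_mtime.month, file_mtime.day):
        return file_mtime.year - 1
    return file_mtime.year


def parse_line(line, file_mtime, anchor_to_mtime=True, assumed_year=None):
    """Return a dict with a full timestamp, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, prog, msg = m.groups()
    month = MONTHS.get(mon)
    if month is None:
        return None
    if anchor_to_mtime:
        year = resolve_year(month, int(day), file_mtime)
    else:
        year = assumed_year  # naive: every file is treated as the current year
    try:
        ts = datetime(year, month, int(day), int(hh), int(mm), int(ss))
    except ValueError:
        return None  # e.g. a Feb 29 line resolved to a non-leap year
    return {"ts": ts, "host": host, "prog": prog, "msg": msg}


def review(files, review_day, anchor_to_mtime=True):
    """files: iterable of (file_mtime: date, lines: list of str).
    Returns (Counter of event class -> count, list of unclassified entries)
    for the lines that fall on review_day."""
    counts = Counter({name: 0 for name in PATTERNS})
    unclassified = []
    for mtime, lines in files:
        for line in lines:
            entry = parse_line(line, mtime, anchor_to_mtime, review_day.year)
            if entry is None or entry["ts"].date() != review_day:
                continue
            for name, rx in PATTERNS.items():
                if rx.search(entry["msg"]):
                    counts[name] += 1
                    break
            else:
                unclassified.append(entry)
    return counts, unclassified


# Constructed sample: the live log (last written 2006-08-23) and a rotated log
# from a year earlier (last written 2005-08-23).  Addresses are documentation ranges.
CURRENT_LOG = (date(2006, 8, 23), [
    "Aug 22 03:18:01 gentoo sshd[4321]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2",
    "Aug 22 03:18:05 gentoo sshd[4321]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2",
    "Aug 22 08:00:12 gentoo sshd[4400]: Accepted publickey for grant from 192.0.2.20 port 5000 ssh2",
    "Aug 22 08:01:00 gentoo sudo:    grant : TTY=pts/0 ; PWD=/home/grant ; USER=root ; COMMAND=/usr/bin/emerge logwatch",
    "Aug 23 01:00:00 gentoo cron[77]: (root) CMD (run-parts /etc/cron.daily)",
])
ROTATED_LOG = (date(2005, 8, 23), [
    'Aug 22 14:22:31 gentoo vsftpd[900]: [grant] OK UPLOAD: Client "192.0.2.30", "/home/grant/photo.jpg", 120000 bytes',
])
SAMPLE_FILES = [CURRENT_LOG, ROTATED_LOG]


def daily_report(review_day_iso, anchor_to_mtime=True):
    """Event counts for one day (ISO date string) over the constructed sample files."""
    counts, _ = review(SAMPLE_FILES, date.fromisoformat(review_day_iso), anchor_to_mtime)
    return dict(counts)


if __name__ == "__main__":
    print("anchored to file mtime:", daily_report("2006-08-22"))
    print("naive (current year):  ", daily_report("2006-08-22", anchor_to_mtime=False))
```

Run as a script it prints the two tallies side by side: the anchored one reports two failed SSH passwords, one accepted key and one sudo command for 22 August 2006 and no FTP upload, while the naive one also counts the 2005 upload, which is exactly the symptom Michael describes. Whichever summariser you settle on, checking how it assigns years to entries in rotated files is the caveat worth verifying before trusting a daily report.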