Auditing Linux Server Logs with Open Source Utilities
Server Training - Ubuntu Server Administration

Auditing Linux Server Logs with Open Source Utilities


One necessary part of a Linux administrator's job is to audit system logs. This helps ensure that things continue running smoothly, and it also helps to uncover any suspicious, possibly illegal activity on the network.

But, it's a job that nobody really looks forward to. It's tedious, and it's boring. Thankfully, Linux offers tools that can help out.

The major Linux distros each offer a choice of utilities that will parse the system logs, and mail a summary to the administrator. Each is set up to cull important events, and discard stuff that isn't quite so important. All of these utilities have a different focus, so it's hard for us to say which is the best. Your best bet would be to try out a few different ones, and see which you like best. To see what your distro has to offer, just open your favorite package manager, and search for the keyword "log".

If you're running a distro that's derived from Red Hat Enterprise--CentOS, StartCom, etc.--you'll find "logwatch", and a few other tools, in the official repositories. You'll also find some other log-audit tools in the RPMForge repositories. (See directions elsewhere on this site for adding the RPMForge repositories to your system.)

 

Log audit utilities in RPMForge


Debian and Ubuntu both offer a wide choice of log-audit utilities in their official repositories. If you're running Ubuntu Server, which comes without a graphical interface, you can use Aptitude to search for them.


Searching for log audit programs with Aptitude

 

You'll also need to install a Mail Transfer Agent, so that these tools can mail you the results of their log scans. If you don't have one installed already, your package manager will let you know, and handle the job for you.

 

Installing

 

By default, the reports will only be sent to your account on the local machine. If you'd rather have the reports sent to your normal email account, just add the proper entry in the /etc/aliases file, and then run the "newaliases" command.

Your new entry in the aliases file should look something like this:

# Person who should get root's mail
root: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

 

Now, you should start receiving audit reports via email. Here's on example of a simple one, on a day when not much was happening. Note how it's arranged in nice, easy-to-read sections.

 

 ################### Logwatch 7.3 (03/24/06) #################### 
        Processing Initiated: Tue Dec 11 04:02:08 2007
        Date Range Processed: yesterday
                              ( 2007-Dec-10 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: centos5
  ################################################################## 
 
 --------------------- pam_unix Begin ------------------------ 

 su-l:
    Unknown Entries:
       session closed for user root: 2 Time(s)
       session opened for user root by donnie(uid=500): 2 Time(s)
 
 
 ---------------------- pam_unix End ------------------------- 

 
 --------------------- sendmail Begin ------------------------ 

 
 
 SMTP SESSION, MESSAGE, OR RECIPIENT ERRORS
 ------------------------------------------
 
 WARNING!!!!  Possible Attack:
    Attempt from centos5 [127.0.0.1] with:
       command=HELO/EHLO, count=3: 1 Time(s)
 	Total:  1 Time(s) 
 ---------------------- sendmail End ------------------------- 

 
 --------------------- SSHD Begin ------------------------ 

 
 Users logging in through sshd:
    donnie:
       192.168.0.109: 3 times
 
 ---------------------- SSHD End ------------------------- 

 
 --------------------- XNTPD Begin ------------------------ 

 
 Total synchronizations 4 (hosts: 3)
 
 ---------------------- XNTPD End ------------------------- 

 
 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/mapper/VolGroup00-LogVol00
                        18G  4.4G   13G  26% /
 /dev/hda1              99M   16M   78M  17% /boot
 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End #########################

 

 

Ah-oh, it appears that we've had a security violation. Guess we'd better check it out, huh?