Firewall Wizards mailing list archives
Re: Logging
From: Roger Marquis <marquis () roble com>
Date: Thu, 26 Oct 2000 13:20:09 -0700 (PDT)
sim <simeonuj () eetc com> wrote:
I have a Sparc 10 running Redhat 6.2 as a firewall for a small network. Inside the network is a logserver that syslog sends most of the logs to. I am wondering if anyone has any suggestions as to what needs to be logged or a starting point for this kind of information.
It really doesn't matter what Unix operating system you're running, they all come with basically the same syslogd. What I always recommend is logging _everything_, everything except perhaps cron and mark. Here's our default syslog.conf (from ftp://ftp.roble.com/unix/syslog.conf.example):

-------------------------------------------------------------------
kern.debug                      /var/log/kern.messages
daemon.debug                    /var/log/daemon.messages
user.debug                      /var/log/user.messages
syslog,cron.info                /var/cron/log
auth.debug                      /var/log/auth.messages
news.debug                      /var/log/news.messages
mail.debug                      /var/log/mail.messages
uucp.debug                      /var/log/uucp.messages
local0.debug                    /var/log/local0.messages
local1.debug                    /var/log/local1.messages
local2.debug                    /var/log/local2.messages
local3.debug                    /var/log/local3.messages
local4.debug                    /var/log/local4.messages
local5.debug                    /var/log/local5.messages
local6.debug                    /var/log/local6.messages
local7.debug                    /var/log/local7.messages
ftp.debug                       /var/log/ftp.messages
authpriv,lpr.debug              /var/log/misc.messages
# everything to the loghost, minus syslog and cron (selectors are ';'-separated)
*.debug;syslog,cron.none        @remote-loghost
-------------------------------------------------------------------

If you have applications, devices, or other log sources that can be configured to write to different log facilities it is a good idea to use LOG_LOCAL[0-7] for those, leaving the others for the OS.

If you log everything you'll also need to rotate the logfiles whenever they grow beyond a certain size. This is because syslogd opens and closes the logfile with each entry. Logfiles larger than a MB or two can impact system performance. A root cron script will take care of this (see ftp://ftp.roble.com/unix/cron/hourly).

-------------------------------------------------------------------
LOGDIR=/var/log

#### rotate logfiles -gt 1MB

for i in $LOGDIR/*messages ; do
  if [ "`du -ks $i| awk '{print $1}'`" -gt 1000 ]; then
    #echo "rotating $i"
    # shift the existing generations up one slot, oldest first
    if [ -f $i.8 ]; then cp $i.8 $i.9 ;fi
    if [ -f $i.7 ]; then cp $i.7 $i.8 ;fi
    if [ -f $i.6 ]; then cp $i.6 $i.7 ;fi
    if [ -f $i.5 ]; then cp $i.5 $i.6 ;fi
    if [ -f $i.4 ]; then cp $i.4 $i.5 ;fi
    if [ -f $i.3 ]; then cp $i.3 $i.4 ;fi
    if [ -f $i.2 ]; then cp $i.2 $i.3 ;fi
    if [ -f $i.1 ]; then cp $i.1 $i.2 ;fi
    if [ -f $i.0 ]; then cp $i.0 $i.1 ;fi
    # copy the live log aside and truncate it in place
    cp $i $i.0
    cp /dev/null $i
  fi
done

# logs are readable by the sysadmin group only
chgrp sysadmin $LOGDIR/*messages*
chmod 640 $LOGDIR/*messages*
-------------------------------------------------------------------

You may also want to keep old logs on-line for ad-hoc grepping. One way to manage this is by rotating everything monthly (see ftp://ftp.roble.com/unix/cron/monthly):

-------------------------------------------------------------------
LOGDIR=/var/log

#### rotate OLD logs, keep 6 {month}'s worth in $LOGDIR/OLD
#### (in addition to the compressed archives)

cd $LOGDIR
for file in `ls OLD/*messages*.5` ; do
  cp $file "` echo $file|sed 's/.5$/.6/' `"
done
for file in `ls OLD/*messages*.4` ; do
  cp $file "` echo $file|sed 's/.4$/.5/' `"
done
for file in `ls OLD/*messages*.3` ; do
  cp $file "` echo $file|sed 's/.3$/.4/' `"
done
for file in `ls OLD/*messages*.2` ; do
  cp $file "` echo $file|sed 's/.2$/.3/' `"
done
for file in `ls OLD/*messages*.1` ; do
  cp $file "` echo $file|sed 's/.1$/.2/' `"
done
for file in `ls OLD/*messages*.0` ; do
  cp $file "` echo $file|sed 's/.0$/.1/' `"
done

#
# archive this {month}'s and
# clean up for the next
#
cd $LOGDIR
for file in `ls *messages` ; do
  # concatenate the hourly generations, oldest first, into one temp file
  for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 ; do
    if [ -s ${file}.${i} ]; then
      ls -ltgF ${file}.${i}
      cat ${file}.${i} >> ${file}.tmp
    fi
    rm -f ${file}.${i}
  done
  if [ -s ${file} ]; then
    ls -ltgF ${file}
    cat ${file} >> ${file}.tmp
    cp /dev/null ${file}
  fi
  if [ -s ${file}.tmp ]; then
    cp ${file}.tmp OLD/${file}.0
    ls -ltgF OLD/${file}.0
  fi
  rm -f ${file}.tmp
  ls -ltgF ${file}
done
-------------------------------------------------------------------

Depending on the size of your loghost's disks you'll want to check that these logfiles don't cause a disk-full situation.

-------------------------------------------------------------------
MAILTO=admin
DF="df -k"
# $BN (the subject-line prefix) is set earlier in the full script, not shown here

# every mounted device, minus the cdrom
PARTS="`$DF | grep '/dev/' |grep -v cdrom | awk '{print $NF }' | sed 's/^M/ /g' `"

for part in $PARTS ; do
  # percent used, column 5 of df output, without the '%'
  FD="`${DF} $part | grep -v Filesystem | sed 's/%//g' | awk '{print $5}'`"
  if [ $FD -gt 98 ]; then
    mail -s "$BN ALERT: $part at $FD%" $MAILTO < /dev/null
  elif [ $FD -gt 90 ]; then
    mail -s "$BN WARNING: $part at $FD%" $MAILTO < /dev/null
  elif [ $FD -gt 85 ]; then
    mail -s "$BN NOTICE: $part at $FD%" $MAILTO < /dev/null
  fi
done
-------------------------------------------------------------------

Also, since syslog uses UDP you'll want to use switches between loghost and logclients wherever possible.

With this level of granularity it is easy to step through each log and get a quick idea of what's happening on your systems. I use a script for this (ftp://ftp.roble.com/unix/readlog).

Some network management and IDS software will also process syslog data. This is especially nice since much of this information isn't easily obtainable via SNMP. Esecurity (www.esecurityinc.com) seems to have a nice package which understands syslog and other log file types (despite their minimalist /javascript disabled website). Anyone on this list have experience with Esecurity?

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
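An added example, written for this archive page and not one of Roger's scripts from roble.com: it generalises the hourly size-triggered rotation above into a POSIX sh function with a configurable number of generations, and pairs it with a df-based check using the same 85/90/98 percent thresholds as the disk script. File names, the size threshold and the sample log it creates are assumptions or constructed. It copies the live file aside and then truncates it in place, so a syslogd that keeps the file open continues writing to the same inode; the already-archived generations are renamed with mv since nothing holds them open.

```shell
#!/bin/sh
# Added example, not from the original post: size-triggered rotation with a
# configurable number of generations, plus a df-based disk-usage check.
# File names, thresholds and the sample log below are constructed.

# rotate_if_large FILE MAX_KB DEPTH
# If FILE is larger than MAX_KB, shift FILE.0 .. FILE.(DEPTH-2) up one slot,
# copy FILE to FILE.0 and truncate FILE in place. Copy-then-truncate keeps the
# inode, so a daemon that holds the file open keeps writing to the live file.
# Prints "rotated" or "kept".
rotate_if_large() {
    file=$1
    max_kb=$2
    depth=$3
    [ -f "$file" ] || { echo missing; return 1; }
    size_kb=$(( $(wc -c < "$file") / 1024 ))
    if [ "$size_kb" -le "$max_kb" ]; then
        echo kept
        return 0
    fi
    i=$((depth - 1))
    while [ "$i" -gt 0 ]; do            # oldest slot first, so nothing is clobbered
        prev=$((i - 1))
        if [ -f "$file.$prev" ]; then
            mv -f "$file.$prev" "$file.$i"
        fi
        i=$prev
    done
    cp -p "$file" "$file.0"
    : > "$file"                         # truncate, same inode
    chmod 640 "$file.0"                 # archived copies stay group-readable only
    echo rotated
}

# disk_usage_pct PATH
# Percent used of the filesystem holding PATH, from POSIX (-P) df output,
# where capacity is column 5 and carries a trailing '%'.
disk_usage_pct() {
    df -P -k "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# disk_level PCT -> ALERT / WARNING / NOTICE / OK, same thresholds as the post's script
disk_level() {
    if [ "$1" -gt 98 ]; then echo ALERT
    elif [ "$1" -gt 90 ]; then echo WARNING
    elif [ "$1" -gt 85 ]; then echo NOTICE
    else echo OK
    fi
}

# --- demo with a constructed log file ---------------------------------------
demo() {
    dir=$(mktemp -d)
    log="$dir/sample.messages"
    # constructed sample: ~1.5 MB of fake syslog lines
    yes "Oct 26 13:20:09 fw kernel: sample line (constructed)" | head -c 1500000 > "$log"
    rotate_if_large "$log" 1000 5       # 1 MB threshold, keep .0 .. .4 -> "rotated"
    rotate_if_large "$log" 1000 5       # live file is now empty -> "kept"
    ls -l "$dir"
    pct=$(disk_usage_pct "$dir")
    echo "$dir is ${pct}% full: $(disk_level "$pct")"
    rm -rf "$dir"
}
demo
```

Run it as a plain `sh` script; the demo rotates once, shows the resulting `sample.messages` and `sample.messages.0`, and reports the usage level of the temp directory's filesystem. In a cron job you would loop `rotate_if_large` over `/var/log/*messages` and pass `disk_level` output to `mail` as the post's script does.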
Current thread:
- Logging sim (Oct 26)
- Re: Logging James W. Abendschan (Oct 27)
- <Possible follow-ups>
- Re: Logging Roger Marquis (Oct 27)