Security Basics mailing list archives
Re: question about security logs
From: matt <matt () learnsecurityonline com>
Date: Fri, 01 Jul 2005 02:52:19 +0100
Tahis Vera wrote:
Hi all,

Pardon me if the question is too basic, but I wanted to know which logs are the most important to check every day for security purposes (I'm using Linux Debian). I check auth.log daily, and the accesses for some programs, but I read some articles that say that there are logs that must be checked regularly in the system in order to keep safe and identify possible intrusions/activity in the network.

Thanks,
Tahis
Hey,

On Debian the main logs you will need to check are as follows:

- /var/log/daemon.log - will inform you of information from daemons, such as weird requests; you may be able to spot attempted intrusions or actual intrusions
- /var/log/kern.log - will spot kernel problems; failed kernel exploits, or even successful ones with a sloppy attacker, may be logged
- /var/log/debug - certain services may output debugging information here, such as their start/stop status; this might spot unauthorised service restarts
- /var/log/messages - the main things to look out for here are unauthorised "syslogd 1.4.1#10: restart." lines; this would indicate an attacker may have restarted syslog
- /var/log/setuid.changes - this will indicate any mysterious new suid binaries that may have been introduced to your system
Whilst it may seem an impossible task on a highly active system, it is wise to keep track of as much activity on your server as is humanly possible, and checking these logs on a daily basis for events is one way.

Regards,
Matt
info () learnsecurityonline com
http://www.learnsecurityonline.com
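As an added example (not part of the mailing-list post, and not a tool from learnsecurityonline.com), the script below automates two of the daily checks Matt describes: finding "syslogd ...: restart." lines in /var/log/messages and reporting them when they fall outside an assumed maintenance window, and diffing two snapshots of the system's setuid binaries in the spirit of /var/log/setuid.changes. The log lines and setuid snapshots are constructed sample data embedded inline so it runs offline; the snapshot format (mode, owner, path) and the 06:00 maintenance window are assumptions, not anything the post specifies.

```python
"""Daily log-review helper for the Debian logs named above (added example).

All input is constructed sample data so the script runs offline.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Classic syslog line: "Jun 30 06:25:01 host tag: message"
# The tag may be "syslogd 1.4.1#10", "sshd[2201]" or just "kernel".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<msg>.*)$"
)

# Constructed sample of /var/log/messages (not real log data).
SAMPLE_MESSAGES = """\
Jun 30 06:25:01 debian syslogd 1.4.1#10: restart.
Jun 30 06:25:02 debian kernel: klogd 1.4.1#10, log source = /proc/kmsg started.
Jun 30 23:41:17 debian syslogd 1.4.1#10: restart.
Jun 30 23:41:18 debian sshd[2201]: Accepted password for tahis from 192.0.2.10 port 40112 ssh2
Jul  1 00:02:33 debian cron[2310]: (root) CMD (run-parts /etc/cron.hourly)
not a syslog line at all
""".splitlines()

# Constructed setuid snapshots, one line per file: "<mode> <owner> <path>".
# (Assumed format; e.g. what `find / -perm -4000 -printf '%m %u %p\n'` prints.)
YESTERDAY_SETUID = """\
4755 root /bin/su
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/chsh
""".splitlines()
TODAY_SETUID = """\
4755 root /bin/su
4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
6755 root /usr/bin/chsh
4755 root /var/tmp/updater
""".splitlines()


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog line into ts/host/prog/msg, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "syslogd 1.4.1#10" -> "syslogd", "sshd[2201]" -> "sshd"
    rec["prog"] = rec["tag"].split()[0].split("[")[0]
    return rec


def find_syslog_restarts(lines: Iterable[str]) -> List[str]:
    """Timestamps of every 'syslogd ...: restart.' event, the line the reply warns about."""
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and rec["prog"] == "syslogd" and rec["msg"].strip().rstrip(".") == "restart":
            hits.append(rec["ts"])
    return hits


def restarts_outside_window(lines: Iterable[str], window_hours=(6,)) -> List[str]:
    """Restarts not in the expected maintenance hours (assumed: the 06:xx logrotate run).

    A restart at any other hour is the 'unauthorised restart' worth a closer look.
    """
    return [ts for ts in find_syslog_restarts(lines) if int(ts[-8:-6]) not in window_hours]


def messages_per_program(lines: Iterable[str]) -> Counter:
    """Count lines per program, so an unfamiliar or unusually chatty daemon stands out."""
    return Counter(rec["prog"] for rec in map(parse_syslog, lines) if rec)


def setuid_changes(previous: Iterable[str], current: Iterable[str]) -> Dict[str, List[str]]:
    """Report setuid binaries that appeared, disappeared, or changed mode/owner."""
    def parse(lines):
        out = {}
        for line in lines:
            mode, owner, path = line.split(None, 2)
            out[path] = (mode, owner)
        return out

    before, after = parse(previous), parse(current)
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after if p in before and after[p] != before[p]),
    }


if __name__ == "__main__":
    print("syslogd restarts:", find_syslog_restarts(SAMPLE_MESSAGES))
    print("outside window:", restarts_outside_window(SAMPLE_MESSAGES))
    print("per program:", dict(messages_per_program(SAMPLE_MESSAGES)))
    print("setuid changes:", setuid_changes(YESTERDAY_SETUID, TODAY_SETUID))
```

On a real host you would feed `open("/var/log/messages")` to the first three functions and keep yesterday's setuid snapshot on disk for the diff; the point of the window check is that the daily logrotate restart is expected noise, while a restart at 23:41 is the kind of event the reply says to investigate.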