Security Basics mailing list archives

Re: question about security logs


From: matt <matt () learnsecurityonline com>
Date: Fri, 01 Jul 2005 02:52:19 +0100

Tahis Vera wrote:

Hi all, Pardon me if the question is too basic, but I wanted to know which
logs are the most important to check everyday for security purposes
(I'm using Linux Debian).
I check auth.log daily, and the accesses for some programs, but I read
some articles that say that there are logs that must be checked
regularly in the system in order to keep safe and identify possible
intrusions/activity in the network.

thanks

tahis

Hey,

On debian the main logs you will need to check are as follows:

/var/log/daemon.log - will inform you of information from daemons, such as weird requests; you may be able to spot attempted intrusions or actual intrusions.
/var/log/kern.log - will spot kernel problems; failed kernel exploits, or even successful ones with a sloppy attacker, may be logged.
/var/log/debug - certain services may output debugging information here, such as their start/stop status; this might spot unauthorised service restarts.
/var/log/messages - the main thing to look out for here is an unauthorised "syslogd 1.4.1#10: restart." This would indicate an attacker may have restarted syslog.
/var/log/setuid.changes - this will indicate any mysterious new suid binaries that may have been introduced to your system.

Whilst it may seem an impossible task on a highly active system, it is wise to keep track of as much activity on your server as is humanly possible, and checking these logs on a daily basis for events is one way.

Regards

Matt
info () learnsecurityonline com
http://www.learnsecurityonline.com
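As an added example (not part of Matt's reply or anything else in this thread), here is a small Python script that applies the checks described above to the logs Matt lists: a syslogd restart in messages, kernel faults in kern.log, odd-looking requests in daemon.log, service start/stop lines in debug, and new suid files in setuid.changes. It does not read /var/log; the log lines are constructed sample input, the syslogd line simply mirrors the one quoted in the reply, and the regexes, hostnames, paths and the diff-style "+"/"-" layout assumed for setuid.changes are this example's assumptions, not facts stated in the post.

```python
import re

# One regex per log, pairing a log name from the reply with the kind of
# event to look for there. The patterns are this example's assumptions
# about typical Debian syslog wording, not something the post specifies.
INDICATORS = {
    "messages":   (re.compile(r"syslogd [\w.#]+: restart"), "syslogd restart (check who restarted it)"),
    "kern.log":   (re.compile(r"segfault at|Oops:|general protection"), "kernel fault (failed exploit?)"),
    "daemon.log": (re.compile(r"\.\./|%[0-9a-fA-F]{2}"), "odd request to a daemon"),
    "debug":      (re.compile(r"\b(Starting|Stopping|Restarting)\b"), "service start/stop"),
}

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    return {"ts": ts, "host": host, "prog": prog, "pid": pid, "msg": msg}


def scan_log(name, lines):
    """Return the lines of one log that match its indicator, with the program that logged them."""
    pattern, desc = INDICATORS[name]
    findings = []
    for line in lines:
        if pattern.search(line):
            parsed = parse_syslog(line) or {}
            findings.append({"desc": desc, "prog": parsed.get("prog"), "line": line})
    return findings


def scan_setuid_changes(lines):
    """Read a setuid.changes report. Assumes diff-style '+' (new) and '-' (gone) lines."""
    added = [l[1:].strip() for l in lines if l.startswith("+")]
    removed = [l[1:].strip() for l in lines if l.startswith("-")]
    return added, removed


def triage(logs):
    """Run every check and return {log name: [findings]}; an empty list means nothing flagged."""
    report = {}
    for name, lines in logs.items():
        if name == "setuid.changes":
            added, removed = scan_setuid_changes(lines)
            report[name] = ([{"desc": "new setuid/setgid file", "line": p} for p in added] +
                            [{"desc": "setuid/setgid file removed", "line": p} for p in removed])
        elif name in INDICATORS:
            report[name] = scan_log(name, lines)
    return report


# Constructed sample input: nothing here was read from a real system.
SAMPLE_LOGS = {
    "messages": [
        "Jul  1 06:25:01 web1 syslogd 1.4.1#10: restart.",
        "Jul  1 06:25:02 web1 kernel: klogd 1.4.1#10, log source = /proc/kmsg started.",
    ],
    "kern.log": [
        "Jul  1 03:14:07 web1 kernel: ftpd[2209]: segfault at 41414141 ip 41414141 sp bffff5a0 error 4",
    ],
    "daemon.log": [
        "Jul  1 03:13:58 web1 ftpd[2209]: RETR ../../../../etc/shadow",
        "Jul  1 04:00:01 web1 ntpd[912]: synchronized to 10.0.0.1, stratum 2",
    ],
    "debug": [
        "Jul  1 06:24:59 web1 sshd[2300]: Restarting ssh",
    ],
    "setuid.changes": [
        "+ -rwsr-xr-x 1 root root 12345 Jul  1 03:15 /tmp/.x/sh",
    ],
}

if __name__ == "__main__":
    for log, findings in triage(SAMPLE_LOGS).items():
        print(f"{log}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['desc']}] {f['line']}")
```

To use it against a real box, replace SAMPLE_LOGS with the contents of the files under /var/log (run as root or via a cron job that mails the output) and tune the regexes to what your daemons actually log; a syslogd restart that does not line up with your own maintenance, or a new suid file under /tmp, is the sort of finding worth chasing the same day.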

