Security Basics mailing list archives
Re: question about security logs
From: Gonzalo Martinez <karmax () gmail com>
Date: Fri, 1 Jul 2005 11:15:39 -0300
On 6/30/05, Tahis Vera <tahis.vera () gmail com> wrote:
> Which logs are the most important to check every day (I'm using Linux Debian)?
Hi Tahis,

First you must configure /etc/syslog.conf to tell "WHAT" you want to log (and how). (I assume that you use syslog, but I recommend that you use syslog-ng.)

By default syslogd logs to these files:

/var/log/messages
    *.=info;*.=notice;*.=warning    /var/log/messages
    This file logs almost "all" messages (also the firewall logs, depending on how it is set up).

/var/log/syslog
    Generally here are the logs related to "access" (or attempts) to the system services.

/var/log/debug
    *.=debug    /var/log/debug
    Logs with priority 6 (DEBUG).

/var/log/daemon.log
    daemon.*    /var/log/daemon.log
    Logs of daemons.

/var/log/kern.log
    kern.*    /var/log/kern.log
    klogd mostly logs here.

/var/log/user.log
    user.*    /var/log/user.log
    Related to messages to users (i.e. system shutdown).

/var/log/mail.log
    mail.info       /var/log/mail.info
    mail.warning    /var/log/mail.warning
    mail.err        /var/log/mail.err
    Everything about mail (what comes in and out, errors, etc.).

/var/log/wtmp
    Login-related log (when, where, date, who...). You must check it with last, i.e.: last -5 (to check the last 5 login entries).

/var/log/lastlog
    Date and where of the last user login. To check it you must use lastlog, i.e.: lastlog -u root

/var/log/faillog
    Related to lastlog, but with the command "faillog" you can check the failed logins, i.e.: faillog -u user
    You can set a "maximum" number of attempts, i.e.: faillog -u user -m value

Well, it's just a REALLY basic answer, but you can check a lot more with man or just Google.

Good bye
--
Gonzalo Martinez
Jabber: KarMax () jabber org
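As an added illustration (not part of Gonzalo's reply), here is a small Python model of how the syslog.conf selectors he quotes route a message to files. It assumes classic syslogd semantics: "=prio" matches exactly that priority, "facility.prio" matches that priority and above, and "*" matches any; the "none" and "!" forms and syslog-ng's own config format are not modelled.

```python
import re

# Syslog priorities from lowest to highest severity (standard names).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed syslog.conf fragment built from the rules quoted in the reply above.
SAMPLE_CONF = """
*.=info;*.=notice;*.=warning   /var/log/messages
*.=debug                       /var/log/debug
daemon.*                       /var/log/daemon.log
kern.*                         /var/log/kern.log
user.*                         /var/log/user.log
mail.info                      /var/log/mail.info
mail.warning                   /var/log/mail.warning
mail.err                       /var/log/mail.err
"""

def parse_conf(text):
    """Parse 'selector[;selector] target' lines into [(selectors, target)]; a selector
    is (facilities, exact, priority). 'none' and '!' forms are not modelled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sel_part, target = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_part.split(";"):
            facs, prio = sel.rsplit(".", 1)
            exact = prio.startswith("=")          # '=info' means exactly info
            prio = prio.lstrip("=")
            selectors.append((facs.split(","), exact, ALIASES.get(prio, prio)))
        rules.append((selectors, target))
    return rules

def matches(facilities, exact, prio, msg_fac, msg_prio):
    """True if one selector accepts a message of facility msg_fac at priority msg_prio."""
    if "*" not in facilities and msg_fac not in facilities:
        return False
    if prio == "*":
        return True
    if exact:
        return msg_prio == prio
    return PRIORITIES.index(msg_prio) >= PRIORITIES.index(prio)   # 'mail.info' = info and above

def targets_for(rules, facility, priority):
    """Files, in config order, that a facility.priority message would be written to."""
    return [t for sels, t in rules
            if any(matches(f, e, p, facility, priority) for f, e, p in sels)]
```

Asking targets_for for user.crit returns only /var/log/user.log: with exact-priority selectors, /var/log/messages never receives the higher-severity entries, which is worth verifying before treating it as the one file to read every day.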