Security Basics mailing list archives

Re: question about security logs


From: Gonzalo Martinez <karmax () gmail com>
Date: Fri, 1 Jul 2005 11:15:39 -0300

On 6/30/05, Tahis Vera <tahis.vera () gmail com> wrote:
Which logs are the most important to check every day?
(I'm using Linux Debian.)


Hi Tahis

First you must configure /etc/syslog.conf to tell it "WHAT" you want to
log (and how). (I assume that you use syslog, but I recommend that you
use syslog-ng.)

By default syslogd logs to these files:


  /var/log/messages
  *.=info;*.=notice;*.=warning  /var/log/messages

This file logs almost "all" messages (also the firewall logs, depending
on how it is set up).


  /var/log/syslog

Generally here are the logs related to "access" (or attempts) to the
system services.


  /var/log/debug
  *.=debug                      /var/log/debug

Logs with priority 6 (DEBUG).


  /var/log/daemon.log
  daemon.*                      /var/log/daemon.log

Logs of daemons.


  /var/log/kern.log
  kern.*                        /var/log/kern.log

klogd mostly logs here.


  /var/log/user.log
  user.*                        /var/log/user.log

Related to messages to users (e.g. system shutdown).


  /var/log/mail.log
  mail.info                     /var/log/mail.info
  mail.warning                  /var/log/mail.warning
  mail.err                      /var/log/mail.err

Everything about mail (what comes in and out, errors, etc.).


  /var/log/wtmp

Login-related log (when, where, date, who...).
You must check it with last,
e.g.: last -5
(to check the last 5 logins).


  /var/log/lastlog

Date and place of the last user login.
To check it you must use lastlog,
e.g.: lastlog -u root


  /var/log/faillog

Related to lastlog, but with the command "faillog" you can check the
failed logins,
e.g.: faillog -u user
You can set a "maximum" number of attempts,
e.g.: faillog -u user -m value


Well, it's just a REALLY basic answer, but you can check a lot more
with man or just Google.
Good bye

-- 
Gonzalo Martinez
Jabber: KarMax () jabber org
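A defender's first question about selector lines like the ones quoted above is which file, if any, a given facility/priority message actually reaches. The following Python is an added example, not code from the post or from sysklogd: it implements the sysklogd selector semantics ("=" exact, plain priority meaning that level and more severe, "none" excluding a facility) and resolves messages against SAMPLE_CONF, which is constructed from the post's lines only and is not a full Debian syslog.conf, so facilities the post does not list (auth, for instance) resolve to no file at all.

```python
PRIORITIES = {  # syslog priority codes: 0 = emerg (most severe) .. 7 = debug
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed sample: only the selector lines the post quotes, one file each.
SAMPLE_CONF = """\
*.=info;*.=notice;*.=warning  /var/log/messages
*.=debug                      /var/log/debug
daemon.*                      /var/log/daemon.log
kern.*                        /var/log/kern.log
user.*                        /var/log/user.log
mail.info                     /var/log/mail.info
mail.warning                  /var/log/mail.warning
mail.err                      /var/log/mail.err
"""

def parse_syslog_conf(text):
    """Return [(selectors, file)]; selectors is [(facility, priority_spec)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments, blanks
        if not line:
            continue
        selector_field, target = line.split()          # "sel;sel  /path"
        selectors = []
        for part in selector_field.split(";"):
            facilities, prio = part.rsplit(".", 1)     # "fac,fac.prio"
            selectors.extend((fac, prio) for fac in facilities.split(","))
        rules.append((selectors, target.lstrip("-")))  # leading '-' = no sync
    return rules

def rule_matches(selectors, facility, priority):
    """sysklogd semantics, evaluated left to right: selectors OR together,
    'none' clears the facility, '=p' is exact, plain 'p' is p or more severe."""
    matched = False
    for fac, spec in selectors:
        if fac != "*" and fac != facility:
            continue
        if spec == "none":
            matched = False
        elif spec == "*":
            matched = True
        elif spec.startswith("="):
            matched = matched or PRIORITIES[priority] == PRIORITIES[spec[1:]]
        else:
            matched = matched or PRIORITIES[priority] <= PRIORITIES[spec]
    return matched

def destinations(rules, facility, priority):  # [] means the message is lost
    return [f for sel, f in rules if rule_matches(sel, facility, priority)]
```

With the post's selectors, `kern.err` lands only in kern.log and never in messages (which takes exact info/notice/warning only), and a `mail.crit` line is written to all three mail files; reviewing a host's real syslog.conf this way shows which facilities have no destination.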

