09-10-2004 #1 (Just Joined! | Join Date: Jul 2004 | Posts: 53)
Which logs do you monitor most often?
I was wondering which logs you guys keep an eye on the most. I've just compiled root-tail and was trying to find some examples of which logs to monitor in Slackware (I've noticed when reading about logs mine aren't where they're "supposed" to be). Maybe even let me know how syslogd is configured on your system. That would be a great resource for info.
-Thanks in advance
09-10-2004 #2
I watch secure and messages a lot.
Secure will tell you who's logging in, who's trying to log in, accepted as well as failures.
Messages will tell you just about everything else.
System failures and such.
If you are running a mail server I check out maillog too.
Also check out
My Slackware doesn't have xferlog but if yours does I would check it every now and then. Just to see if files are moving on or off of your system. Such as an FTP hack.
These are in /var/log
Just in case you didn't know
as root
tail -f /var/log/messages
-f gives you the latest 10 lines of the file and stays recurring
if you don't want to watch real time
-100 instead of -f: this will give you the latest 100, then ends.
remember if syslog has recently rotated files there might not be 100 lines yet
Cheers,
Mike
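Post #2 says that "secure" shows who logged in, who tried to, and which attempts failed. The script below is an added example, not code from anyone in this thread: it takes sshd lines of the kind found in /var/log/secure and turns them into the summary you would actually want to watch, accepted accounts, failed attempts per source address, and sources over a chosen threshold. The log lines in SAMPLE_SECURE are constructed sample data with documentation addresses, not output from any real machine.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what /var/log/secure
# style sshd lines say about accepted and failed logins, the information
# post #2 says "secure" gives you. SAMPLE_SECURE is constructed sample data,
# not output captured from any real machine.
SAMPLE_SECURE='Sep 10 08:01:12 slack sshd[2011]: Accepted password for mike from 192.0.2.10 port 40122 ssh2
Sep 10 08:02:40 slack sshd[2020]: Failed password for root from 198.51.100.7 port 50011 ssh2
Sep 10 08:02:43 slack sshd[2020]: Failed password for root from 198.51.100.7 port 50011 ssh2
Sep 10 08:02:47 slack sshd[2020]: Failed password for invalid user admin from 198.51.100.7 port 50013 ssh2
Sep 10 08:05:01 slack sshd[2031]: Accepted publickey for mike from 192.0.2.10 port 40130 ssh2'

# count_failed: total "Failed password" lines on stdin
count_failed() {
    grep -c 'Failed password'
}

# accepted_users: distinct account names that completed a login, one per line
accepted_users() {
    grep 'Accepted ' | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from .*/\1/p' | sort -u
}

# failed_by_source: "count address" for failed attempts, busiest source first
failed_by_source() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# sources_over N: addresses with at least N failed attempts (a simple
# brute-force indicator to alert on rather than eyeball in tail -f)
sources_over() {
    failed_by_source | awk -v n="$1" '$1 >= n { print $2 }'
}

# Stand-alone run: print the summary for the constructed sample.
printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
printf '%s\n' "$SAMPLE_SECURE" | accepted_users
```

Against a live system you would feed the real file instead of the sample, for example `sources_over 5 < /var/log/secure`, run from cron, which is the point: tail -f shows you the lines, but a count per source is what tells you a password-guessing run is under way.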
09-10-2004 #3 (Just Joined! | Join Date: Jul 2004 | Posts: 53)
Thanks for the info. Now I'm trying to get root tail running when I launch x11. Unfortunately I can't put in in my .xinitrc because I need to be root to access the log files. Anyone have any experience setting up root-tail?
-Thanks again for all your help.
09-10-2004 #4
tail is a normal command like more or less.
you could save the file and more or less or cat it
I like tail the best
I don't think you have to be root to use tail but you do to watch the logs. If you don't have root access you can have your admin create a group that will allow you to monitor the files without write permissions.
if you do have root permission
su -
password
cd /var/log
tail -f secure
Make sure you have the dash after su that is true root
if you only do su you will be user with some of root privileges.
su - is full on root
be careful
Mike
09-10-2004 #5 (Just Joined! | Join Date: Jul 2004 | Posts: 53)
Could I just change the permissions of /var/log to be readable by all? Is that a security risk for people to be able to read your logs? Anyway, it doesn't matter to me; no one uses this computer but me. And if you can hack into my computer, kudos; just don't mess anything up (like removing my logs)!
Originally Posted by adrenaline
So I will give that a try and see how it works out for me.
09-10-2004 #6
You don't have to worry about me hacking into your computer but you do have to worry about super villain doing it.
if you are the only one that uses the computer just su - or do a
chmod 770 messages
chgrp <usrname> messages
then root and your usrname will have all rights but anybody else will have no rights
make sense?
Mike
oh ya you will have to be root to do that and you will have to be in the directory
cd /var/log
BTW if someone does hack your computer the first thing they will do is erase your logs or at least the ones that capture him
09-10-2004 #7 (Just Joined! | Join Date: Jul 2004 | Posts: 53)
I imagine if the first thing they did was remove my logs they would have failed at not being detected. The logs would be cleared last I assume or else there would be logs of everything the hacker did afterwards :P
If a hacker had gained access to a super-user account, which I believe is needed to clear the logs(?), then it wouldn't matter if everyone had read access anyway because he could change his permissions to anything he likes. :\
Right?
[edit] Also I noticed that syslog was readable, err, well when I was root and ls -l in /var/log shows -rw-r--r-- so I thought that meant that it was readable by all. But when I try to use root-tail /var/log/syslog nothing shows up on my desktop. Using sudo and an absolute pathname to root-tail makes it work (well I've tried on both secure and messages but not syslog). But I can't use sudo in my x startup scripts. Once again the help is appreciated. BTW syslog is FULL of stuff so it's not that the file was empty.[/edit]
09-10-2004 #8
You are right but if you keep your box secure you won't have to worry about it at all. They can do things like write scripts that don't log their commands after they erase your logs.
Here is what happened to me a few years back:
I had a wu ftp server running and I was green. I got hacked and they used my box to try and hack the civil defense dept. (of which they didn't) but a **** storm came down on my ISP and I had a lot of questions to answer. What he did was get in through my broken ftp, figured out my root password and hid all of his folders. Then he edited "ls" so it wouldn't show his files and directories. In fact I never figured out he was there till my ISP went through and found him. He was never in my logs. BTW he did use my box to hack 3com and was successful.
Just a little FYI
I haven't been hacked since.
It would be a good thing to learn how to read the logs.
Mike
09-10-2004 #9 (Just Joined! | Join Date: Jul 2004 | Posts: 53)
Ouch.
I am aware of the security risks of running a computer on the internet. I am in college for computer network engineering not because I wanted to but because it was obvious that everything I was learning until that point was pointing me in that direction. I try and keep my box as secure as possible (that's why I don't care if a hacker gets in), he must be better than me to get past what I try to make a secure system and I am constantly reading and trying to make my box more secure.
I've noticed in the real world many people don't care about security but I have always at least been conscious of that aspect of computers (even though my teachers in school, and real world boss and co-workers hadn't a clue about network security). I plan on continuing my pursuit of knowledge in this wonderful field even if my classes don't require it, I'm just going at my own pace. Readable logs seem like a minor security threat to me. Perhaps you think differently. Oh well. Can we get back to running root-tail as a non-root user in slackware? Cause that's what I really want to talk about.
Thanks again for your input.
09-10-2004 #10
-rw-r----- 1 root root 4148 2004-09-09 16:28 secure
this is what my file looks like
where it says root root
the first root is the owner and the second root is the group
the -rw-r means that owner has read/write and group has read.
as root do
chgrp <usrname> secure
user name is your user name that you are logged in your system as right now
now it should read
-rw-r----- 1 root <usrname> 4148 2004-09-09 16:28 secure
This should allow your user name to read that file.
Make sense?
Mike
Also in case you didn't know
netstat -pant will show you your tcp ports that are open.
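Post #10 reads an `ls -l` line column by column (mode, then owner, then group) to decide who can read "secure", and post #7 noticed that syslog was -rw-r--r--, readable by everyone. The script below is an added example, not code from anyone in this thread: it applies that same reading to a whole listing and flags any log file that people other than the owner and the log-reader group can read or modify. Group read is accepted on purpose, because that is exactly the chgrp arrangement the thread describes. SAMPLE_LISTING is a constructed listing, not output from a real /var/log.

```shell
#!/bin/sh
# Added example, not code from the thread: read `ls -l` lines the way post #10
# explains them (mode, then owner, then group) and flag log files that anyone
# beyond the owner and the chosen log-reader group can read or modify.
# SAMPLE_LISTING is a constructed listing, not output from a real /var/log.
SAMPLE_LISTING='-rw-r----- 1 root root    4148 2004-09-09 16:28 secure
-rw-r--r-- 1 root root  918233 2004-09-09 16:28 syslog
-rw-rw-r-- 1 root adm    20484 2004-09-09 16:28 messages
-rw------- 1 root root    3321 2004-09-09 16:28 maillog'

# audit_listing: for each ls -l line on stdin print "name: flags", where flags
# is "ok" or any of world-readable, world-writable, group-writable. Group read
# is accepted on purpose: that is the chgrp arrangement the thread describes.
audit_listing() {
    awk '
    /^[-dl]/ {
        mode = $1; name = $NF; flags = ""
        # mode string positions: 2-4 owner rwx, 5-7 group rwx, 8-10 others rwx
        if (substr(mode, 8, 1) == "r") flags = flags " world-readable"
        if (substr(mode, 9, 1) == "w") flags = flags " world-writable"
        if (substr(mode, 6, 1) == "w") flags = flags " group-writable"
        if (flags == "") flags = " ok"
        print name ":" flags
    }'
}

# flagged_files: just the names that did not come back "ok"
flagged_files() {
    audit_listing | grep -v ': ok$' | cut -d: -f1
}

# owner_group NAME: print "owner group" for the named file in the listing,
# the two columns post #10 tells you to look at after a chgrp
owner_group() {
    awk -v f="$1" '$NF == f { print $3, $4 }'
}

# Stand-alone run over the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

To check a real machine, pipe the real listing in instead of the sample: `ls -l /var/log | audit_listing`. A group-writable log is the finding to care about most, since anyone in that group could quietly edit or truncate the file, which is the tampering post #6 and post #8 warn about; world-readable logs are the information leak the thread was debating.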