  1. #1
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53

    Which logs do you monitor most often?


    I was wondering which logs you guys keep an eye on the most. I've just compiled root-tail and was trying to find some examples of which logs to monitor in Slackware (I've noticed when reading about logs mine aren't where they're "supposed" to be). Maybe even let me know how syslogd is configured on your system. That would be a great resource for info.

    -Thanks in advance

  2. #2
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    I watch secure and messages a lot.
    Secure will tell you who's logging in and who's trying to log in, accepted as well as failures.
    Messages will tell you just about everything else.
    System failures and such.
    If you are running a mail server I check out maillog too.
    Also check out
    My Slackware doesn't have xferlog but if yours does I would check it every now and then. Just to see if files are moving on or off of your system. Such as a FTP hack.
    These are in /var/log

    Just in case you didn't know
    as root
    tail -f /var/log/messages
    -f gives you the latest 10 lines of the file and stays recurring
    if you don't want to watch real time
    -100 instead of -f: this will give you the latest 100 then ends.
    remember if syslog has recently rotated files there might not be 100 lines yet

    Cheers,
    Mike
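    As an added example (not from the thread): the "accepted as well as failures" view of secure described above, as a shell function that summarizes sshd lines per result, user and source, plus a second function that lists sources with repeated failures. The sample lines are constructed in the sshd log format; pipe real lines in with something like tail -100 /var/log/secure | summarize_logins.

```shell
#!/bin/sh
# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_SECURE='Sep  9 16:20:01 slack sshd[2101]: Accepted password for mike from 192.0.2.10 port 51234 ssh2
Sep  9 16:21:15 slack sshd[2105]: Failed password for root from 198.51.100.7 port 4411 ssh2
Sep  9 16:21:17 slack sshd[2105]: Failed password for root from 198.51.100.7 port 4411 ssh2
Sep  9 16:21:20 slack sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2
Sep  9 16:25:40 slack sshd[2110]: Accepted publickey for mike from 192.0.2.10 port 51300 ssh2'

# summarize_logins: reads secure-format lines on stdin and prints one line
# per (result, user, source) with a count, e.g. "Failed root 198.51.100.7 2".
summarize_logins() {
  awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for / {
      result = $6
      # the user follows "for"; "invalid user NAME" needs two extra fields
      for (i = 7; i <= NF; i++) if ($i == "for") { u = i + 1; break }
      user = ($u == "invalid") ? $(u + 2) : $u
      for (i = u; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
      n[result " " user " " src]++
    }
    END { for (k in n) print k, n[k] }
  ' | LC_ALL=C sort
}

# failed_sources THRESHOLD: sources with at least THRESHOLD failed attempts,
# which is the thing worth looking at first when tailing secure.
failed_sources() {
  summarize_logins | awk -v t="$1" '
    $1 == "Failed" { f[$3] += $4 }
    END { for (s in f) if (f[s] >= t) print s, f[s] }
  ' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_SECURE" | summarize_logins
printf '%s\n' "$SAMPLE_SECURE" | failed_sources 2
```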

  3. #3
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53
    Thanks for the info. Now I'm trying to get root-tail running when I launch x11. Unfortunately I can't put it in my .xinitrc because I need to be root to access the log files. Anyone have any experience setting up root-tail?

    -Thanks again for all your help.

  4. #4
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    tail is a normal command like more or less.
    you could save the file and more or less or cat it
    I like tail the best
    I don't think you have to be root to use tail but you do to watch the logs. If you don't have root access you can have your admin create a group that will allow you to monitor the files without write permissions.
    if you do have root permission
    su -
    password
    cd /var/log
    tail -f secure

    Make sure you have the dash after su, that is true root
    if you only do su you will be user with some of root privileges.
    su - is full on root
    be careful
    Mike

  5. #5
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53
    Quote Originally Posted by adrenaline
    tail is a normal command like more or less.
    you could save the file and more or less or cat it
    I like tail the best
    I don't think you have to be root to use tail but you do to watch the logs. If you don't have root access you can have your admin create a group that will allow you to monitor the files without write permissions.
    if you do have root permission
    su -
    password
    cd /var/log
    tail -f secure

    Make sure you have the dash after su, that is true root
    if you only do su you will be user with some of root privileges.
    su - is full on root
    be careful
    Mike
    Could I just change the permissions of /var/log to be readable by all? Is that a security risk for people to be able to read your logs? Anyway it doesn't matter to me no one uses this computer but me. And if you can hack into my computer kudos; just don't mess anything up (like removing my logs)!

    So I will give that a try and see how it works out for me.

  6. #6
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    You don't have to worry about me hacking into your computer but you do have to worry about a super villain doing it.
    if you are the only one that uses the computer just su - or do a
    chmod 770 messages
    chgrp <usrname> messages
    then root and your usrname will have all rights but anybody else will have no rights
    make sense?
    Mike
    oh ya you will have to be root to do that and you will have to be in the directory
    cd /var/log

    BTW if someone does hack your computer the first thing they will do is erase your logs or at least the ones that capture him

  7. #7
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53
    I imagine if the first thing they did was remove my logs they would have failed at not being detected. The logs would be cleared last I assume or else there would be logs of everything the hacker did afterwards :P

    If a hacker had gained access to a super-user account, which I believe is needed to clear the logs(?), then it wouldn't matter if everyone had read access anyway because he could change his permissions to anything he likes. :\

    Right?

    [edit] Also I noticed that syslog was readable, err, well when I was root and ls -l in /var/log shows -rw-r--r-- so I thought that meant that it was readable by all. But when I try to use root-tail /var/log/syslog nothing shows up on my desktop. Using sudo and an absolute pathname to root-tail makes it work (well I've tried on both secure and messages but not syslog). But I can't use sudo in my x startup scripts. Once again the help is appreciated. BTW syslog is FULL of stuff so it's not that the file was empty.[/edit]

  8. #8
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    You are right but if you keep your box secure you won't have to worry about it at all. They can do things like write scripts that don't log their commands after they erase your logs.
    Here is what happened to me a few years back:
    I had a wu ftp server running and I was green. I got hacked and they used my box to try and hack the civil defense dept. (of which they didn't) but a **** storm came down on my ISP and I had a lot of questions to answer. What he did is got in through my broken ftp figured out my root password and hid all of his folders. Then he edited "ls" so it wouldn't show his files and directories. In fact I never figured out he was there till my ISP went through and found him. He was never in my logs. BTW he did use my box to hack 3com and was successful.
    Just a little FYI
    I haven't been hacked since.
    It would be a good thing to learn how to read the logs.
    Mike

  9. #9
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53
    Ouch.
    I am aware of the security risks of running a computer on the internet. I am in college for computer network engineering not because I wanted to but because it was obvious that everything I was learning until that point was pointing me in that direction. I try and keep my box as secure as possible (that's why I don't care if a hacker gets in), he must be better than me to get past what I try to make a secure system and I am constantly reading and trying to make my box more secure.

    I've noticed in the real world many people don't care about security but I have always at least been conscious of that aspect of computers (even though my teachers in school, and real world boss and co-workers hadn't a clue about network security). I plan on continuing my pursuit of knowledge in this wonderful field even if my classes don't require it, I'm just going at my own pace. Readable logs seems like a minor security threat to me. Perhaps you think differently. Oh well. Can we get back to running root-tail as a non-root user in Slackware? Cause that's what I really want to talk about.

    Thanks again for your input.

  10. #10
    Linux Engineer adrenaline's Avatar
    Join Date
    Aug 2004
    Location
    Seattle, Washington
    Posts
    1,058
    -rw-r----- 1 root root 4148 2004-09-09 16:28 secure
    this is what my file looks like
    where it says root root
    the first root is the owner and the second root is the group
    the -rw-r means that owner has read/write and group has read.
    as root do
    chgrp <usrname> secure
    user name is your user name that you are logged in your system as right now
    now it should read
    -rw-r----- 1 root <usrname> 4148 2004-09-09 16:28 secure
    This should allow your user name to read that file.

    Make sense?
    Mike
    Also in case you didn't know
    netstat -pant will show you your tcp ports that are open.
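    The ownership and mode reasoning from posts #6 and #10, as an added shell example that is not from the thread: can_read decides whether a named user can read a file from its ls -l bits (owner, group or other column), and grant_group_read applies the chgrp plus 0640 fix. The demo runs in a scratch directory on a constructed log file using your own primary group, so no root is needed; rerun can_read after log rotation to confirm the group and mode survived.

```shell
#!/bin/sh
# can_read FILE USER: exit 0 if USER may read FILE by its mode bits, 1 if not.
# Owner bits apply if USER owns the file, group bits if USER is in the file's
# group, otherwise the "other" bits. Uses GNU stat -c (BSD stat differs).
can_read() {
  file=$1; user=$2
  perms=$(stat -c %A "$file")      # symbolic mode, e.g. -rw-r-----
  owner=$(stat -c %U "$file")
  group=$(stat -c %G "$file")
  if [ "$owner" = "$user" ]; then
    col=2                          # owner read bit
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then
    col=5                          # group read bit
  else
    col=8                          # other read bit
  fi
  [ "$(printf '%s' "$perms" | cut -c"$col")" = r ]
}

# grant_group_read FILE GROUP: owner rw, group r, nobody else anything (0640),
# with the file's group changed to GROUP, as suggested in the thread.
grant_group_read() {
  chgrp "$2" "$1" && chmod 0640 "$1"
}

# Demo on a constructed "secure" file in a scratch directory.
demo_dir=$(mktemp -d)
printf 'Sep  9 16:28:01 slack sshd[2101]: Accepted password for mike from 192.0.2.10 port 51234 ssh2\n' > "$demo_dir/secure"
me=$(id -un); mygroup=$(id -gn)
chmod 0600 "$demo_dir/secure"
grant_group_read "$demo_dir/secure" "$mygroup"
stat -c '%A %U %G %n' "$demo_dir/secure"
can_read "$demo_dir/secure" "$me" && echo "$me can read secure"
can_read "$demo_dir/secure" nobody || echo "nobody cannot read secure"
```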
