webcp.hostinghacks.net/slackware | syslog
- POP user authentication
- FTP user authentication
- SSH logins
- Potentially malicious ethernet packets
- Apache + CGI activity
Edit /etc/syslog.conf for desired results:
cat > /etc/syslog.conf << "EOF"
# A '-' prefix on a file name omits syncing the file after every log entry;
# in the event of a crash some log information might be lost.
kern.7                                          /var/log/firewall
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none     -/var/log/messages
*.warn;\
authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog
*.=debug                                        -/var/log/debug
authpriv.*                                      -/var/log/secure
cron.*                                          -/var/log/cron
mail.*                                          -/var/log/maillog
mail.notice                                     -/var/log/mail.notice
*.emerg                                         *
#kern.*                                         /dev/console
EOF
touch /var/log/firewall
touch /var/log/messages
touch /var/log/debug
touch /var/log/secure
touch /var/log/cron
touch /var/log/maillog
touch /var/log/mail.notice
# restrict the firewall log; the other files keep the permissions your umask gives them
chmod 640 /var/log/firewall
/etc/rc.d/rc.syslog restart
# kill -SIGHUP `cat /var/run/syslogd.pid`
To stop syslogd from filling the log files with "-- MARK --" timestamp lines, pass the
-m 0 switch to syslogd with a small modification to the init script:
mv /etc/rc.d/rc.syslog /usr/src/rc.syslog.old
cat > /etc/rc.d/rc.syslog << "EOF"
#!/bin/sh
# Start/stop/restart the system logging daemons.
#
# Written for Slackware Linux by Patrick J. Volkerding.

syslogd_start() {
  if [ -x /usr/sbin/syslogd -a -x /usr/sbin/klogd ]; then
    echo -n "Starting sysklogd daemons: "
    echo -n "/usr/sbin/syslogd -m 0 "
    # '-m 0' = disable the periodic "-- MARK --" lines
    /usr/sbin/syslogd -m 0
    sleep 1 # prevent syslogd/klogd race condition on SMP kernels
    echo "/usr/sbin/klogd -c 3 -x"
    # '-c 3' = display level 'error' or higher messages on console
    # '-x' = turn off broken EIP translation
    /usr/sbin/klogd -c 3 -x
  fi
}

syslogd_stop() {
  killall syslogd 2> /dev/null
  killall klogd 2> /dev/null
}

syslogd_restart() {
  syslogd_stop
  sleep 1
  syslogd_start
}

case "$1" in
'start')
  syslogd_start
  ;;
'stop')
  syslogd_stop
  ;;
'restart')
  syslogd_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac
EOF
chmod 755 /etc/rc.d/rc.syslog
/etc/rc.d/rc.syslog restart
Logrotate:
cat > /etc/logrotate.d/syslog << "EOF"
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/spooler
/var/log/boot.log
/var/log/cron
/var/log/firewall
/var/log/mail.notice
{
    # spooler and boot.log are not created above; without this logrotate reports an error for them
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
chmod 644 /etc/logrotate.d/syslog
Review log files:
Reviewing the logs should be as convenient as possible or it will be neglected, but it is best not to send them across the internet unencrypted. One option is to mail them to a local user and then collect that mail through Secure-POP.
cat > /etc/cron.daily/watch.syslogs << "EOF"
#! /bin/sh
tail -100 /var/log/mail.notice | mail -s "mail.notice" servadmin@localhost
tail -100 /var/log/messages | mail -s "messages" servadmin@localhost
tail -100 /var/log/secure | mail -s "secure.log" servadmin@localhost
last | mail -s "last logins" servadmin@localhost
EOF
chmod +x /etc/cron.daily/watch.syslogs
/etc/cron.daily/watch.syslogs
cat > /etc/cron.weekly/watch.syslogs << "EOF"
#! /bin/sh
tail -100 /var/log/maillog | mail -s "mail.log" servadmin@localhost
tail -100 /var/log/cron | mail -s "cron" servadmin@localhost
tail -100 /var/log/debug | mail -s "debug" servadmin@localhost
EOF
chmod +x /etc/cron.weekly/watch.syslogs
/etc/cron.weekly/watch.syslogs
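The daily job above mails the last 100 lines of /var/log/secure, which is easy to skim past. As an added example (not part of the original page), the script below summarises the sshd entries that authpriv.* collects into one line per source address, flagging sources at or above a failure threshold. It assumes POSIX sh plus awk and OpenSSH's "Accepted ... for USER from ADDR" / "Failed password for ... from ADDR" message formats; the sample log lines are constructed, with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example: digest of /var/log/secure instead of a raw tail.
# Assumes POSIX sh + awk and OpenSSH sshd message formats.

# Constructed sample in sysklogd line format (not real traffic)
sample_secure() {
    cat <<'EOF'
Mar  3 04:12:01 webcp sshd[2211]: Accepted publickey for servadmin from 192.0.2.10 port 51022 ssh2
Mar  3 04:13:44 webcp sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 04:13:47 webcp sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 04:13:51 webcp sshd[2242]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar  3 04:20:09 webcp sshd[2301]: Failed password for servadmin from 198.51.100.23 port 33010 ssh2
Mar  3 04:20:15 webcp sshd[2301]: Accepted password for servadmin from 198.51.100.23 port 33010 ssh2
Mar  3 04:25:00 webcp su: (to root) servadmin on /dev/pts/0
EOF
}

# auth_digest [THRESHOLD]  < secure-log
# Prints one line per source address with its failed-login count (marked ALERT
# at or above THRESHOLD, default 3) and one line per accepted user/source pair.
auth_digest() {
    awk -v limit="${1:-3}" '
    # value that follows a given word on the current line, "" if absent
    function after(word,   i) {
        for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for / {
        src = after("from"); fail[src]++
        if ($0 ~ / invalid user /) unknown[src]++   # non-existent account: typical of scanning
        next
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
        ok[after("for") " from " after("from")]++
        next
    }
    END {
        for (s in fail) {
            flag = (fail[s] >= limit) ? " ALERT" : ""
            printf "FAILED %d from %s (%d unknown users)%s\n", fail[s], s, unknown[s] + 0, flag
        }
        for (k in ok) printf "ACCEPTED %d %s\n", ok[k], k
    }' | sort
}

# Stand-alone demo. In the cron job above this line would replace the tail:
#   auth_digest 3 < /var/log/secure | mail -s "secure digest" servadmin@localhost
sample_secure | auth_digest 3
```

The digest keeps the accepted logins visible as well, because an accepted login from an address that was just failing repeatedly is the line worth reading first.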
Syslog.conf format: facility.level
Values for facility:
user     - Messages generated by user processes. Default for programs or facilities not listed here.
kern     - Messages generated by the kernel.
mail     - The mail system.
daemon   - System daemons, such as in.ftpd(1M).
auth     - The authorization system: login(1), su(1M), getty(1M), among others.
cron     - The cron/at facility; crontab(1), at(1), cron(1M), among others.
local0-7 - Reserved for local use.
*        - All facilities.
Values for level:
emerg    - For panic conditions.
alert    - For conditions that should be corrected immediately, such as a corrupted system database.
crit     - For warnings about critical conditions, such as hard device errors.
err      - For other errors.
warning  - For warning messages.
notice   - For conditions that are not error conditions, but may require special handling. A configuration entry with a level value of notice must appear on a separate line.
info     - Informational messages.
debug    - For messages that are normally used only when debugging a program.
none     - Do not send messages from the indicated facility to the selected file.
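Reading a line such as `*.info;*.!warn;authpriv.none;...` correctly takes practice, because the selectors on one line are applied left to right and each later one overrides the earlier ones for the facilities it names. The script below is an added example (not from the page) that evaluates a syslog.conf fragment offline and prints which actions would receive a message of a given facility and level; it assumes POSIX sh plus awk, sysklogd's bitmap semantics for `level`, `=level`, `!level`, `!=level`, `none` and `*`, accepts a numeric level such as the `kern.7` used above, and accepts either tabs or spaces between the two fields. The embedded configuration is a constructed copy of the one built earlier on this page.

```shell
#!/bin/sh
# Added example: evaluate sysklogd-style selectors offline.
# Assumed semantics (sysklogd bitmap rules):
#   fac.pri   -> pri and everything more urgent    fac.=pri  -> exactly pri
#   fac.!pri  -> drop pri and more urgent          fac.!=pri -> drop exactly pri
#   fac.none  -> drop everything for fac           *         -> all facilities / all priorities
# Selectors on one line are applied left to right, so later ones override earlier ones.

# Constructed copy of the syslog.conf from this page
sample_conf() {
    cat <<'EOF'
# comment lines and blank lines are ignored
kern.7                                          /var/log/firewall
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none     -/var/log/messages
*.warn;\
authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog
*.=debug                                        -/var/log/debug
authpriv.*                                      -/var/log/secure
cron.*                                          -/var/log/cron
mail.*                                          -/var/log/maillog
mail.notice                                     -/var/log/mail.notice
*.emerg                                         *
#kern.*                                         /dev/console
EOF
}

# syslog_route FACILITY PRIORITY  < syslog.conf
# Prints the action field (file, "*", @host) of every rule that receives a
# message of the given facility and priority, in configuration order.
syslog_route() {
    awk -v fac="$1" -v pri="$2" '
    BEGIN {
        n = split("emerg alert crit err warning notice info debug", name, " ")
        for (i = 1; i <= n; i++) prionum[name[i]] = i - 1          # emerg=0 ... debug=7
        prionum["panic"] = 0; prionum["error"] = 3; prionum["warn"] = 4  # accepted aliases
        want = (pri ~ /^[0-7]$/) ? pri + 0 : prionum[pri]
    }
    { sub(/^[ \t]+/, "") }                                         # tolerate leading whitespace
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }       # join continuation lines
    {
        line = buf $0; buf = ""
        if (line == "" || line ~ /^#/) next
        if (split(line, part, /[ \t]+/) < 2) next                  # part[1]=selector part[2]=action
        for (b = 0; b < 8; b++) on[b] = 0                          # priority bitmap for this rule
        ns = split(part[1], sel, ";")
        for (s = 1; s <= ns; s++) {
            dot = index(sel[s], ".")
            if (dot == 0) continue
            hit = 0
            nf = split(substr(sel[s], 1, dot - 1), fl, ",")        # facility list before the dot
            for (k = 1; k <= nf; k++) if (fl[k] == "*" || fl[k] == fac) hit = 1
            if (!hit) continue
            p = substr(sel[s], dot + 1); neg = 0; single = 0
            if (substr(p, 1, 1) == "!") { neg = 1; p = substr(p, 2) }
            if (substr(p, 1, 1) == "=") { single = 1; p = substr(p, 2) }
            if (p == "none") { for (b = 0; b < 8; b++) on[b] = 0; continue }
            if (p == "*")    { for (b = 0; b < 8; b++) on[b] = !neg; continue }
            pn = (p ~ /^[0-7]$/) ? p + 0 : prionum[p]
            if (single) on[pn] = !neg
            else for (b = 0; b <= pn; b++) on[b] = !neg            # pn and everything more urgent
        }
        if (on[want]) print part[2]
    }'
}

# Stand-alone demo: where does a kernel debug message (a firewall hit, say) end up?
sample_conf | syslog_route kern debug
```

Run it against the real file with `syslog_route auth info < /etc/syslog.conf` to confirm that a login record lands where you expect before relying on the log for review.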
To perform an in-depth analysis of syslog, log every facility.level to its own file, inspect the output, and decide which are most significant to you:
user.emerg      /var/log/user.emerg
user.alert      /var/log/user.alert
user.crit       /var/log/user.crit
user.err        /var/log/user.err
user.warning    /var/log/user.warning
user.notice     /var/log/user.notice
user.info       /var/log/user.info
user.debug      /var/log/user.debug
kern.emerg      /var/log/kern.emerg
kern.alert      /var/log/kern.alert
kern.crit       /var/log/kern.crit
kern.err        /var/log/kern.err
kern.warning    /var/log/kern.warning
kern.notice     /var/log/kern.notice
kern.info       /var/log/kern.info
kern.debug      /var/log/kern.debug
mail.emerg      /var/log/mail.emerg
mail.alert      /var/log/mail.alert
mail.crit       /var/log/mail.crit
mail.err        /var/log/mail.err
mail.warning    /var/log/mail.warning
mail.notice     /var/log/mail.notice
mail.info       /var/log/mail.info
mail.debug      /var/log/mail.debug
auth.emerg      /var/log/auth.emerg
auth.alert      /var/log/auth.alert
auth.crit       /var/log/auth.crit
auth.err        /var/log/auth.err
auth.warning    /var/log/auth.warning
auth.notice     /var/log/auth.notice
auth.info       /var/log/auth.info
auth.debug      /var/log/auth.debug
cron.emerg      /var/log/cron.emerg
cron.alert      /var/log/cron.alert
cron.crit       /var/log/cron.crit
cron.err        /var/log/cron.err
cron.warning    /var/log/cron.warning
cron.notice     /var/log/cron.notice
cron.info       /var/log/cron.info
cron.debug      /var/log/cron.debug
Samples of what this will generate (blank where nothing was observed):
facility.level  typical content
user.emerg
user.alert
user.crit
user.err
user.warning
user.notice     reboot-info
user.info       reboot-info
user.debug      all, but probably just reboot-info
kern.emerg
kern.alert
kern.crit
kern.err
kern.warning    system-info | firewall-info (if configured)
kern.notice     system-info | firewall-info (if configured)
kern.info       system-info | firewall-info (if configured)
kern.debug      all
mail.emerg
mail.alert
mail.crit
mail.err
mail.warning
mail.notice     relaying-denied
mail.info       pop3-logins | success/fail-info | relay-denied
mail.debug      all
auth.emerg
auth.alert      hack attempts (see example below)
auth.crit       hack attempts
auth.err        hack attempts
auth.warning
auth.notice     ssh/pop/ftp-sessions | authentication-failures | hack-attempts
auth.info       ssh/pop/ftp-sessions | authentication-failures | hack-attempts
auth.debug      all
cron.emerg
cron.alert
cron.crit
cron.err
cron.warning
cron.notice     minimal cron job info
cron.info       detailed cron job info
cron.debug      all