Security Handbook/Logging

Choose between (at least) three different system loggers. == Logging == Extra logging should be added to catch warnings or errors that might indicate an ongoing attack or a successful compromise. Attackers often scan or probe before attacking.

It's also vital that your log files are easily readable and manageable. Gentoo Linux lets you choose between three different loggers when installing.

Syslogd
Syslogd is the most common logger for Linux and Unix in general. It has some log rotation facilities, but using in a cron job (logrotate is configured in ) might prove to be more powerful as logrotate has many features. How often log rotation should be done depends on the system load.

Below is the standard with some added features. We have uncommented the cron and tty lines and added a remote logging server. To further enhance security you could add logging to two places.

Attackers will most likely try to erase their tracks by editing or deleting log files. You can make it harder for them by logging to one or more remote logging servers on other machines. Get more info about syslogd by executing.

Metalog
Metalog by Frank Dennis is not able to log to a remote server, but it does have advantages when it comes to performance and logging flexibility. It can log by program name, urgency, facility (like syslogd), and comes with regular expression matching with which you can launch external scripts when specific patterns are found. It is very good at taking action when needed.

The standard configuration is usually enough. If you want to be notified by email whenever a password failure occurs use one of the following scripts.

For postfix:

For netqmail:

Remember to make the script executable by issuing

Then uncomment the command line under "Password failures" in like:

Syslog-ng
Syslog-ng provides some of the same features as syslog and metalog with a small difference. It can filter messages based on level and content (like metalog), provide remote logging like syslog, handle logs from syslogd (even streams from Solaris), write to a TTY, execute programs, and it can act as a logging server. Basically it is the best of both loggers combined with advanced configuration.

Below is a classic configuration file slightly modified.

Syslog-ng is very easy to configure, but it is also very easy to miss something in the configuration file since it is huge. The author still promises some extra features like encryption, authentication, compression and MAC (Mandatory Access Control) control. With these options it will be a perfect for network logging, since the attacker cannot spy on the log.

And syslog-ng does have one other advantage: it does not have to run as root!

Log analysis with Logcheck
Of course, keeping logs alone is only half the battle. An application such as Logcheck can make regular log analysis much easier. Logcheck is a script, accompanied by a binary called, that runs from your cron daemon and checks your logs against a set of rules for suspicious activity. It then mails the output to root's mailbox.

Logcheck and logtail are part of the package.

Logcheck uses four files to filter important log entries from the unimportant. These files are logcheck.hacking, which contains known hacking attack messages, logcheck.violations, which contains patterns indicating security violations, logcheck.violations.ignore, which contains keywords likely to be matched by the violations file, allowing normal entries to be ignored, and logcheck.ignore, which matches those entries to be ignored.