Wednesday, September 5

System Logging

What is System Logging?
* An important part of maintaining a secure system is keeping track of the activities that take place on it. If you know what normally happens, such as when users usually log in, you can use the log files to spot unusual activity.
* Two main logging daemons (the classic sysklogd pair shipped with older Red Hat and CentOS releases):
  - klogd   : the kernel log daemon; it collects kernel messages and events and hands them to syslogd
  - syslogd : the syslog daemon; it logs messages from all other processes. The log files that syslogd writes are what you use to track activity on the system.
Log Files (default locations on Red Hat-style systems)
* /var/log/dmesg    : kernel ring-buffer messages captured at boot
* /var/log/messages : general system messages (the stock *.info destination), not only errors
* /var/log/maillog  : mail system messages
* /var/log/secure   : security and authentication messages (the authpriv facility), including xinetd messages on systems where xinetd logs to authpriv

utmpdump /var/log/wtmp

/var/log/wtmp is a binary, append-only record of every login, logout and reboot; utmpdump prints its records as text (last reads the same file), so it is used for monitoring login activity.
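The following is an added example, not code from the page: it parses wtmp records directly (the same binary records utmpdump prints) and flags logins that fall outside a known (user, host) baseline, which is the page's advice of knowing what normally happens and looking for deviations. It assumes glibc's struct utmp layout on x86_64 (little-endian, 384 bytes per record); the sample records and the baseline are constructed inline.

```python
"""Parse a Linux wtmp file and flag logins outside a known baseline.
Added example; not code from the page. Assumes glibc's struct utmp on
x86_64 (little-endian, 384 bytes); sample records are constructed here."""
import struct

# struct utmp on x86_64 glibc, field by field:
#   ut_type (int16) + 2 pad bytes, ut_pid (int32), ut_line[32], ut_id[4],
#   ut_user[32], ut_host[256], ut_exit (2 x int16), ut_session (int32),
#   ut_tv (tv_sec int32, tv_usec int32), ut_addr_v6 (4 x int32), 20 reserved
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384 bytes per record

# ut_type values from <utmp.h> that matter for login monitoring
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return one dict per record, oldest first (wtmp is append-only)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9],
        })
    return records


def logins(records):
    """Only USER_PROCESS records are logins; DEAD_PROCESS marks the logout."""
    return [r for r in records if r["type"] == USER_PROCESS]


def unusual_logins(records, baseline):
    """Flag logins whose (user, host) pair is not in the known baseline."""
    return [r for r in logins(records) if (r["user"], r["host"]) not in baseline]


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one binary wtmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0)


# Constructed sample wtmp content: a reboot, alice's normal login from the
# office subnet and its logout, then a root login over a pty from an
# address nobody expects.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.18-el5", 1_220_600_000),
    make_record(USER_PROCESS, 3101, "pts/0", "alice", "192.168.0.20", 1_220_601_000),
    make_record(DEAD_PROCESS, 3101, "pts/0", "", "", 1_220_602_800),
    make_record(USER_PROCESS, 3455, "pts/1", "root", "10.9.8.7", 1_220_603_600),
])

# Constructed baseline of what normally happens: alice from her desk,
# root only on the console (empty host).
BASELINE = {("alice", "192.168.0.20"), ("root", "")}


def dump(data):
    """Print records in a utmpdump-like layout."""
    for r in parse_wtmp(data):
        print(f"[{r['type']}] [{r['pid']:05d}] [{r['user']:<8}] "
              f"[{r['line']:<12}] [{r['host']}] [{r['time']}]")


if __name__ == "__main__":
    dump(SAMPLE_WTMP)
    for r in unusual_logins(parse_wtmp(SAMPLE_WTMP), BASELINE):
        print("UNUSUAL:", r["user"], "from", r["host"], "on", r["line"])
```

Run it against a real file by replacing SAMPLE_WTMP with `open("/var/log/wtmp", "rb").read()` on an x86_64 box; on another architecture the record layout differs, so check `UTMP_SIZE` against the file size first.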
Configuring Central Log Server
* Server Side – allow syslogd to accept remote messages
  - vi /etc/sysconfig/syslog
  - SYSLOGD_OPTIONS="-r -m 0"
    (-r makes syslogd listen for remote messages on UDP port 514; -m 0 turns off the periodic "-- MARK --" lines)
  - Restart syslogd
  - service syslog restart
  - Caveat: -r accepts unauthenticated, unencrypted UDP from any host that can reach port 514, so restrict 514/udp to the client subnet with the firewall; UDP delivery is also unacknowledged, so messages can be lost silently.

* Client Side – instruct the client to send its log to the central server
  - vi /etc/syslog.conf
  - user.*               @192.168.0.253
    (this forwards only the user facility; use *.* to forward everything, or add authpriv.* to forward the login messages that go to /var/log/secure. Keep the selector and the action separated by whitespace as in the rest of the file.)
  - Restart syslogd
  - service syslog restart

* Test – on the client
logger  -i  -t  username  "this is to be sent to remote server"
  (logger sends at user.notice by default, so the message matches the user.* rule; check /var/log/messages on the server, where the line should appear with the client's hostname and the tag username[PID])
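To see why the logger test passes while, for example, sshd messages would not be forwarded by the user.* rule, the following added example (not code from the page) reimplements sysklogd's facility.priority selector matching in Python and runs it over constructed syslog datagrams. The messages, hostnames and PIDs are made up; the PRI values follow RFC 3164 (PRI = facility * 8 + severity), and the '!prio' exclusion syntax is deliberately not modelled.

```python
"""Model how syslogd decides which messages a syslog.conf rule acts on.
Added example, not code from the page: a Python reimplementation of
sysklogd's facility.priority selector matching. Sample datagrams are
constructed, not captured."""

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity)
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def decode_pri(datagram):
    """Split the leading <PRI> of a syslog datagram into (facility, severity)."""
    if not datagram.startswith("<"):
        raise ValueError("no PRI field")
    pri = int(datagram[1:datagram.index(">")])
    return pri // 8, pri % 8


def pri_name(datagram):
    """Human-readable 'facility.severity' for a datagram, e.g. 'user.notice'."""
    fac, sev = decode_pri(datagram)
    return f"{FACILITY_NAMES.get(fac, fac)}.{SEVERITY_NAMES[sev]}"


def build_masks(selectors):
    """Turn a sysklogd selector list into {facility_code: allowed severities}.

    Selectors are separated by ';'. Each is fac[,fac...].prio where fac may
    be '*', and prio may be '*', 'none', '=prio' (that severity only) or a
    severity name meaning that severity and every more urgent one. As in
    sysklogd, later selectors add to earlier ones, except 'none', which
    clears the facility. ('!prio' exclusions are not modelled.)
    """
    masks = {code: set() for code in FACILITIES.values()}
    for sel in selectors.split(";"):
        facs, prio = sel.strip().rsplit(".", 1)
        codes = (list(FACILITIES.values()) if facs == "*"
                 else [FACILITIES[f] for f in facs.split(",")])
        if prio == "none":
            for c in codes:
                masks[c] = set()
            continue
        if prio == "*":
            allowed = set(range(8))
        elif prio.startswith("="):
            allowed = {SEVERITIES[prio[1:]]}
        else:
            allowed = set(range(SEVERITIES[prio] + 1))
        for c in codes:
            masks[c] |= allowed
    return masks


def forwarded(selectors, datagram):
    """True if a rule with these selectors would act on the datagram."""
    fac, sev = decode_pri(datagram)
    return sev in build_masks(selectors).get(fac, set())


# Constructed messages as they would leave the client on UDP/514.
# What the page's logger test produces (logger defaults to user.notice, PRI 13):
LOGGER_MSG = "<13>Sep  5 10:00:00 client username[4321]: this is to be sent to remote server"
# An sshd login message, sent at authpriv.info (PRI 86):
SSHD_MSG = "<86>Sep  5 10:00:05 client sshd[4400]: Accepted password for alice from 192.168.0.20 port 51022 ssh2"
# A kernel message at kern.info (PRI 6):
KERN_MSG = "<6>Sep  5 10:00:09 client kernel: eth0: link up"

CLIENT_RULE = "user.*"        # the page's client-side selector
FORWARD_ALL = "*.*"           # forwards everything
RH_MESSAGES = "*.info;mail.none;authpriv.none;cron.none"  # stock /var/log/messages rule


def report(selectors, messages):
    """Return {pri_name: forwarded?} for each message under a selector list."""
    return {pri_name(m): forwarded(selectors, m) for m in messages}


if __name__ == "__main__":
    for rule in (CLIENT_RULE, FORWARD_ALL, RH_MESSAGES):
        print(rule, report(rule, [LOGGER_MSG, SSHD_MSG, KERN_MSG]))
```

The point to take from the output is that the user.* rule forwards the logger test message and nothing else of interest; a central server meant for security monitoring needs at least authpriv.* (or *.*) on the client.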
