Log Analysis


MustangV10

Do you think it's important to analyse server logs? If so, which ones and why? A location would be good as well!
 


It depends on the logs, why you're monitoring them and what type of information is stored in them. Most of the time, mail logs that just record who sent what e-mail to someone will not hold much value. However, if you have SSH recording unsuccessful login attempts, it could have some great value to you.

If this is for one of your systems, can you provide some detail on the services that are running on it, and what information it logs?

As for location, can you clarify? Most logs are stored in /var/logs, if that is what you were wanting to know.
 
Important logs: apache, mysql, ftp, telnet (people are still using it, can you believe it?), management panel, postfix, smtp.
 
Yes, I think it is really important to keep a record of the logins, errors and any other record if you need to know what's been going on on your server when you were off.

I always prefer having a login record and PHP logs, MySQL logs, apache/lighttpd logs etc.
 
Is it important to analyze log files? You bet it is. It's also important to identify what exactly you mean when you say "analyze". I suspect you meant: monitor log files for specific strings or unusual log activity, and get an alert when a set threshold is breached.

If that's what you mean, the following command ought to start you on the right path:

logrobot autonda /var/log/messages '(fail|denied|segfault|segmentation|reject|oops|warn)' '.' 5 10 MsgLogWatch -ndshow

The quoted strings in the above command are definitely some of the many entries you should watch out for within your "messages" or "syslog" file.

Note:
You can modify the strings to match any other patterns you wish to analyze.
 
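The idea in the post above (match a set of suspicious strings in a syslog-style file and alert once a count threshold is crossed), together with the failed-SSH-login counting mentioned earlier in the thread, written out in Python as an added example. This is not the poster's code or logrobot; the log lines are constructed samples and the threshold values are assumptions.

```python
import re
from collections import Counter

# Same watch strings as the logrobot command in the post, matched case-insensitively
# so that "Failed password" and "segfault" both count.
WATCH = re.compile(r"(fail|denied|segfault|segmentation|reject|oops|warn)", re.IGNORECASE)

# Failed SSH password attempts as sshd writes them to /var/log/messages or auth.log.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample syslog lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    "Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  3 10:01:09 host kernel: python[999]: segfault at 0 ip 00007f0a error 4 in libc.so",
    "Mar  3 10:02:00 host cron[22]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:02:10 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 4000 ssh2",
    "Mar  3 10:03:00 host sshd[1250]: Failed password for root from 203.0.113.5 port 51300 ssh2",
]


def watch_log(lines, pattern=WATCH, threshold=5):
    """Return (matching_lines, alert); alert is True once the match count reaches threshold.

    The default threshold of 5 is an assumed value, mirroring the number in the post's command.
    """
    hits = [line for line in lines if pattern.search(line)]
    return hits, len(hits) >= threshold


def failed_ssh_by_source(lines, threshold=3):
    """Count failed SSH password attempts per source IP and return only sources at/over threshold.

    This is the per-source view a tool like Fail2ban builds before it acts; threshold is assumed.
    """
    counts = Counter()
    for line in lines:
        match = SSH_FAIL.search(line)
        if match:
            counts[match.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits, alert = watch_log(SAMPLE_LOG)
    print(f"{len(hits)} suspicious lines, alert={alert}")
    print("noisy sources:", failed_ssh_by_source(SAMPLE_LOG))
```

Pointing the two functions at the lines of a real /var/log/messages or auth.log instead of SAMPLE_LOG gives the monitoring the post describes; the per-source counts are what you would feed into a ban or an alert.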
I can see that you know auditing is extremely important and you bring up a great question.

I would say at a minimum you should monitor authentication attempts, attempts to modify user/group accounts, sensitive file access or privilege use, and attempts to modify your established security baseline.

As one user pointed out, /var/log is a great place to start. I know you can also run your logs through an IDS to have it identify potential anomalies.

Beyond that it is determined by what your security objectives are: What are you trying to protect and why? How is this critical system accessible? What is the information's value?

For example, say you store your banking information in your home directory. Is this system accessible via the Internet (even if there is a firewall in place)? What can one do with your bank account information? Could one wipe out your entire account?
 
I use Fail2ban to monitor server logs and send me emails with results.
 