Log Monitoring


Monitoring log files is used to watch for anomalies that might indicate an attack. Although this method is used successfully, it can result in huge amounts of data and become cumbersome on large networks.

When combined with other tools, log monitoring can be made to work. For example, using log monitoring on a few key systems can reduce the amount of data being received. However, this and other such measures are really stop-gap measures because they do little to ensure the security of the systems that aren't monitored.

Numerous packages are available to monitor log files. Three such packages include Logsnorter, Swatch, and Logcheck. More information on each can be found at their respective websites or from within your system's documentation if the distribution includes them as available packages. I'll briefly cover Swatch here just to give you a taste of some of the capabilities of these types of tools.

Swatch

Swatch is available with many Linux distributions as an add-on package or can be downloaded from http://swatch.sourceforge.net/. Swatch is highly configurable and can perform a number of actions based on a match.

Swatch works in several modes, including a mode called single-pass, which has the program parse a log file once, searching for matches and taking action based on those matches. Another mode sees Swatch perform a running tail (tail -f) of a log file looking for matches. By default, Swatch monitors /var/log/messages but it can be configured to monitor any file or even a socket.

Because Swatch is so powerful, I don't feel as though I can do it justice in a book on Linux firewalls. I invite you to read more about Swatch. For now, I'll give a recipe for monitoring a log file with Swatch. Another such recipe shows up in Chapter 11, in the section on Snort titled "Automated Intrusion Monitoring with Snort."

USING SWATCH TO MONITOR SSH LOGIN FAILURES

In 2004 and 2005, a number of brute-force login attempts were noted against servers running SSH. These usually didn't result in much of anything except annoyance. However, it's generally useful to monitor log files for these and other attempts to brute-force attack a server. Swatch can be configured to send an email (or do any number of other actions) when such an attempt is logged. This section shows how to send an email alert when an authentication failure is logged.

The system logs a line similar to the following when a login is attempted and fails:

 Jun  7 17:09:10 ord sshd[3434]: error: PAM: Authentication failure for root from 192.168.1.10

There are a number of unique items on this line, but I'll choose to look for the words "Authentication failure" because that is the type of thing I want to be alerted on. The Swatch syntax is painfully easy yet can be incredibly powerful. This is because Swatch uses regular expression syntax for matching. The match in this case is rather trivial. Simply telling Swatch what to watch for with the aptly titled watchfor configuration directive and then giving it one or more actions to perform when a match is noted is all that's required for Swatch configuration. For example, to look for the words "Authentication failure" and have an email sent, the Swatch configuration consists of the following:

 watchfor /Authentication failure/
     mail

These two lines are saved in ~/.swatchrc. In this case, I'm doing so as root because Swatch will need read access to the log file in question.

Next, start Swatch and tell it what file to monitor. Again, the default is /var/log/messages. However, I'm creating this example on a Debian system, where authentication failures are logged to /var/log/auth.log by default. Therefore, I point Swatch at the correct log file and start it:

 swatch --tail-file=/var/log/auth.log

Swatch will now monitor the log file for the words "Authentication failure" and will send an email to root if and when the words are found.

As previously stated, there are several options for alerts, including executing other programs. These programs could be shell scripts or really anything, so the possibilities are virtually limitless.
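To show what the watchfor rule above is actually matching, here is an added example (not Swatch code, and not from the book) that applies the same "Authentication failure" pattern to a few constructed auth.log lines, pulls out the user and source address, and only raises an alert once a source has crossed a failure threshold, which keeps the mail volume down on a busy host. The host names, PIDs and addresses in the sample lines are made up.

```python
import re
from collections import Counter

# Same text Swatch's "watchfor /Authentication failure/" rule looks for, widened
# to capture the user and source address so an alert carries some context.
AUTH_FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"error: PAM: Authentication failure for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(lines):
    """Return a list of (user, src) tuples, one per line matching the pattern."""
    hits = []
    for line in lines:
        m = AUTH_FAILURE_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("src")))
    return hits


def alerts(lines, threshold=3):
    """Return {src: failure_count} for every source at or above the threshold.

    Per-source thresholding is an added refinement over the book's
    one-mail-per-matching-line rule; the book's behaviour is threshold=1.
    """
    counts = Counter(src for _, src in parse_failures(lines))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log lines in the format shown in the text (hypothetical values).
SAMPLE_LOG = [
    "Jun  7 17:09:10 ord sshd[3434]: error: PAM: Authentication failure for root from 192.168.1.10",
    "Jun  7 17:09:12 ord sshd[3436]: error: PAM: Authentication failure for root from 192.168.1.10",
    "Jun  7 17:09:15 ord sshd[3438]: error: PAM: Authentication failure for admin from 192.168.1.10",
    "Jun  7 17:09:20 ord sshd[3440]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2",
    "Jun  7 17:09:31 ord sshd[3442]: error: PAM: Authentication failure for alice from 192.168.1.20",
]

if __name__ == "__main__":
    # In place of Swatch's "mail" action, just print the alert that would be sent.
    for src, n in alerts(SAMPLE_LOG).items():
        print(f"ALERT: {n} SSH authentication failures from {src}")
```

With the sample lines, only 192.168.1.10 (three failures) produces an alert at the default threshold; the single failure from 192.168.1.20 is recorded but not reported.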

Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash