16.1 Log Files

It is well worth the time to configure the /etc/syslog.conf file so that evidence of crackers is separated into files of its own, away from routine entries, where it is easier to spot. It is important, too, to set up programs that scan the log files automatically for these cracking attempts, because people are notoriously bad at such mundane tasks. Note that in each syslog.conf entry the two fields (the selector and the file it is written to) must be separated by tabs, not spaces, for them to be interpreted correctly.

In most distributions, this file has a line similar to

 
 *.info;mail.none;auth.none;authpriv.none  /var/log/messages 

that dumps almost every message into the messages log file. If this line (or something similar) is missing, I certainly recommend adding it. It causes all messages of severity info or greater to be logged here except that no mail, auth, or authpriv messages will be logged because they are logged elsewhere.

Because there tend to be so many mail messages and they are largely uninteresting, you normally dump them into a separate file thusly:

 
 mail.info                                 /var/log/mail 

The following entry will log all security-related messages that might indicate problems:

 
 *.warn;authpriv.notice;auth.notice        /var/log/secure 

You probably also want to log "routine" security messages, such as successful logins, in case you later discover that there was a compromised account and you want to find when it was used.

 
 authpriv.debug;auth.debug                 /var/log/secure.ok 
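To check where a given kind of message actually ends up under the four entries above, here is an added example (not from the book) that evaluates syslog.conf selectors the way syslogd does, including the override rule that lets mail.none after *.info keep mail out of /var/log/messages. The configuration string is constructed from the entries in this section.

```python
# Added example (not from the book): evaluate the syslog.conf selector rules
# quoted above to see which file a message of a given facility and priority reaches.
# Constructed from the section's four entries, tab-separated as the text requires.
SYSLOG_CONF = (
    "*.info;mail.none;auth.none;authpriv.none\t/var/log/messages\n"
    "mail.info\t/var/log/mail\n"
    "*.warn;authpriv.notice;auth.notice\t/var/log/secure\n"
    "authpriv.debug;auth.debug\t/var/log/secure.ok\n"
)
# Priorities from least to most severe, plus the aliases syslog.conf accepts.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def level(name):
    """Numeric severity of a priority name ('warn' -> 3)."""
    return PRIORITIES.index(ALIASES.get(name, name))

def parse(conf):
    """Return (selectors, action) pairs; reject entries not separated by a tab."""
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, sep, action = line.partition("\t")
        if not sep or not action.strip():
            raise ValueError(f"line {lineno}: selector and action must be tab-separated")
        rules.append((selector.split(";"), action.strip()))
    return rules

def matches(selectors, facility, priority):
    """Apply ';'-separated selectors left to right; a later selector for the same
    facility overrides an earlier one ('mail.none' after '*.info' excludes mail)."""
    selected = False
    for sel in selectors:
        facs, _, prio = sel.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # selector does not name this facility
        if prio == "none":
            selected = False
        elif prio.startswith("="):  # exactly this priority only
            selected = level(priority) == level(prio[1:])
        else:  # this priority or anything more severe
            selected = level(priority) >= level(prio)
    return selected

def targets(conf, facility, priority):
    """Files that a message with this facility and priority is written to."""
    return [act for sels, act in parse(conf) if matches(sels, facility, priority)]
```

With this configuration a successful login logged at auth.info lands only in /var/log/secure.ok, while a mail.warning message is written to both /var/log/mail and /var/log/secure.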

In Part IV of this book, which discusses recovering from an intrusion, there is detailed discussion on interpreting log files. These sections are also applicable before you suffer an intrusion. There are many parts of "Finding and Repairing the Damage" on page 685 that are useful, so looking at this section now might be helpful.



       
    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002