Log File Monitoring


The ability to detect malicious activities is dependent upon adequate monitoring. Enabling logging does no good if the logs are not reviewed. The problem, of course, is that there is a great wealth of data produced from all of the logging activities. A centralized logging server provides a single location for log data and consolidates the work of examining the information. It also provides a good location for an intrusion detection system which analyzes log entries to determine malicious activities.

Possibly the most important aspect of log monitoring is the ability to automate the process and reduce the amount of information which a person has to examine. There are many tools and products which help in this endeavor.

Swatch

Swatch, Simple WATCHer, is a tool written in Perl by Todd Atkins to actively monitor messages as they are written to a log file via the UNIX syslog utility. Swatch monitors your logs for specific triggers; when those triggers are matched, swatch notifies you in a predetermined manner.

It gives an administrator the ability to process the enormous amounts of logged data without being overwhelmed. The program is simple to install, administer, and expand to perform actions defined by the administrator. It can be used as a simple intrusion detection system or can front-end other systems, reducing the volume of data for them to process.

The configuration file, called swatchrc, is the heart of the swatch program. This text file tells swatch what logs to monitor, what triggers to look for, and what to do if triggered. Swatch works by looking for regular expressions that match the triggers defined in swatchrc. When it finds a match, it executes the notification procedure defined in swatchrc.

The swatchrc file consists of four fields: the first two are required, the last two are optional. The first field is the regular expression swatch looks for; this is the trigger. The second is a list of actions to perform if the pattern is matched. Swatch offers various actions, including e-mail, paging, or executing any file you select. The third field, throttle (optional), is a time interval: the amount of time swatch will ignore identical matched patterns that repeat themselves. The fourth field (required if you are using the third field) is a timestamp.

A sample swatchrc (the alternation bars inside the regular expressions, lost in scanning, are restored here):

    #
    # Personal Swatch configuration file
    #

    # Alert me of bad login attempts and find out who is on that system
    watchfor   /INVALID|REPEATED|INCOMPLETE/
        echo inverse
        bell 3

    # Important program errors
    watchfor   /LOGIN/
        echo inverse
        bell 3

    watchfor   /passwd/
        echo bold
        bell 3

    watchfor   /ruserok/
        echo bold
        bell 3

    # Ignore this stuff
    ignore   /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

    # Report unusual tftp info
    ignore   /tftpd.*(ncd|kfps|normal exit)/
    watchfor   /tftpd/
        echo
        bell 3

    # Kernel problems
    watchfor   /(panic|halt|SunOS Release)/
        echo bold
        bell

    watchfor   /file system full/
        echo bold
        bell 3

    ignore   /vmunix.*(at|on)/
    watchfor   /vmunix/
        echo
        bell

    watchfor   / fingerd.*(root|[Tt]ip|guest)/
        echo
        bell 3

    watchfor   /su:/
        echo bold

    watchfor   /.*/
        echo
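An added example, not from the book or from the swatch distribution, that models the trigger / action / throttle / timestamp fields in Python and runs them over a few constructed syslog lines. The rules are held as Python tuples rather than parsed from a swatchrc file, the log lines are constructed, and the year used to parse the syslog timestamp (which syslog omits) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the page). The timestamp
# occupies the first 15 characters, as in classic UNIX syslog.
SAMPLE_LOG = """\
Mar 10 08:00:01 host login[512]: REPEATED LOGIN FAILURES ON ttyp1 FROM 10.0.0.5
Mar 10 08:00:02 host login[512]: REPEATED LOGIN FAILURES ON ttyp1 FROM 10.0.0.5
Mar 10 08:00:45 host sendmail[900]: message accepted for delivery
Mar 10 08:05:30 host login[512]: REPEATED LOGIN FAILURES ON ttyp1 FROM 10.0.0.5
Mar 10 08:06:00 host vmunix: file system full
"""

TS = slice(0, 15)  # fourth field: where the timestamp sits in each line

# Noise is dropped before any watchfor rule is tried, as swatch does.
IGNORE = [re.compile(p) for p in (r"sendmail", r"nntp")]

# Each rule models the four swatchrc fields: trigger regex, action list,
# optional throttle interval, and the timestamp position (TS above).
RULES = [
    (re.compile(r"INVALID|REPEATED|INCOMPLETE"),
     ["echo inverse", "bell 3"], timedelta(minutes=5), TS),
    (re.compile(r"file system full"), ["echo bold", "bell 3"], None, TS),
]

def parse_stamp(line, ts):
    # syslog omits the year, so one is assumed here for the comparison
    return datetime.strptime("2002 " + line[ts], "%Y %b %d %H:%M:%S")

def run(log_text):
    """Return [(line, actions)] that would fire, honouring throttle."""
    fired, last_seen = [], {}
    for line in log_text.splitlines():
        if any(p.search(line) for p in IGNORE):
            continue
        for pattern, actions, throttle, ts in RULES:
            if not pattern.search(line):
                continue
            # Identity for throttling is the message with its timestamp
            # removed, so repeats of one event collapse per interval.
            key = (pattern.pattern, line[:ts.start] + line[ts.stop:])
            now = parse_stamp(line, ts)
            if throttle and key in last_seen and now - last_seen[key] < throttle:
                break  # identical match inside the throttle window: suppressed
            last_seen[key] = now
            fired.append((line, actions))
            break  # first matching watchfor handles the line
    return fired
```

Of the five sample lines, the second is suppressed by the five-minute throttle and the sendmail line is ignored, so three notifications fire.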


Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
