Log Analysis

Discussion in 'Server Security' started by MustangV10, Nov 11, 2011.

  1. MustangV10

    MustangV10 New Member

    Do you think it's important to analyse server logs? If so, which ones and why? A location would be good as well!

  2. ehansen

    ehansen New Member Staff Writer

    It depends on the logs, why you're monitoring them and what type of information is stored in them. Most of the time, mail logs that just record who sent what e-mail to someone will not hold much value. However, if you have SSH recording unsuccessful login attempts, it could have some great value to you.

    If this is for one of your systems, can you provide some detail on the services that are running on it, and what information it logs?

    As for location, can you clarify? Most logs are stored in /var/log, if that is what you were wanting to know.
  3. diegosuse

    diegosuse New Member

    Important logs: apache, mysql, ftp, telnet (people are still using it, can you believe it?). Management panel, postfix, smtp.
  4. DaReaper

    DaReaper New Member

    Yes, I think it is really important to keep a record of the logins, errors and any other record if you need to know what's been going on on your server while you were off.

    I always prefer having a login record and PHP logs, MySQL logs, apache/lighttpd logs etc.
  5. J Logging

    J Logging New Member

    Is it important to analyze log files? You bet it is. It's also important to identify what exactly you mean when you say "analyze". I suspect you meant: monitor log files for specific strings or unusual log activity, and get an alert when a set threshold is breached.

    If that's what you mean, the following command ought to start you on the right path:

    logrobot autonda /var/log/messages '(fail|denied|segfault|segmentation|reject|oops|warn)' '.' 5 10 MsgLogWatch -ndshow

    The quoted strings in the above command are definitely some of the many entries you should watch out for within your "messages" or "syslog" file.

    Note:
    You can modify the strings to match any other patterns you wish to analyze.
    Last edited: Dec 2, 2013
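The post above describes threshold alerting on a pattern list over /var/log/messages. The following is an added example, not code from the original post or from the logrobot tool: it replays constructed syslog lines through the same alternation the command watches for and raises an alert whenever at least `threshold` matching lines fall inside a trailing window of `window_seconds`. The sample lines, the threshold of 5 and the 60-second window are all assumptions chosen for illustration; they are not logrobot's argument semantics.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample lines in classic syslog format; not taken from any real host.
SAMPLE_MESSAGES = """\
Nov 11 10:00:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 11 10:00:03 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 11 10:00:05 web1 kernel: httpd[3301]: segfault at 0 ip 00007f3a sp 00007ffd error 4 in httpd
Nov 11 10:00:09 web1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000
Nov 11 10:00:15 web1 kernel: iptables DENIED: IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=23
Nov 11 10:00:20 web1 postfix/smtpd[4010]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]
Nov 11 10:01:00 web1 cron[5001]: (root) CMD (run-parts /etc/cron.hourly)
Nov 11 10:09:00 web1 sshd[2290]: Failed password for root from 203.0.113.7 port 51100 ssh2
"""

# The same alternation the post's command watches for, compiled case-insensitively
# so that "DENIED" and "Warning" are caught as well as the lowercase forms.
PATTERN = re.compile(r"(fail|denied|segfault|segmentation|reject|oops|warn)", re.I)

# "Mon DD HH:MM:SS host message" as written by classic syslog daemons.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year=2011):
    """Split one syslog line into (timestamp, host, message), or None if it
    does not parse. Classic syslog omits the year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def scan(text, threshold=5, window_seconds=60, pattern=PATTERN):
    """Return (matches, alerts).

    matches: every (timestamp, message) whose message hits `pattern`.
    alerts:  (timestamp, count) for each matching line at which `threshold`
             or more matches sit inside the trailing `window_seconds` window.
    """
    matches, alerts = [], []
    window = deque()  # timestamps of recent matches, oldest first
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        if not pattern.search(msg):
            continue
        matches.append((ts, msg))
        window.append(ts)
        # Drop matches that have aged out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((ts, len(window)))
    return matches, alerts


if __name__ == "__main__":
    found, fired = scan(SAMPLE_MESSAGES)
    print(f"{len(found)} matching lines, {len(fired)} alerts")
    for ts, count in fired:
        print(f"ALERT {ts:%H:%M:%S}: {count} matches in the last 60s")
```

On the constructed input the burst between 10:00:01 and 10:00:20 trips the threshold twice, while the lone failure at 10:09:00 does not, because the earlier matches have aged out of the window. Note that a bare "fail" also matches benign strings such as "failover", so in practice the alternation is tightened per service once the noisy sources are known.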
  6. JDG

    JDG New Member

    I can see that you know auditing is extremely important and you bring up a great question.

    I would say at a minimum you should monitor authentication attempts, attempts to modify user/group accounts, sensitive file access or privilege use, and attempts to modify your established security baseline.

    As one user pointed out /var/log is a great place to start. I know you can also run your logs through an IDS to have it identify potential anomalies.

    Beyond that it is determined by what your security objectives are: What are you trying to protect and why? How is this critical system accessible? What is the information's value?

    For example, say you store your banking information in your home directory. Is this system accessible via the Internet (even if there is a firewall in place)? What can one do with your bank account information? Could one wipe out your entire account?
  7. ryanvade

    ryanvade Administrator Staff Member Staff Writer

    I use Fail2ban to monitor server logs and send me emails with results.
