Re: searching logs for key phrases

Troy (infoline@hutton.net)
Thu, 28 Nov 1996 04:25:34 -0500

Mike Kienenberger wrote:
> 
> What key phrases do people scan log files for?
> 
> At our site, we log everything we can to a central "more secure" logging
> server.  We divide our logging up into three files: SYSLOG.mail for all mail,
> SYSLOG.auth for authentication, and SYSLOG for everything else.
> 
> On our IRIX 5.3 systems, I've found that searching for the following is helpful:
> 
> VRFY            /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
> EXPN            /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> " command "     /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
> 
> deni            /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> fail            /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords
>                                         at the login prompt; brute force attacks, etc)
> 
> Does anyone have other things you look for on a regular basis?
> 
> I'm eventually hoping that we'll start using one of the log filter packages
> out there on the net.  Anyone compared the various log filtering packages out
> there?  Do any of the packages come with preset standard patterns to search for?
> 
> Thanks!
> ---
> Mike Kienenberger    Arctic Region Supercomputing Center
> Systems Analyst      (907) 474-6842
> mkienenb@arsc.edu    http://www.arsc.edu

YES, I would also watch the sulog for superuser attempts and failures
since this is a rather high priority access level as well.

-- 
                        Troy Billington  
                    SysOp: InfoLine BBS systems     
                    (305) 598-2679  Miami, Fl
                    "http://www.hutton.net/infoline"
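The grep table quoted above, together with Troy's suggestion of watching sulog, worked into one small scanner as an added example (this is not code from either poster or from any of the log filter packages mentioned). The log lines it runs over are constructed samples in the general shape of sendmail, IRIX login and sulog output, not captured data; reading the table's `" command "` as shell quoting around ` command ` is an assumption. Matching is case-insensitive so that `fail` also catches `FAILED` and `Failed`, which a plain `grep fail` would miss.

```python
"""Scan the split SYSLOG files from the thread for its key phrases.

Added example, not code from the thread. The rule table mirrors the
patterns Mike Kienenberger listed (VRFY, EXPN, " command ", deni, fail)
plus Troy's addition of watching sulog for su attempts and failures.
All log lines below are constructed samples, not captured data.
"""
import re
from collections import defaultdict

# Constructed sample logs, keyed by the file names used in the thread.
SAMPLE_LOGS = {
    "SYSLOG.mail": [
        'Nov 28 03:12:01 mailhost sendmail[2314]: NOQUEUE: relay.example.net [192.0.2.10]: VRFY root',
        'Nov 28 03:12:05 mailhost sendmail[2314]: NOQUEUE: relay.example.net [192.0.2.10]: EXPN staff',
        'Nov 28 03:14:22 mailhost sendmail[2319]: NOQUEUE: relay.example.net [192.0.2.10]: "wiz" command from relay.example.net [192.0.2.10]',
        'Nov 28 03:20:00 mailhost sendmail[2330]: DAA02330: from=<alice@example.org>, size=1200, class=0',
    ],
    "SYSLOG.auth": [
        'Nov 28 04:01:10 host login[455]: FAILED: ttyq2 as root',
        'Nov 28 04:01:12 host login[455]: FAILED: ttyq2 as root',
        'Nov 28 04:05:00 host rshd[470]: connection from 192.0.2.77 denied',
        'Nov 28 04:10:33 host login[490]: succeeded: ttyq2 as troy',
    ],
    "sulog": [
        'SU 11/28 04:20 - ttyq2 troy-root',
        'SU 11/28 04:21 - ttyq2 troy-root',
        'SU 11/28 04:22 + ttyq2 troy-root',
        'SU 11/28 04:30 + ttyq3 alice-operator',
    ],
}

# (log file, regex, description).  Fixed strings are escaped; matching is
# case-insensitive so "fail" also catches "FAILED" and "Failed".
RULES = [
    ("SYSLOG.mail", re.escape("VRFY"),      "VRFY commands"),
    ("SYSLOG.mail", re.escape("EXPN"),      "EXPN commands"),
    # The thread's `" command "` read as shell quoting around ` command `
    # (assumption); sendmail logs e.g. `"wiz" command from <host>`.
    ("SYSLOG.mail", re.escape(" command "), "debug/wiz commands"),
    ("SYSLOG.auth", re.escape("deni"),      "denied network commands"),
    ("SYSLOG.auth", re.escape("fail"),      "failed logins"),
    # Troy's addition: sulog marks a failed su with "-" and a success with "+".
    ("sulog",       r"^SU .* - ",           "failed su attempts"),
    ("sulog",       r"-root$",              "any su to root"),
]


def scan(logs, rules):
    """Return {description: [(logfile, lineno, line), ...]} for every rule hit."""
    hits = defaultdict(list)
    for logname, pattern, desc in rules:
        rx = re.compile(pattern, re.IGNORECASE)
        for lineno, line in enumerate(logs.get(logname, []), start=1):
            if rx.search(line):
                hits[desc].append((logname, lineno, line))
    return dict(hits)


def summarize(hits):
    """Collapse hits into {description: count}, most frequent first."""
    return dict(sorted(((d, len(v)) for d, v in hits.items()),
                       key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, RULES)
    for desc, count in summarize(found).items():
        print(f"{count:3d}  {desc}")
        for logname, lineno, line in found[desc]:
            print(f"       {logname}:{lineno}: {line}")
```

Pointing `SAMPLE_LOGS` at the real `/usr/adm/*SYSLOG.*` and `sulog` files is a matter of replacing the dictionary with `open(...).read().splitlines()` per file; the rule table stays the same, and new phrases are added as further `(file, regex, description)` rows.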