FreeOS.com: Intrusion Detection Systems, Part IV: Logcheck (Feb 13, 2001, 14:44)
(Other stories by Trevor Warren)
[ Thanks to Trevor Warren for this link. ]
"The first thing any intruder would do is to wipe out any telltale signs of intrusion. This task would be of high priority to the cracker, so that there are no fingerprints to follow up on, or no other leads that would eventually lead to disclosing the origin of the attack. Therefore, a good system administrator will always implement a log file monitor. There are various tools out there which will help you get this task done, among them being Logcheck and Swatch. In this article we take a look at the working and implementation of Logcheck. The author of Logcheck is Craig H. Rowland. As with most other Open Source projects, this too is distributed under the GNU GPL license."
"Logcheck is a software package that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck uses a program called logtail that remembers the last position it read from in a log file and will use this position on subsequent runs to process new information. All source code is available for review and the implementation has been kept simple to avoid problems. This package is a clone of the frequentcheck.sh script from the Trusted Information Systems Gauntlet(tm) firewall package."
"Auditing and logging on any system is of great significance, as it makes sure that a serious breach of any kind is always tracked. What is great about Unix is that most modern implementations use the syslog facility to report extensively -- if configured and supported correctly -- all happenings, good or bad, on the host system. This allows the creation of an audit trail that can be used very effectively to subvert potential attacks and alert system administrators. However, all this is of no use if the system administrator has no time to look at the logs. One reason for this is the very nature and quantity of logging happening on a machine. We have known systems administrators complaining about daily logs on machines running to the tune of more than 10 - 20 Megs -- hardly an enviable task. This is where Logcheck will help. Logcheck automates the auditing process and weeds out normal log information, to give you a condensed look at problems and potential troublemakers, mailed to wherever you please."
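As an added illustration (not Logcheck's own code, nor from the quoted article), the following Python sketch reproduces the two mechanisms the article describes: a logtail-style offset file so each log line is inspected only once across runs, and violation/ignore pattern lists that reduce a noisy log to the lines worth reading. The sample log lines and the pattern lists are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Constructed syslog-style sample (not real system output).
SAMPLE_LOG = """\
Feb 13 14:01:02 host sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Feb 13 14:01:09 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Feb 13 14:02:33 host sshd[815]: Failed password for root from 10.0.0.9 port 40011 ssh2
Feb 13 14:03:10 host kernel: eth0: link up
Feb 13 14:04:41 host su[950]: FAILED SU (to root) alice on pts/0
Feb 13 14:05:02 host sshd[860]: Server listening on 0.0.0.0 port 22.
"""

# Stand-ins for logcheck's violation and ignore files (assumed: one regex per entry).
VIOLATIONS = [r"Failed password", r"FAILED SU", r"refused connect"]
IGNORE = [r"sshd\[\d+\]: Accepted publickey", r"cron\[\d+\]: \(root\) CMD", r"link up"]

def read_new_lines(log_path, offset_path):
    """Mimic logtail: return only lines appended since the previous run,
    persisting the byte offset so no line is reported twice."""
    log, off = Path(log_path), Path(offset_path)
    last = int(off.read_text()) if off.exists() else 0
    if log.stat().st_size < last:      # file rotated or truncated: start over
        last = 0
    with log.open("rb") as f:
        f.seek(last)
        data = f.read()
    off.write_text(str(last + len(data)))
    return data.decode(errors="replace").splitlines()

def check(lines):
    """Split new lines into known violations and 'unusual' lines that no ignore rule covers.
    Everything else is routine noise and is dropped from the report."""
    violations = [ln for ln in lines if any(re.search(p, ln) for p in VIOLATIONS)]
    unusual = [ln for ln in lines
               if ln not in violations and not any(re.search(p, ln) for p in IGNORE)]
    return violations, unusual

def run_demo(workdir=None):
    """Two consecutive runs over one log: the second run sees only the appended line."""
    d = Path(workdir or tempfile.mkdtemp())
    log, off = d / "messages", d / "messages.offset"
    log.write_text(SAMPLE_LOG)
    first = check(read_new_lines(log, off))
    with log.open("a") as f:            # constructed event arriving between runs
        f.write("Feb 13 14:09:00 host sshd[990]: refused connect from 10.0.0.77\n")
    second = check(read_new_lines(log, off))
    return first, second
```

In a real deployment the returned lists would be formatted and mailed, as the article says, rather than returned; the offset file is what keeps a cron-driven run from re-alerting on old entries.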