Anyway, I've been getting my feet wet learning in depth about Linux security, and I've learned quite a lot, starting from suid, guid, sticky bits to firewall, shutting down unused services, etc., & I've installed & configured Bastille Linux, and at the moment I feel like my system is quite secure.
So I've been looking into logging and IDS stuff. I've installed scanlogd, but one thing that I haven't yet figured out is how to separate the logs. I mean all the logs, starting from kernel messages to cron logs and scanlogd logs, are in one file, "/var/log/messages".
Example of the current state of my log:
# tail -20 messages root@Hacker-Network
Oct 23 15:04:36 localhost kernel: [17861.137365] EXT4-fs (dm-1): re-mounted. Opts: user_xattr,commit=600
Oct 23 15:04:36 localhost kernel: [17861.144966] EXT4-fs (sda1): re-mounted. Opts: commit=600
Oct 23 15:05:05 localhost kernel: [17890.465933] ata3.00: configured for UDMA/133
Oct 23 15:05:05 localhost kernel: [17890.465944] ata3: EH complete
Oct 23 15:05:05 localhost kernel: [17890.466218] sd 4:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Oct 23 15:05:05 localhost kernel: [17890.734077] EXT4-fs (dm-1): re-mounted. Opts: user_xattr,commit=0
Oct 23 15:05:05 localhost kernel: [17890.739284] EXT4-fs (sda1): re-mounted. Opts: commit=0
Oct 23 15:10:01 localhost cron[19669]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Oct 23 15:20:01 localhost cron[19832]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Oct 23 15:30:01 localhost cron[19857]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Oct 23 15:35:02 localhost dbus[8428]: [system] Activating service name='org.bluez' (using servicehelper)
Oct 23 15:35:03 localhost dbus[8428]: [system] Activated service 'org.bluez' failed: Launch helper exited with unknown return code 1
Oct 23 15:35:51 localhost dbus[8428]: [system] Activating service name='org.bluez' (using servicehelper)
Oct 23 15:35:51 localhost dbus[8428]: [system] Activated service 'org.bluez' failed: Launch helper exited with unknown return code 1
Oct 23 15:40:01 localhost cron[20001]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
Oct 23 15:44:26 localhost kernel: [20251.646754] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Oct 23 09:44:26 localhost scanlogd: 127.0.0.1:56691 to 127.0.0.1 ports 22, 139, 256, 111, 443, 587, ..., fSrpauxy, TOS 00 @09:44:26
Oct 23 09:44:38 localhost scanlogd: 127.0.0.1:59119 to 127.0.0.1 ports 3389, 139, 110, 993, 22, 8888, 25, 445, ..., fSrpauxy, TOS 00 @09:44:38
Oct 23 09:44:50 localhost scanlogd: 127.0.0.1:33711 to 127.0.0.1 ports 22, 21, 80, 8080, 1720, 23, 1025, 3306, 5900, 139, ..., fSrpauxy, TOS 00 @09:44:50
Oct 23 09:44:59 localhost scanlogd: 127.0.0.1 to 127.0.0.1 ports 8080, 139, 587, 143, 256, 199, 8888, 3389, ..., fSrpauxy, TOS 00, TTL 64 @09:44:59
The scan was done on my machine to test scanlogd, so nothing to worry about!
The reason I want to separate them is that I want to keep an eye on my logs by configuring my conky to display them in real time in separate parts of the screen: one corner for kernel messages, one for network (illegal scans, etc.), one for failed login attempts, etc. You get the picture.
Or is there any other way to achieve what I want? Please let me know.
Thanks.
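As an added example (not the poster's code or scanlogd's), here is a small Python splitter that parses lines in the /var/log/messages layout shown above and buckets them by program name, picking out failed logins by message text so they can land in their own corner; the category mapping is an assumption, and the sshd sample line and its 203.0.113.5 address are constructed.

```python
import re
from collections import defaultdict

# Layout of the lines in the excerpt above: "Mon DD HH:MM:SS host program[pid]: message",
# where the "[pid]" part is optional (the kernel and scanlogd entries lack it).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumed mapping from program name to screen corner; unlisted programs go to "other".
PROGRAM_CATEGORY = {"kernel": "kernel", "scanlogd": "network", "cron": "cron"}
# Failed logins come from sshd/login/su, so they are matched on the message text instead.
AUTH_FAILURE_RE = re.compile(r"(?i)failed password|authentication failure|invalid user")


def categorize(line):
    # Returns the category for one syslog line, or "unparsed" if it does not fit the layout.
    m = SYSLOG_RE.match(line)
    if m is None:
        return "unparsed"
    if AUTH_FAILURE_RE.search(m.group("msg")):
        return "auth"
    return PROGRAM_CATEGORY.get(m.group("prog"), "other")


def split_log(lines):
    # Groups lines by category, preserving order; returns {category: [line, ...]}.
    buckets = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        if line:
            buckets[categorize(line)].append(line)
    return dict(buckets)


# Constructed sample in the same layout as the /var/log/messages excerpt; the sshd line
# and its 203.0.113.5 address are invented for illustration.
SAMPLE_LINES = [
    "Oct 23 15:05:05 localhost kernel: [17890.465944] ata3: EH complete",
    "Oct 23 15:10:01 localhost cron[19669]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)",
    "Oct 23 15:35:02 localhost dbus[8428]: [system] Activating service name='org.bluez' (using servicehelper)",
    "Oct 23 09:44:26 localhost scanlogd: 127.0.0.1:56691 to 127.0.0.1 ports 22, 139, 256, 111, ..., fSrpauxy, TOS 00 @09:44:26",
    "Oct 23 09:44:38 localhost scanlogd: 127.0.0.1:59119 to 127.0.0.1 ports 3389, 139, 110, ..., fSrpauxy, TOS 00 @09:44:38",
    "Oct 23 15:50:12 localhost sshd[21001]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2",
    "this line does not follow the syslog layout",
]
```

Feeding `open("/var/log/messages")` to `split_log` and writing each bucket to its own file gives conky one small file per corner to tail; lines that end up in "unparsed" are worth a look, since a reader like this should never silently drop anything.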